[v2,35/39] tests/qtest: migration-test: Skip running some TLS cases for win32

Commit Message

Bin Meng Sept. 20, 2022, 10:31 a.m. UTC

From: Bin Meng <bin.meng@windriver.com>

Some migration test cases use TLS to communicate, but they fail on
Windows with the following error messages:

  qemu-system-x86_64: TLS handshake failed: Insufficient credentials for that request.
  qemu-system-x86_64: TLS handshake failed: Error in the pull function.
  query-migrate shows failed migration: TLS handshake failed: Error in the pull function.

Disable them temporarily.

Signed-off-by: Bin Meng <bin.meng@windriver.com>
---
I am not familar with the gnutls and simply enabling the gnutls debug
output does not give me an immedidate hint on why it's failing on
Windows. Disable these cases for now until someone or maintainers
who may want to test this on Windows.

(no changes since v1)

 tests/qtest/migration-test.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

Comments

Dr. David Alan Gilbert Sept. 21, 2022, 4:51 p.m. UTC | #1

* Bin Meng (bmeng.cn@gmail.com) wrote:
> From: Bin Meng <bin.meng@windriver.com>
> 
> Some migration test cases use TLS to communicate, but they fail on
> Windows with the following error messages:
> 
>   qemu-system-x86_64: TLS handshake failed: Insufficient credentials for that request.
>   qemu-system-x86_64: TLS handshake failed: Error in the pull function.
>   query-migrate shows failed migration: TLS handshake failed: Error in the pull function.
> 
> Disable them temporarily.
> 
> Signed-off-by: Bin Meng <bin.meng@windriver.com>
> ---
> I am not familar with the gnutls and simply enabling the gnutls debug
> output does not give me an immedidate hint on why it's failing on
> Windows. Disable these cases for now until someone or maintainers
> who may want to test this on Windows.

Copying in Dan Berrange, he's our expert on weird TLS failures.

Dave

> 
> (no changes since v1)
> 
>  tests/qtest/migration-test.c | 14 ++++++++++++++
>  1 file changed, 14 insertions(+)
> 
> diff --git a/tests/qtest/migration-test.c b/tests/qtest/migration-test.c
> index aedd9ddb72..dbee9b528a 100644
> --- a/tests/qtest/migration-test.c
> +++ b/tests/qtest/migration-test.c
> @@ -1403,6 +1403,7 @@ static void test_precopy_unix_dirty_ring(void)
>  }
>  
>  #ifdef CONFIG_GNUTLS
> +#ifndef _WIN32
>  static void test_precopy_unix_tls_psk(void)
>  {
>      g_autofree char *uri = g_strdup_printf("unix:%s/migsocket", tmpfs);
> @@ -1415,6 +1416,7 @@ static void test_precopy_unix_tls_psk(void)
>  
>      test_precopy_common(&args);
>  }
> +#endif /* _WIN32 */
>  
>  #ifdef CONFIG_TASN1
>  static void test_precopy_unix_tls_x509_default_host(void)
> @@ -1523,6 +1525,7 @@ static void test_precopy_tcp_plain(void)
>  }
>  
>  #ifdef CONFIG_GNUTLS
> +#ifndef _WIN32
>  static void test_precopy_tcp_tls_psk_match(void)
>  {
>      MigrateCommon args = {
> @@ -1533,6 +1536,7 @@ static void test_precopy_tcp_tls_psk_match(void)
>  
>      test_precopy_common(&args);
>  }
> +#endif /* _WIN32 */
>  
>  static void test_precopy_tcp_tls_psk_mismatch(void)
>  {
> @@ -1930,6 +1934,7 @@ static void test_multifd_tcp_zstd(void)
>  #endif
>  
>  #ifdef CONFIG_GNUTLS
> +#ifndef _WIN32
>  static void *
>  test_migrate_multifd_tcp_tls_psk_start_match(QTestState *from,
>                                               QTestState *to)
> @@ -1937,6 +1942,7 @@ test_migrate_multifd_tcp_tls_psk_start_match(QTestState *from,
>      test_migrate_precopy_tcp_multifd_start_common(from, to, "none");
>      return test_migrate_tls_psk_start_match(from, to);
>  }
> +#endif /* _WIN32 */
>  
>  static void *
>  test_migrate_multifd_tcp_tls_psk_start_mismatch(QTestState *from,
> @@ -1988,6 +1994,7 @@ test_migrate_multifd_tls_x509_start_reject_anon_client(QTestState *from,
>  }
>  #endif /* CONFIG_TASN1 */
>  
> +#ifndef _WIN32
>  static void test_multifd_tcp_tls_psk_match(void)
>  {
>      MigrateCommon args = {
> @@ -1997,6 +2004,7 @@ static void test_multifd_tcp_tls_psk_match(void)
>      };
>      test_precopy_common(&args);
>  }
> +#endif /* _WIN32 */
>  
>  static void test_multifd_tcp_tls_psk_mismatch(void)
>  {
> @@ -2497,8 +2505,10 @@ int main(int argc, char **argv)
>      qtest_add_func("/migration/precopy/unix/plain", test_precopy_unix_plain);
>      qtest_add_func("/migration/precopy/unix/xbzrle", test_precopy_unix_xbzrle);
>  #ifdef CONFIG_GNUTLS
> +#ifndef _WIN32
>      qtest_add_func("/migration/precopy/unix/tls/psk",
>                     test_precopy_unix_tls_psk);
> +#endif
>  
>      if (has_uffd) {
>          /*
> @@ -2524,8 +2534,10 @@ int main(int argc, char **argv)
>  
>      qtest_add_func("/migration/precopy/tcp/plain", test_precopy_tcp_plain);
>  #ifdef CONFIG_GNUTLS
> +#ifndef _WIN32
>      qtest_add_func("/migration/precopy/tcp/tls/psk/match",
>                     test_precopy_tcp_tls_psk_match);
> +#endif
>      qtest_add_func("/migration/precopy/tcp/tls/psk/mismatch",
>                     test_precopy_tcp_tls_psk_mismatch);
>  #ifdef CONFIG_TASN1
> @@ -2569,8 +2581,10 @@ int main(int argc, char **argv)
>                     test_multifd_tcp_zstd);
>  #endif
>  #ifdef CONFIG_GNUTLS
> +#ifndef _WIN32
>      qtest_add_func("/migration/multifd/tcp/tls/psk/match",
>                     test_multifd_tcp_tls_psk_match);
> +#endif
>      qtest_add_func("/migration/multifd/tcp/tls/psk/mismatch",
>                     test_multifd_tcp_tls_psk_mismatch);
>  #ifdef CONFIG_TASN1
> -- 
> 2.34.1
>

Daniel P. Berrangé Sept. 21, 2022, 5:23 p.m. UTC | #2

On Wed, Sep 21, 2022 at 05:51:33PM +0100, Dr. David Alan Gilbert wrote:
> * Bin Meng (bmeng.cn@gmail.com) wrote:
> > From: Bin Meng <bin.meng@windriver.com>
> > 
> > Some migration test cases use TLS to communicate, but they fail on
> > Windows with the following error messages:
> > 
> >   qemu-system-x86_64: TLS handshake failed: Insufficient credentials for that request.
> >   qemu-system-x86_64: TLS handshake failed: Error in the pull function.
> >   query-migrate shows failed migration: TLS handshake failed: Error in the pull function.
> > 
> > Disable them temporarily.
> > 
> > Signed-off-by: Bin Meng <bin.meng@windriver.com>
> > ---
> > I am not familar with the gnutls and simply enabling the gnutls debug
> > output does not give me an immedidate hint on why it's failing on
> > Windows. Disable these cases for now until someone or maintainers
> > who may want to test this on Windows.
> 
> Copying in Dan Berrange, he's our expert on weird TLS failures.

Seems to match this:

   https://gnutls.org/faq.html#key-usage-violation2

which suggests we have a configuration mis-match.

I'm surprised to see you are only needing to disable the TLS PSK tests,
not the TLS x509 tests.

I'd like to know if tests/unit/test-crypto-tlssession passes.

If so, it might suggest we are missing 'priority: NORMAL' property
when configuring TLS creds for the migration test.

> > (no changes since v1)
> > 
> >  tests/qtest/migration-test.c | 14 ++++++++++++++
> >  1 file changed, 14 insertions(+)
> > 
> > diff --git a/tests/qtest/migration-test.c b/tests/qtest/migration-test.c
> > index aedd9ddb72..dbee9b528a 100644
> > --- a/tests/qtest/migration-test.c
> > +++ b/tests/qtest/migration-test.c
> > @@ -1403,6 +1403,7 @@ static void test_precopy_unix_dirty_ring(void)
> >  }
> >  
> >  #ifdef CONFIG_GNUTLS
> > +#ifndef _WIN32
> >  static void test_precopy_unix_tls_psk(void)
> >  {
> >      g_autofree char *uri = g_strdup_printf("unix:%s/migsocket", tmpfs);
> > @@ -1415,6 +1416,7 @@ static void test_precopy_unix_tls_psk(void)
> >  
> >      test_precopy_common(&args);
> >  }
> > +#endif /* _WIN32 */
> >  
> >  #ifdef CONFIG_TASN1
> >  static void test_precopy_unix_tls_x509_default_host(void)
> > @@ -1523,6 +1525,7 @@ static void test_precopy_tcp_plain(void)
> >  }
> >  
> >  #ifdef CONFIG_GNUTLS
> > +#ifndef _WIN32
> >  static void test_precopy_tcp_tls_psk_match(void)
> >  {
> >      MigrateCommon args = {
> > @@ -1533,6 +1536,7 @@ static void test_precopy_tcp_tls_psk_match(void)
> >  
> >      test_precopy_common(&args);
> >  }
> > +#endif /* _WIN32 */
> >  
> >  static void test_precopy_tcp_tls_psk_mismatch(void)
> >  {
> > @@ -1930,6 +1934,7 @@ static void test_multifd_tcp_zstd(void)
> >  #endif
> >  
> >  #ifdef CONFIG_GNUTLS
> > +#ifndef _WIN32
> >  static void *
> >  test_migrate_multifd_tcp_tls_psk_start_match(QTestState *from,
> >                                               QTestState *to)
> > @@ -1937,6 +1942,7 @@ test_migrate_multifd_tcp_tls_psk_start_match(QTestState *from,
> >      test_migrate_precopy_tcp_multifd_start_common(from, to, "none");
> >      return test_migrate_tls_psk_start_match(from, to);
> >  }
> > +#endif /* _WIN32 */
> >  
> >  static void *
> >  test_migrate_multifd_tcp_tls_psk_start_mismatch(QTestState *from,
> > @@ -1988,6 +1994,7 @@ test_migrate_multifd_tls_x509_start_reject_anon_client(QTestState *from,
> >  }
> >  #endif /* CONFIG_TASN1 */
> >  
> > +#ifndef _WIN32
> >  static void test_multifd_tcp_tls_psk_match(void)
> >  {
> >      MigrateCommon args = {
> > @@ -1997,6 +2004,7 @@ static void test_multifd_tcp_tls_psk_match(void)
> >      };
> >      test_precopy_common(&args);
> >  }
> > +#endif /* _WIN32 */
> >  
> >  static void test_multifd_tcp_tls_psk_mismatch(void)
> >  {
> > @@ -2497,8 +2505,10 @@ int main(int argc, char **argv)
> >      qtest_add_func("/migration/precopy/unix/plain", test_precopy_unix_plain);
> >      qtest_add_func("/migration/precopy/unix/xbzrle", test_precopy_unix_xbzrle);
> >  #ifdef CONFIG_GNUTLS
> > +#ifndef _WIN32
> >      qtest_add_func("/migration/precopy/unix/tls/psk",
> >                     test_precopy_unix_tls_psk);
> > +#endif
> >  
> >      if (has_uffd) {
> >          /*
> > @@ -2524,8 +2534,10 @@ int main(int argc, char **argv)
> >  
> >      qtest_add_func("/migration/precopy/tcp/plain", test_precopy_tcp_plain);
> >  #ifdef CONFIG_GNUTLS
> > +#ifndef _WIN32
> >      qtest_add_func("/migration/precopy/tcp/tls/psk/match",
> >                     test_precopy_tcp_tls_psk_match);
> > +#endif
> >      qtest_add_func("/migration/precopy/tcp/tls/psk/mismatch",
> >                     test_precopy_tcp_tls_psk_mismatch);
> >  #ifdef CONFIG_TASN1
> > @@ -2569,8 +2581,10 @@ int main(int argc, char **argv)
> >                     test_multifd_tcp_zstd);
> >  #endif
> >  #ifdef CONFIG_GNUTLS
> > +#ifndef _WIN32
> >      qtest_add_func("/migration/multifd/tcp/tls/psk/match",
> >                     test_multifd_tcp_tls_psk_match);
> > +#endif
> >      qtest_add_func("/migration/multifd/tcp/tls/psk/mismatch",
> >                     test_multifd_tcp_tls_psk_mismatch);
> >  #ifdef CONFIG_TASN1
> > -- 
> > 2.34.1
> > 
> -- 
> Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
> 

With regards,
Daniel

Bin Meng Sept. 22, 2022, 2:47 a.m. UTC | #3

On Thu, Sep 22, 2022 at 1:23 AM Daniel P. Berrangé <berrange@redhat.com> wrote:
>
> On Wed, Sep 21, 2022 at 05:51:33PM +0100, Dr. David Alan Gilbert wrote:
> > * Bin Meng (bmeng.cn@gmail.com) wrote:
> > > From: Bin Meng <bin.meng@windriver.com>
> > >
> > > Some migration test cases use TLS to communicate, but they fail on
> > > Windows with the following error messages:
> > >
> > >   qemu-system-x86_64: TLS handshake failed: Insufficient credentials for that request.
> > >   qemu-system-x86_64: TLS handshake failed: Error in the pull function.
> > >   query-migrate shows failed migration: TLS handshake failed: Error in the pull function.
> > >
> > > Disable them temporarily.
> > >
> > > Signed-off-by: Bin Meng <bin.meng@windriver.com>
> > > ---
> > > I am not familar with the gnutls and simply enabling the gnutls debug
> > > output does not give me an immedidate hint on why it's failing on
> > > Windows. Disable these cases for now until someone or maintainers
> > > who may want to test this on Windows.
> >
> > Copying in Dan Berrange, he's our expert on weird TLS failures.
>
> Seems to match this:
>
>    https://gnutls.org/faq.html#key-usage-violation2
>
> which suggests we have a configuration mis-match.
>
> I'm surprised to see you are only needing to disable the TLS PSK tests,
> not the TLS x509 tests.

The TLS x509 qtests all passed.

>
> I'd like to know if tests/unit/test-crypto-tlssession passes.

These unit tests currently are not built on Windows as they simply
don't build due to usage of socketpair().

>
> If so, it might suggest we are missing 'priority: NORMAL' property
> when configuring TLS creds for the migration test.

I did the following changes but the error is still the same:

diff --git a/tests/qtest/migration-test.c b/tests/qtest/migration-test.c
index dbee9b528a..c1e3f11873 100644
--- a/tests/qtest/migration-test.c
+++ b/tests/qtest/migration-test.c
@@ -788,7 +788,8 @@ test_migrate_tls_psk_start_common(QTestState *from,
" 'id': 'tlscredspsk0',"
" 'endpoint': 'client',"
" 'dir': %s,"
- " 'username': 'qemu'} }",
+ " 'username': 'qemu',"
+ " 'priority': 'NORMAL'} }",
data->workdir);
qobject_unref(rsp);
@@ -797,7 +798,8 @@ test_migrate_tls_psk_start_common(QTestState *from,
" 'arguments': { 'qom-type': 'tls-creds-psk',"
" 'id': 'tlscredspsk0',"
" 'endpoint': 'server',"
- " 'dir': %s } }",
+ " 'dir': %s,"
+ " 'priority': 'NORMAL'} }",
mismatch ? data->workdiralt : data->workdir);
qobject_unref(rsp);

I am not sure whether I did the right changes.

>
> > > (no changes since v1)
> > >
> > >  tests/qtest/migration-test.c | 14 ++++++++++++++
> > >  1 file changed, 14 insertions(+)
> > >
> > > diff --git a/tests/qtest/migration-test.c b/tests/qtest/migration-test.c
> > > index aedd9ddb72..dbee9b528a 100644
> > > --- a/tests/qtest/migration-test.c
> > > +++ b/tests/qtest/migration-test.c
> > > @@ -1403,6 +1403,7 @@ static void test_precopy_unix_dirty_ring(void)
> > >  }
> > >
> > >  #ifdef CONFIG_GNUTLS
> > > +#ifndef _WIN32
> > >  static void test_precopy_unix_tls_psk(void)
> > >  {
> > >      g_autofree char *uri = g_strdup_printf("unix:%s/migsocket", tmpfs);
> > > @@ -1415,6 +1416,7 @@ static void test_precopy_unix_tls_psk(void)
> > >
> > >      test_precopy_common(&args);
> > >  }
> > > +#endif /* _WIN32 */
> > >
> > >  #ifdef CONFIG_TASN1
> > >  static void test_precopy_unix_tls_x509_default_host(void)
> > > @@ -1523,6 +1525,7 @@ static void test_precopy_tcp_plain(void)
> > >  }
> > >
> > >  #ifdef CONFIG_GNUTLS
> > > +#ifndef _WIN32
> > >  static void test_precopy_tcp_tls_psk_match(void)
> > >  {
> > >      MigrateCommon args = {
> > > @@ -1533,6 +1536,7 @@ static void test_precopy_tcp_tls_psk_match(void)
> > >
> > >      test_precopy_common(&args);
> > >  }
> > > +#endif /* _WIN32 */
> > >
> > >  static void test_precopy_tcp_tls_psk_mismatch(void)
> > >  {
> > > @@ -1930,6 +1934,7 @@ static void test_multifd_tcp_zstd(void)
> > >  #endif
> > >
> > >  #ifdef CONFIG_GNUTLS
> > > +#ifndef _WIN32
> > >  static void *
> > >  test_migrate_multifd_tcp_tls_psk_start_match(QTestState *from,
> > >                                               QTestState *to)
> > > @@ -1937,6 +1942,7 @@ test_migrate_multifd_tcp_tls_psk_start_match(QTestState *from,
> > >      test_migrate_precopy_tcp_multifd_start_common(from, to, "none");
> > >      return test_migrate_tls_psk_start_match(from, to);
> > >  }
> > > +#endif /* _WIN32 */
> > >
> > >  static void *
> > >  test_migrate_multifd_tcp_tls_psk_start_mismatch(QTestState *from,
> > > @@ -1988,6 +1994,7 @@ test_migrate_multifd_tls_x509_start_reject_anon_client(QTestState *from,
> > >  }
> > >  #endif /* CONFIG_TASN1 */
> > >
> > > +#ifndef _WIN32
> > >  static void test_multifd_tcp_tls_psk_match(void)
> > >  {
> > >      MigrateCommon args = {
> > > @@ -1997,6 +2004,7 @@ static void test_multifd_tcp_tls_psk_match(void)
> > >      };
> > >      test_precopy_common(&args);
> > >  }
> > > +#endif /* _WIN32 */
> > >
> > >  static void test_multifd_tcp_tls_psk_mismatch(void)
> > >  {
> > > @@ -2497,8 +2505,10 @@ int main(int argc, char **argv)
> > >      qtest_add_func("/migration/precopy/unix/plain", test_precopy_unix_plain);
> > >      qtest_add_func("/migration/precopy/unix/xbzrle", test_precopy_unix_xbzrle);
> > >  #ifdef CONFIG_GNUTLS
> > > +#ifndef _WIN32
> > >      qtest_add_func("/migration/precopy/unix/tls/psk",
> > >                     test_precopy_unix_tls_psk);
> > > +#endif
> > >
> > >      if (has_uffd) {
> > >          /*
> > > @@ -2524,8 +2534,10 @@ int main(int argc, char **argv)
> > >
> > >      qtest_add_func("/migration/precopy/tcp/plain", test_precopy_tcp_plain);
> > >  #ifdef CONFIG_GNUTLS
> > > +#ifndef _WIN32
> > >      qtest_add_func("/migration/precopy/tcp/tls/psk/match",
> > >                     test_precopy_tcp_tls_psk_match);
> > > +#endif
> > >      qtest_add_func("/migration/precopy/tcp/tls/psk/mismatch",
> > >                     test_precopy_tcp_tls_psk_mismatch);
> > >  #ifdef CONFIG_TASN1
> > > @@ -2569,8 +2581,10 @@ int main(int argc, char **argv)
> > >                     test_multifd_tcp_zstd);
> > >  #endif
> > >  #ifdef CONFIG_GNUTLS
> > > +#ifndef _WIN32
> > >      qtest_add_func("/migration/multifd/tcp/tls/psk/match",
> > >                     test_multifd_tcp_tls_psk_match);
> > > +#endif
> > >      qtest_add_func("/migration/multifd/tcp/tls/psk/mismatch",
> > >                     test_multifd_tcp_tls_psk_mismatch);
> > >  #ifdef CONFIG_TASN1
> > > --
> > > 2.34.1
> > >

Regards,
Bin

Daniel P. Berrangé Sept. 22, 2022, 10:39 a.m. UTC | #4

On Thu, Sep 22, 2022 at 10:47:26AM +0800, Bin Meng wrote:
> On Thu, Sep 22, 2022 at 1:23 AM Daniel P. Berrangé <berrange@redhat.com> wrote:
> >
> > On Wed, Sep 21, 2022 at 05:51:33PM +0100, Dr. David Alan Gilbert wrote:
> > > * Bin Meng (bmeng.cn@gmail.com) wrote:
> > > > From: Bin Meng <bin.meng@windriver.com>
> > > >
> > > > Some migration test cases use TLS to communicate, but they fail on
> > > > Windows with the following error messages:
> > > >
> > > >   qemu-system-x86_64: TLS handshake failed: Insufficient credentials for that request.
> > > >   qemu-system-x86_64: TLS handshake failed: Error in the pull function.
> > > >   query-migrate shows failed migration: TLS handshake failed: Error in the pull function.
> > > >
> > > > Disable them temporarily.
> > > >
> > > > Signed-off-by: Bin Meng <bin.meng@windriver.com>
> > > > ---
> > > > I am not familar with the gnutls and simply enabling the gnutls debug
> > > > output does not give me an immedidate hint on why it's failing on
> > > > Windows. Disable these cases for now until someone or maintainers
> > > > who may want to test this on Windows.
> > >
> > > Copying in Dan Berrange, he's our expert on weird TLS failures.
> >
> > Seems to match this:
> >
> >    https://gnutls.org/faq.html#key-usage-violation2
> >
> > which suggests we have a configuration mis-match.
> >
> > I'm surprised to see you are only needing to disable the TLS PSK tests,
> > not the TLS x509 tests.
> 
> The TLS x509 qtests all passed.
> 
> >
> > I'd like to know if tests/unit/test-crypto-tlssession passes.
> 
> These unit tests currently are not built on Windows as they simply
> don't build due to usage of socketpair().

Doh, yes, that's rather annoying, as debugging this problem in the
unit tests would be easier than in qtests.

> > If so, it might suggest we are missing 'priority: NORMAL' property
> > when configuring TLS creds for the migration test.
> 
> I did the following changes but the error is still the same:

> 
> diff --git a/tests/qtest/migration-test.c b/tests/qtest/migration-test.c
> index dbee9b528a..c1e3f11873 100644
> --- a/tests/qtest/migration-test.c
> +++ b/tests/qtest/migration-test.c
> @@ -788,7 +788,8 @@ test_migrate_tls_psk_start_common(QTestState *from,
> " 'id': 'tlscredspsk0',"
> " 'endpoint': 'client',"
> " 'dir': %s,"
> - " 'username': 'qemu'} }",
> + " 'username': 'qemu',"
> + " 'priority': 'NORMAL'} }",
> data->workdir);
> qobject_unref(rsp);
> @@ -797,7 +798,8 @@ test_migrate_tls_psk_start_common(QTestState *from,
> " 'arguments': { 'qom-type': 'tls-creds-psk',"
> " 'id': 'tlscredspsk0',"
> " 'endpoint': 'server',"
> - " 'dir': %s } }",
> + " 'dir': %s,"
> + " 'priority': 'NORMAL'} }",
> mismatch ? data->workdiralt : data->workdir);
> qobject_unref(rsp);
> 
> I am not sure whether I did the right changes.


That ought to have been sufficient, if priority strings were the
problem.


I think we'd need the debug output from gnutls - could you edit crypto/init.c
and uncomment the '#define DEBUG_GNUTLS' line near the top.

If you can post the output you get from a single migration-test test case
involving PSK, it might be enough to diagnose why gnutls is failing.

With regards,
Daniel

Bin Meng Sept. 22, 2022, 11:54 a.m. UTC | #5

On Thu, Sep 22, 2022 at 6:39 PM Daniel P. Berrangé <berrange@redhat.com> wrote:
>
> On Thu, Sep 22, 2022 at 10:47:26AM +0800, Bin Meng wrote:
> > On Thu, Sep 22, 2022 at 1:23 AM Daniel P. Berrangé <berrange@redhat.com> wrote:
> > >
> > > On Wed, Sep 21, 2022 at 05:51:33PM +0100, Dr. David Alan Gilbert wrote:
> > > > * Bin Meng (bmeng.cn@gmail.com) wrote:
> > > > > From: Bin Meng <bin.meng@windriver.com>
> > > > >
> > > > > Some migration test cases use TLS to communicate, but they fail on
> > > > > Windows with the following error messages:
> > > > >
> > > > >   qemu-system-x86_64: TLS handshake failed: Insufficient credentials for that request.
> > > > >   qemu-system-x86_64: TLS handshake failed: Error in the pull function.
> > > > >   query-migrate shows failed migration: TLS handshake failed: Error in the pull function.
> > > > >
> > > > > Disable them temporarily.
> > > > >
> > > > > Signed-off-by: Bin Meng <bin.meng@windriver.com>
> > > > > ---
> > > > > I am not familar with the gnutls and simply enabling the gnutls debug
> > > > > output does not give me an immedidate hint on why it's failing on
> > > > > Windows. Disable these cases for now until someone or maintainers
> > > > > who may want to test this on Windows.
> > > >
> > > > Copying in Dan Berrange, he's our expert on weird TLS failures.
> > >
> > > Seems to match this:
> > >
> > >    https://gnutls.org/faq.html#key-usage-violation2
> > >
> > > which suggests we have a configuration mis-match.
> > >
> > > I'm surprised to see you are only needing to disable the TLS PSK tests,
> > > not the TLS x509 tests.
> >
> > The TLS x509 qtests all passed.
> >
> > >
> > > I'd like to know if tests/unit/test-crypto-tlssession passes.
> >
> > These unit tests currently are not built on Windows as they simply
> > don't build due to usage of socketpair().
>
> Doh, yes, that's rather annoying, as debugging this problem in the
> unit tests would be easier than in qtests.
>
> > > If so, it might suggest we are missing 'priority: NORMAL' property
> > > when configuring TLS creds for the migration test.
> >
> > I did the following changes but the error is still the same:
>
> >
> > diff --git a/tests/qtest/migration-test.c b/tests/qtest/migration-test.c
> > index dbee9b528a..c1e3f11873 100644
> > --- a/tests/qtest/migration-test.c
> > +++ b/tests/qtest/migration-test.c
> > @@ -788,7 +788,8 @@ test_migrate_tls_psk_start_common(QTestState *from,
> > " 'id': 'tlscredspsk0',"
> > " 'endpoint': 'client',"
> > " 'dir': %s,"
> > - " 'username': 'qemu'} }",
> > + " 'username': 'qemu',"
> > + " 'priority': 'NORMAL'} }",
> > data->workdir);
> > qobject_unref(rsp);
> > @@ -797,7 +798,8 @@ test_migrate_tls_psk_start_common(QTestState *from,
> > " 'arguments': { 'qom-type': 'tls-creds-psk',"
> > " 'id': 'tlscredspsk0',"
> > " 'endpoint': 'server',"
> > - " 'dir': %s } }",
> > + " 'dir': %s,"
> > + " 'priority': 'NORMAL'} }",
> > mismatch ? data->workdiralt : data->workdir);
> > qobject_unref(rsp);
> >
> > I am not sure whether I did the right changes.
>
>
> That ought to have been sufficient, if priority strings were the
> problem.
>
>
> I think we'd need the debug output from gnutls - could you edit crypto/init.c
> and uncomment the '#define DEBUG_GNUTLS' line near the top.
>
> If you can post the output you get from a single migration-test test case
> involving PSK, it might be enough to diagnose why gnutls is failing.
>

Here is the output:

# Start of tls tests
# starting QEMU: ./qemu-system-x86_64 -qtest
unix:D:\msys64\tmp/qtest-18480.sock -qtest-log nul -chardev
socket,path=D:\msys64\tmp/qtest-18480.qmp,id=char0 -mon
chardev=char0,mode=control -display none -accel kvm -accel t
cg -name source,debug-threads=on -m 150M -serial
file:D:\msys64\tmp\migration-test-A5WJS1/src_serial -drive
file=D:\msys64\tmp\migration-test-A5WJS1/bootsect,format=raw -accel
qtest
qemu: thread naming not supported on this host
# starting QEMU: ./qemu-system-x86_64 -qtest
unix:D:\msys64\tmp/qtest-18480.sock -qtest-log nul -chardev
socket,path=D:\msys64\tmp/qtest-18480.qmp,id=char0 -mon
chardev=char0,mode=control -display none -accel kvm -accel t
cg -name target,debug-threads=on -m 150M -serial
file:D:\msys64\tmp\migration-test-A5WJS1/dest_serial -incoming
unix:D:\msys64\tmp\migration-test-A5WJS1/migsocket -drive
file=D:\msys64\tmp\migration-test-A5WJS1/bootsect,f
ormat=raw -accel qtest
qemu: thread naming not supported on this host
3: ASSERT: ../../gnutls-3.7.7/lib/str.c[gnutls_hex_decode]:605
3: ASSERT: ../../gnutls-3.7.7/lib/psk.c[gnutls_psk_set_client_credentials2]:164
55:: RREECC[[000000000011651b6bd15dfd420c2500]]:: AAllllooccaattiinngg
eeppoocchh ##00
2: a2d:de da d6d epdr o6t opcrooltso,c o4l6s ,c i4p6h
ecrispuhietressu,i t1e9s ,s i1g9 asliggo sa lagnods 1a0 ngdr o1u0ps i
ngtroo upprsi oirnitto yp rliiosrti
ty5 :l iRsEtC
[50:0 0REC0[0010601060d155fb4b012d0d]2:c 5A0l]l:o cAalltocatiinngg
eeppoocchh ##11
3:4: AHSSSKE[R0T0:0 0.0.1/5.b.b/1gdndu2tcl5s0-]3:. 7A.d7v/.l
ivbe/rbsuifofne:r s3..c3[
ge2t:_ lKaesetp_ipnagc kceitp]h:e1r1s8u5i
t10: eR E1A3D.:0 2- 1( GrNeUtTuLrSn_eAdE Sf_r2o5m6 _0G0C0M0_0S1H6A1368349)b
d21:7 0K,e ererpnion=g1 1c igpehrerrnsou=i0t
e3 :1 3A.S0S3E R(TG:N
U.T.L/S._.C/HgAnCuHtAl2s0-_3P.O7L.Y71/3l0i5b_/SbHuAf2f5e6r)s
.2c:[ _Kgeneuptilnsg_ icoi_prheeards_ubiutfef e1r3e.d0]1: 5(8G9N
UTLS_AES_128_GCM_SHA256)
2: Keeping ciphersuite 13.04 (GNUTLS_AES_128_CCM_SHA256)
2: Keeping ciphersuite cc.ac (GNUTLS_ECDHE_PSK_CHACHA20_POLY1305)
2: Keeping ciphersuite c0.36 (GNUTLS_ECDHE_PSK_AES_256_CBC_SHA1)
2: Keeping ciphersuite c0.35 (GNUTLS_ECDHE_PSK_AES_128_CBC_SHA1)
2: Keeping ciphersuite 00.ab (GNUTLS_DHE_PSK_AES_256_GCM_SHA384)
2: Keeping ciphersuite cc.ad (GNUTLS_DHE_PSK_CHACHA20_POLY1305)
2: Keeping ciphersuite c0.a7 (GNUTLS_DHE_PSK_AES_256_CCM)
2: Keeping ciphersuite 00.91 (GNUTLS_DHE_PSK_AES_256_CBC_SHA1)
2: Keeping ciphersuite 00.aa (GNUTLS_DHE_PSK_AES_128_GCM_SHA256)
2: Keeping ciphersuite c0.a6 (GNUTLS_DHE_PSK_AES_128_CCM)
2: Keeping ciphersuite 00.90 (GNUTLS_DHE_PSK_AES_128_CBC_SHA1)
2: Keeping ciphersuite 00.a9 (GNUTLS_PSK_AES_256_GCM_SHA384)
2: Keeping ciphersuite cc.ab (GNUTLS_PSK_CHACHA20_POLY1305)
2: Keeping ciphersuite c0.a5 (GNUTLS_PSK_AES_256_CCM)
2: Keeping ciphersuite 00.8d (GNUTLS_PSK_AES_256_CBC_SHA1)
2: Keeping ciphersuite 00.a8 (GNUTLS_PSK_AES_128_GCM_SHA256)
2: Keeping ciphersuite c0.a4 (GNUTLS_PSK_AES_128_CCM)
2: Keeping ciphersuite 00.8c (GNUTLS_PSK_AES_128_CBC_SHA1)
4: EXT[0000015bb1dd2c50]: Preparing extension (OCSP Status Request/5)
for 'client hello'
4: EXT[0000015bb1dd2c50]: Preparing extension (Client Certificate
Type/19) for 'client hello'
4: EXT[0000015bb1dd2c50]: Preparing extension (Server Certificate
Type/20) for 'client hello'
4: EXT[0000015bb1dd2c50]: Preparing extension (Supported Groups/10)
for 'client hello'
4: EXT[0000015bb1dd2c50]: Sent group SECP256R1 (0x17)
4: EXT[0000015bb1dd2c50]: Sent group SECP384R1 (0x18)
4: EXT[0000015bb1dd2c50]: Sent group SECP521R1 (0x19)
4: EXT[0000015bb1dd2c50]: Sent group X25519 (0x1d)
4: EXT[0000015bb1dd2c50]: Sent group X448 (0x1e)
4: EXT[0000015bb1dd2c50]: Sent group FFDHE2048 (0x100)
4: EXT[0000015bb1dd2c50]: Sent group FFDHE3072 (0x101)
4: EXT[0000015bb1dd2c50]: Sent group FFDHE4096 (0x102)
4: EXT[0000015bb1dd2c50]: Sent group FFDHE6144 (0x103)
4: EXT[0000015bb1dd2c50]: Sent group FFDHE8192 (0x104)
4: EXT[0000015bb1dd2c50]: Sending extension Supported Groups/10 (22 bytes)
4: EXT[0000015bb1dd2c50]: Preparing extension (Supported EC Point
Formats/11) for 'client hello'
4: EXT[0000015bb1dd2c50]: Sending extension Supported EC Point
Formats/11 (2 bytes)
4: EXT[0000015bb1dd2c50]: Preparing extension (SRP/12) for 'client hello'
4: EXT[0000015bb1dd2c50]: Preparing extension (Signature
Algorithms/13) for 'client hello'
4: EXT[0000015bb1dd2c50]: sent signature algo (4.1) RSA-SHA256
4: EXT[0000015bb1dd2c50]: sent signature algo (8.9) RSA-PSS-SHA256
4: EXT[0000015bb1dd2c50]: sent signature algo (8.4) RSA-PSS-RSAE-SHA256
4: EXT[0000015bb1dd2c50]: sent signature algo (4.3) ECDSA-SHA256
4: EXT[0000015bb1dd2c50]: sent signature algo (8.7) EdDSA-Ed25519
4: EXT[0000015bb1dd2c50]: sent signature algo (5.1) RSA-SHA384
4: EXT[0000015bb1dd2c50]: sent signature algo (8.10) RSA-PSS-SHA384
4: EXT[0000015bb1dd2c50]: sent signature algo (8.5) RSA-PSS-RSAE-SHA384
4: EXT[0000015bb1dd2c50]: sent signature algo (5.3) ECDSA-SHA384
4: EXT[0000015bb1dd2c50]: sent signature algo (8.8) EdDSA-Ed448
4: EXT[0000015bb1dd2c50]: sent signature algo (6.1) RSA-SHA512
4: EXT[0000015bb1dd2c50]: sent signature algo (8.11) RSA-PSS-SHA512
4: EXT[0000015bb1dd2c50]: sent signature algo (8.6) RSA-PSS-RSAE-SHA512
4: EXT[0000015bb1dd2c50]: sent signature algo (6.3) ECDSA-SHA512
4: EXT[0000015bb1dd2c50]: sent signature algo (2.1) RSA-SHA1
4: EXT[0000015bb1dd2c50]: sent signature algo (2.3) ECDSA-SHA1
4: EXT[0000015bb1dd2c50]: Sending extension Signature Algorithms/13 (34 bytes)
4: EXT[0000015bb1dd2c50]: Preparing extension (SRTP/14) for 'client hello'
4: EXT[0000015bb1dd2c50]: Preparing extension (Heartbeat/15) for 'client hello'
4: EXT[0000015bb1dd2c50]: Preparing extension (ALPN/16) for 'client hello'
4: EXT[0000015bb1dd2c50]: Preparing extension (Encrypt-then-MAC/22)
for 'client hello'
4: EXT[0000015bb1dd2c50]: Sending extension Encrypt-then-MAC/22 (0 bytes)
4: EXT[0000015bb1dd2c50]: Preparing extension (Extended Master
Secret/23) for 'client hello'
4: EXT[0000015bb1dd2c50]: Sending extension Extended Master Secret/23 (0 bytes)
4: EXT[0000015bb1dd2c50]: Preparing extension (Session Ticket/35) for
'client hello'
4: EXT[0000015bb1dd2c50]: Sending extension Session Ticket/35 (0 bytes)
4: EXT[0000015bb1dd2c50]: Preparing extension (Key Share/51) for 'client hello'
4: EXT[0000015bb1dd2c50]: sending key share for SECP256R1
4: EXT[0000015bb1dd2c50]: sending key share for X25519
4: EXT[0000015bb1dd2c50]: Sending extension Key Share/51 (107 bytes)
4: EXT[0000015bb1dd2c50]: Preparing extension (Supported Versions/43)
for 'client hello'
2: Advertizing version 3.4
2: Advertizing version 3.3
2: Advertizing version 3.2
2: Advertizing version 3.1
4: EXT[0000015bb1dd2c50]: Sending extension Supported Versions/43 (9 bytes)
4: EXT[0000015bb1dd2c50]: Preparing extension (Post Handshake Auth/49)
for 'client hello'
4: EXT[0000015bb1dd2c50]: Preparing extension (Safe
Renegotiation/65281) for 'client hello'
4: EXT[0000015bb1dd2c50]: Sending extension Safe Renegotiation/65281 (1 bytes)
4: EXT[0000015bb1dd2c50]: Preparing extension (Server Name
Indication/0) for 'client hello'
4: EXT[0000015bb1dd2c50]: Preparing extension (Cookie/44) for 'client hello'
4: EXT[0000015bb1dd2c50]: Preparing extension (Early Data/42) for 'client hello'
4: EXT[0000015bb1dd2c50]: Preparing extension (PSK Key Exchange
Modes/45) for 'client hello'
4: EXT[0000015bb1dd2c50]: Sending extension PSK Key Exchange Modes/45 (3 bytes)
4: EXT[0000015bb1dd2c50]: Preparing extension (Record Size Limit/28)
for 'client hello'
4: EXT[0000015bb1dd2c50]: Sending extension Record Size Limit/28 (2 bytes)
4: EXT[0000015bb1dd2c50]: Preparing extension (Maximum Record Size/1)
for 'client hello'
4: EXT[0000015bb1dd2c50]: Preparing extension (Compress
Certificate/27) for 'client hello'
4: EXT[0000015bb1dd2c50]: Preparing extension (ClientHello Padding/21)
for 'client hello'
4: EXT[0000015bb1dd2c50]: Preparing extension (Pre Shared Key/41) for
'client hello'
4: HSK[0000015bb1dd2c50]: CLIENT HELLO was queued [343 bytes]
5: REC[0000015bb1dd2c50]: Preparing Packet Handshake(22) with length:
343 and min pad: 0
9: ENC[0000015bb1dd2c50]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
5: REC[0000015bb1dd2c50]: Sent Packet[1] Handshake(22) in epoch 0 and
length: 348
3: A3S:S EARSTS:E R.T.:/
....//g.n.u/tglnsu-t3l.s7-.37./7l.i7b//lbiubf/fbeurfsf.ecr[sg.ect[_gleats_tl_apsatc_kpeatc]k:e1t1]8:51
185
10: READ: Got 5 bytes from 00000161639bd170
10: READ: read 5 bytes from 00000161639bd170
10: RB: Have 0 bytes into buffer. Adding 5 bytes.
10: RB: Requested 5 bytes
5: REC[000001616d5f4020]: SSL 3.1 Handshake packet received. Epoch 0,
length: 343
5: REC[000001616d5f4020]: Expected Packet Handshake(22)
5: REC[000001616d5f4020]: Received Packet Handshake(22) with length: 343
10: READ: Got 343 bytes from 00000161639bd170
10: READ: read 343 bytes from 00000161639bd170
10: RB: Have 5 bytes into buffer. Adding 343 bytes.
10: RB: Requested 348 bytes
5: REC[000001616d5f4020]: Decrypted Packet[0] Handshake(22) with length: 343
4: HSK[000001616d5f4020]: CLIENT HELLO (1) was received. Length
339[339], frag offset 0, frag length: 339, sequence: 0
4: HSK[000001616d5f4020]: Client's version: 3.3
4: EXT[000001616d5f4020]: Parsing extension 'Supported Versions/43' (9 bytes)
4: EXT[000001616d5f4020]: Found version: 3.4
4: EXT[000001616d5f4020]: Found version: 3.3
4: EXT[000001616d5f4020]: Found version: 3.2
4: EXT[000001616d5f4020]: Found version: 3.1
4: EXT[000001616d5f4020]: Negotiated version: 3.4
4: EXT[000001616d5f4020]: Parsing extension 'Encrypt-then-MAC/22' (0 bytes)
4: EXT[000001616d5f4020]: Parsing extension 'Extended Master
Secret/23' (0 bytes)
4: EXT[000001616d5f4020]: Parsing extension 'Safe Renegotiation/65281' (1 bytes)
4: EXT[000001616d5f4020]: Parsing extension 'Record Size Limit/28' (2 bytes)
4: EXT[000001616d5f4020]: record_size_limit 16385 negotiated
4: EXT[000001616d5f4020]: Parsing extension 'Supported Groups/10' (22 bytes)
4: EXT[000001616d5f4020]: Received group SECP256R1 (0x17)
4: EXT[000001616d5f4020]: Received group SECP384R1 (0x18)
4: EXT[000001616d5f4020]: Received group SECP521R1 (0x19)
4: EXT[000001616d5f4020]: Received group X25519 (0x1d)
4: EXT[000001616d5f4020]: Received group X448 (0x1e)
4: EXT[000001616d5f4020]: Received group FFDHE2048 (0x100)
4: EXT[000001616d5f4020]: Received group FFDHE3072 (0x101)
4: EXT[000001616d5f4020]: Received group FFDHE4096 (0x102)
4: EXT[000001616d5f4020]: Received group FFDHE6144 (0x103)
4: EXT[000001616d5f4020]: Received group FFDHE8192 (0x104)
4: EXT[000001616d5f4020]: Selected group SECP256R1
4: EXT[000001616d5f4020]: Parsing extension 'Supported EC Point
Formats/11' (2 bytes)
4: EXT[000001616d5f4020]: Parsing extension 'Signature Algorithms/13' (34 bytes)
4: EXT[000001616d5f4020]: rcvd signature algo (4.1) RSA-SHA256
4: EXT[000001616d5f4020]: rcvd signature algo (8.9) RSA-PSS-SHA256
4: EXT[000001616d5f4020]: rcvd signature algo (8.4) RSA-PSS-RSAE-SHA256
4: EXT[000001616d5f4020]: rcvd signature algo (4.3) ECDSA-SECP256R1-SHA256
4: EXT[000001616d5f4020]: rcvd signature algo (8.7) EdDSA-Ed25519
4: EXT[000001616d5f4020]: rcvd signature algo (5.1) RSA-SHA384
4: EXT[000001616d5f4020]: rcvd signature algo (8.10) RSA-PSS-SHA384
4: EXT[000001616d5f4020]: rcvd signature algo (8.5) RSA-PSS-RSAE-SHA384
4: EXT[000001616d5f4020]: rcvd signature algo (5.3) ECDSA-SECP384R1-SHA384
4: EXT[000001616d5f4020]: rcvd signature algo (8.8) EdDSA-Ed448
4: EXT[000001616d5f4020]: rcvd signature algo (6.1) RSA-SHA512
4: EXT[000001616d5f4020]: rcvd signature algo (8.11) RSA-PSS-SHA512
4: EXT[000001616d5f4020]: rcvd signature algo (8.6) RSA-PSS-RSAE-SHA512
4: EXT[000001616d5f4020]: rcvd signature algo (6.3) ECDSA-SECP521R1-SHA512
4: EXT[000001616d5f4020]: rcvd signature algo (2.1) RSA-SHA1
4: EXT[000001616d5f4020]: rcvd signature algo (2.3) ECDSA-SHA1
4: EXT[000001616d5f4020]: Parsing extension 'Session Ticket/35' (0 bytes)
4: EXT[000001616d5f4020]: Parsing extension 'PSK Key Exchange
Modes/45' (3 bytes)
4: EXT[000001616d5f4020]: PSK KE mode 01 received
4: EXT[000001616d5f4020]: PSK KE mode 00 received
2: checking 13.02 (GNUTLS_AES_256_GCM_SHA384) for compatibility
3: ASSERT: ../../../gnutls-3.7.7/lib/auth/cert.c[_gnutls_select_server_cert]:1622
4: HSK[000001616d5f4020]: Selected cipher suite: GNUTLS_AES_256_GCM_SHA384
4: HSK[000001616d5f4020]: Selected version TLS1.3
4: EXT[000001616d5f4020]: Parsing extension 'Key Share/51' (107 bytes)
4: EXT[000001616d5f4020]: Received key share for SECP256R1
4: HSK[000001616d5f4020]: Selected group SECP256R1 (2)
2: EXT[000001616d5f4020]: server generated SECP256R1 shared key
4: HSK[000001616d5f4020]: Safe renegotiation succeeded
4: HSK[000001616d5f4020]: SessionID:
746d784844566d638ffa314a9b00c72d2d0ad0cfdd83ae6623c36fa21e3dfc94
4: EXT[000001616d5f4020]: Not sending extension (OCSP Status
Request/5) for 'TLS 1.3 server hello'
4: EXT[000001616d5f4020]: Not sending extension (Client Certificate
Type/19) for 'TLS 1.3 server hello'
4: EXT[000001616d5f4020]: Not sending extension (Server Certificate
Type/20) for 'TLS 1.3 server hello'
4: EXT[000001616d5f4020]: Not sending extension (Supported Groups/10)
for 'TLS 1.3 server hello'
4: EXT[000001616d5f4020]: Not sending extension (Supported EC Point
Formats/11) for 'TLS 1.3 server hello'
4: EXT[000001616d5f4020]: Not sending extension (SRP/12) for 'TLS 1.3
server hello'
4: EXT[000001616d5f4020]: Not sending extension (Signature
Algorithms/13) for 'TLS 1.3 server hello'
4: EXT[000001616d5f4020]: Not sending extension (SRTP/14) for 'TLS 1.3
server hello'
4: EXT[000001616d5f4020]: Not sending extension (Heartbeat/15) for
'TLS 1.3 server hello'
4: EXT[000001616d5f4020]: Not sending extension (ALPN/16) for 'TLS 1.3
server hello'
4: EXT[000001616d5f4020]: Not sending extension (Encrypt-then-MAC/22)
for 'TLS 1.3 server hello'
4: EXT[000001616d5f4020]: Not sending extension (Extended Master
Secret/23) for 'TLS 1.3 server hello'
4: EXT[000001616d5f4020]: Not sending extension (Session Ticket/35)
for 'TLS 1.3 server hello'
4: EXT[000001616d5f4020]: Preparing extension (Key Share/51) for 'TLS
1.3 server hello'
4: EXT[000001616d5f4020]: sending key share for SECP256R1
4: EXT[000001616d5f4020]: Sending extension Key Share/51 (69 bytes)
4: EXT[000001616d5f4020]: Preparing extension (Supported Versions/43)
for 'TLS 1.3 server hello'
4: EXT[000001616d5f4020]: Sending extension Supported Versions/43 (2 bytes)
4: EXT[000001616d5f4020]: Not sending extension (Post Handshake
Auth/49) for 'TLS 1.3 server hello'
4: EXT[000001616d5f4020]: Not sending extension (Safe
Renegotiation/65281) for 'TLS 1.3 server hello'
4: EXT[000001616d5f4020]: Not sending extension (Server Name
Indication/0) for 'TLS 1.3 server hello'
4: EXT[000001616d5f4020]: Not sending extension (Cookie/44) for 'TLS
1.3 server hello'
4: EXT[000001616d5f4020]: Not sending extension (Early Data/42) for
'TLS 1.3 server hello'
4: EXT[000001616d5f4020]: Preparing extension (PSK Key Exchange
Modes/45) for 'TLS 1.3 server hello'
4: EXT[000001616d5f4020]: Not sending extension (Record Size Limit/28)
for 'TLS 1.3 server hello'
4: EXT[000001616d5f4020]: Not sending extension (Maximum Record
Size/1) for 'TLS 1.3 server hello'
4: EXT[000001616d5f4020]: Preparing extension (Compress
Certificate/27) for 'TLS 1.3 server hello'
4: EXT[000001616d5f4020]: Not sending extension (ClientHello
Padding/21) for 'TLS 1.3 server hello'
4: EXT[000001616d5f4020]: Preparing extension (Pre Shared Key/41) for
'TLS 1.3 server hello'
4: HSK[000001616d5f4020]: SERVER HELLO was queued [155 bytes]
5: REC[000001616d5f4020]: Preparing Packet Handshake(22) with length:
155 and min pad: 0
9: ENC[000001616d5f4020]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
5: REC[000001616d5f4020]: Sent Packet[1] Handshake(22) in epoch 0 and
length: 160
5: REC[000001616d5f4020]: Preparing Packet ChangeCipherSpec(20) with
length: 1 and min pad: 0
9: ENC[000001616d5f4020]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
5: REC[000001616d5f4020]: Sent Packet[2] ChangeCipherSpec(20) in epoch
0 and length: 6
41:0 :R ERCE[A0D00:0 0G1o6t1 65d 5bfy4t0e2s0 ]f:r oSme n0t0
0C0h0a1n5gbefCdi2pah3eeraS0p
e1c0
: RE5:A DR:E Cr[e0a0d0 050 1b6y1t6eds5 ff4r0o2m0 ]0:0
0I0n0i1t5ibafldi2zai3nega 0e
p10o:c hR B#:1
Have 09 :b yItNeTs: iCnLtIoE NbTu fWfReIrT.E AKdEdYi n[g3 25] :b y7tbe4s4.8
d1b05:0 R3Be:4 5Rbedq7u7ebsbt6e4d0 053 8b7y1t1e1s0
df51:0 6R2EcC0[50a010c050e1959b6b211dfdd20c2520d]3:8 5S2S0L7 232.c3
9H:a nIdNsTh:a kSeE RpVaEcRk eWtR IrTeEc eKiEvYe d[.3 2E]p:o cdh7
d0c,b7 0lce7ncgft1hb:2 7165e52
ef50:d cR8E9C8[a0e06040a061e53bfb510d2d225c15402]8:7 7E3x1pbeec5tbefd0
dP1a5c7kee9t5 5H9aan
d9:s hIaNkTe:( 2C2L)I
EN5T: WRREICT[E0 0I0V0 0[1152b]b:1 d6dd2fc55004]6:7 cR0e5c9edi0v3e1d3
5Pca7cck8eft4
H9a:n dIsNhTa:k eS(E2R2V)E Rw iWtRhI TlEe nIgVt h[:1 21]5:5
e8d1e0a:7 8R1E0A9De:d 6Geobt4 a135c58 0b7yat1e
s 5f:r oRm E0C0[0000001050b1f6d126ad35efa400
2100]:: REEpAoDc:h r#e1a dr e1a5d5y
byt4e:s HfSrKo[m0 000000001061156bdf5df24a032e0a]0:
1T0L:S R1B.:3 Hraev-ek e5y bwyittehs ciinpthoe rb usfufietre.:
AGdNdUiTnLgS _1A5E5S _b2y5t6e_GsC.M
_1S0H:A 3R8B4:
R4e:q uEeXsTt[e0d0 0106001 6b1y6tde5sf
4052:0 ]R:E CN[o0t0 0s0e0n1d5ibnbg1 dedx2tce5n0s]i:o nD e(cOrCySpPt
eSdt aPtaucsk eRte[q0u]e sHta/n5d)s hfaokre ('2e2n)c rwyiptthe dl
eenxgttehn:s i1o5n5s
'
44:: HESXKT[[00000000001156b1b61dd5df24c05200]]:: SPErReVpEaRr iHnEgL
LeOx t(e2n)s iwoans (rCelcieeinvte dC.e rLteinfgitcha t1e5
1T[y1p5e1/]1,9 )f rfaogr o'fefnscerty p0t,e df reaxgt elnesnigotnhs:'
145:1 ,E XsTe[q0u0e0n0c0e1:6 106
d35:f 4A0S2S0E]R:T :P r.e.p/a.r.i/nggn uetxltse-n3s.i7o.n7
/(lSiebr/vbeurf fCeerrst.icf[igceatt_el aTsytp_ep/a2c0k)e tf]o:r
1'1e7n6c
r3y:p tAeSdS EeRxTt:e n.s.i/o.n.s/'g
nu4t:l sE-X3T.[70.070/0l0i1b6/1b6udf5ffe4r0s2.0c][:_
gPnruetplasr_ihnagn desxhtaeknes_iioon_ r(eScuvp_pionrtt]e:d1 4G2r8o
u4p:s /H1S0K)[ 0f0o0r0 0'1e5nbcbr1ydpdt2ecd5 0e]x:t eSnesrivoenrs''s
4v:e rEsXiTo[n0:0 030.031
6146:d 5EfX4T0[2000]0:0 0N1o5tb bs1edndd2icn5g0 ]e:x tPeanrssiionng
(eSxutpepnosritoend 'ESCu pPpooirntte dF oVremrastiso/n1s1/)4 3f'o r(
2' ebnyctreysp)t
e4d: eExXtTe[n0s0i0o0n0s1'5
bb41:d dE2XcT5[00]0:0 0N0e1g6o1t6ida5tfe4d0 2v0e]r:s iNoont: s3e.n4d
i4:n gH SeKx[t0e0n0s0i0o1n5 b(bS1RdPd/21c25)0 ]f:o rS e'leencctreydp
tceidp heexrt esnusiitoen:s 'G
N4U:T LESX_TA[E0S0_0205061_6G1C6Md_5SfH4A032804]
:4 :No tE XsTe[n0d0i0n0g0 1e5xbtbe1ndsdi2ocn5 0(]S:i gPnaartsuirneg
Aelxgtoernistihomns /'1K3e)y fSohra r'ee/n5c1r'y p(t6e9d beyxtteesn)s
i4o:n sH'S
K4[:0 0E0X0T0[1050b0b010d1d621c65d05]f:4 0S2e0l]e:c tPerd egpraoruipn
gS EeCxPt2e5n6sRi1o n( 2()S
RTP/14)2 :f oErX T'[e0n0c0r0y0p1t5ebdb 1edxdt2ecn5s0i]o:n sc'l
i4e:n tE XgTe[n0e0r0a0t0e1d6 1S6EdC5Pf245062R01] :s hParreepda rkienyg
ext5e:n sRiEoCn[ 0(0H0e0a0r1t5bbeba1td/d125c)5 0f]o:r
P'reenpcarryipntge dP aecxkteetn sCihoannsg'e
Ci4p:h eErXSTp[e0c0(02000)1 6w1i6tdh5 fl4e0n2g0t]h:: P1r eapnadr
imnign epxatde:n s0i
on 9(:A LEPNNC/[1060)0 0f0o1r5 b'be1ndcdr2ycp5t0e]d: ecxitpehnesri:o nNsU'L
L4,: MEAXTC[:0 0M0A0C0-1N6U1L6Ld,5 fE4p0o2c0h]:: 0N
ot5 :s eRnEdCi[n0g0 0e0x0t1e5nbsbi1odnd 2(cE5n0c]r:y pSte-ntth
ePna-cMkAeCt/[222]) Cfhoarn g'eeCnicprhyeprtSepde ce(x2t0e)n siino
nesp'o
ch4 :0 EaXnTd[ 0l0e0n0g0t1h6:1 66d
5f4042:0 ]R:E CN[o0t0 0s0e0n1d5ibnbg1 dedx2tce5n0s]i:o nS e(nEtx
tCehnadnegde CMiapshteerrS pSeecc
ret/52:3 )R EfCo[r0 0'0e0n0c1r5ybpbt1eddd 2ecx5t0e]n:s iIonnist'i
a4l:i zEiXnTg[ 0e0p0o0c0h1 6#116
d59f:4 0I2N0T]:: CNLoItE NsTe nWdRiInTgE eKxEtYe n[s3i2o]n:
(7Sbe4s4s8idobn5 0T3iec4k5ebd7t7/b3b56)4 0f0o3r8 7'1e1n1c0rdyfp1t0e6d2
ce0x5tae1ncs5ieo9n9s6'2
1fd40:2 2EdX3T8[502000702021c6
169d:5f 4I0N2T0:] :S ENRoVtE Rs eWnRdIiTnEg KeExYt e[n3s2i]o:n
d(7Kdecyb 7S0hca7rcef/15b12)7 6feo2re f'0edncc8r9y8patee6d4
ae6xet3efn5s0i2o2n5s1'4
248:7 7E3X1Tb[e050b0f000d115671e69d555f94a0
209:] :I Not NsTe:n dCiLnIgE NeTx tWeRnIsTiEo nI V( S[u1p2p]o:r t6eddf
5V0e4r6s7ico0n5s9/d4033)1 3f5ocr7 c'8efn4c
ry9p:t eIdN Te:x tSeEnsioRnVsE'R
W4R:I TEEX TI[V0 0[01020]1:6 1e68dd5efa47082100]9:e dN6oetb 4sae3ncd8i0n7ga 1e
x5t:e nRsEiCo[n0 0(0P0o0s1t5 bHba1nddds2hca5k0e] :A uEtpho/c4h9 )# 1f
orre a'deyn
c4r:y pHtSeKd[ 0e0x0t0e0n1s5ibobn1sd'd
24c:5 0]E:X TT[L0S0 010.031 6r1e6-dk5efy4 0w2i0t]h: cNiopth esre
nsduiintge :e xGtNeUnTsLiSo_nA E(SS_a2f5e6 _RGeCnMe_gSoHtAi3a8t4i
o3n:/ 6A5S2S8E1R)T :f o.r. /'.e.n/cgrnyupttlesd- 3e.x7t.e7n/sliiobn/sb'u
f4f:e rEsX.Tc[[0g0e0t0_0l1a6s1t6_pda5cfk4e0t2]0:]1:1 8P5r
ep1a0r:i nRgE AeDx:t eGnosti o5n b(ySteersv efrr oNma m0e0
0I0n0d1i5cbaftdi2oan3/e0a)0
f1o0r: 'ReEnAcDr:y prteeadd e5x tbeyntseiso nfsr'o
m4 :0 0E0X0T0[1050b0f0d021a631e6ad05
f1400:2 0R]B:: NHoatv es e0n dbiyntge se xitnetnos ibounf f(eCro.o
kAided/i4n4g) 5f obry t'eesn.c
r1y0p:t eRdB :e xRteeqnuseisotnesd'
54 :b yEtXeTs[
050:0 0R0E1C6[1060d050f041052b0]b:1 dPdr2ecp5a0r]i:n gS SeLx t3e.n3s
iCohna n(gEeaCrilpyh eDraStpae/c4 2p)a cfkoert 'reencceriyvpetde.d
Eepxotcehn s1i,o nlse'n
g4t:h :E X1T
[50:0 0R0E0C1[601060d050f1450b2b01]d:d 2Nco5t0 ]s:e nEdxipnegc teexdt
ePnascikoent (HPaSnKd sKheayk eE(x2c2h)a
n5g:e RMEoCd[e0s0/04050)1 5fbobr1 d'de2ncc5r0y]p:t eRde ceexitveends iPoancsk'e
t4 :C hEaXnTg[e0C0i0p0h0e1r6S1p6edc5(f2400)2 0w]i:t hP rleepnagrtihn:g 1e
xt1e0n:s iRoEnA D(:R eGcootr d1 Sbiyztee sL ifmriotm/ 2080)0 0f0o1r5
b'fedn2car3yepat0e
d1 0e:x tReEnAsDi:o nrse'a
d4 :1 EbXyTt[e0s0 0f0r0o1m6 1060d050f041052b0f]d:2 aS3eenad0i
n1g0 :e xRtBe:n sHiaovne R5e cboyrtde sS iiznet oL ibmuiftf/e2r8. (A2d
dbiyntge s1)
byt4e:s .E
XT1[00:0 0R0B0:1 6R1e6qdu5efs4t0e2d0 ]6: bPyrteepsa
ri1n0g: edxitsecnasridoinn g( Mcahxainmguem cRiepchoerrd sSpiezce
/i1n) TfLoSr1 .'3e
ncrypted extensions'
4: EXT[000001616d5f4020]: Not sending extension (Compress
Certificate/27) for 'encrypted extensions'
4: EXT[000001616d5f4020]: Not sending extension (ClientHello
Padding/21) for 'encrypted extensions'
4: EXT[000001616d5f4020]: Not sending extension (Pre Shared Key/41)
for 'encrypted extensions'
4: HSK[000001616d5f4020]: ENCRYPTED EXTENSIONS was queued [12 bytes]
3: ASSERT: ../../gnutls-3.7.7/lib/tls13/certificate.c[_gnutls13_send_certificate]:250
3: ASSERT: ../../gnutls-3.7.7/lib/handshake-tls13.c[_gnutls13_handshake_server]:440
qemu-system-x86_64: TLS handshake failed: Insufficient credentials for
that request.
5: REC[000001616d5f4020]: Start of epoch cleanup
5: REC[000001616d5f4020]: Epoch #0 freed
5: REC[000001616d5f4020]: End of epoch cleanup
5: REC[000001616d5f4020]: Epoch #1 freed
10: READ: -1 returned from 0000015bfd2a3ea0, errno=5 gerrno=0
3: ASSERT: ../../gnutls-3.7.7/lib/buffers.c[_gnutls_stream_read]:369
3: ASSERT: ../../gnutls-3.7.7/lib/buffers.c[_gnutls_io_read_buffered]:589
3: ASSERT: ../../gnutls-3.7.7/lib/record.c[recv_headers]:1195
3: ASSERT: ../../gnutls-3.7.7/lib/record.c[_gnutls_recv_in_buffers]:1321
3: ASSERT: ../../gnutls-3.7.7/lib/buffers.c[_gnutls_handshake_io_recv_int]:1467
3: ASSERT: ../../gnutls-3.7.7/lib/handshake.c[_gnutls_recv_handshake]:1600
3: ASSERT: ../../gnutls-3.7.7/lib/tls13/encrypted_extensions.c[_gnutls13_recv_encrypted_extensions]:37
3: ASSERT: ../../gnutls-3.7.7/lib/handshake-tls13.c[_gnutls13_handshake_client]:114
qemu-system-x86_64: TLS handshake failed: Error in the pull function.
5: REC[0000015bb1dd2c50]: Start of epoch cleanup
5: REC[0000015bb1dd2c50]: Epoch #0 freed
5: REC[0000015bb1dd2c50]: End of epoch cleanup
5: REC[0000015bb1dd2c50]: Epoch #1 freed
query-migrate shows failed migration: TLS handshake failed: Error in
the pull function.
**
ERROR:../tests/qtest/migration-helpers.c:151:migrate_query_not_failed:
assertion failed: (!g_str_equal(status, "failed"))
Bail out! ERROR:../tests/qtest/migration-helpers.c:151:migrate_query_not_failed:
assertion failed: (!g_str_equal(status, "failed"))

Regards,
Bin

Marc-André Lureau Sept. 22, 2022, 8:16 p.m. UTC | #6

Hi

On Tue, Sep 20, 2022 at 3:11 PM Bin Meng <bmeng.cn@gmail.com> wrote:

> From: Bin Meng <bin.meng@windriver.com>
>
> Some migration test cases use TLS to communicate, but they fail on
> Windows with the following error messages:
>
>   qemu-system-x86_64: TLS handshake failed: Insufficient credentials for
> that request.
>   qemu-system-x86_64: TLS handshake failed: Error in the pull function.
>   query-migrate shows failed migration: TLS handshake failed: Error in the
> pull function.
>
> Disable them temporarily.
>
>
You might find a better solution for this issue with Daniel help,
nevertheless when disabling a test that can compile on the platform, please
prefer g_test_skip() usage instead. That way, we make sure the code still
compiles and we get some log in the tests :) thanks


> Signed-off-by: Bin Meng <bin.meng@windriver.com>
> ---
> I am not familar with the gnutls and simply enabling the gnutls debug
> output does not give me an immedidate hint on why it's failing on
> Windows. Disable these cases for now until someone or maintainers
> who may want to test this on Windows.
>
> (no changes since v1)
>
>  tests/qtest/migration-test.c | 14 ++++++++++++++
>  1 file changed, 14 insertions(+)
>
> diff --git a/tests/qtest/migration-test.c b/tests/qtest/migration-test.c
> index aedd9ddb72..dbee9b528a 100644
> --- a/tests/qtest/migration-test.c
> +++ b/tests/qtest/migration-test.c
> @@ -1403,6 +1403,7 @@ static void test_precopy_unix_dirty_ring(void)
>  }
>
>  #ifdef CONFIG_GNUTLS
> +#ifndef _WIN32
>  static void test_precopy_unix_tls_psk(void)
>  {
>      g_autofree char *uri = g_strdup_printf("unix:%s/migsocket", tmpfs);
> @@ -1415,6 +1416,7 @@ static void test_precopy_unix_tls_psk(void)
>
>      test_precopy_common(&args);
>  }
> +#endif /* _WIN32 */
>
>  #ifdef CONFIG_TASN1
>  static void test_precopy_unix_tls_x509_default_host(void)
> @@ -1523,6 +1525,7 @@ static void test_precopy_tcp_plain(void)
>  }
>
>  #ifdef CONFIG_GNUTLS
> +#ifndef _WIN32
>  static void test_precopy_tcp_tls_psk_match(void)
>  {
>      MigrateCommon args = {
> @@ -1533,6 +1536,7 @@ static void test_precopy_tcp_tls_psk_match(void)
>
>      test_precopy_common(&args);
>  }
> +#endif /* _WIN32 */
>
>  static void test_precopy_tcp_tls_psk_mismatch(void)
>  {
> @@ -1930,6 +1934,7 @@ static void test_multifd_tcp_zstd(void)
>  #endif
>
>  #ifdef CONFIG_GNUTLS
> +#ifndef _WIN32
>  static void *
>  test_migrate_multifd_tcp_tls_psk_start_match(QTestState *from,
>                                               QTestState *to)
> @@ -1937,6 +1942,7 @@
> test_migrate_multifd_tcp_tls_psk_start_match(QTestState *from,
>      test_migrate_precopy_tcp_multifd_start_common(from, to, "none");
>      return test_migrate_tls_psk_start_match(from, to);
>  }
> +#endif /* _WIN32 */
>
>  static void *
>  test_migrate_multifd_tcp_tls_psk_start_mismatch(QTestState *from,
> @@ -1988,6 +1994,7 @@
> test_migrate_multifd_tls_x509_start_reject_anon_client(QTestState *from,
>  }
>  #endif /* CONFIG_TASN1 */
>
> +#ifndef _WIN32
>  static void test_multifd_tcp_tls_psk_match(void)
>  {
>      MigrateCommon args = {
> @@ -1997,6 +2004,7 @@ static void test_multifd_tcp_tls_psk_match(void)
>      };
>      test_precopy_common(&args);
>  }
> +#endif /* _WIN32 */
>
>  static void test_multifd_tcp_tls_psk_mismatch(void)
>  {
> @@ -2497,8 +2505,10 @@ int main(int argc, char **argv)
>      qtest_add_func("/migration/precopy/unix/plain",
> test_precopy_unix_plain);
>      qtest_add_func("/migration/precopy/unix/xbzrle",
> test_precopy_unix_xbzrle);
>  #ifdef CONFIG_GNUTLS
> +#ifndef _WIN32
>      qtest_add_func("/migration/precopy/unix/tls/psk",
>                     test_precopy_unix_tls_psk);
> +#endif
>
>      if (has_uffd) {
>          /*
> @@ -2524,8 +2534,10 @@ int main(int argc, char **argv)
>
>      qtest_add_func("/migration/precopy/tcp/plain",
> test_precopy_tcp_plain);
>  #ifdef CONFIG_GNUTLS
> +#ifndef _WIN32
>      qtest_add_func("/migration/precopy/tcp/tls/psk/match",
>                     test_precopy_tcp_tls_psk_match);
> +#endif
>      qtest_add_func("/migration/precopy/tcp/tls/psk/mismatch",
>                     test_precopy_tcp_tls_psk_mismatch);
>  #ifdef CONFIG_TASN1
> @@ -2569,8 +2581,10 @@ int main(int argc, char **argv)
>                     test_multifd_tcp_zstd);
>  #endif
>  #ifdef CONFIG_GNUTLS
> +#ifndef _WIN32
>      qtest_add_func("/migration/multifd/tcp/tls/psk/match",
>                     test_multifd_tcp_tls_psk_match);
> +#endif
>      qtest_add_func("/migration/multifd/tcp/tls/psk/mismatch",
>                     test_multifd_tcp_tls_psk_mismatch);
>  #ifdef CONFIG_TASN1
> --
> 2.34.1
>
>
>

Daniel P. Berrangé Sept. 27, 2022, 3:40 p.m. UTC | #7

On Thu, Sep 22, 2022 at 07:54:05PM +0800, Bin Meng wrote:
> On Thu, Sep 22, 2022 at 6:39 PM Daniel P. Berrangé <berrange@redhat.com> wrote:
> >
> > On Thu, Sep 22, 2022 at 10:47:26AM +0800, Bin Meng wrote:
> > > On Thu, Sep 22, 2022 at 1:23 AM Daniel P. Berrangé <berrange@redhat.com> wrote:
> > > >
> > > > On Wed, Sep 21, 2022 at 05:51:33PM +0100, Dr. David Alan Gilbert wrote:
> > > > > * Bin Meng (bmeng.cn@gmail.com) wrote:
> > > > > > From: Bin Meng <bin.meng@windriver.com>
> > > > > >
> > > > > > Some migration test cases use TLS to communicate, but they fail on
> > > > > > Windows with the following error messages:
> > > > > >
> > > > > >   qemu-system-x86_64: TLS handshake failed: Insufficient credentials for that request.
> > > > > >   qemu-system-x86_64: TLS handshake failed: Error in the pull function.
> > > > > >   query-migrate shows failed migration: TLS handshake failed: Error in the pull function.
> > > > > >
> > > > > > Disable them temporarily.
> > > > > >
> > > > > > Signed-off-by: Bin Meng <bin.meng@windriver.com>
> > > > > > ---
> > > > > > I am not familar with the gnutls and simply enabling the gnutls debug
> > > > > > output does not give me an immedidate hint on why it's failing on
> > > > > > Windows. Disable these cases for now until someone or maintainers
> > > > > > who may want to test this on Windows.
> > > > >
> > > > > Copying in Dan Berrange, he's our expert on weird TLS failures.
> > > >
> > > > Seems to match this:
> > > >
> > > >    https://gnutls.org/faq.html#key-usage-violation2
> > > >
> > > > which suggests we have a configuration mis-match.
> > > >
> > > > I'm surprised to see you are only needing to disable the TLS PSK tests,
> > > > not the TLS x509 tests.
> > >
> > > The TLS x509 qtests all passed.
> > >
> > > >
> > > > I'd like to know if tests/unit/test-crypto-tlssession passes.
> > >
> > > These unit tests currently are not built on Windows as they simply
> > > don't build due to usage of socketpair().
> >
> > Doh, yes, that's rather annoying, as debugging this problem in the
> > unit tests would be easier than in qtests.
> >
> > > > If so, it might suggest we are missing 'priority: NORMAL' property
> > > > when configuring TLS creds for the migration test.
> > >
> > > I did the following changes but the error is still the same:
> >
> > >
> > > diff --git a/tests/qtest/migration-test.c b/tests/qtest/migration-test.c
> > > index dbee9b528a..c1e3f11873 100644
> > > --- a/tests/qtest/migration-test.c
> > > +++ b/tests/qtest/migration-test.c
> > > @@ -788,7 +788,8 @@ test_migrate_tls_psk_start_common(QTestState *from,
> > > " 'id': 'tlscredspsk0',"
> > > " 'endpoint': 'client',"
> > > " 'dir': %s,"
> > > - " 'username': 'qemu'} }",
> > > + " 'username': 'qemu',"
> > > + " 'priority': 'NORMAL'} }",
> > > data->workdir);
> > > qobject_unref(rsp);
> > > @@ -797,7 +798,8 @@ test_migrate_tls_psk_start_common(QTestState *from,
> > > " 'arguments': { 'qom-type': 'tls-creds-psk',"
> > > " 'id': 'tlscredspsk0',"
> > > " 'endpoint': 'server',"
> > > - " 'dir': %s } }",
> > > + " 'dir': %s,"
> > > + " 'priority': 'NORMAL'} }",
> > > mismatch ? data->workdiralt : data->workdir);
> > > qobject_unref(rsp);
> > >
> > > I am not sure whether I did the right changes.
> >
> >
> > That ought to have been sufficient, if priority strings were the
> > problem.
> >
> >
> > I think we'd need the debug output from gnutls - could you edit crypto/init.c
> > and uncomment the '#define DEBUG_GNUTLS' line near the top.
> >
> > If you can post the output you get from a single migration-test test case
> > involving PSK, it might be enough to diagnose why gnutls is failing.
> >
> 
> Here is the output:
> 
> # Start of tls tests
> # starting QEMU: ./qemu-system-x86_64 -qtest
> unix:D:\msys64\tmp/qtest-18480.sock -qtest-log nul -chardev
> socket,path=D:\msys64\tmp/qtest-18480.qmp,id=char0 -mon
> chardev=char0,mode=control -display none -accel kvm -accel t
> cg -name source,debug-threads=on -m 150M -serial
> file:D:\msys64\tmp\migration-test-A5WJS1/src_serial -drive
> file=D:\msys64\tmp\migration-test-A5WJS1/bootsect,format=raw -accel
> qtest
> qemu: thread naming not supported on this host
> # starting QEMU: ./qemu-system-x86_64 -qtest
> unix:D:\msys64\tmp/qtest-18480.sock -qtest-log nul -chardev
> socket,path=D:\msys64\tmp/qtest-18480.qmp,id=char0 -mon
> chardev=char0,mode=control -display none -accel kvm -accel t
> cg -name target,debug-threads=on -m 150M -serial
> file:D:\msys64\tmp\migration-test-A5WJS1/dest_serial -incoming
> unix:D:\msys64\tmp\migration-test-A5WJS1/migsocket -drive
> file=D:\msys64\tmp\migration-test-A5WJS1/bootsect,f
> ormat=raw -accel qtest

Comparing to running the same test on my machine.....

> 4: EXT[0000015bb1dd2c50]: Sending extension Supported Versions/43 (9 bytes)
> 4: EXT[0000015bb1dd2c50]: Preparing extension (Post Handshake Auth/49)
> for 'client hello'
> 4: EXT[0000015bb1dd2c50]: Preparing extension (Safe
> Renegotiation/65281) for 'client hello'
> 4: EXT[0000015bb1dd2c50]: Sending extension Safe Renegotiation/65281 (1 bytes)
> 4: EXT[0000015bb1dd2c50]: Preparing extension (Server Name
> Indication/0) for 'client hello'
> 4: EXT[0000015bb1dd2c50]: Preparing extension (Cookie/44) for 'client hello'
> 4: EXT[0000015bb1dd2c50]: Preparing extension (Early Data/42) for 'client hello'
> 4: EXT[0000015bb1dd2c50]: Preparing extension (PSK Key Exchange
> Modes/45) for 'client hello'
> 4: EXT[0000015bb1dd2c50]: Sending extension PSK Key Exchange Modes/45 (3 bytes)
> 4: EXT[0000015bb1dd2c50]: Preparing extension (Record Size Limit/28)
> for 'client hello'
> 4: EXT[0000015bb1dd2c50]: Sending extension Record Size Limit/28 (2 bytes)
> 4: EXT[0000015bb1dd2c50]: Preparing extension (Maximum Record Size/1)
> for 'client hello'
> 4: EXT[0000015bb1dd2c50]: Preparing extension (Compress
> Certificate/27) for 'client hello'
> 4: EXT[0000015bb1dd2c50]: Preparing extension (ClientHello Padding/21)
> for 'client hello'
> 4: EXT[0000015bb1dd2c50]: Preparing extension (Pre Shared Key/41) for
> 'client hello'

Right here is missing two items:

  4: EXT[0x55bd0c660d30]: sent PSK identity 'qemu' (0)
  4: EXT[0x55bd0c660d30]: Sending extension Pre Shared Key/41 (47 bytes)

So it appears the client is not sendnig the PSK credentials

> 4: HSK[0000015bb1dd2c50]: CLIENT HELLO was queued [343 bytes]
> 5: REC[0000015bb1dd2c50]: Preparing Packet Handshake(22) with length:
> 343 and min pad: 0
> 9: ENC[0000015bb1dd2c50]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
> 5: REC[0000015bb1dd2c50]: Sent Packet[1] Handshake(22) in epoch 0 and
> length: 348

I believe there are probably two issues - first we're igonring the
return value of gnutls_psk_set_client_credentials() and I have a feeling
that is reporting an error. Second, when we write the PSK credentials out
to disk, we're not using binary mode, so I think UNIX line endings are
getting turned into  DOS line endings, and when we later load the PSK
credentials there's a stray \r present  that probably breaks
gnutls_psk_set_client_credentials.

Could you try this patch and see if it makes the PSK tests work for
migration-test:

diff --git a/crypto/tlscredspsk.c b/crypto/tlscredspsk.c
index a4f9891274..546cad1c5a 100644
--- a/crypto/tlscredspsk.c
+++ b/crypto/tlscredspsk.c
@@ -109,7 +109,12 @@ qcrypto_tls_creds_psk_load(QCryptoTLSCredsPSK *creds,
             goto cleanup;
         }
 
-        gnutls_psk_set_server_credentials_file(creds->data.server, pskfile);
+        ret = gnutls_psk_set_server_credentials_file(creds->data.server, pskfile);
+        if (ret < 0) {
+            error_setg(errp, "Cannot set PSK server credentials: %s",
+                       gnutls_strerror(ret));
+            goto cleanup;
+        }
         gnutls_psk_set_server_dh_params(creds->data.server,
                                         creds->parent_obj.dh_params);
     } else {
@@ -135,8 +140,13 @@ qcrypto_tls_creds_psk_load(QCryptoTLSCredsPSK *creds,
             goto cleanup;
         }
 
-        gnutls_psk_set_client_credentials(creds->data.client,
-                                          username, &key, GNUTLS_PSK_KEY_HEX);
+        ret = gnutls_psk_set_client_credentials(creds->data.client,
+                                                username, &key, GNUTLS_PSK_KEY_HEX);
+        if (ret < 0) {
+            error_setg(errp, "Cannot set PSK client credentials: %s",
+                       gnutls_strerror(ret));
+            goto cleanup;
+        }
     }
 
     rv = 0;
diff --git a/tests/unit/crypto-tls-psk-helpers.c b/tests/unit/crypto-tls-psk-helpers.c
index 511e08cc9c..c6cc740772 100644
--- a/tests/unit/crypto-tls-psk-helpers.c
+++ b/tests/unit/crypto-tls-psk-helpers.c
@@ -27,15 +27,14 @@
 static void
 test_tls_psk_init_common(const char *pskfile, const char *user, const char *key)
 {
-    FILE *fp;
+    g_autoptr(GError) gerr = NULL;
+    g_autofree char *line = g_strdup_printf("%s:%s\n", user, key);
 
-    fp = fopen(pskfile, "w");
-    if (fp == NULL) {
-        g_critical("Failed to create pskfile %s: %s", pskfile, strerror(errno));
+    g_file_set_contents(pskfile, line, strlen(line), &gerr);
+    if (gerr != NULL) {
+        g_critical("Failed to create pskfile %s: %s", pskfile, gerr->message);
         abort();
     }
-    fprintf(fp, "%s:%s\n", user, key);
-    fclose(fp);
 }
 
 void test_tls_psk_init(const char *pskfile)



With regards,
Daniel

Bin Meng Sept. 28, 2022, 6:03 a.m. UTC | #8

Hi Daniel,

On Tue, Sep 27, 2022 at 11:40 PM Daniel P. Berrangé <berrange@redhat.com> wrote:
>
> On Thu, Sep 22, 2022 at 07:54:05PM +0800, Bin Meng wrote:
> > On Thu, Sep 22, 2022 at 6:39 PM Daniel P. Berrangé <berrange@redhat.com> wrote:
> > >
> > > On Thu, Sep 22, 2022 at 10:47:26AM +0800, Bin Meng wrote:
> > > > On Thu, Sep 22, 2022 at 1:23 AM Daniel P. Berrangé <berrange@redhat.com> wrote:
> > > > >
> > > > > On Wed, Sep 21, 2022 at 05:51:33PM +0100, Dr. David Alan Gilbert wrote:
> > > > > > * Bin Meng (bmeng.cn@gmail.com) wrote:
> > > > > > > From: Bin Meng <bin.meng@windriver.com>
> > > > > > >
> > > > > > > Some migration test cases use TLS to communicate, but they fail on
> > > > > > > Windows with the following error messages:
> > > > > > >
> > > > > > >   qemu-system-x86_64: TLS handshake failed: Insufficient credentials for that request.
> > > > > > >   qemu-system-x86_64: TLS handshake failed: Error in the pull function.
> > > > > > >   query-migrate shows failed migration: TLS handshake failed: Error in the pull function.
> > > > > > >
> > > > > > > Disable them temporarily.
> > > > > > >
> > > > > > > Signed-off-by: Bin Meng <bin.meng@windriver.com>
> > > > > > > ---
> > > > > > > I am not familar with the gnutls and simply enabling the gnutls debug
> > > > > > > output does not give me an immedidate hint on why it's failing on
> > > > > > > Windows. Disable these cases for now until someone or maintainers
> > > > > > > who may want to test this on Windows.
> > > > > >
> > > > > > Copying in Dan Berrange, he's our expert on weird TLS failures.
> > > > >
> > > > > Seems to match this:
> > > > >
> > > > >    https://gnutls.org/faq.html#key-usage-violation2
> > > > >
> > > > > which suggests we have a configuration mis-match.
> > > > >
> > > > > I'm surprised to see you are only needing to disable the TLS PSK tests,
> > > > > not the TLS x509 tests.
> > > >
> > > > The TLS x509 qtests all passed.
> > > >
> > > > >
> > > > > I'd like to know if tests/unit/test-crypto-tlssession passes.
> > > >
> > > > These unit tests currently are not built on Windows as they simply
> > > > don't build due to usage of socketpair().
> > >
> > > Doh, yes, that's rather annoying, as debugging this problem in the
> > > unit tests would be easier than in qtests.
> > >
> > > > > If so, it might suggest we are missing 'priority: NORMAL' property
> > > > > when configuring TLS creds for the migration test.
> > > >
> > > > I did the following changes but the error is still the same:
> > >
> > > >
> > > > diff --git a/tests/qtest/migration-test.c b/tests/qtest/migration-test.c
> > > > index dbee9b528a..c1e3f11873 100644
> > > > --- a/tests/qtest/migration-test.c
> > > > +++ b/tests/qtest/migration-test.c
> > > > @@ -788,7 +788,8 @@ test_migrate_tls_psk_start_common(QTestState *from,
> > > > " 'id': 'tlscredspsk0',"
> > > > " 'endpoint': 'client',"
> > > > " 'dir': %s,"
> > > > - " 'username': 'qemu'} }",
> > > > + " 'username': 'qemu',"
> > > > + " 'priority': 'NORMAL'} }",
> > > > data->workdir);
> > > > qobject_unref(rsp);
> > > > @@ -797,7 +798,8 @@ test_migrate_tls_psk_start_common(QTestState *from,
> > > > " 'arguments': { 'qom-type': 'tls-creds-psk',"
> > > > " 'id': 'tlscredspsk0',"
> > > > " 'endpoint': 'server',"
> > > > - " 'dir': %s } }",
> > > > + " 'dir': %s,"
> > > > + " 'priority': 'NORMAL'} }",
> > > > mismatch ? data->workdiralt : data->workdir);
> > > > qobject_unref(rsp);
> > > >
> > > > I am not sure whether I did the right changes.
> > >
> > >
> > > That ought to have been sufficient, if priority strings were the
> > > problem.
> > >
> > >
> > > I think we'd need the debug output from gnutls - could you edit crypto/init.c
> > > and uncomment the '#define DEBUG_GNUTLS' line near the top.
> > >
> > > If you can post the output you get from a single migration-test test case
> > > involving PSK, it might be enough to diagnose why gnutls is failing.
> > >
> >
> > Here is the output:
> >
> > # Start of tls tests
> > # starting QEMU: ./qemu-system-x86_64 -qtest
> > unix:D:\msys64\tmp/qtest-18480.sock -qtest-log nul -chardev
> > socket,path=D:\msys64\tmp/qtest-18480.qmp,id=char0 -mon
> > chardev=char0,mode=control -display none -accel kvm -accel t
> > cg -name source,debug-threads=on -m 150M -serial
> > file:D:\msys64\tmp\migration-test-A5WJS1/src_serial -drive
> > file=D:\msys64\tmp\migration-test-A5WJS1/bootsect,format=raw -accel
> > qtest
> > qemu: thread naming not supported on this host
> > # starting QEMU: ./qemu-system-x86_64 -qtest
> > unix:D:\msys64\tmp/qtest-18480.sock -qtest-log nul -chardev
> > socket,path=D:\msys64\tmp/qtest-18480.qmp,id=char0 -mon
> > chardev=char0,mode=control -display none -accel kvm -accel t
> > cg -name target,debug-threads=on -m 150M -serial
> > file:D:\msys64\tmp\migration-test-A5WJS1/dest_serial -incoming
> > unix:D:\msys64\tmp\migration-test-A5WJS1/migsocket -drive
> > file=D:\msys64\tmp\migration-test-A5WJS1/bootsect,f
> > ormat=raw -accel qtest
>
> Comparing to running the same test on my machine.....
>
> > 4: EXT[0000015bb1dd2c50]: Sending extension Supported Versions/43 (9 bytes)
> > 4: EXT[0000015bb1dd2c50]: Preparing extension (Post Handshake Auth/49)
> > for 'client hello'
> > 4: EXT[0000015bb1dd2c50]: Preparing extension (Safe
> > Renegotiation/65281) for 'client hello'
> > 4: EXT[0000015bb1dd2c50]: Sending extension Safe Renegotiation/65281 (1 bytes)
> > 4: EXT[0000015bb1dd2c50]: Preparing extension (Server Name
> > Indication/0) for 'client hello'
> > 4: EXT[0000015bb1dd2c50]: Preparing extension (Cookie/44) for 'client hello'
> > 4: EXT[0000015bb1dd2c50]: Preparing extension (Early Data/42) for 'client hello'
> > 4: EXT[0000015bb1dd2c50]: Preparing extension (PSK Key Exchange
> > Modes/45) for 'client hello'
> > 4: EXT[0000015bb1dd2c50]: Sending extension PSK Key Exchange Modes/45 (3 bytes)
> > 4: EXT[0000015bb1dd2c50]: Preparing extension (Record Size Limit/28)
> > for 'client hello'
> > 4: EXT[0000015bb1dd2c50]: Sending extension Record Size Limit/28 (2 bytes)
> > 4: EXT[0000015bb1dd2c50]: Preparing extension (Maximum Record Size/1)
> > for 'client hello'
> > 4: EXT[0000015bb1dd2c50]: Preparing extension (Compress
> > Certificate/27) for 'client hello'
> > 4: EXT[0000015bb1dd2c50]: Preparing extension (ClientHello Padding/21)
> > for 'client hello'
> > 4: EXT[0000015bb1dd2c50]: Preparing extension (Pre Shared Key/41) for
> > 'client hello'
>
> Right here is missing two items:
>
>   4: EXT[0x55bd0c660d30]: sent PSK identity 'qemu' (0)
>   4: EXT[0x55bd0c660d30]: Sending extension Pre Shared Key/41 (47 bytes)
>
> So it appears the client is not sendnig the PSK credentials
>
> > 4: HSK[0000015bb1dd2c50]: CLIENT HELLO was queued [343 bytes]
> > 5: REC[0000015bb1dd2c50]: Preparing Packet Handshake(22) with length:
> > 343 and min pad: 0
> > 9: ENC[0000015bb1dd2c50]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
> > 5: REC[0000015bb1dd2c50]: Sent Packet[1] Handshake(22) in epoch 0 and
> > length: 348
>
> I believe there are probably two issues - first we're igonring the
> return value of gnutls_psk_set_client_credentials() and I have a feeling
> that is reporting an error.

Indeed gnutls_psk_set_client_credentials() fails with "Error in
parsing." message.

> Second, when we write the PSK credentials out
> to disk, we're not using binary mode, so I think UNIX line endings are
> getting turned into  DOS line endings, and when we later load the PSK
> credentials there's a stray \r present  that probably breaks
> gnutls_psk_set_client_credentials.

I think that's what happened.

>
> Could you try this patch and see if it makes the PSK tests work for
> migration-test:

Yes, this patch fixed the TLS test cases in the migration-test on Windows!

Thank you very much for the help!

Would you mind sending the patches on your own, or you want me to
include them in the next version of this series?

>
> diff --git a/crypto/tlscredspsk.c b/crypto/tlscredspsk.c
> index a4f9891274..546cad1c5a 100644
> --- a/crypto/tlscredspsk.c
> +++ b/crypto/tlscredspsk.c
> @@ -109,7 +109,12 @@ qcrypto_tls_creds_psk_load(QCryptoTLSCredsPSK *creds,
>              goto cleanup;
>          }
>
> -        gnutls_psk_set_server_credentials_file(creds->data.server, pskfile);
> +        ret = gnutls_psk_set_server_credentials_file(creds->data.server, pskfile);
> +        if (ret < 0) {
> +            error_setg(errp, "Cannot set PSK server credentials: %s",
> +                       gnutls_strerror(ret));
> +            goto cleanup;
> +        }
>          gnutls_psk_set_server_dh_params(creds->data.server,
>                                          creds->parent_obj.dh_params);
>      } else {
> @@ -135,8 +140,13 @@ qcrypto_tls_creds_psk_load(QCryptoTLSCredsPSK *creds,
>              goto cleanup;
>          }
>
> -        gnutls_psk_set_client_credentials(creds->data.client,
> -                                          username, &key, GNUTLS_PSK_KEY_HEX);
> +        ret = gnutls_psk_set_client_credentials(creds->data.client,
> +                                                username, &key, GNUTLS_PSK_KEY_HEX);
> +        if (ret < 0) {
> +            error_setg(errp, "Cannot set PSK client credentials: %s",
> +                       gnutls_strerror(ret));
> +            goto cleanup;
> +        }
>      }
>
>      rv = 0;
> diff --git a/tests/unit/crypto-tls-psk-helpers.c b/tests/unit/crypto-tls-psk-helpers.c
> index 511e08cc9c..c6cc740772 100644
> --- a/tests/unit/crypto-tls-psk-helpers.c
> +++ b/tests/unit/crypto-tls-psk-helpers.c
> @@ -27,15 +27,14 @@
>  static void
>  test_tls_psk_init_common(const char *pskfile, const char *user, const char *key)
>  {
> -    FILE *fp;
> +    g_autoptr(GError) gerr = NULL;
> +    g_autofree char *line = g_strdup_printf("%s:%s\n", user, key);
>
> -    fp = fopen(pskfile, "w");
> -    if (fp == NULL) {
> -        g_critical("Failed to create pskfile %s: %s", pskfile, strerror(errno));
> +    g_file_set_contents(pskfile, line, strlen(line), &gerr);
> +    if (gerr != NULL) {
> +        g_critical("Failed to create pskfile %s: %s", pskfile, gerr->message);
>          abort();
>      }
> -    fprintf(fp, "%s:%s\n", user, key);
> -    fclose(fp);
>  }
>
>  void test_tls_psk_init(const char *pskfile)
>

Regards,
Bin

Daniel P. Berrangé Sept. 28, 2022, 7:07 a.m. UTC | #9

On Wed, Sep 28, 2022 at 02:03:28PM +0800, Bin Meng wrote:
> Hi Daniel,
> 
> On Tue, Sep 27, 2022 at 11:40 PM Daniel P. Berrangé <berrange@redhat.com> wrote:
> >
> > On Thu, Sep 22, 2022 at 07:54:05PM +0800, Bin Meng wrote:
> > > On Thu, Sep 22, 2022 at 6:39 PM Daniel P. Berrangé <berrange@redhat.com> wrote:
> > > >
> > > > On Thu, Sep 22, 2022 at 10:47:26AM +0800, Bin Meng wrote:
> > > > > On Thu, Sep 22, 2022 at 1:23 AM Daniel P. Berrangé <berrange@redhat.com> wrote:
> > > > > >
> > > > > > On Wed, Sep 21, 2022 at 05:51:33PM +0100, Dr. David Alan Gilbert wrote:
> > > > > > > * Bin Meng (bmeng.cn@gmail.com) wrote:
> > > > > > > > From: Bin Meng <bin.meng@windriver.com>
> > > > > > > >
> > > > > > > > Some migration test cases use TLS to communicate, but they fail on
> > > > > > > > Windows with the following error messages:
> > > > > > > >
> > > > > > > >   qemu-system-x86_64: TLS handshake failed: Insufficient credentials for that request.
> > > > > > > >   qemu-system-x86_64: TLS handshake failed: Error in the pull function.
> > > > > > > >   query-migrate shows failed migration: TLS handshake failed: Error in the pull function.
> > > > > > > >
> > > > > > > > Disable them temporarily.
> > > > > > > >
> > > > > > > > Signed-off-by: Bin Meng <bin.meng@windriver.com>
> > > > > > > > ---
> > > > > > > > I am not familar with the gnutls and simply enabling the gnutls debug
> > > > > > > > output does not give me an immedidate hint on why it's failing on
> > > > > > > > Windows. Disable these cases for now until someone or maintainers
> > > > > > > > who may want to test this on Windows.
> > > > > > >
> > > > > > > Copying in Dan Berrange, he's our expert on weird TLS failures.
> > > > > >
> > > > > > Seems to match this:
> > > > > >
> > > > > >    https://gnutls.org/faq.html#key-usage-violation2
> > > > > >
> > > > > > which suggests we have a configuration mis-match.
> > > > > >
> > > > > > I'm surprised to see you are only needing to disable the TLS PSK tests,
> > > > > > not the TLS x509 tests.
> > > > >
> > > > > The TLS x509 qtests all passed.
> > > > >
> > > > > >
> > > > > > I'd like to know if tests/unit/test-crypto-tlssession passes.
> > > > >
> > > > > These unit tests currently are not built on Windows as they simply
> > > > > don't build due to usage of socketpair().
> > > >
> > > > Doh, yes, that's rather annoying, as debugging this problem in the
> > > > unit tests would be easier than in qtests.
> > > >
> > > > > > If so, it might suggest we are missing 'priority: NORMAL' property
> > > > > > when configuring TLS creds for the migration test.
> > > > >
> > > > > I did the following changes but the error is still the same:
> > > >
> > > > >
> > > > > diff --git a/tests/qtest/migration-test.c b/tests/qtest/migration-test.c
> > > > > index dbee9b528a..c1e3f11873 100644
> > > > > --- a/tests/qtest/migration-test.c
> > > > > +++ b/tests/qtest/migration-test.c
> > > > > @@ -788,7 +788,8 @@ test_migrate_tls_psk_start_common(QTestState *from,
> > > > > " 'id': 'tlscredspsk0',"
> > > > > " 'endpoint': 'client',"
> > > > > " 'dir': %s,"
> > > > > - " 'username': 'qemu'} }",
> > > > > + " 'username': 'qemu',"
> > > > > + " 'priority': 'NORMAL'} }",
> > > > > data->workdir);
> > > > > qobject_unref(rsp);
> > > > > @@ -797,7 +798,8 @@ test_migrate_tls_psk_start_common(QTestState *from,
> > > > > " 'arguments': { 'qom-type': 'tls-creds-psk',"
> > > > > " 'id': 'tlscredspsk0',"
> > > > > " 'endpoint': 'server',"
> > > > > - " 'dir': %s } }",
> > > > > + " 'dir': %s,"
> > > > > + " 'priority': 'NORMAL'} }",
> > > > > mismatch ? data->workdiralt : data->workdir);
> > > > > qobject_unref(rsp);
> > > > >
> > > > > I am not sure whether I did the right changes.
> > > >
> > > >
> > > > That ought to have been sufficient, if priority strings were the
> > > > problem.
> > > >
> > > >
> > > > I think we'd need the debug output from gnutls - could you edit crypto/init.c
> > > > and uncomment the '#define DEBUG_GNUTLS' line near the top.
> > > >
> > > > If you can post the output you get from a single migration-test test case
> > > > involving PSK, it might be enough to diagnose why gnutls is failing.
> > > >
> > >
> > > Here is the output:
> > >
> > > # Start of tls tests
> > > # starting QEMU: ./qemu-system-x86_64 -qtest
> > > unix:D:\msys64\tmp/qtest-18480.sock -qtest-log nul -chardev
> > > socket,path=D:\msys64\tmp/qtest-18480.qmp,id=char0 -mon
> > > chardev=char0,mode=control -display none -accel kvm -accel t
> > > cg -name source,debug-threads=on -m 150M -serial
> > > file:D:\msys64\tmp\migration-test-A5WJS1/src_serial -drive
> > > file=D:\msys64\tmp\migration-test-A5WJS1/bootsect,format=raw -accel
> > > qtest
> > > qemu: thread naming not supported on this host
> > > # starting QEMU: ./qemu-system-x86_64 -qtest
> > > unix:D:\msys64\tmp/qtest-18480.sock -qtest-log nul -chardev
> > > socket,path=D:\msys64\tmp/qtest-18480.qmp,id=char0 -mon
> > > chardev=char0,mode=control -display none -accel kvm -accel t
> > > cg -name target,debug-threads=on -m 150M -serial
> > > file:D:\msys64\tmp\migration-test-A5WJS1/dest_serial -incoming
> > > unix:D:\msys64\tmp\migration-test-A5WJS1/migsocket -drive
> > > file=D:\msys64\tmp\migration-test-A5WJS1/bootsect,f
> > > ormat=raw -accel qtest
> >
> > Comparing to running the same test on my machine.....
> >
> > > 4: EXT[0000015bb1dd2c50]: Sending extension Supported Versions/43 (9 bytes)
> > > 4: EXT[0000015bb1dd2c50]: Preparing extension (Post Handshake Auth/49)
> > > for 'client hello'
> > > 4: EXT[0000015bb1dd2c50]: Preparing extension (Safe
> > > Renegotiation/65281) for 'client hello'
> > > 4: EXT[0000015bb1dd2c50]: Sending extension Safe Renegotiation/65281 (1 bytes)
> > > 4: EXT[0000015bb1dd2c50]: Preparing extension (Server Name
> > > Indication/0) for 'client hello'
> > > 4: EXT[0000015bb1dd2c50]: Preparing extension (Cookie/44) for 'client hello'
> > > 4: EXT[0000015bb1dd2c50]: Preparing extension (Early Data/42) for 'client hello'
> > > 4: EXT[0000015bb1dd2c50]: Preparing extension (PSK Key Exchange
> > > Modes/45) for 'client hello'
> > > 4: EXT[0000015bb1dd2c50]: Sending extension PSK Key Exchange Modes/45 (3 bytes)
> > > 4: EXT[0000015bb1dd2c50]: Preparing extension (Record Size Limit/28)
> > > for 'client hello'
> > > 4: EXT[0000015bb1dd2c50]: Sending extension Record Size Limit/28 (2 bytes)
> > > 4: EXT[0000015bb1dd2c50]: Preparing extension (Maximum Record Size/1)
> > > for 'client hello'
> > > 4: EXT[0000015bb1dd2c50]: Preparing extension (Compress
> > > Certificate/27) for 'client hello'
> > > 4: EXT[0000015bb1dd2c50]: Preparing extension (ClientHello Padding/21)
> > > for 'client hello'
> > > 4: EXT[0000015bb1dd2c50]: Preparing extension (Pre Shared Key/41) for
> > > 'client hello'
> >
> > Right here is missing two items:
> >
> >   4: EXT[0x55bd0c660d30]: sent PSK identity 'qemu' (0)
> >   4: EXT[0x55bd0c660d30]: Sending extension Pre Shared Key/41 (47 bytes)
> >
> > So it appears the client is not sendnig the PSK credentials
> >
> > > 4: HSK[0000015bb1dd2c50]: CLIENT HELLO was queued [343 bytes]
> > > 5: REC[0000015bb1dd2c50]: Preparing Packet Handshake(22) with length:
> > > 343 and min pad: 0
> > > 9: ENC[0000015bb1dd2c50]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
> > > 5: REC[0000015bb1dd2c50]: Sent Packet[1] Handshake(22) in epoch 0 and
> > > length: 348
> >
> > I believe there are probably two issues - first we're igonring the
> > return value of gnutls_psk_set_client_credentials() and I have a feeling
> > that is reporting an error.
> 
> Indeed gnutls_psk_set_client_credentials() fails with "Error in
> parsing." message.
> 
> > Second, when we write the PSK credentials out
> > to disk, we're not using binary mode, so I think UNIX line endings are
> > getting turned into  DOS line endings, and when we later load the PSK
> > credentials there's a stray \r present  that probably breaks
> > gnutls_psk_set_client_credentials.
> 
> I think that's what happened.
> 
> >
> > Could you try this patch and see if it makes the PSK tests work for
> > migration-test:
> 
> Yes, this patch fixed the TLS test cases in the migration-test on Windows!
> 
> Thank you very much for the help!
> 
> Would you mind sending the patches on your own, or you want me to
> include them in the next version of this series?

I'll send my patch formally and CC you.

With regards,
Daniel

Patch

diff --git a/tests/qtest/migration-test.c b/tests/qtest/migration-test.c
index aedd9ddb72..dbee9b528a 100644
--- a/tests/qtest/migration-test.c
+++ b/tests/qtest/migration-test.c
@@ -1403,6 +1403,7 @@  static void test_precopy_unix_dirty_ring(void)
 }
 
 #ifdef CONFIG_GNUTLS
+#ifndef _WIN32
 static void test_precopy_unix_tls_psk(void)
 {
     g_autofree char *uri = g_strdup_printf("unix:%s/migsocket", tmpfs);
@@ -1415,6 +1416,7 @@  static void test_precopy_unix_tls_psk(void)
 
     test_precopy_common(&args);
 }
+#endif /* _WIN32 */
 
 #ifdef CONFIG_TASN1
 static void test_precopy_unix_tls_x509_default_host(void)
@@ -1523,6 +1525,7 @@  static void test_precopy_tcp_plain(void)
 }
 
 #ifdef CONFIG_GNUTLS
+#ifndef _WIN32
 static void test_precopy_tcp_tls_psk_match(void)
 {
     MigrateCommon args = {
@@ -1533,6 +1536,7 @@  static void test_precopy_tcp_tls_psk_match(void)
 
     test_precopy_common(&args);
 }
+#endif /* _WIN32 */
 
 static void test_precopy_tcp_tls_psk_mismatch(void)
 {
@@ -1930,6 +1934,7 @@  static void test_multifd_tcp_zstd(void)
 #endif
 
 #ifdef CONFIG_GNUTLS
+#ifndef _WIN32
 static void *
 test_migrate_multifd_tcp_tls_psk_start_match(QTestState *from,
                                              QTestState *to)
@@ -1937,6 +1942,7 @@  test_migrate_multifd_tcp_tls_psk_start_match(QTestState *from,
     test_migrate_precopy_tcp_multifd_start_common(from, to, "none");
     return test_migrate_tls_psk_start_match(from, to);
 }
+#endif /* _WIN32 */
 
 static void *
 test_migrate_multifd_tcp_tls_psk_start_mismatch(QTestState *from,
@@ -1988,6 +1994,7 @@  test_migrate_multifd_tls_x509_start_reject_anon_client(QTestState *from,
 }
 #endif /* CONFIG_TASN1 */
 
+#ifndef _WIN32
 static void test_multifd_tcp_tls_psk_match(void)
 {
     MigrateCommon args = {
@@ -1997,6 +2004,7 @@  static void test_multifd_tcp_tls_psk_match(void)
     };
     test_precopy_common(&args);
 }
+#endif /* _WIN32 */
 
 static void test_multifd_tcp_tls_psk_mismatch(void)
 {
@@ -2497,8 +2505,10 @@  int main(int argc, char **argv)
     qtest_add_func("/migration/precopy/unix/plain", test_precopy_unix_plain);
     qtest_add_func("/migration/precopy/unix/xbzrle", test_precopy_unix_xbzrle);
 #ifdef CONFIG_GNUTLS
+#ifndef _WIN32
     qtest_add_func("/migration/precopy/unix/tls/psk",
                    test_precopy_unix_tls_psk);
+#endif
 
     if (has_uffd) {
         /*
@@ -2524,8 +2534,10 @@  int main(int argc, char **argv)
 
     qtest_add_func("/migration/precopy/tcp/plain", test_precopy_tcp_plain);
 #ifdef CONFIG_GNUTLS
+#ifndef _WIN32
     qtest_add_func("/migration/precopy/tcp/tls/psk/match",
                    test_precopy_tcp_tls_psk_match);
+#endif
     qtest_add_func("/migration/precopy/tcp/tls/psk/mismatch",
                    test_precopy_tcp_tls_psk_mismatch);
 #ifdef CONFIG_TASN1
@@ -2569,8 +2581,10 @@  int main(int argc, char **argv)
                    test_multifd_tcp_zstd);
 #endif
 #ifdef CONFIG_GNUTLS
+#ifndef _WIN32
     qtest_add_func("/migration/multifd/tcp/tls/psk/match",
                    test_multifd_tcp_tls_psk_match);
+#endif
     qtest_add_func("/migration/multifd/tcp/tls/psk/mismatch",
                    test_multifd_tcp_tls_psk_mismatch);
 #ifdef CONFIG_TASN1