From patchwork Tue Mar 8 01:44:05 2022
X-Patchwork-Submitter: Eric Blake
X-Patchwork-Id: 12772867
From: Eric Blake
To: qemu-devel@nongnu.org
Cc: Daniel P. Berrangé
Subject: [PULL 01/15] crypto: mandate a hostname when checking x509 creds on a client
Date: Mon, 7 Mar 2022 19:44:05 -0600
Message-Id: <20220308014419.3056549-2-eblake@redhat.com>
In-Reply-To: <20220308014419.3056549-1-eblake@redhat.com>
References: <20220308014419.3056549-1-eblake@redhat.com>
From: Daniel P. Berrangé

Currently the TLS session object assumes that the caller will always
provide a hostname when using x509 creds on a client endpoint. This
relies on the caller to detect and report an error if the user has
configured QEMU with x509 credentials on a UNIX socket.

The migration code has such a check, but it is too broad, reporting an
error when the user has configured QEMU with PSK credentials on a UNIX
socket, where hostnames are irrelevant.

Putting the check into the TLS session object credentials validation
code ensures we report errors in only the scenario that matters.

Reviewed-by: Eric Blake
Signed-off-by: Daniel P. Berrangé
Message-Id: <20220304193610.3293146-2-berrange@redhat.com>
Signed-off-by: Eric Blake
---
 crypto/tlssession.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/crypto/tlssession.c b/crypto/tlssession.c
index a8db8c76d138..b302d835d215 100644
--- a/crypto/tlssession.c
+++ b/crypto/tlssession.c
@@ -373,6 +373,12 @@ qcrypto_tls_session_check_certificate(QCryptoTLSSession *session, session->hostname); goto error; } + } else { + if (session->creds->endpoint == + QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT) { + error_setg(errp, "No hostname for certificate validation"); + goto error; + } } }
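Review bot: the new else branch in the qcrypto_tls_session_check_certificate hunk reports "No hostname for certificate validation" without saying what the user can do about it. Since the branch fires only for x509 credentials on a QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT endpoint, a message along the lines of "No hostname for certificate validation; x509 client credentials need a hostname" points at the fix rather than only the symptom. Two further points: the check sits in the certificate validation path, so the misconfiguration is reported at handshake time rather than when the session is set up; and the commit message says the migration code's existing check is too broad (it rejects PSK credentials on UNIX sockets), yet the patch leaves that check in place, so PSK on UNIX sockets stays rejected there until a follow-up removes it. The commit message should say whether that follow-up is planned.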
From patchwork Tue Mar 8 01:44:06 2022
From: Eric Blake
To: qemu-devel@nongnu.org
Cc: Kevin Wolf, Hanna Reitz, Vladimir Sementsov-Ogievskiy, Daniel P. Berrangé, "open list:Network Block Dev..."
Subject: [PULL 02/15] block: pass desired TLS hostname through from block driver client
Date: Mon, 7 Mar 2022 19:44:06 -0600
Message-Id: <20220308014419.3056549-3-eblake@redhat.com>
In-Reply-To: <20220308014419.3056549-1-eblake@redhat.com>
References: <20220308014419.3056549-1-eblake@redhat.com>
From: Daniel P. Berrangé

In commit

  a71d597b989fd701b923f09b3c20ac4fcaa55e81
  Author: Vladimir Sementsov-Ogievskiy
  Date:   Thu Jun 10 13:08:00 2021 +0300

    block/nbd: reuse nbd_co_do_establish_connection() in nbd_open()

the use of the 'hostname' field from the BDRVNBDState struct was lost,
and 'nbd_connect' just hardcoded it to match the IP socket address.
This was a harmless bug at the time since we block use with anything
other than IP sockets. Shortly though, we want to allow the caller to
override the hostname used in the TLS certificate checks. This is to
allow for TLS when doing port forwarding or tunneling. Thus we need to
reinstate the passing along of the 'hostname'.

Reviewed-by: Eric Blake
Signed-off-by: Daniel P. Berrangé
Message-Id: <20220304193610.3293146-3-berrange@redhat.com>
Signed-off-by: Eric Blake
---
 include/block/nbd.h     |  3 ++-
 block/nbd.c             |  7 ++++---
 nbd/client-connection.c | 12 +++++++++---
 3 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/include/block/nbd.h b/include/block/nbd.h
index 78d101b77488..a98eb665da04 100644
--- a/include/block/nbd.h
+++ b/include/block/nbd.h
@@ -415,7 +415,8 @@ NBDClientConnection *nbd_client_connection_new(const SocketAddress *saddr, bool do_negotiation, const char *export_name, const char *x_dirty_bitmap, - QCryptoTLSCreds *tlscreds); + QCryptoTLSCreds *tlscreds, + const char *tlshostname); void nbd_client_connection_release(NBDClientConnection *conn); QIOChannel *coroutine_fn
diff --git a/block/nbd.c b/block/nbd.c
index 146d25660e86..f04634905584 100644
--- a/block/nbd.c
+++ b/block/nbd.c
@@ -92,7 +92,7 @@ typedef struct BDRVNBDState { SocketAddress *saddr; char *export, *tlscredsid; QCryptoTLSCreds *tlscreds; - const char *hostname; + const char *tlshostname; char *x_dirty_bitmap; bool alloc_depth;
@@ -1836,7 +1836,7 @@ static int nbd_process_options(BlockDriverState *bs, QDict *options, error_setg(errp, "TLS only supported over IP sockets"); goto error; } - s->hostname = s->saddr->u.inet.host; + s->tlshostname = s->saddr->u.inet.host; } s->x_dirty_bitmap = g_strdup(qemu_opt_get(opts, "x-dirty-bitmap"));
@@ -1876,7 +1876,8 @@ static int nbd_open(BlockDriverState *bs, QDict *options, int flags, } s->conn = nbd_client_connection_new(s->saddr, true, s->export, - s->x_dirty_bitmap, s->tlscreds); + s->x_dirty_bitmap, s->tlscreds, + s->tlshostname); if (s->open_timeout) { nbd_client_connection_enable_retry(s->conn);
diff --git a/nbd/client-connection.c b/nbd/client-connection.c
index 2bda42641dc8..2a632931c393 100644
--- a/nbd/client-connection.c
+++ b/nbd/client-connection.c
@@ -33,6 +33,7 @@ struct NBDClientConnection { /* Initialization constants, never change */ SocketAddress *saddr; /* address to connect to */ QCryptoTLSCreds *tlscreds; + char *tlshostname; NBDExportInfo initial_info; bool do_negotiation; bool do_retry;
@@ -77,7 +78,8 @@ NBDClientConnection *nbd_client_connection_new(const SocketAddress *saddr, bool do_negotiation, const char *export_name, const char *x_dirty_bitmap, - QCryptoTLSCreds *tlscreds) + QCryptoTLSCreds *tlscreds, + const char *tlshostname) { NBDClientConnection *conn = g_new(NBDClientConnection, 1);
@@ -85,6 +87,7 @@ NBDClientConnection *nbd_client_connection_new(const SocketAddress *saddr, *conn = (NBDClientConnection) { .saddr = QAPI_CLONE(SocketAddress, saddr), .tlscreds = tlscreds, + .tlshostname = g_strdup(tlshostname), .do_negotiation = do_negotiation, .initial_info.request_sizes = true,
@@ -107,6 +110,7 @@ static void nbd_client_connection_do_free(NBDClientConnection *conn) } error_free(conn->err); qapi_free_SocketAddress(conn->saddr); + g_free(conn->tlshostname); object_unref(OBJECT(conn->tlscreds)); g_free(conn->initial_info.x_dirty_bitmap); g_free(conn->initial_info.name);
@@ -120,6 +124,7 @@ static void nbd_client_connection_do_free(NBDClientConnection *conn) */ static int nbd_connect(QIOChannelSocket *sioc, SocketAddress *addr, NBDExportInfo *info, QCryptoTLSCreds *tlscreds, + const char *tlshostname, QIOChannel **outioc, Error **errp) { int ret;
@@ -140,7 +145,7 @@ static int nbd_connect(QIOChannelSocket *sioc, SocketAddress *addr, } ret = nbd_receive_negotiate(NULL, QIO_CHANNEL(sioc), tlscreds, - tlscreds ? addr->u.inet.host : NULL, + tlshostname, outioc, info, errp); if (ret < 0) { /*
@@ -183,7 +188,8 @@ static void *connect_thread_func(void *opaque) ret = nbd_connect(conn->sioc, conn->saddr, conn->do_negotiation ? &conn->updated_info : NULL, - conn->tlscreds, &conn->ioc, &local_err); + conn->tlscreds, conn->tlshostname, + &conn->ioc, &local_err); /* * conn->updated_info will finally be returned to the user. Clear the
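Review bot: in the struct NBDClientConnection hunk, the new `+ char *tlshostname;` is the only field in that block without a comment, while its neighbour reads `SocketAddress *saddr; /* address to connect to */`; add something like `/* hostname to validate the TLS x509 cert against, NULL when none */`, and document the new `const char *tlshostname` parameter of nbd_client_connection_new in include/block/nbd.h the same way. The g_strdup in the initializer and the g_free in nbd_client_connection_do_free pair up correctly, and g_strdup(NULL) yields NULL, so a missing hostname is handled.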
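Review bot: in the nbd_connect hunk, `- tlscreds ? addr->u.inet.host : NULL` becomes `+ tlshostname,`, so the hostname is now passed through even when tlscreds is NULL. That is only correct because the block/nbd.c hunk assigns s->tlshostname inside the TLS-only branch of nbd_process_options; a one-line comment at the nbd_receive_negotiate call, or an assert that tlshostname is NULL whenever tlscreds is NULL, would make the invariant explicit for future callers. Note also that in this patch the BDRVNBDState field is `const char *tlshostname` borrowing s->saddr->u.inet.host, so its lifetime is tied to s->saddr; the next patch in the series switches it to an owned copy.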
From patchwork Tue Mar 8 01:44:07 2022
From: Eric Blake
To: qemu-devel@nongnu.org
Cc: Kevin Wolf, Vladimir Sementsov-Ogievskiy, Daniel P. Berrangé, "open list:Network Block Dev...", Markus Armbruster, Hanna Reitz
Subject: [PULL 03/15] block/nbd: support override of hostname for TLS certificate validation
Date: Mon, 7 Mar 2022 19:44:07 -0600
Message-Id: <20220308014419.3056549-4-eblake@redhat.com>
In-Reply-To: <20220308014419.3056549-1-eblake@redhat.com>
References: <20220308014419.3056549-1-eblake@redhat.com>
From: Daniel P. Berrangé

When connecting to an NBD server with TLS and x509 credentials, the
client must validate the hostname it uses for the connection, against
that published in the server's certificate. If the client is tunnelling
its connection over some other channel, however, the hostname it uses
may not match the info reported in the server's certificate.

In such a case, the user needs to explicitly set an override for the
hostname to use for certificate validation. This is achieved by adding
a 'tls-hostname' property to the NBD block driver.

Reviewed-by: Eric Blake
Signed-off-by: Daniel P. Berrangé
Message-Id: <20220304193610.3293146-4-berrange@redhat.com>
Signed-off-by: Eric Blake
---
 qapi/block-core.json |  3 +++
 block/nbd.c          | 18 +++++++++++++++---
 2 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/qapi/block-core.json b/qapi/block-core.json
index f13b5ff942b6..e89f2dfb5be7 100644
--- a/qapi/block-core.json
+++ b/qapi/block-core.json
@@ -4079,6 +4079,8 @@ # # @tls-creds: TLS credentials ID # +# @tls-hostname: TLS hostname override for certificate validation (Since 7.0) +# # @x-dirty-bitmap: A metadata context name such as "qemu:dirty-bitmap:NAME" # or "qemu:allocation-depth" to query in place of the # traditional "base:allocation" block status (see
@@ -4109,6 +4111,7 @@ 'data': { 'server': 'SocketAddress', '*export': 'str', '*tls-creds': 'str', + '*tls-hostname': 'str', '*x-dirty-bitmap': { 'type': 'str', 'features': [ 'unstable' ] }, '*reconnect-delay': 'uint32', '*open-timeout': 'uint32' } }
diff --git a/block/nbd.c b/block/nbd.c
index f04634905584..0a9b6cde5bd3 100644
--- a/block/nbd.c
+++ b/block/nbd.c
@@ -90,9 +90,10 @@ typedef struct BDRVNBDState { uint32_t reconnect_delay; uint32_t open_timeout; SocketAddress *saddr; - char *export, *tlscredsid; + char *export; + char *tlscredsid; QCryptoTLSCreds *tlscreds; - const char *tlshostname; + char *tlshostname; char *x_dirty_bitmap; bool alloc_depth;
@@ -121,6 +122,8 @@ static void nbd_clear_bdrvstate(BlockDriverState *bs) s->export = NULL; g_free(s->tlscredsid); s->tlscredsid = NULL; + g_free(s->tlshostname); + s->tlshostname = NULL; g_free(s->x_dirty_bitmap); s->x_dirty_bitmap = NULL; }
@@ -1765,6 +1768,11 @@ static QemuOptsList nbd_runtime_opts = { .type = QEMU_OPT_STRING, .help = "ID of the TLS credentials to use", }, + { + .name = "tls-hostname", + .type = QEMU_OPT_STRING, + .help = "Override hostname for validating TLS x509 certificate", + }, { .name = "x-dirty-bitmap", .type = QEMU_OPT_STRING,
@@ -1836,7 +1844,10 @@ static int nbd_process_options(BlockDriverState *bs, QDict *options, error_setg(errp, "TLS only supported over IP sockets"); goto error; } - s->tlshostname = s->saddr->u.inet.host; + s->tlshostname = g_strdup(qemu_opt_get(opts, "tls-hostname")); + if (!s->tlshostname) { + s->tlshostname = g_strdup(s->saddr->u.inet.host); + } } s->x_dirty_bitmap = g_strdup(qemu_opt_get(opts, "x-dirty-bitmap"));
@@ -2038,6 +2049,7 @@ static const char *const nbd_strong_runtime_opts[] = { "port", "export", "tls-creds", + "tls-hostname", "server.", NULL
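Review bot: the QAPI doc hunk `+# @tls-hostname: TLS hostname override for certificate validation (Since 7.0)` does not say that the option only takes effect together with @tls-creds, nor what the default is (the server's inet host, per the nbd_process_options hunk); stating both there saves users a trip to the source, since this field decides which certificate name the client will accept.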
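Review bot: in the nbd_process_options hunk, `qemu_opt_get(opts, "tls-hostname")` is only read inside the branch that handles tls-creds, so a tls-hostname given without tls-creds is silently ignored, whereas the qemu-nbd patch later in this series rejects --tls-hostname without --tls-creds with an error. Consider an error_setg here for consistency, as a user who sets tls-hostname almost certainly expects TLS to be in use. Adding "tls-hostname" to nbd_strong_runtime_opts is right, since changing the name checked against the certificate changes what the driver trusts.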
From patchwork Tue Mar 8 01:44:08 2022
From: Eric Blake
To: qemu-devel@nongnu.org
Cc: Vladimir Sementsov-Ogievskiy, Daniel P. Berrangé, "open list:Network Block Dev..."
Subject: [PULL 04/15] qemu-nbd: add --tls-hostname option for TLS certificate validation
Date: Mon, 7 Mar 2022 19:44:08 -0600
Message-Id: <20220308014419.3056549-5-eblake@redhat.com>
In-Reply-To: <20220308014419.3056549-1-eblake@redhat.com>
References: <20220308014419.3056549-1-eblake@redhat.com>

From: Daniel P. Berrangé

When using the --list option, qemu-nbd acts as an NBD client rather
than a server. As such when using TLS, it has a need to validate the
server certificate. This adds a --tls-hostname option which can be used
to override the default hostname used for certificate validation.

Reviewed-by: Eric Blake
Signed-off-by: Daniel P. Berrangé
Message-Id: <20220304193610.3293146-5-berrange@redhat.com>
Signed-off-by: Eric Blake
---
 docs/tools/qemu-nbd.rst | 13 +++++++++++++
 qemu-nbd.c              | 17 ++++++++++++++++-
 2 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/docs/tools/qemu-nbd.rst b/docs/tools/qemu-nbd.rst
index 6031f9689312..2b8c90c35498 100644
--- a/docs/tools/qemu-nbd.rst
+++ b/docs/tools/qemu-nbd.rst
@@ -169,6 +169,19 @@ driver options if ``--image-opts`` is specified. option; or provide the credentials needed for connecting as a client in list mode. +.. option:: --tls-hostname=hostname + + When validating an x509 certificate received over a TLS connection, + the hostname that the NBD client used to connect will be checked + against information in the server provided certificate. Sometimes + it might be required to override the hostname used to perform this + check. For example, if the NBD client is using a tunnel from localhost + to connect to the remote server, the `--tls-hostname` option should + be used to set the officially expected hostname of the remote NBD + server. This can also be used if accessing NBD over a UNIX socket + where there is no inherent hostname available. This is only permitted + when acting as a NBD client with the `--list` option. + .. option:: --fork Fork off the server process and exit the parent once the server is running.
diff --git a/qemu-nbd.c b/qemu-nbd.c
index c6c20df68a4d..18d281aba3d1 100644
--- a/qemu-nbd.c
+++ b/qemu-nbd.c
@@ -69,6 +69,7 @@ #define QEMU_NBD_OPT_TLSAUTHZ 264 #define QEMU_NBD_OPT_PID_FILE 265 #define QEMU_NBD_OPT_SELINUX_LABEL 266 +#define QEMU_NBD_OPT_TLSHOSTNAME 267 #define MBR_SIZE 512
@@ -542,6 +543,7 @@ int main(int argc, char **argv) { "export-name", required_argument, NULL, 'x' }, { "description", required_argument, NULL, 'D' }, { "tls-creds", required_argument, NULL, QEMU_NBD_OPT_TLSCREDS }, + { "tls-hostname", required_argument, NULL, QEMU_NBD_OPT_TLSHOSTNAME }, { "tls-authz", required_argument, NULL, QEMU_NBD_OPT_TLSAUTHZ }, { "image-opts", no_argument, NULL, QEMU_NBD_OPT_IMAGE_OPTS }, { "trace", required_argument, NULL, 'T' },
@@ -568,6 +570,7 @@ int main(int argc, char **argv) strList *bitmaps = NULL; bool alloc_depth = false; const char *tlscredsid = NULL; + const char *tlshostname = NULL; bool imageOpts = false; bool writethrough = false; /* Client will flush as needed. */ bool fork_process = false;
@@ -747,6 +750,9 @@ int main(int argc, char **argv) case QEMU_NBD_OPT_TLSCREDS: tlscredsid = optarg; break; + case QEMU_NBD_OPT_TLSHOSTNAME: + tlshostname = optarg; + break; case QEMU_NBD_OPT_IMAGE_OPTS: imageOpts = true; break;
@@ -835,6 +841,10 @@ int main(int argc, char **argv) error_report("TLS authorization is incompatible with export list"); exit(EXIT_FAILURE); } + if (tlshostname && !list) { + error_report("TLS hostname is only supported with export list"); + exit(EXIT_FAILURE); + } tlscreds = nbd_get_tls_creds(tlscredsid, list, &local_err); if (local_err) { error_reportf_err(local_err, "Failed to get TLS creds: ");
@@ -845,6 +855,10 @@ int main(int argc, char **argv) error_report("--tls-authz is not permitted without --tls-creds"); exit(EXIT_FAILURE); } + if (tlshostname) { + error_report("--tls-hostname is not permitted without --tls-creds"); + exit(EXIT_FAILURE); + } } if (selinux_label) {
@@ -861,7 +875,8 @@ int main(int argc, char **argv) if (list) { saddr = nbd_build_socket_address(sockpath, bindto, port); - return qemu_nbd_client_list(saddr, tlscreds, bindto); + return qemu_nbd_client_list(saddr, tlscreds, + tlshostname ? tlshostname : bindto); } #if !HAVE_NBD_DEVICE
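Review bot: in the docs/tools/qemu-nbd.rst hunk, `--tls-hostname` and `--list` are written with single backticks, which reStructuredText renders as interpreted text (italic) rather than as a literal; the context line in the same hunk uses double backticks (``--image-opts``), so these should be ``--tls-hostname`` and ``--list`` for consistency with the rest of the file. The wording "This is only permitted when acting as a NBD client with the --list option" does match the `tlshostname && !list` check added in qemu-nbd.c, so no code change is needed there.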
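Review bot: in the final hunk, `tlshostname ? tlshostname : bindto` keeps bindto as the fallback name the certificate is validated against. With a UNIX socket path (sockpath) bindto is not a hostname of the remote server, and the following patch in the series stops calling setup_address_and_port when sockpath is set, which suggests the fallback can otherwise hand a bind address to the x509 hostname check. A short comment at this call site stating what bindto is expected to hold in list mode, and that a UNIX socket listing with x509 credentials needs --tls-hostname (an absent hostname is rejected by the tlssession change earlier in this series), would make that explicit.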
From patchwork Tue Mar 8 01:44:09 2022
From: Eric Blake
To: qemu-devel@nongnu.org
Cc: Kevin Wolf, Hanna Reitz, Vladimir Sementsov-Ogievskiy, Daniel P. Berrangé, "open list:Network Block Dev..."
Subject: [PULL 05/15] block/nbd: don't restrict TLS usage to IP sockets
Date: Mon, 7 Mar 2022 19:44:09 -0600
Message-Id: <20220308014419.3056549-6-eblake@redhat.com>
In-Reply-To: <20220308014419.3056549-1-eblake@redhat.com>
References: <20220308014419.3056549-1-eblake@redhat.com>
From: Daniel P. Berrangé

The TLS usage for NBD was restricted to IP sockets because validating x509 certificates requires knowledge of the hostname that the client is connecting to.

TLS does not have to use x509 certificates though, as PSK (pre-shared keys) provide an alternative credential option. These have no requirement for a hostname and can thus be trivially used for UNIX sockets.

Furthermore, with the ability to override the default hostname for TLS validation in the previous patch, it is now also valid to want to use x509 certificates with FD passing and UNIX sockets.

Reviewed-by: Eric Blake
Signed-off-by: Daniel P. Berrangé
Message-Id: <20220304193610.3293146-6-berrange@redhat.com>
Signed-off-by: Eric Blake
--- block/nbd.c | 8 ++------ blockdev-nbd.c | 6 ------ qemu-nbd.c | 8 +++----- 3 files changed, 5 insertions(+), 17 deletions(-) diff --git a/block/nbd.c b/block/nbd.c index 0a9b6cde5bd3..34b9429de387 100644 --- a/block/nbd.c +++ b/block/nbd.c @@ -1839,13 +1839,9 @@ static int nbd_process_options(BlockDriverState *bs, QDict *options, goto error; } - /* TODO SOCKET_ADDRESS_KIND_FD where fd has AF_INET or AF_INET6 */ - if (s->saddr->type != SOCKET_ADDRESS_TYPE_INET) { - error_setg(errp, "TLS only supported over IP sockets"); - goto error; - } s->tlshostname = g_strdup(qemu_opt_get(opts, "tls-hostname")); - if (!s->tlshostname) { + if (!s->tlshostname && + s->saddr->type == SOCKET_ADDRESS_TYPE_INET) { s->tlshostname = g_strdup(s->saddr->u.inet.host); } } diff --git a/blockdev-nbd.c b/blockdev-nbd.c index bdfa7ed3a5a9..9840d25a8298 100644 --- a/blockdev-nbd.c +++ b/blockdev-nbd.c @@ -148,12 +148,6 @@ void nbd_server_start(SocketAddress *addr, const char *tls_creds, if (!nbd_server->tlscreds) { goto error; } - - /* TODO SOCKET_ADDRESS_TYPE_FD where fd has AF_INET or AF_INET6 */ - if (addr->type != SOCKET_ADDRESS_TYPE_INET) { - error_setg(errp, "TLS is only supported with IPv4/IPv6"); - goto error; - } } nbd_server->tlsauthz = g_strdup(tls_authz);
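Review bot: in the block/nbd.c hunk of nbd_process_options(), the removed SOCKET_ADDRESS_TYPE_INET check was the only early diagnostic for TLS on a unix or fd socket, and after this change s->tlshostname simply stays NULL whenever no tls-hostname option was given on such a socket. That is intended for PSK credentials, but for x509 credentials the commit message says the user must now supply the override, and nothing at this site says so; please add a short comment above the new `if (!s->tlshostname && s->saddr->type == SOCKET_ADDRESS_TYPE_INET)` stating that a NULL hostname on non-IP sockets is deliberate and that x509 validation then relies on the tls-hostname option, so the next reader does not reinstate the check. The blockdev-nbd.c hunk is fine as a server never verifies a peer hostname.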
diff --git a/qemu-nbd.c b/qemu-nbd.c index 18d281aba3d1..713e7557a9eb 100644 --- a/qemu-nbd.c +++ b/qemu-nbd.c @@ -808,7 +808,9 @@ int main(int argc, char **argv) socket_activation = check_socket_activation(); if (socket_activation == 0) { - setup_address_and_port(&bindto, &port); + if (!sockpath) { + setup_address_and_port(&bindto, &port); + } } else { /* Using socket activation - check user didn't use -p etc. */ const char *err_msg = socket_activation_validate_opts(device, sockpath, 
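Review bot: the `if (!sockpath)` guard around setup_address_and_port(&bindto, &port) in the qemu-nbd.c main() hunk applies to every `-k` invocation, not only to TLS ones, yet the commit message only talks about TLS. Please add a sentence to the commit message explaining why the bind address and port must not be set up when a unix socket path is given, and what effect setup_address_and_port() previously had in that case, so this is not mistaken for an unrelated behaviour change.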
@@ -829,10 +831,6 @@ int main(int argc, char **argv) } if (tlscredsid) { - if (sockpath) { - error_report("TLS is only supported with IPv4/IPv6"); - exit(EXIT_FAILURE); - } if (device) { error_report("TLS is not supported with a host device"); exit(EXIT_FAILURE);
From patchwork Tue Mar 8 01:44:10 2022
X-Patchwork-Submitter: Eric Blake
X-Patchwork-Id: 12772868
From: Eric Blake
To: qemu-devel@nongnu.org
Subject: [PULL 06/15] tests/qemu-iotests: add QEMU_IOTESTS_REGEN=1 to update reference file
Date: Mon, 7 Mar 2022 19:44:10 -0600
Message-Id: <20220308014419.3056549-7-eblake@redhat.com>
In-Reply-To: <20220308014419.3056549-1-eblake@redhat.com>
References: <20220308014419.3056549-1-eblake@redhat.com>
Cc: Kevin Wolf, Hanna Reitz, Daniel P. Berrangé, "open list:Block layer core"
From: Daniel P. Berrangé

When developing an I/O test it is typical to add some logic to the test script, run it to view the output diff, and then apply the output diff to the reference file. This can be drastically simplified by letting the test runner update the reference file in place.

By setting 'QEMU_IOTESTS_REGEN=1', the test runner will report the failure and show the diff, but at the same time update the reference file. So next time the I/O test is run it will succeed.

Continuing to display the diff when updating the reference gives the developer a chance to review what was changed.

Reviewed-by: Eric Blake
Signed-off-by: Daniel P. Berrangé
Message-Id: <20220304193610.3293146-7-berrange@redhat.com>
Signed-off-by: Eric Blake
--- tests/qemu-iotests/testrunner.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tests/qemu-iotests/testrunner.py b/tests/qemu-iotests/testrunner.py index 41083ff9c6f7..5c207225b140 100644 --- a/tests/qemu-iotests/testrunner.py +++ b/tests/qemu-iotests/testrunner.py @@ -25,6 +25,7 @@ import contextlib import json import termios +import shutil import sys from multiprocessing import Pool from contextlib import contextmanager
@@ -322,6 +323,11 @@ def do_run_test(self, test: str, mp: bool) -> TestResult: diff = file_diff(str(f_reference), str(f_bad)) if diff: + if os.environ.get("QEMU_IOTESTS_REGEN", None) is not None: + shutil.copyfile(str(f_bad), str(f_reference)) + print("########################################") + print("##### REFERENCE FILE UPDATED #####") + print("########################################") return TestResult(status='fail', elapsed=elapsed, description=f'output mismatch (see {f_bad})', diff=diff, casenotrun=casenotrun)
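Review bot: the condition in the do_run_test() hunk is `os.environ.get("QEMU_IOTESTS_REGEN", None) is not None`, so `QEMU_IOTESTS_REGEN=0` or an empty value still overwrites the reference file, which does not match the `QEMU_IOTESTS_REGEN=1` wording of the commit message; either compare the value (`os.environ.get("QEMU_IOTESTS_REGEN") == "1"`) or document that any value enables regeneration. It is also worth a comment that the copy happens for every test whose output differs during the run, including tests failing for an unrelated reason, so the printed diff is the only safeguard against committing a bad reference; keeping the result as status='fail' is the right choice for that.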
From patchwork Tue Mar 8 01:44:11 2022
X-Patchwork-Submitter: Eric Blake
X-Patchwork-Id: 12772877
From: Eric Blake
To: qemu-devel@nongnu.org
Subject: [PULL 07/15] tests/qemu-iotests: expand _filter_nbd rules
Date: Mon, 7 Mar 2022 19:44:11 -0600
Message-Id: <20220308014419.3056549-8-eblake@redhat.com>
In-Reply-To: <20220308014419.3056549-1-eblake@redhat.com>
References: <20220308014419.3056549-1-eblake@redhat.com>
Cc: Kevin Wolf, Hanna Reitz, Daniel P. Berrangé, "open list:Block layer core"

From: Daniel P. Berrangé

Some tests will want to use 'localhost' instead of '127.0.0.1', and some will use the image options syntax rather than the classic URI syntax.

Reviewed-by: Eric Blake
Signed-off-by: Daniel P. Berrangé
Message-Id: <20220304193610.3293146-8-berrange@redhat.com>
Signed-off-by: Eric Blake
--- tests/qemu-iotests/common.filter | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tests/qemu-iotests/common.filter b/tests/qemu-iotests/common.filter index 21819db9c3a5..f53d8cbb9daa 100644 --- a/tests/qemu-iotests/common.filter
+++ b/tests/qemu-iotests/common.filter 
@@ -301,6 +301,10 @@ _filter_nbd() # Filter out the TCP port number since this changes between runs. sed -e '/nbd\/.*\.c:/d' \ -e 's#127\.0\.0\.1:[0-9]*#127.0.0.1:PORT#g' \ + -e 's#localhost:[0-9]*#localhost:PORT#g' \ + -e 's#host=127\.0\.0\.1,port=[0-9]*#host=127.0.0.1,port=PORT#g' \ + -e 's#host=localhost,port=[0-9]*#host=localhost,port=PORT#g' \ + -e "s#path=$SOCK_DIR#path=SOCK_DIR#g" \ -e "s#?socket=$SOCK_DIR#?socket=SOCK_DIR#g" \ -e 's#\(foo\|PORT/\?\|.sock\): Failed to .*$#\1#' }
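Review bot: in the _filter_nbd hunk the three new port rules use `[0-9]*`, which also matches an empty port, so a bare `localhost:` or `host=localhost,port=` with nothing after it is rewritten to `...PORT` and a missing-port bug in a test would be masked; `[0-9]\+` is the tighter pattern. The pre-existing `127\.0\.0\.1:[0-9]*` rule has the same shape, so this is at least consistent, but it would be good to fix all four together. Likewise the new `"s#path=$SOCK_DIR#path=SOCK_DIR#g"` interpolates the directory into the sed expression unescaped, exactly as the existing `?socket=$SOCK_DIR` rule does; a `#` or a regex metacharacter in the socket directory path would break both rules.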
From patchwork Tue Mar 8 01:44:12 2022
X-Patchwork-Submitter: Eric Blake
X-Patchwork-Id: 12772871
From: Eric Blake
To: qemu-devel@nongnu.org
Subject: [PULL 08/15] tests/qemu-iotests: introduce filter for qemu-nbd export list
Date: Mon, 7 Mar 2022 19:44:12 -0600
Message-Id: <20220308014419.3056549-9-eblake@redhat.com>
In-Reply-To: <20220308014419.3056549-1-eblake@redhat.com>
References: <20220308014419.3056549-1-eblake@redhat.com>
Cc: Kevin Wolf, Hanna Reitz, Daniel P. Berrangé, "open list:Block layer core"

From: Daniel P. Berrangé

Introduce a filter for the output of qemu-nbd export list so it can be reused in multiple tests. The filter is a bit more permissive than what test 241 currently uses, as it allows printing of the export count, along with any possible error messages that might be emitted.

Reviewed-by: Eric Blake
Signed-off-by: Daniel P. Berrangé
Message-Id: <20220304193610.3293146-9-berrange@redhat.com>
Tested-by: Eric Blake
Signed-off-by: Eric Blake --- tests/qemu-iotests/common.filter | 5 +++++ tests/qemu-iotests/241 | 6 +++--- tests/qemu-iotests/241.out | 6 ++++++ 3 files changed, 14 insertions(+), 3 deletions(-) diff --git a/tests/qemu-iotests/common.filter b/tests/qemu-iotests/common.filter index f53d8cbb9daa..9790411bf0e4 100644 --- a/tests/qemu-iotests/common.filter +++ b/tests/qemu-iotests/common.filter @@ -309,6 +309,11 @@ _filter_nbd() -e 's#\(foo\|PORT/\?\|.sock\): Failed to .*$#\1#' } +_filter_qemu_nbd_exports() +{ + grep '\(exports available\|export\|size\|min block\|qemu-nbd\):' +} + _filter_qmp_empty_return() { grep -v '{"return": {}}' diff --git a/tests/qemu-iotests/241 b/tests/qemu-iotests/241 index c962c8b6075d..f196650afad0 100755 --- a/tests/qemu-iotests/241 +++ b/tests/qemu-iotests/241 @@ -58,7 +58,7 @@ echo nbd_server_start_unix_socket -f $IMGFMT "$TEST_IMG_FILE" -$QEMU_NBD_PROG --list -k $nbd_unix_socket | grep '\(size\|min\)' +$QEMU_NBD_PROG --list -k $nbd_unix_socket | _filter_qemu_nbd_exports $QEMU_IMG map -f raw --output=json "$TEST_IMG" | _filter_qemu_img_map $QEMU_IO -f raw -c map "$TEST_IMG" nbd_server_stop @@ -71,7 +71,7 @@ echo # sector alignment, here at the server. nbd_server_start_unix_socket "$TEST_IMG_FILE" 2> "$TEST_DIR/server.log" -$QEMU_NBD_PROG --list -k $nbd_unix_socket | grep '\(size\|min\)' +$QEMU_NBD_PROG --list -k $nbd_unix_socket | _filter_qemu_nbd_exports $QEMU_IMG map -f raw --output=json "$TEST_IMG" | _filter_qemu_img_map $QEMU_IO -f raw -c map "$TEST_IMG" nbd_server_stop @@ -84,7 +84,7 @@ echo # Now force sector alignment at the client. nbd_server_start_unix_socket -f $IMGFMT "$TEST_IMG_FILE" -$QEMU_NBD_PROG --list -k $nbd_unix_socket | grep '\(size\|min\)' +$QEMU_NBD_PROG --list -k $nbd_unix_socket | _filter_qemu_nbd_exports $QEMU_IMG map --output=json "$TEST_IMG" | _filter_qemu_img_map $QEMU_IO -c map "$TEST_IMG" nbd_server_stop 
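Review bot: _filter_qemu_nbd_exports in the common.filter hunk carries no comment saying what it deliberately drops. The grep alternation `\(exports available\|export\|size\|min block\|qemu-nbd\):` keeps only those five line kinds, so `flags`, `opt block`, `max block` and `available meta contexts` lines, and any `server reported:` detail that accompanies a `qemu-nbd:` error, are discarded; a one-line comment above the function stating that it hides output that varies between image formats and server builds would stop future callers from expecting the full listing. Note also that `size:` matches the token anywhere on a line, not only the export size line, which is fine for qemu-nbd -L output today but worth recording next to the pattern.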
diff --git a/tests/qemu-iotests/241.out b/tests/qemu-iotests/241.out index 56e95b599a3d..88e8cfcd7e25 100644 --- a/tests/qemu-iotests/241.out +++ b/tests/qemu-iotests/241.out @@ -2,6 +2,8 @@ QA output created by 241 === Exporting unaligned raw image, natural alignment === +exports available: 1 + export: '' size: 1024 min block: 1 [{ "start": 0, "length": 1000, "depth": 0, "present": true, "zero": false, "data": true, "offset": OFFSET}, @@ -10,6 +12,8 @@ QA output created by 241 === Exporting unaligned raw image, forced server sector alignment === +exports available: 1 + export: '' size: 1024 min block: 512 [{ "start": 0, "length": 1024, "depth": 0, "present": true, "zero": false, "data": true, "offset": OFFSET}] 
@@ -20,6 +24,8 @@ WARNING: Image format was not specified for 'TEST_DIR/t.raw' and probing guessed === Exporting unaligned raw image, forced client sector alignment === +exports available: 1 + export: '' size: 1024 min block: 1 [{ "start": 0, "length": 1000, "depth": 0, "present": true, "zero": false, "data": true, "offset": OFFSET},
From patchwork Tue Mar 8 01:44:13 2022
X-Patchwork-Submitter: Eric Blake
X-Patchwork-Id: 12772880
From: Eric Blake
To: qemu-devel@nongnu.org
Subject: [PULL 09/15] tests/qemu-iotests: convert NBD TLS test to use standard filters
Date: Mon, 7 Mar 2022 19:44:13 -0600
Message-Id: <20220308014419.3056549-10-eblake@redhat.com>
In-Reply-To: <20220308014419.3056549-1-eblake@redhat.com>
References: <20220308014419.3056549-1-eblake@redhat.com>
Cc: Kevin Wolf, Hanna Reitz, Daniel P. Berrangé, "open list:Block layer core"

From: Daniel P. Berrangé

Using standard filters is more future proof than rolling our own.

Reviewed-by: Eric Blake
Signed-off-by: Daniel P. Berrangé
Message-Id: <20220304193610.3293146-10-berrange@redhat.com>
Signed-off-by: Eric Blake
--- tests/qemu-iotests/233 | 29 ++++++++++++++++------------- tests/qemu-iotests/233.out | 8 -------- 2 files changed, 16 insertions(+), 21 deletions(-) diff --git a/tests/qemu-iotests/233 b/tests/qemu-iotests/233 index 9ca7b68f42cf..050267298d67 100755 --- a/tests/qemu-iotests/233 +++ b/tests/qemu-iotests/233
@@ -65,7 +65,7 @@ tls_x509_create_client "ca1" "client3" echo echo "== preparing image ==" _make_test_img 64M -$QEMU_IO -c 'w -P 0x11 1m 1m' "$TEST_IMG" | _filter_qemu_io +$QEMU_IO -c 'w -P 0x11 1m 1m' "$TEST_IMG" 2>&1 | _filter_qemu_io echo echo "== check TLS client to plain server fails ==" @@ -74,9 +74,9 @@ nbd_server_start_tcp_socket -f $IMGFMT "$TEST_IMG" 2> "$TEST_DIR/server.log" obj=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0 $QEMU_IMG info --image-opts --object $obj \ driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \ - 2>&1 | sed "s/$nbd_tcp_port/PORT/g" + 2>&1 | _filter_nbd $QEMU_NBD_PROG -L -b $nbd_tcp_addr -p $nbd_tcp_port --object $obj \ - --tls-creds=tls0 + --tls-creds=tls0 2>&1 | _filter_qemu_nbd_exports nbd_server_stop @@ -88,8 +88,10 @@ nbd_server_start_tcp_socket \ --tls-creds tls0 \ -f $IMGFMT "$TEST_IMG" 2>> "$TEST_DIR/server.log" -$QEMU_IMG info nbd://localhost:$nbd_tcp_port 2>&1 | sed "s/$nbd_tcp_port/PORT/g" -$QEMU_NBD_PROG -L -b $nbd_tcp_addr -p $nbd_tcp_port +$QEMU_IMG info nbd://localhost:$nbd_tcp_port \ + 2>&1 | _filter_nbd +$QEMU_NBD_PROG -L -b $nbd_tcp_addr -p $nbd_tcp_port \ + 2>&1 | _filter_qemu_nbd_exports echo echo "== check TLS works ==" 
@@ -97,21 +99,21 @@ obj1=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0 obj2=tls-creds-x509,dir=${tls_dir}/client3,endpoint=client,id=tls0 $QEMU_IMG info --image-opts --object $obj1 \ driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \ - 2>&1 | sed "s/$nbd_tcp_port/PORT/g" + 2>&1 | _filter_nbd $QEMU_IMG info --image-opts --object $obj2 \ driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \ - 2>&1 | sed "s/$nbd_tcp_port/PORT/g" + 2>&1 | _filter_nbd $QEMU_NBD_PROG -L -b $nbd_tcp_addr -p $nbd_tcp_port --object $obj1 \ - --tls-creds=tls0 + --tls-creds=tls0 2>&1 | _filter_qemu_nbd_exports echo echo "== check TLS with different CA fails ==" obj=tls-creds-x509,dir=${tls_dir}/client2,endpoint=client,id=tls0 $QEMU_IMG info --image-opts --object $obj \ driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \ - 2>&1 | sed "s/$nbd_tcp_port/PORT/g" + 2>&1 | _filter_nbd $QEMU_NBD_PROG -L -b $nbd_tcp_addr -p $nbd_tcp_port --object $obj \ - --tls-creds=tls0 + --tls-creds=tls0 2>&1 | _filter_qemu_nbd_exports echo echo "== perform I/O over TLS ==" @@ -121,7 +123,8 @@ $QEMU_IO -c 'r -P 0x11 1m 1m' -c 'w -P 0x22 1m 1m' --image-opts \ driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \ 2>&1 | _filter_qemu_io -$QEMU_IO -f $IMGFMT -r -U -c 'r -P 0x22 1m 1m' "$TEST_IMG" | _filter_qemu_io +$QEMU_IO -f $IMGFMT -r -U -c 'r -P 0x22 1m 1m' "$TEST_IMG" \ + 2>&1 | _filter_qemu_io echo echo "== check TLS with authorization ==" 
@@ -139,12 +142,12 @@ nbd_server_start_tcp_socket \ $QEMU_IMG info --image-opts \ --object tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0 \ driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \ - 2>&1 | sed "s/$nbd_tcp_port/PORT/g" + 2>&1 | _filter_nbd $QEMU_IMG info --image-opts \ --object tls-creds-x509,dir=${tls_dir}/client3,endpoint=client,id=tls0 \ driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \ - 2>&1 | sed "s/$nbd_tcp_port/PORT/g" + 2>&1 | _filter_nbd echo echo "== final server log ==" diff --git a/tests/qemu-iotests/233.out b/tests/qemu-iotests/233.out index 4b1f6a0e1513..67a027d87986 100644 --- a/tests/qemu-iotests/233.out +++ b/tests/qemu-iotests/233.out @@ -17,15 +17,12 @@ wrote 1048576/1048576 bytes at offset 1048576 qemu-img: Could not open 'driver=nbd,host=127.0.0.1,port=PORT,tls-creds=tls0': Denied by server for option 5 (starttls) server reported: TLS not configured qemu-nbd: Denied by server for option 5 (starttls) -server reported: TLS not configured == check plain client to TLS server fails == qemu-img: Could not open 'nbd://localhost:PORT': TLS negotiation required before option 7 (go) Did you forget a valid tls-creds? server reported: Option 0x7 not permitted before TLS qemu-nbd: TLS negotiation required before option 3 (list) -Did you forget a valid tls-creds? -server reported: Option 0x3 not permitted before TLS == check TLS works == image: nbd://127.0.0.1:PORT 
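Review bot: in the 233.out hunk the dropped `-server reported: TLS not configured`, `-Did you forget a valid tls-creds?` and `-server reported: Option 0x3 not permitted before TLS` lines are not a behaviour change in qemu-nbd but a side effect of piping its output through _filter_qemu_nbd_exports, which only keeps lines matching its `qemu-nbd:` alternative. The test therefore no longer checks the server-supplied reason on the qemu-nbd path, and that reason is what distinguishes a TLS policy rejection from a generic connection failure; consider adding `server reported` to the filter's pattern so those diagnostics stay in the reference output.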
@@ -39,12 +36,7 @@ disk size: unavailable exports available: 1 export: '' size: 67108864 - flags: 0xced ( flush fua trim zeroes df cache fast-zero ) min block: 1 - opt block: 4096 - max block: 33554432 - available meta contexts: 1 - base:allocation == check TLS with different CA fails == qemu-img: Could not open 'driver=nbd,host=127.0.0.1,port=PORT,tls-creds=tls0': The certificate hasn't got a known issuer
From: Eric Blake
To: qemu-devel@nongnu.org
Subject: [PULL 10/15] tests/qemu-iotests: validate NBD TLS with hostname mismatch
Date: Mon, 7 Mar 2022 19:44:14 -0600
Message-Id: <20220308014419.3056549-11-eblake@redhat.com>
In-Reply-To: <20220308014419.3056549-1-eblake@redhat.com>
References: <20220308014419.3056549-1-eblake@redhat.com>
Cc: Kevin Wolf, Hanna Reitz, Daniel P. Berrangé, "open list:Block layer core"

From: Daniel P. Berrangé

This validates that connections to an NBD server where the certificate hostname does not match will fail. It further validates that using the new 'tls-hostname' override option can solve the failure.

Reviewed-by: Eric Blake
Signed-off-by: Daniel P. Berrangé
Message-Id: <20220304193610.3293146-11-berrange@redhat.com>
Signed-off-by: Eric Blake
---
 tests/qemu-iotests/common.tls | 7 ++++---
 tests/qemu-iotests/233 | 18 ++++++++++++++++++
 tests/qemu-iotests/233.out | 16 ++++++++++++++++
 3 files changed, 38 insertions(+), 3 deletions(-)
diff --git a/tests/qemu-iotests/common.tls b/tests/qemu-iotests/common.tls index 6ba28a78d3c8..4a5760949d0f 100644 --- a/tests/qemu-iotests/common.tls +++ b/tests/qemu-iotests/common.tls @@ -118,12 +118,13 @@ tls_x509_create_server() caname=$1 name=$2 + # We don't include 'localhost' in the cert, as + # we want to keep it unlisted to let tests + # validate hostname override mkdir -p "${tls_dir}/$name" cat > "${tls_dir}/cert.info" <&1 | _filter_qemu_nbd_exports +echo +echo "== check TLS fail over TCP with mismatched hostname ==" +obj1=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0 +$QEMU_IMG info --image-opts --object $obj1 \ + driver=nbd,host=localhost,port=$nbd_tcp_port,tls-creds=tls0 \ + 2>&1 | _filter_nbd +$QEMU_NBD_PROG -L -b localhost -p $nbd_tcp_port --object $obj1 \ + --tls-creds=tls0 | _filter_qemu_nbd_exports + +echo +echo "== check TLS works over TCP with mismatched hostname and override ==" +obj1=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0 +$QEMU_IMG info --image-opts --object $obj1 \ + driver=nbd,host=localhost,port=$nbd_tcp_port,tls-creds=tls0,tls-hostname=127.0.0.1 \ + 2>&1 | _filter_nbd +$QEMU_NBD_PROG -L -b localhost -p $nbd_tcp_port --object $obj1 \ + --tls-creds=tls0 --tls-hostname=127.0.0.1 | _filter_qemu_nbd_exports + echo echo "== check TLS with different CA fails ==" obj=tls-creds-x509,dir=${tls_dir}/client2,endpoint=client,id=tls0 diff --git a/tests/qemu-iotests/233.out b/tests/qemu-iotests/233.out index 67a027d87986..d42611bf74a6 100644 --- a/tests/qemu-iotests/233.out +++ b/tests/qemu-iotests/233.out 
@@ -38,6 +38,20 @@ exports available: 1 size: 67108864 min block: 1 +== check TLS fail over TCP with mismatched hostname == +qemu-img: Could not open 'driver=nbd,host=localhost,port=PORT,tls-creds=tls0': Certificate does not match the hostname localhost +qemu-nbd: Certificate does not match the hostname localhost + +== check TLS works over TCP with mismatched hostname and override == +image: nbd://localhost:PORT +file format: nbd +virtual size: 64 MiB (67108864 bytes) +disk size: unavailable +exports available: 1 + export: '' + size: 67108864 + min block: 1 + == check TLS with different CA fails == qemu-img: Could not open 'driver=nbd,host=127.0.0.1,port=PORT,tls-creds=tls0': The certificate hasn't got a known issuer qemu-nbd: The certificate hasn't got a known issuer 
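Review bot: the common.tls hunk as extracted here shows only the three added comment lines saying that 'localhost' is deliberately left out of the server certificate, yet the diffstat reports `tests/qemu-iotests/common.tls | 7 ++++---`, so the three deletions (presumably the localhost entries in the cert.info template written by `cat > "${tls_dir}/cert.info"`) are not visible; please confirm the generated server certificate names 127.0.0.1 but not localhost, because both new 233 cases depend on exactly that.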
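Review bot: the override case in the 233 hunk uses `tls-hostname=127.0.0.1`, a name the certificate does carry, so it shows the override is honoured but not that the override value is itself still verified; a third case connecting with `host=localhost` and a tls-hostname absent from the certificate should still fail with 'Certificate does not match the hostname', and adding it would catch a regression where the override silently turns hostname checking off. Minor: `obj1=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0` is assigned identically in both new sections; set it once so the two cases cannot drift apart.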
@@ -55,6 +69,8 @@ qemu-img: Could not open 'driver=nbd,host=127.0.0.1,port=PORT,tls-creds=tls0': F qemu-img: Could not open 'driver=nbd,host=127.0.0.1,port=PORT,tls-creds=tls0': Failed to read option reply: Cannot read from TLS channel: Software caused connection abort == final server log == +qemu-nbd: option negotiation failed: Failed to read opts magic: Cannot read from TLS channel: Software caused connection abort +qemu-nbd: option negotiation failed: Failed to read opts magic: Cannot read from TLS channel: Software caused connection abort qemu-nbd: option negotiation failed: Verify failed: No certificate was found. qemu-nbd: option negotiation failed: Verify failed: No certificate was found. qemu-nbd: option negotiation failed: TLS x509 authz check for DISTINGUISHED-NAME is denied

From patchwork Tue Mar 8 01:44:15 2022
X-Patchwork-Submitter: Eric Blake
X-Patchwork-Id: 12772869
From: Eric Blake
To: qemu-devel@nongnu.org
Subject: [PULL 11/15] tests/qemu-iotests: validate NBD TLS with UNIX sockets
Date: Mon, 7 Mar 2022 19:44:15 -0600
Message-Id: <20220308014419.3056549-12-eblake@redhat.com>
In-Reply-To: <20220308014419.3056549-1-eblake@redhat.com>
References: <20220308014419.3056549-1-eblake@redhat.com>
Cc: Kevin Wolf, Hanna Reitz, Daniel P. Berrangé, "open list:Block layer core"

From: Daniel P. Berrangé

This validates that connections to an NBD server running on a UNIX socket can use TLS, and require a TLS hostname override to pass certificate validation.

Reviewed-by: Eric Blake
Signed-off-by: Daniel P. Berrangé
Message-Id: <20220304193610.3293146-12-berrange@redhat.com>
[eblake: squash in rebase fix]
Tested-by: Eric Blake
Signed-off-by: Eric Blake
---
 tests/qemu-iotests/233 | 24 ++++++++++++++++++++++++
 tests/qemu-iotests/233.out | 16 ++++++++++++++++
 2 files changed, 40 insertions(+)
diff --git a/tests/qemu-iotests/233 b/tests/qemu-iotests/233 index c24d877be88e..442fd1378c1d 100755 --- a/tests/qemu-iotests/233 +++ b/tests/qemu-iotests/233 @@ -167,6 +167,30 @@ $QEMU_IMG info --image-opts \ driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \ 2>&1 | _filter_nbd +nbd_server_stop + +nbd_server_start_unix_socket \ + --object tls-creds-x509,dir=${tls_dir}/server1,endpoint=server,id=tls0,verify-peer=on \ + --tls-creds tls0 \ + -f $IMGFMT "$TEST_IMG" 2>> "$TEST_DIR/server.log" + +echo +echo "== check TLS fail over UNIX with no hostname ==" +obj1=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0 +$QEMU_IMG info --image-opts --object $obj1 \ + driver=nbd,path=$nbd_unix_socket,tls-creds=tls0 2>&1 | _filter_nbd +$QEMU_NBD_PROG -L -k $nbd_unix_socket --object $obj1 --tls-creds=tls0 \ + 2>&1 | _filter_qemu_nbd_exports + +echo +echo "== check TLS works over UNIX with hostname override ==" +obj1=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0 +$QEMU_IMG info --image-opts --object $obj1 \ + driver=nbd,path=$nbd_unix_socket,tls-creds=tls0,tls-hostname=127.0.0.1 \ + 2>&1 | _filter_nbd +$QEMU_NBD_PROG -L -k $nbd_unix_socket --object $obj1 \ + --tls-creds=tls0 --tls-hostname=127.0.0.1 2>&1 | _filter_qemu_nbd_exports + echo echo "== final server log ==" cat "$TEST_DIR/server.log" | _filter_authz_check_tls diff --git a/tests/qemu-iotests/233.out b/tests/qemu-iotests/233.out index d42611bf74a6..6e55be779946 100644 --- a/tests/qemu-iotests/233.out +++ b/tests/qemu-iotests/233.out 
@@ -68,6 +68,20 @@ read 1048576/1048576 bytes at offset 1048576 qemu-img: Could not open 'driver=nbd,host=127.0.0.1,port=PORT,tls-creds=tls0': Failed to read option reply: Cannot read from TLS channel: Software caused connection abort qemu-img: Could not open 'driver=nbd,host=127.0.0.1,port=PORT,tls-creds=tls0': Failed to read option reply: Cannot read from TLS channel: Software caused connection abort +== check TLS fail over UNIX with no hostname == +qemu-img: Could not open 'driver=nbd,path=SOCK_DIR/qemu-nbd.sock,tls-creds=tls0': No hostname for certificate validation +qemu-nbd: No hostname for certificate validation + +== check TLS works over UNIX with hostname override == +image: nbd+unix://?socket=SOCK_DIR/qemu-nbd.sock +file format: nbd +virtual size: 64 MiB (67108864 bytes) +disk size: unavailable +exports available: 1 + export: '' + size: 67108864 + min block: 1 + == final server log == qemu-nbd: option negotiation failed: Failed to read opts magic: Cannot read from TLS channel: Software caused connection abort qemu-nbd: option negotiation failed: Failed to read opts magic: Cannot read from TLS channel: Software caused connection abort 
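Review bot: the two qemu-nbd invocations in the 233 hunk redirect stderr with `2>&1` before piping into _filter_qemu_nbd_exports, whereas the TCP variants added in the previous patch (`$QEMU_NBD_PROG -L -b localhost -p $nbd_tcp_port --object $obj1 --tls-creds=tls0 | _filter_qemu_nbd_exports`) do not, so the 'qemu-nbd: No hostname for certificate validation' line here passes through the filter while the TCP error line bypasses it; use one form for both so the .out files stay comparable. The 'check TLS fail over UNIX with no hostname' case is the one that proves the client refuses x509 verification when it has no hostname to match at all (a UNIX path gives it none), which is a different failure from the TCP mismatch case; a one-line comment in the test saying so would help future readers keep the two apart.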
@@ -75,4 +89,6 @@ qemu-nbd: option negotiation failed: Verify failed: No certificate was found. qemu-nbd: option negotiation failed: Verify failed: No certificate was found. qemu-nbd: option negotiation failed: TLS x509 authz check for DISTINGUISHED-NAME is denied qemu-nbd: option negotiation failed: TLS x509 authz check for DISTINGUISHED-NAME is denied +qemu-nbd: option negotiation failed: Failed to read opts magic: Cannot read from TLS channel: Software caused connection abort +qemu-nbd: option negotiation failed: Failed to read opts magic: Cannot read from TLS channel: Software caused connection abort *** done

From patchwork Tue Mar 8 01:44:16 2022
X-Patchwork-Submitter: Eric Blake
X-Patchwork-Id: 12772881
From: Eric Blake
To: qemu-devel@nongnu.org
Subject: [PULL 12/15] tests/qemu-iotests: validate NBD TLS with UNIX sockets and PSK
Date: Mon, 7 Mar 2022 19:44:16 -0600
Message-Id: <20220308014419.3056549-13-eblake@redhat.com>
In-Reply-To: <20220308014419.3056549-1-eblake@redhat.com>
References: <20220308014419.3056549-1-eblake@redhat.com>
Cc: Kevin Wolf, Hanna Reitz, Daniel P. Berrangé, "open list:Block layer core"

From: Daniel P. Berrangé

This validates that connections to an NBD server running on a UNIX socket can use TLS with pre-shared keys (PSK).

Reviewed-by: Eric Blake
Signed-off-by: Daniel P. Berrangé
Message-Id: <20220304193610.3293146-13-berrange@redhat.com>
[eblake: squash in rebase fix]
Tested-by: Eric Blake
Signed-off-by: Eric Blake
---
 tests/qemu-iotests/common.tls | 24 ++++++++++++++++++++++++
 tests/qemu-iotests/233 | 28 ++++++++++++++++++++++++++++
 tests/qemu-iotests/233.out | 18 ++++++++++++++++++
 3 files changed, 70 insertions(+)
diff --git a/tests/qemu-iotests/common.tls b/tests/qemu-iotests/common.tls index 4a5760949d0f..b9c546298610 100644 --- a/tests/qemu-iotests/common.tls +++ b/tests/qemu-iotests/common.tls @@ -24,6 +24,7 @@ tls_x509_cleanup() { rm -f "${tls_dir}"/*.pem rm -f "${tls_dir}"/*/*.pem + rm -f "${tls_dir}"/*/*.psk rmdir "${tls_dir}"/* rmdir "${tls_dir}" } @@ -40,6 +41,18 @@ tls_certtool() rm -f "${tls_dir}"/certtool.log } +tls_psktool() +{ + psktool "$@" 1>"${tls_dir}"/psktool.log 2>&1 + if test "$?" = 0; then + head -1 "${tls_dir}"/psktool.log + else + cat "${tls_dir}"/psktool.log + fi + rm -f "${tls_dir}"/psktool.log +} + + tls_x509_init() { (certtool --help) >/dev/null 2>&1 || \ @@ -176,3 +189,14 @@ EOF rm -f "${tls_dir}/cert.info" } + +tls_psk_create_creds() +{ + name=$1 + + mkdir -p "${tls_dir}/$name" + + tls_psktool \ + --pskfile "${tls_dir}/$name/keys.psk" \ + --username "$name" +} diff --git a/tests/qemu-iotests/233 b/tests/qemu-iotests/233 index 442fd1378c1d..55db5b3811fd 100755 --- a/tests/qemu-iotests/233 +++ b/tests/qemu-iotests/233 @@ -61,6 +61,8 @@ tls_x509_create_server "ca1" "server1" tls_x509_create_client "ca1" "client1" tls_x509_create_client "ca2" "client2" tls_x509_create_client "ca1" "client3" +tls_psk_create_creds "psk1" +tls_psk_create_creds "psk2" echo echo "== preparing image ==" 
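Review bot: tls_psk_create_creds runs psktool unconditionally, but nothing probes for it the way tls_x509_init probes for certtool with `(certtool --help) >/dev/null 2>&1 || \`, so on a host without psktool the test fails at key generation with a psktool.log dump instead of being skipped cleanly; add the equivalent availability check (in tls_x509_init or a new tls_psk_init called from 233). Also, tls_psktool only prints `head -1` of the log on success, so if psktool ever emits more than the one 'Generating a random key for user' line that 233.out now expects, the extra output is hidden rather than surfaced; that is acceptable for stable output, but worth a comment so the truncation is not mistaken for a bug later.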
@@ -191,6 +193,32 @@ $QEMU_IMG info --image-opts --object $obj1 \ $QEMU_NBD_PROG -L -k $nbd_unix_socket --object $obj1 \ --tls-creds=tls0 --tls-hostname=127.0.0.1 2>&1 | _filter_qemu_nbd_exports + +echo +echo "== check TLS works over UNIX with PSK ==" +nbd_server_stop + +nbd_server_start_unix_socket \ + --object tls-creds-psk,dir=${tls_dir}/psk1,endpoint=server,id=tls0,verify-peer=on \ + --tls-creds tls0 \ + -f $IMGFMT "$TEST_IMG" 2>> "$TEST_DIR/server.log" + +obj1=tls-creds-psk,dir=${tls_dir}/psk1,username=psk1,endpoint=client,id=tls0 +$QEMU_IMG info --image-opts --object $obj1 \ + driver=nbd,path=$nbd_unix_socket,tls-creds=tls0 \ + 2>&1 | _filter_nbd +$QEMU_NBD_PROG -L -k $nbd_unix_socket --object $obj1 \ + --tls-creds=tls0 2>&1 | _filter_qemu_nbd_exports + +echo +echo "== check TLS fails over UNIX with mismatch PSK ==" +obj1=tls-creds-psk,dir=${tls_dir}/psk2,username=psk2,endpoint=client,id=tls0 +$QEMU_IMG info --image-opts --object $obj1 \ + driver=nbd,path=$nbd_unix_socket,tls-creds=tls0 \ + 2>&1 | _filter_nbd +$QEMU_NBD_PROG -L -k $nbd_unix_socket --object $obj1 \ + --tls-creds=tls0 2>&1 | _filter_qemu_nbd_exports + echo echo "== final server log ==" cat "$TEST_DIR/server.log" | _filter_authz_check_tls diff --git a/tests/qemu-iotests/233.out b/tests/qemu-iotests/233.out index 6e55be779946..237c82767ea3 100644 --- a/tests/qemu-iotests/233.out +++ b/tests/qemu-iotests/233.out @@ -7,6 +7,8 @@ Generating a signed certificate... Generating a signed certificate... Generating a signed certificate... Generating a signed certificate... +Generating a random key for user 'psk1' +Generating a random key for user 'psk2' == preparing image == Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 
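Review bot: the 'check TLS fails over UNIX with mismatch PSK' case connects with `username=psk2` from the psk2 directory against a server loaded only with psk1's keys.psk, so it exercises the unknown-identity path (hence the server-side 'An illegal parameter has been received'); it does not cover a known identity presented with the wrong key, which would need a client using `username=psk1` together with psk2's key file, and that is the case a server actually faces from a client holding a stale or wrong secret, so it is worth adding. Note too that both expected strings ('TLS handshake failed: The TLS connection was non-properly terminated.' on the client and the 'illegal parameter' text in the server log) are GnuTLS messages baked into 233.out, so a GnuTLS upgrade can break this test without any QEMU change.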
@@ -82,6 +84,20 @@ exports available: 1 size: 67108864 min block: 1 +== check TLS works over UNIX with PSK == +image: nbd+unix://?socket=SOCK_DIR/qemu-nbd.sock +file format: nbd +virtual size: 64 MiB (67108864 bytes) +disk size: unavailable +exports available: 1 + export: '' + size: 67108864 + min block: 1 + +== check TLS fails over UNIX with mismatch PSK == +qemu-img: Could not open 'driver=nbd,path=SOCK_DIR/qemu-nbd.sock,tls-creds=tls0': TLS handshake failed: The TLS connection was non-properly terminated. +qemu-nbd: TLS handshake failed: The TLS connection was non-properly terminated. + == final server log == qemu-nbd: option negotiation failed: Failed to read opts magic: Cannot read from TLS channel: Software caused connection abort qemu-nbd: option negotiation failed: Failed to read opts magic: Cannot read from TLS channel: Software caused connection abort 
@@ -91,4 +107,6 @@ qemu-nbd: option negotiation failed: TLS x509 authz check for DISTINGUISHED-NAME qemu-nbd: option negotiation failed: TLS x509 authz check for DISTINGUISHED-NAME is denied qemu-nbd: option negotiation failed: Failed to read opts magic: Cannot read from TLS channel: Software caused connection abort qemu-nbd: option negotiation failed: Failed to read opts magic: Cannot read from TLS channel: Software caused connection abort +qemu-nbd: option negotiation failed: TLS handshake failed: An illegal parameter has been received. +qemu-nbd: option negotiation failed: TLS handshake failed: An illegal parameter has been received. *** done

From patchwork Tue Mar 8 01:44:17 2022
X-Patchwork-Submitter: Eric Blake
X-Patchwork-Id: 12772878
From: Eric Blake
To: qemu-devel@nongnu.org
Subject: [PULL 13/15] nbd/server: Minor cleanups
Date: Mon, 7 Mar 2022 19:44:17 -0600
Message-Id: <20220308014419.3056549-14-eblake@redhat.com>
In-Reply-To: <20220308014419.3056549-1-eblake@redhat.com>
References: <20220308014419.3056549-1-eblake@redhat.com>
Cc: Vladimir Sementsov-Ogievskiy, "open list:Network Block Dev..."

Spelling fixes, grammar improvements and consistent spacing, noticed while preparing other patches in this file.

Signed-off-by: Eric Blake
Message-Id: <20211203231539.3900865-2-eblake@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy
---
 nbd/server.c | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/nbd/server.c b/nbd/server.c index 9fb2f264023e..ba6f71e15d49 100644 --- a/nbd/server.c +++ b/nbd/server.c
@@ -2084,11 +2084,10 @@ static void nbd_extent_array_convert_to_be(NBDExtentArray *ea) * Add extent to NBDExtentArray. If extent can't be added (no available space), * return -1. * For safety, when returning -1 for the first time, .can_add is set to false, - * further call to nbd_extent_array_add() will crash. - * (to avoid the situation, when after failing to add an extent (returned -1), - * user miss this failure and add another extent, which is successfully added - * (array is full, but new extent may be squashed into the last one), then we - * have invalid array with skipped extent) + * and further calls to nbd_extent_array_add() will crash. + * (this avoids the situation where a caller ignores failure to add one extent, + * where adding another extent that would squash into the last array entry + * would result in an incorrect range reported to the client) */ static int nbd_extent_array_add(NBDExtentArray *ea, uint32_t length, uint32_t flags) @@ -2287,7 +2286,7 @@ static int nbd_co_receive_request(NBDRequestData *req, NBDRequest *request, assert(client->recv_coroutine == qemu_coroutine_self()); ret = nbd_receive_request(client, request, errp); if (ret < 0) { - return ret; + return ret; } trace_nbd_co_receive_request_decode_type(request->handle, request->type, 
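Review bot: in the first hunk the rewritten parenthetical '(this avoids the situation where a caller ignores failure to add one extent, where adding another extent that would squash into the last array entry would result in an incorrect range reported to the client)' stacks two 'where' clauses and is still hard to parse; suggest '(this avoids the situation where a caller ignores the failure to add one extent and then adds another that would be squashed into the last array entry, yielding an incorrect range reported to the client)'. The second hunk is a whitespace-only change to `return ret;`, which is fine in a cleanup patch.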
@@ -2647,7 +2646,7 @@ static coroutine_fn void nbd_trip(void *opaque) } if (ret < 0) { - /* It wans't -EIO, so, according to nbd_co_receive_request() + /* It wasn't -EIO, so, according to nbd_co_receive_request() * semantics, we should return the error to the client. */ Error *export_err = local_err;

From patchwork Tue Mar 8 01:44:18 2022
X-Patchwork-Submitter: Eric Blake
X-Patchwork-Id: 12772892
From: Eric Blake
To: qemu-devel@nongnu.org
Subject: [PULL 14/15] qemu-io: Utilize 64-bit status during map
Date: Mon, 7 Mar 2022 19:44:18 -0600
Message-Id: <20220308014419.3056549-15-eblake@redhat.com>
In-Reply-To: <20220308014419.3056549-1-eblake@redhat.com>
References: <20220308014419.3056549-1-eblake@redhat.com>
Cc: Kevin Wolf, Hanna Reitz, Vladimir Sementsov-Ogievskiy, "open list:Block layer core"

The block layer has supported 64-bit block status from drivers since commit 86a3d5c688 ("block: Add .bdrv_co_block_status() callback", v2.12) and friends, with individual driver callbacks responsible for capping things where necessary. Artificially capping things below 2G in the qemu-io 'map' command, added in commit d6a644bbfe ("block: Make bdrv_is_allocated() byte-based", v2.10) is thus no longer necessary.
One way to test this is with qemu-nbd as server on a raw file larger than 4G (the entire file should show as allocated), plus 'qemu-io -f raw -c map nbd://localhost --trace=nbd_\*' as client. Prior to this patch, the NBD_CMD_BLOCK_STATUS requests are fragmented at 0x7ffffe00 distances; with this patch, the fragmenting changes to 0x7fffffff (since the NBD protocol is currently still limited to 32-bit transactions - see block/nbd.c:nbd_client_co_block_status). Then in later patches, once I add an NBD extension for a 64-bit block status, the same map command completes with just one NBD_CMD_BLOCK_STATUS. Signed-off-by: Eric Blake Message-Id: <20211203231539.3900865-3-eblake@redhat.com> Reviewed-by: Vladimir Sementsov-Ogievskiy --- qemu-io-cmds.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/qemu-io-cmds.c b/qemu-io-cmds.c index 46593d632d8f..954955c12fb9 100644 --- a/qemu-io-cmds.c +++ b/qemu-io-cmds.c @@ -1993,11 +1993,9 @@ static int map_is_allocated(BlockDriverState *bs, int64_t offset, int64_t bytes, int64_t *pnum) { int64_t num; - int num_checked; int ret, firstret; - num_checked = MIN(bytes, BDRV_REQUEST_MAX_BYTES); - ret = bdrv_is_allocated(bs, offset, num_checked, &num); + ret = bdrv_is_allocated(bs, offset, bytes, &num); if (ret < 0) { return ret; } 
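Review bot: with the `num_checked = MIN(bytes, BDRV_REQUEST_MAX_BYTES)` cap gone from the first bdrv_is_allocated() call, nothing inside map_is_allocated() records why passing the full int64_t `bytes` is safe; the justification (driver callbacks cap the status query themselves) lives only in the commit message. A one-line comment above `ret = bdrv_is_allocated(bs, offset, bytes, &num);` stating that the block layer is responsible for fragmenting oversized status requests would keep that invariant visible next to the code that depends on it.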
@@ -2009,8 +2007,7 @@ static int map_is_allocated(BlockDriverState *bs, int64_t offset, offset += num; bytes -= num; - num_checked = MIN(bytes, BDRV_REQUEST_MAX_BYTES); - ret = bdrv_is_allocated(bs, offset, num_checked, &num); + ret = bdrv_is_allocated(bs, offset, bytes, &num); if (ret == firstret && num) { *pnum += num; } else {

From patchwork Tue Mar 8 01:44:19 2022
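Review bot: the loop body now also passes the remaining `bytes` straight through, so each iteration's progress depends entirely on the callee returning `num <= bytes` (see `bytes -= num` just above the call); previously the MIN cap bounded each step independently of the driver. The qemu-nbd setup described in the commit message (raw file larger than 4G, `qemu-io -c map`) is the right regression check here: confirm `*pnum` accumulates to the full length and that the loop does not stop or spin at the first 2G boundary.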
From: Eric Blake
To: qemu-devel@nongnu.org
Subject: [PULL 15/15] qemu-io: Allow larger write zeroes under no fallback
Date: Mon, 7 Mar 2022 19:44:19 -0600
Message-Id: <20220308014419.3056549-16-eblake@redhat.com>
In-Reply-To: <20220308014419.3056549-1-eblake@redhat.com>
References: <20220308014419.3056549-1-eblake@redhat.com>
Cc: Kevin Wolf, Hanna Reitz, Vladimir Sementsov-Ogievskiy, "open list:Block layer core"

When writing zeroes can fall back to a slow write, permitting an overly large request can become an amplification denial of service attack in triggering a large amount of work from a small request. But the whole point of the no fallback flag is to quickly determine if writing an entire device to zero can be done quickly (such as when it is already known that the device started with zero contents); in those cases, artificially capping things at 2G in qemu-io itself doesn't help us.
Signed-off-by: Eric Blake Message-Id: <20211203231539.3900865-4-eblake@redhat.com> Reviewed-by: Vladimir Sementsov-Ogievskiy --- qemu-io-cmds.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/qemu-io-cmds.c b/qemu-io-cmds.c index 954955c12fb9..45a957093369 100644 --- a/qemu-io-cmds.c +++ b/qemu-io-cmds.c @@ -603,10 +603,6 @@ static int do_co_pwrite_zeroes(BlockBackend *blk, int64_t offset, .done = false, }; - if (bytes > INT_MAX) { - return -ERANGE; - } - co = qemu_coroutine_create(co_pwrite_zeroes_entry, &data); bdrv_coroutine_enter(blk_bs(blk), co); while (!data.done) { @@ -1160,8 +1156,9 @@ static int write_f(BlockBackend *blk, int argc, char **argv) if (count < 0) { print_cvtnum_err(count, argv[optind]); return count; - } else if (count > BDRV_REQUEST_MAX_BYTES) { - printf("length cannot exceed %" PRIu64 ", given %s\n", + } else if (count > BDRV_REQUEST_MAX_BYTES && + !(flags & BDRV_REQ_NO_FALLBACK)) { + printf("length cannot exceed %" PRIu64 " without -n, given %s\n", (uint64_t)BDRV_REQUEST_MAX_BYTES, argv[optind]); return -EINVAL; }
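Review bot: removing the `if (bytes > INT_MAX) return -ERANGE;` guard leaves do_co_pwrite_zeroes() with no range validation of its own; the only cap still visible in this patch is the one in write_f(), which after the second hunk applies only when BDRV_REQ_NO_FALLBACK is not set. If any other caller reaches do_co_pwrite_zeroes() (none are shown in these hunks), it now inherits unbounded `bytes`, so please either confirm write_f() is the sole caller or keep a defensive check in the helper.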
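Review bot: in the write_f() hunk the relaxed branch keys only on `!(flags & BDRV_REQ_NO_FALLBACK)`, so a `count` above BDRV_REQUEST_MAX_BYTES is accepted whenever -n is present; the hunk does not show whether -n is rejected unless a zero write is also requested, which is the case the commit message argues is cheap. Please confirm that combination is enforced earlier in option parsing so that the new `"length cannot exceed %" PRIu64 " without -n, given %s\n"` path cannot be reached by a large non-zero write, which is exactly the amplification the commit message describes.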