This is an RFC patch to introduce TLS support on nbdserver & nbdclient.
This is *NOT* production ready by any means, and is submitted for comment. I have added crypto-gnutls.[ch] from: github.com/abligh/tlsproxy which is my attempt at an MIT licenced GnuTLS proxy. The proxy element is standalone, and is incorporated here. Whilst it's not GPL licensed, MIT is compatible. Also it uses GNU format indentation (sorry about that). However, it (together with buffer.[ch]) is almost entirely self-contained.

The same approach is taken for nbdclient. As the proxy runs as an independent process, nbdclient can launch it, then call the DOIT ioctl() on one end of the created socketpair(). The proxy process then drops into the background and closes after either the kernel closes the socket or the other end closes the socket.

I have tested this to a minimal extent against qemu-img (i.e. qemu acting as a client). The problem (see nbdgeneral ad nauseam) we have with NBD_CMD_DISC means that we see false reports of 'magic number mismatch'. This appears to be because read() returns 0 in negotiate(), and nbdserver does not check for this. It then reverses (again) the *previous* magic number, using ntohll(), and this causes the 'magic number mismatch' issue. This isn't really a problem but causes confusing errors.

I have also tested nbd-client against nbd-server with TLS, and the test suite tests nbd-tester-client against nbd-server with TLS.

The first two patches are preparatory work, and the third patch actually adds NBD_OPT_STARTTLS. The comment in that patch shows what is left to figure out.
Changes from v4:
* Fix hash table up so we can count number of server children
* Change keys & certs to ones that have a 10 year expiry time
* Make it clear keys and certs are not GPLv2 licensed
* Rebase onto master

Changes from v3:
* Move set_nonblocking to cliserv.[ch]
* Various nits from Wouter
* I've not (yet) adjusted the return code from nbdserver to NBD_OPT_STARTTLS when TLS isn't compiled in, until we figure out whether the suggested value is permitted by the spec.

Changes from v2:
* Add support for nbd-client
* Wouter's changes to Makefile.am and conditional compilation.

Changes from v1:
* Added support for TLS to nbd-tester-client. Weirdly it passed first time.
* In doing so, folded into this series the two patches to ndb-tester-client.c into this series. Note the FIXED_NEWSTYLE patch earlier missed host/network ordering.
* Per Wouter, use AM_CONDITIONAL rather than #ifdef'ing out files
* Per Wouter, do the test for GnuTLS later.

Alex Bligh (7):
  Add GnuTLS infrastructure
  Add options for TLS support for server
  Add TLS support to server
  Change child hashtable to record child type
  Add TLS testing to nbd-tester-client.c
  Add options to nbd-client for TLS support
  Add TLS support to NBD client

 Makefile.am                     |   5 +
 buffer.c                        | 225 +++++++++++++++
 buffer.h                        |  45 +++
 cliserv.c                       |  17 +-
 cliserv.h                       |   2 +
 configure.ac                    |  15 +
 crypto-gnutls.c                 | 624 ++++++++++++++++++++++++++++++++++++++++
 crypto-gnutls.h                 |  43 +++
 man/nbd-server.5.in.sgml        |  65 +++++
 nbd-client.c                    | 179 +++++++++++-
 nbd-server.c                    | 249 +++++++++++++---
 nbd.h                           |   2 +
 nbdsrv.h                        |   1 +
 tests/run/Makefile.am           |  14 +-
 tests/run/certs/README.md       |  69 +++++
 tests/run/certs/ca-cert.pem     |  20 ++
 tests/run/certs/ca-key.pem      |  32 +++
 tests/run/certs/ca.info         |   4 +
 tests/run/certs/client-cert.pem |  23 ++
 tests/run/certs/client-key.pem  |  32 +++
 tests/run/certs/client.info     |   9 +
 tests/run/certs/server-cert.pem |  22 ++
 tests/run/certs/server-key.pem  |  32 +++
 tests/run/certs/server.info     |   6 +
 tests/run/nbd-tester-client.c   | 155 +++++++++-
 tests/run/simple_test           |  45 +++
 26 files changed, 1886 insertions(+), 49 deletions(-)
 create mode 100644 buffer.c
 create mode 100644 buffer.h
 create mode 100644 crypto-gnutls.c
 create mode 100644 crypto-gnutls.h
 create mode 100644 tests/run/certs/README.md
 create mode 100644 tests/run/certs/ca-cert.pem
 create mode 100644 tests/run/certs/ca-key.pem
 create mode 100644 tests/run/certs/ca.info
 create mode 100644 tests/run/certs/client-cert.pem
 create mode 100644 tests/run/certs/client-key.pem
 create mode 100644 tests/run/certs/client.info
 create mode 100644 tests/run/certs/server-cert.pem
 create mode 100644 tests/run/certs/server-key.pem
 create mode 100644 tests/run/certs/server.info

-- 
1.9.1

_______________________________________________
Nbd-general mailing list
https://lists.sourceforge.net/lists/listinfo/nbd-general
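The negotiate() failure mode described in the cover letter (read() returning 0 going unchecked, so the previous magic is byte-swapped again and reported as a mismatch), as an added example that is not part of this patch series or the nbd code base: a magic-reading helper that reports a clean EOF and a truncated read as distinct outcomes and never touches the caller's buffer in those cases. It assumes NBD's initial greeting "NBDMAGIC" as the expected value; the names read_exact, be64_to_host and read_magic are the example's own.

```c
#include <errno.h>
#include <stdint.h>
#include <unistd.h>

/* Example value: NBD's initial greeting is the ASCII string "NBDMAGIC". */
#define NBD_INIT_MAGIC 0x4E42444D41474943ULL

/* Outcomes of reading one 64-bit big-endian magic from a socket. */
enum magic_result { MAGIC_OK, MAGIC_EOF, MAGIC_MISMATCH, MAGIC_IOERR };

/* Read exactly len bytes. Returns 1 on success, 0 if the peer closed
 * before sending anything (clean EOF, the case negotiate() is said to
 * miss), -1 on error or truncated input. */
static int read_exact(int fd, void *buf, size_t len)
{
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, (char *)buf + got, len - got);
        if (n == 0) return got == 0 ? 0 : -1;   /* peer closed the socket */
        if (n < 0) {
            if (errno == EINTR) continue;       /* interrupted: retry */
            return -1;
        }
        got += (size_t)n;
    }
    return 1;
}

/* Network-to-host conversion of 8 bytes, independent of ntohll(). */
static uint64_t be64_to_host(const unsigned char b[8])
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v = (v << 8) | b[i];
    return v;
}

/* Read the next magic and compare it with expected. On EOF or I/O error
 * *magic is left untouched and a distinct result is returned, so a stale
 * value from the previous exchange is never byte-swapped and compared
 * again (which is what produces the spurious "magic number mismatch"). */
static enum magic_result read_magic(int fd, uint64_t expected, uint64_t *magic)
{
    unsigned char raw[8];
    int rc = read_exact(fd, raw, sizeof raw);
    if (rc == 0) return MAGIC_EOF;
    if (rc < 0) return MAGIC_IOERR;
    *magic = be64_to_host(raw);
    return *magic == expected ? MAGIC_OK : MAGIC_MISMATCH;
}
```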
