search for: psk

v2: * Improved documentation. * Added a test (interop with qemu client).

...mber without worrying about what comes after the number. Signed-off-by: Eric Blake <eblake@redhat.com> --- We could still use jq if desired, but it was easy enough to let these tests pass instead of skip when jq is not present. tests/test-ip.sh | 10 ++++++---- tests/test-nbd-tls-psk.sh | 6 +++--- tests/test-nbd-tls.sh | 6 +++--- tests/test-tls-psk.sh | 7 +++---- tests/test-tls.sh | 7 +++---- tests/test-truncate3.sh | 4 ++-- 6 files changed, 20 insertions(+), 20 deletions(-) diff --git a/tests/test-ip.sh b/tests/test-ip.sh index 636d3d3f..5a00a2ec 1...

...76bc7. Signed-off-by: Eric Blake <eblake@redhat.com> --- My current setup does not seem to be hitting the testsuite hang/failure as frequently as Rich's setup, so for now I'm posting this in the hopes that we can see if it reduces the rate of testsuite failures. tests/test-nbd-tls-psk.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tests/test-nbd-tls-psk.sh b/tests/test-nbd-tls-psk.sh index 7a477da9..547064ab 100755 --- a/tests/test-nbd-tls-psk.sh +++ b/tests/test-nbd-tls-psk.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash # nbdkit -# Copyright (C) 201...

...we already depend on jq elsewhere in the testsuite. But since I'd already got this written up, I'm at least posting it (if nothing else, to have a list archive to point to when someone else complains about qemu-img changing output). tests/test-ip.sh | 4 ++-- tests/test-nbd-tls-psk.sh | 2 +- tests/test-nbd-tls.sh | 2 +- tests/test-tls-psk.sh | 2 +- tests/test-tls.sh | 2 +- tests/test-truncate3.sh | 2 +- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/tests/test-ip.sh b/tests/test-ip.sh index 636d3d3f..60f2e066 100755 --- a/tests/test-ip.s...

...lake@redhat.com> > --- > > My current setup does not seem to be hitting the testsuite > hang/failure as frequently as Rich's setup, so for now I'm posting > this in the hopes that we can see if it reduces the rate of testsuite > failures. > > tests/test-nbd-tls-psk.sh | 10 +++++----- > 1 file changed, 5 insertions(+), 5 deletions(-) > > diff --git a/tests/test-nbd-tls-psk.sh b/tests/test-nbd-tls-psk.sh > index 7a477da9..547064ab 100755 > --- a/tests/test-nbd-tls-psk.sh > +++ b/tests/test-nbd-tls-psk.sh > @@ -1,6 +1,6 @@ > #!/usr/bin...

This is ready for review but needs a bit more real-world testing before I'd be happy about it going upstream. It also needs tests. It does interoperate with qemu, at least in my limited tests. Rich.

...+11,7 @@ nbdkit - A toolkit for creating NBD servers [--newstyle] [--oldstyle] [-P PIDFILE] [-p PORT] [-r] [--run CMD] [-s] [--selinux-label LABEL] [-t THREADS] [--tls=off|on|require] [--tls-certificates /path/to/certificates] - [--tls-verify-peer] + [--tls-psk /path/to/pskfile] [--tls-verify-peer] [-U SOCKET] [-u USER] [-v] [-V] PLUGIN [key=value [key=value [...]]] @@ -288,6 +288,12 @@ support). See L</TLS> below. Set the path to the TLS certificates directory. If not specified, some built-in paths are checked. See L</TL...

I was a little surprised to find that LIBNBD_TLS_ALLOW worked out of the box, so I had to examine the logs whereupon I saw the magic message ... libnbd: debug: nbd1: nbd_connect_command: server refused TLS (policy), continuing with unencrypted connection I don't believe this path has ever been tested before. It's possible the tests could be improved if they actually checked for this

...nes wrote: > --- > docs/nbdkit.pod.in | 45 +++++++++-- > src/crypto.c | 234 +++++++++++++++++++++++++++++++++++++---------------- > src/internal.h | 1 + > src/main.c | 8 +- > 4 files changed, 210 insertions(+), 78 deletions(-) > > +Create a PSK file containing one or more C<username:key> pairs. It is > +easiest to use L<psktool(1)> for this: > + > + psktool -u rich -p /tmp/psk > + > +The PSK file contains the hex-encoded random keys in plaintext. Any > +client which can read this file will be able to connec...

...> src/crypto.c | 234 > +++++++++++++++++++++++++++++++++++++---------------- > > > src/internal.h | 1 + > > > src/main.c | 8 +- > > > 4 files changed, 210 insertions(+), 78 deletions(-) > > > > > > > > +Create a PSK file containing one or more C<username:key> pairs. It is > > > +easiest to use L<psktool(1)> for this: > > > + > > > + psktool -u rich -p /tmp/psk > > > + > > > +The PSK file contains the hex-encoded random keys in plaintext. Any > >...

...ab47370..dd8a052 100644 --- a/.gitignore +++ b/.gitignore @@ -62,7 +62,11 @@ Makefile.in /interop/dirty-bitmap /interop/interop-nbdkit /interop/interop-nbdkit-tls-certs +/interop/interop-nbdkit-tls-certs-allow-enabled +/interop/interop-nbdkit-tls-certs-allow-fallback /interop/interop-nbdkit-tls-psk +/interop/interop-nbdkit-tls-psk-allow-enabled +/interop/interop-nbdkit-tls-psk-allow-fallback /interop/interop-nbd-server /interop/interop-qemu-nbd /interop/interop-qemu-nbd-tls-certs diff --git a/TODO b/TODO index 21feb2f..642d39f 100644 --- a/TODO +++ b/TODO @@ -17,9 +17,6 @@ NBD_INFO_BLOCK_S...

...kit.pod.in | 45 +++++++++-- > > src/crypto.c | 234 +++++++++++++++++++++++++++++++++++++---------------- > > src/internal.h | 1 + > > src/main.c | 8 +- > > 4 files changed, 210 insertions(+), 78 deletions(-) > > > > > +Create a PSK file containing one or more C<username:key> pairs. It is > > +easiest to use L<psktool(1)> for this: > > + > > + psktool -u rich -p /tmp/psk > > + > > +The PSK file contains the hex-encoded random keys in plaintext. Any > > +client which can read th...

...> Secure Renegotiation IS NOT supported >> Compression: NONE >> Expansion: NONE >> No ALPN negotiated >> SSL-Session: >> ??? Protocol? : TLSv1.2 >> ??? Cipher??? : 0000 >> ??? Session-ID: >> ??? Session-ID-ctx: >> ??? Master-Key: >> ??? PSK identity: None >> ??? PSK identity hint: None >> ??? SRP username: None >> ??? Start Time: 1532969474 >> ??? Timeout?? : 7200 (sec) >> ??? Verify return code: 0 (ok) >> ??? Extended master secret: no >> >> --- >> >> and this for the certif...

Previous discussion: https://www.redhat.com/archives/libguestfs/2019-August/msg00102.html Last night I experimentally added support for URIs that contain the query parameter tls-psk-file, as part of rewriting the tests to cover more of the URI code. So you can now have a URI like: nbds://alice@localhost/?tls-psk-file=keys.psk However there's an obvious security problem here because now any libnbd program which takes URIs from less trusted sources will open a local fil...

...ke has read 309 bytes and written 202 bytes Verification: OK --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: ??? Protocol? : TLSv1.2 ??? Cipher??? : 0000 ??? Session-ID: ??? Session-ID-ctx: ??? Master-Key: ??? PSK identity: None ??? PSK identity hint: None ??? SRP username: None ??? Start Time: 1532969474 ??? Timeout?? : 7200 (sec) ??? Verify return code: 0 (ok) ??? Extended master secret: no --- and this for the certificate where the csr is generated with a RSA private key: CONNECTED(00000003) depth=0 C...

...t;-p", port_str, tmpfile' \ -DEXPORT_NAME='"/"' \ -DCERTS=1 \ + -DTLS_MODE=LIBNBD_TLS_REQUIRE \ $(NULL) interop_qemu_nbd_tls_certs_CFLAGS = $(WARNINGS_CFLAGS) interop_qemu_nbd_tls_certs_LDADD = $(top_builddir)/lib/libnbd.la @@ -113,6 +114,7 @@ interop_qemu_nbd_tls_psk_CPPFLAGS = \ -DSERVER_PARAMS='"--object", "tls-creds-psk,id=tls0,endpoint=server,dir=$(abs_top_builddir)/tests", "--tls-creds", "tls0", "-f", "raw", "-x", "/", "-p", port_str, tmpfile' \ -DEXPORT_N...

...Q_HOME}/conf/jetty.xml for more details --> <import resource="jetty.xml"/> </beans> ---------- client.cfg main_collective = mcollective collectives = mcollective libdir = /usr/libexec/mcollective logger_type = console loglevel = debug # Plugins securityprovider = psk plugin.psk = mcopwd connector = activemq direct_addressing = 1 plugin.activemq.pool.size = 1 plugin.activemq.pool.1.host = puppet.test.italy.cloudlabcsi.local plugin.activemq.pool.1.port = 61613 plugin.activemq.pool.1.user = mcollective plugin.activemq.pool.1.password = mcopwd # Facts factsource...

...buf_size_min; > - u32 buf_size_max; > - > spinlock_t tx_lock; > spinlock_t rx_lock; > > @@ -93,12 +85,6 @@ s64 virtio_transport_stream_has_space(struct > vsock_sock *vsk); > > int virtio_transport_do_socket_init(struct vsock_sock *vsk, > struct vsock_sock *psk); > -u64 virtio_transport_get_buffer_size(struct vsock_sock *vsk); > -u64 virtio_transport_get_min_buffer_size(struct vsock_sock *vsk); > -u64 virtio_transport_get_max_buffer_size(struct vsock_sock *vsk); -void > virtio_transport_set_buffer_size(struct vsock_sock *vsk, u64 val); -void &...

..._vsock(trans->vsk)) */ - u32 buf_size; - u32 buf_size_min; - u32 buf_size_max; - spinlock_t tx_lock; spinlock_t rx_lock; @@ -93,12 +85,6 @@ s64 virtio_transport_stream_has_space(struct vsock_sock *vsk); int virtio_transport_do_socket_init(struct vsock_sock *vsk, struct vsock_sock *psk); -u64 virtio_transport_get_buffer_size(struct vsock_sock *vsk); -u64 virtio_transport_get_min_buffer_size(struct vsock_sock *vsk); -u64 virtio_transport_get_max_buffer_size(struct vsock_sock *vsk); -void virtio_transport_set_buffer_size(struct vsock_sock *vsk, u64 val); -void virtio_transport_set_...

New APIs are added which let you enable or disable features of NBD URIs, mainly for security reasons. tls-psk-file is *disabled* by default for obvious security reasons. All other features are enabled by default. --- generator/generator | 127 +++++++++++++++++++++++++++++++++++++++++++- lib/handle.c | 26 +++++++++ lib/internal.h | 5 ++ lib/uri.c | 31 +++++++++-- tests/connect...