---
docs/nbdkit-captive.pod | 24 +++++++---
tests/Makefile.am | 4 ++
server/captive.c | 16 +++++--
tests/test-captive-tls-certificates.sh | 64 ++++++++++++++++++++++++++
tests/test-captive-tls-psk.sh | 63 +++++++++++++++++++++++++
5 files changed, 162 insertions(+), 9 deletions(-)
diff --git a/docs/nbdkit-captive.pod b/docs/nbdkit-captive.pod
index f38863bfd7..d5c40d91b9 100644
--- a/docs/nbdkit-captive.pod
+++ b/docs/nbdkit-captive.pod
@@ -77,12 +77,6 @@ both variables expand to the same URI.
See also L<nbdkit(1)/NBD URIs and endpoints>.
-=item C<$tls>
-
-Corresponds to the I<--tls> option passed to nbdkit. If I<--tls=off>
-this is not set. If I<--tls=on> this is set to C<"1">. If
-I<--tls=require> this is set to C<"2">.
-
=item C<$port>
If E<ne> "", the port number that nbdkit is listening on.
@@ -99,6 +93,24 @@ line option of nbdkit. This only matters to plugins that
differentiate what they serve based on the export name requested by
the client.
+=item C<$tls>
+
+Corresponds to the I<--tls> option passed to nbdkit. If I<--tls=off>
+this is not set. If I<--tls=on> this is set to C<"1">. If
+I<--tls=require> this is set to C<"2">.
+
+=item C<$tls_certificates>
+
+If I<--tls-certificates> was passed to nbdkit, the value is copied
+here. It is usually the directory containing PKI certificates. Note
+that the path might not be an absolute path, or even valid.
+
+=item C<$tls_psk>
+
+If I<--tls-psk> was passed to nbdkit, the value is copied here. It is
+usually the filename of a TLS Pre-Shared Keys (PSK) file. Note that
+the filename might not be an absolute path, or even valid.
+
=back
I<--run> implies I<--foreground>. It is not possible, and probably
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 08473ee801..67732f8303 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -258,6 +258,8 @@ TESTS += \
test-single-sh.sh \
test-captive.sh \
test-captive-tls.sh \
+ test-captive-tls-certificates.sh \
+ test-captive-tls-psk.sh \
test-random-sock.sh \
test-tls.sh \
test-tls-psk.sh \
@@ -289,6 +291,8 @@ endif
EXTRA_DIST += \
test-bad-filter-name.sh \
test-bad-plugin-name.sh \
+ test-captive-tls-certificates.sh \
+ test-captive-tls-psk.sh \
test-captive-tls.sh \
test-captive.sh \
test-client-death-tls.sh \
diff --git a/server/captive.c b/server/captive.c
index 51dafca34a..51d92b3297 100644
--- a/server/captive.c
+++ b/server/captive.c
@@ -88,9 +88,7 @@ run_command (void)
shell_quote (export_name, fp);
putc ('\n', fp);
- /* Construct $tls, $port and $unixsocket. */
- if (tls > 0)
- fprintf (fp, "tls=%d\n", tls);
+ /* Construct $port and $unixsocket. */
fprintf (fp, "port=");
if (port)
shell_quote (port, fp);
@@ -100,6 +98,18 @@ run_command (void)
shell_quote (unixsocket, fp);
fprintf (fp, "\n");
+ /* Construct TLS-related variables. */
+ if (tls > 0)
+ fprintf (fp, "tls=%d\n", tls);
+ fprintf (fp, "tls_certificates=");
+ if (tls_certificates_dir)
+ shell_quote (tls_certificates_dir, fp);
+ fprintf (fp, "\n");
+ fprintf (fp, "tls_psk=");
+ if (tls_psk)
+ shell_quote (tls_psk, fp);
+ fprintf (fp, "\n");
+
/* Add the --run command. Note we don't have to quote this. */
fprintf (fp, "%s", run);
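Review bot: The new `tls_certificates=` and `tls_psk=` lines are written unconditionally (empty when `tls_certificates_dir` / `tls_psk` is NULL), whereas `tls=` a few lines above is only emitted when `tls > 0`; so in the --run script `$tls_certificates` and `$tls_psk` are set-but-empty rather than unset, which matters for scripts using `${var-default}` versus `${var:-default}` and for `set -u`. That is consistent with `port=` / `unixsocket=`, but the POD text added in the same patch ("If --tls-certificates was passed to nbdkit, the value is copied here") does not say so; mirroring the `$port` entry with `If I<--tls-certificates> was not passed, this is set to "".` (and likewise for `$tls_psk`) would make the contract explicit. Passing both values through `shell_quote` is the right call, since they are user-supplied paths that end up in shell source. Note that `run_command` begins and ends outside this hunk, so I cannot see whether nbdkit substitutes a default certificate directory when the option is absent — if it does, the documentation should say that an empty `$tls_certificates` does not mean "no certificates".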
diff --git a/tests/test-captive-tls-certificates.sh
b/tests/test-captive-tls-certificates.sh
new file mode 100755
index 0000000000..4700c9f6ef
--- /dev/null
+++ b/tests/test-captive-tls-certificates.sh
@@ -0,0 +1,64 @@
+#!/usr/bin/env bash
+# nbdkit
+# Copyright Red Hat
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# * Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# * Neither the name of Red Hat nor the names of its contributors may be
+# used to endorse or promote products derived from this software without
+# specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY RED HAT AND CONTRIBUTORS ''AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+# PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RED HAT OR
+# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+# USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+# OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+# Test that nbdkit --tls-certificates is passed to --run script.
+
+source ./functions.sh
+set -e
+set -x
+
+requires_run
+
+# Does the nbdkit binary support TLS?
+if ! nbdkit --dump-config | grep -sq tls=yes; then
+ echo "$0: nbdkit built without TLS support"
+ exit 77
+fi
+
+# Did we create the PKI files?
+# Probably 'certtool' is missing.
+pkidir="pki"
+if [ ! -f "$pkidir/ca-cert.pem" ]; then
+ echo "$0: PKI files were not created by the test harness"
+ exit 77
+fi
+
+out=test-captive-tls-certificates.out
+cleanup_fn rm -f $out
+rm -f $out
+
+LANG=C \
+nbdkit --tls=require --tls-certificates="$pkidir" \
+ null \
+ --run 'echo OUTPUT: "$tls_certificates"' > $out
+cat $out
+grep "OUTPUT: $pkidir" $out
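Review bot: The final `grep "OUTPUT: $pkidir" $out` is unanchored, so it also accepts a value that merely starts with `pki` (for example a stray suffix or a quoted/expanded variant), which weakens the check that the value was copied verbatim; `grep "^OUTPUT: $pkidir\$" $out` pins the exact line. The test only exercises the populated case; since `captive.c` emits `tls_certificates=` even when the option is absent, a second invocation without `--tls-certificates` asserting `grep "^OUTPUT: \$" $out` would lock down that the variable is set to the empty string rather than left unset.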
diff --git a/tests/test-captive-tls-psk.sh b/tests/test-captive-tls-psk.sh
new file mode 100755
index 0000000000..d225dbc9ff
--- /dev/null
+++ b/tests/test-captive-tls-psk.sh
@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+# nbdkit
+# Copyright Red Hat
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# * Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# * Neither the name of Red Hat nor the names of its contributors may be
+# used to endorse or promote products derived from this software without
+# specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY RED HAT AND CONTRIBUTORS ''AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+# PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RED HAT OR
+# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+# USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+# OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+# Test that nbdkit --tls-psk is passed to --run script.
+
+source ./functions.sh
+set -e
+set -x
+
+requires_run
+
+# Does the nbdkit binary support TLS?
+if ! nbdkit --dump-config | grep -sq tls=yes; then
+ echo "$0: nbdkit built without TLS support"
+ exit 77
+fi
+
+# Did we create the PSK keys file?
+# Probably 'psktool' is missing.
+if [ ! -s keys.psk ]; then
+ echo "$0: PSK keys file was not created by the test harness"
+ exit 77
+fi
+
+out=test-captive-tls-psk.out
+cleanup_fn rm -f $out
+rm -f $out
+
+LANG=C \
+nbdkit --tls=require --tls-psk=keys.psk \
+ null \
+ --run 'echo OUTPUT: "$tls_psk"' > $out
+cat $out
+grep "OUTPUT: keys.psk" $out
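Review bot: Only the positive case is covered: the script checks that `--tls-psk=keys.psk` shows up as `$tls_psk`, but not the behaviour when the option is omitted, even though `captive.c` always writes a `tls_psk=` line; a second run without `--tls-psk` followed by `grep "^OUTPUT: \$" $out` would pin that the variable is set-but-empty, which is what scripts relying on `${tls_psk:-...}` need to know. As in the certificates test, anchoring the match with `grep "^OUTPUT: keys.psk\$" $out` avoids accepting a longer or differently-quoted value. The value checked is only the path to the PSK file, so writing it to `$out` does not expose key material.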
--
2.44.0