On Wed, Sep 18, 2019 at 07:41:52AM -0500, Eric Blake wrote:
On 9/17/19 5:35 PM, Richard W.M. Jones wrote:
> +#if TLS
> if (nbd_supports_tls (nbd) != 1) {
> fprintf (stderr, "skip: compiled without TLS support\n");
> exit (77);
> }
This skips the test if we are compiled without TLS support, even if
TLS_ALLOW was requested. What behavior do we really want there? Is
TLS_ALLOW unconditionally falling back to plaintext okay, or do we only
want to permit TLS_ALLOW if TLS support is at least plausible?
I didn't consider this case until now. I did run the patch series as
posted without gnutls and it does work. None of the tests run (they
are not even skipped) because of the ‘if HAVE_GNUTLS’ conditional. We
could remove the code above completely although I'm not going to do
that.
Because we need certtool/psktool to build the certificates etc., we
cannot test non-gnutls-libnbd + tls enabled nbdkit.
I believe the only way to test this would be a new dedicated test for
this specific case.
Also worth noting that the current code (lib/crypto.c) doesn't even
let you set LIBNBD_TLS_ALLOW, so the dedicated test would fail
anyway unless this was fixed:
https://github.com/libguestfs/libnbd/blob/b47693488177ce7868d19f2a3eac5a5...
Rich.
--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
Read my programming and virtualization blog:
http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v