[Libguestfs] [libnbd PATCH] api: Add nbd_supports_tls

Eric Blake eblake at redhat.com
Wed Jun 5 14:15:32 UTC 2019 

This is slightly redundant with just trying nbd_set_tls(nbd, 2) then
checking for failure; however, this function does not set errors and
looks more similar to nbd_supports_uri.
---

This is borderline enough that I figured I'd post it to check if we want it.

 generator/generator | 45 ++++++++++++++++++++++++++++++++++++++-------
 interop/interop.c   |  4 ++++
 lib/handle.c        | 12 ++++++++++++
 3 files changed, 54 insertions(+), 7 deletions(-)

diff --git a/generator/generator b/generator/generator
index ea6eea4..d21e786 100755
--- a/generator/generator
+++ b/generator/generator
@@ -971,7 +971,9 @@ the path to the certificates directory (C<nbd_set_tls_certificates>),
 the username (C<nbd_set_tls_username>) and/or
 the Pre-Shared Keys (PSK) file (C<nbd_set_tls_psk_file>).  For now,
 when using C<nbd_connect_uri>, any URI query parameters related to
-TLS are not handled automatically.
+TLS are not handled automatically.  Setting the level higher than
+zero will fail if libnbd was not compiled against gnutls; you can
+test whether this is the case with C<nbd_supports_tls>.

 For more information see L<libnbd(3)/ENCRYPTION AND AUTHENTICATION>.";
   };
@@ -995,7 +997,11 @@ set and TLS is used then a compiled in default is used.
 For root this is C</etc/pki/libnbd/>.  For non-root this is
 C<$HOME/.pki/libnbd> and C<$HOME/.config/pki/libnbd>.  If
 none of these directories can be found then the system
-trusted CAs are used.";
+trusted CAs are used.
+
+This function may be called regardless of whether TLS is
+supported, but will have no effect unless C<nbd_set_tls>
+is also used to request or require TLS.";
   };

 (* Can't implement this because we need a way to return string that
@@ -1018,7 +1024,11 @@ Get the current TLS directory.  See C<nbd_set_tls_certificates>.";
 Set this flag to control whether libnbd will verify the identity
 of the server from the server's certificate and the certificate
 authority.  This defaults to true when connecting to TCP servers
-using TLS certificate authentication, and false otherwise.";
+using TLS certificate authentication, and false otherwise.
+
+This function may be called regardless of whether TLS is
+supported, but will have no effect unless C<nbd_set_tls>
+is also used to request or require TLS.";
   };

   "get_tls_verify_peer", {
@@ -1037,7 +1047,11 @@ Get the verify peer flag.";
     longdesc = "\
 Set the TLS client username.  This is used
 if authenticating with PSK over TLS is enabled.
-If not set then the local username is used.";
+If not set then the local username is used.
+
+This function may be called regardless of whether TLS is
+supported, but will have no effect unless C<nbd_set_tls>
+is also used to request or require TLS.";
   };

   "get_tls_username", {
@@ -1057,7 +1071,11 @@ Get the current TLS username.  See C<nbd_set_tls_username>.";
 Set the TLS Pre-Shared Keys (PSK) filename.  This is used
 if trying to authenticate to the server using with a pre-shared
 key.  There is no default so if this is not set then PSK
-authentication cannot be used to connect to the server.";
+authentication cannot be used to connect to the server.
+
+This function may be called regardless of whether TLS is
+supported, but will have no effect unless C<nbd_set_tls>
+is also used to request or require TLS.";
   };

 (* Can't implement this because we need a way to return string that
@@ -1112,7 +1130,9 @@ C<nbd_connect_tcp> or C<nbd_connect_unix>.  This call returns when
 the connection has been made.

 This call will fail if libnbd was not compiled with libxml2; you can
-test whether this is the case with C<nbd_supports_uri>.";
+test whether this is the case with C<nbd_supports_uri>.  Support for
+URIs that require TLS will fail if libnbd was not compiled with
+gnutls; you can test whether this is the case with C<nbd_supports_tls>.";
   };

   "connect_unix", {
@@ -1497,7 +1517,9 @@ and completed the NBD handshake by calling C<nbd_aio_is_ready>,
 on the connection.

 This call will fail if libnbd was not compiled with libxml2; you can
-test whether this is the case with C<nbd_supports_uri>.";
+test whether this is the case with C<nbd_supports_uri>.  Support for
+URIs that require TLS will fail if libnbd was not compiled with
+gnutls; you can test whether this is the case with C<nbd_supports_tls>.";
   };

   "aio_connect_unix", {
@@ -1876,6 +1898,15 @@ The release number is incremented for each release along a particular
 branch.";
   };

+  "supports_tls", {
+    default_call with
+    args = []; ret = RBool; is_locked = false; may_set_error = false;
+    shortdesc = "return true if libnbd was compiled with support for TLS";
+    longdesc = "\
+Returns true if libnbd was compiled with gnutls which is required
+to support TLS encryption, or false if not.  See C<nbd_set_tls>.";
+  };
+
   "supports_uri", {
     default_call with
     args = []; ret = RBool; is_locked = false; may_set_error = false;
diff --git a/interop/interop.c b/interop/interop.c
index 24f79cc..5d129a0 100644
--- a/interop/interop.c
+++ b/interop/interop.c
@@ -71,6 +71,10 @@ main (int argc, char *argv[])
   /* Require TLS on the handle and fail if not available or if the
    * handshake fails.
    */
+  if (nbd_supports_tls (nbd) != 1) {
+    fprintf (stderr, "skip: compiled without TLS supports\n");
+    exit (77);
+  }
   if (nbd_set_tls (nbd, 2) == -1) {
     fprintf (stderr, "%s\n", nbd_get_error ());
     exit (EXIT_FAILURE);
diff --git a/lib/handle.c b/lib/handle.c
index cc311ba..e40b274 100644
--- a/lib/handle.c
+++ b/lib/handle.c
@@ -227,6 +227,18 @@ nbd_unlocked_get_version (struct nbd_handle *h)
   return PACKAGE_VERSION;
 }

+/* NB: is_locked = false, may_set_error = false. */
+int
+nbd_unlocked_supports_tls (struct nbd_handle *h)
+{
+#ifdef HAVE_GNUTLS
+  return 1;
+#else
+  return 0;
+#endif
+}
+
+/* NB: is_locked = false, may_set_error = false. */
 int
 nbd_unlocked_supports_uri (struct nbd_handle *h)
 {
-- 
2.20.1

More information about the Libguestfs mailing list