[Libguestfs] [libnbd PATCH] api: Add nbd_supports_tls
Richard W.M. Jones
rjones at redhat.com
Wed Jun 5 19:26:42 UTC 2019
On Wed, Jun 05, 2019 at 09:15:32AM -0500, Eric Blake wrote:
> This is slightly redundant with just trying nbd_set_tls(nbd, 2) then
> checking for failure; however, this function does not set errors and
> looks more similar to nbd_supports_uri.
> ---
>
> This is borderline enough that I figured I'd post it to check if we want it.
>
> generator/generator | 45 ++++++++++++++++++++++++++++++++++++++-------
> interop/interop.c | 4 ++++
> lib/handle.c | 12 ++++++++++++
> 3 files changed, 54 insertions(+), 7 deletions(-)
>
> diff --git a/generator/generator b/generator/generator
> index ea6eea4..d21e786 100755
> --- a/generator/generator
> +++ b/generator/generator
> @@ -971,7 +971,9 @@ the path to the certificates directory (C<nbd_set_tls_certificates>),
> the username (C<nbd_set_tls_username>) and/or
> the Pre-Shared Keys (PSK) file (C<nbd_set_tls_psk_file>). For now,
> when using C<nbd_connect_uri>, any URI query parameters related to
> -TLS are not handled automatically.
> +TLS are not handled automatically. Setting the level higher than
> +zero will fail if libnbd was not compiled against gnutls; you can
> +test whether this is the case with C<nbd_supports_tls>.
>
> For more information see L<libnbd(3)/ENCRYPTION AND AUTHENTICATION>.";
> };
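Review bot: "compiled against gnutls" here versus "compiled with gnutls" in the connect_uri and supports_tls hunks of the same patch; pick one phrasing for all the generated docs, since these strings end up side by side in the man page. Otherwise the pointer to C<nbd_supports_tls> is the right place, right next to the statement that a level above zero fails without gnutls.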
> @@ -995,7 +997,11 @@ set and TLS is used then a compiled in default is used.
> For root this is C</etc/pki/libnbd/>. For non-root this is
> C<$HOME/.pki/libnbd> and C<$HOME/.config/pki/libnbd>. If
> none of these directories can be found then the system
> -trusted CAs are used.";
> +trusted CAs are used.
> +
> +This function may be called regardless of whether TLS is
> +supported, but will have no effect unless C<nbd_set_tls>
> +is also used to request or require TLS.";
> };
>
> (* Can't implement this because we need a way to return string that
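Review bot: the three-line paragraph "This function may be called regardless of whether TLS is supported, but will have no effect unless C<nbd_set_tls> is also used to request or require TLS." is pasted verbatim into four longdescs in this patch (set_tls_certificates, set_tls_verify_peer, set_tls_username, set_tls_psk_file). Since the generator is OCaml, consider binding it once (e.g. a `let tls_setter_note = "..."` near the top of the API list) and appending it with `^` in each entry, so a later wording change only has to be made in one place.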
> @@ -1018,7 +1024,11 @@ Get the current TLS directory. See C<nbd_set_tls_certificates>.";
> Set this flag to control whether libnbd will verify the identity
> of the server from the server's certificate and the certificate
> authority. This defaults to true when connecting to TCP servers
> -using TLS certificate authentication, and false otherwise.";
> +using TLS certificate authentication, and false otherwise.
> +
> +This function may be called regardless of whether TLS is
> +supported, but will have no effect unless C<nbd_set_tls>
> +is also used to request or require TLS.";
> };
>
> "get_tls_verify_peer", {
> @@ -1037,7 +1047,11 @@ Get the verify peer flag.";
> longdesc = "\
> Set the TLS client username. This is used
> if authenticating with PSK over TLS is enabled.
> -If not set then the local username is used.";
> +If not set then the local username is used.
> +
> +This function may be called regardless of whether TLS is
> +supported, but will have no effect unless C<nbd_set_tls>
> +is also used to request or require TLS.";
> };
>
> "get_tls_username", {
> @@ -1057,7 +1071,11 @@ Get the current TLS username. See C<nbd_set_tls_username>.";
> Set the TLS Pre-Shared Keys (PSK) filename. This is used
> if trying to authenticate to the server using with a pre-shared
> key. There is no default so if this is not set then PSK
> -authentication cannot be used to connect to the server.";
> +authentication cannot be used to connect to the server.
> +
> +This function may be called regardless of whether TLS is
> +supported, but will have no effect unless C<nbd_set_tls>
> +is also used to request or require TLS.";
> };
>
> (* Can't implement this because we need a way to return string that
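Review bot: the unchanged context at the top of this hunk reads "if trying to authenticate to the server using with a pre-shared key"; "using with" is a pre-existing typo and, as this paragraph is being edited anyway, it would be worth dropping "with" in the same change.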
> @@ -1112,7 +1130,9 @@ C<nbd_connect_tcp> or C<nbd_connect_unix>. This call returns when
> the connection has been made.
>
> This call will fail if libnbd was not compiled with libxml2; you can
> -test whether this is the case with C<nbd_supports_uri>.";
> +test whether this is the case with C<nbd_supports_uri>. Support for
> +URIs that require TLS will fail if libnbd was not compiled with
> +gnutls; you can test whether this is the case with C<nbd_supports_tls>.";
> };
>
> "connect_unix", {
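Review bot: "Support for URIs that require TLS will fail" reads oddly, because it is the connection, not the support, that fails; suggest "Connecting to a URI that requires TLS will fail if libnbd was not compiled with gnutls". The same sentence is duplicated in the aio_connect_uri hunk below, so the wording change applies there as well.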
> @@ -1497,7 +1517,9 @@ and completed the NBD handshake by calling C<nbd_aio_is_ready>,
> on the connection.
>
> This call will fail if libnbd was not compiled with libxml2; you can
> -test whether this is the case with C<nbd_supports_uri>.";
> +test whether this is the case with C<nbd_supports_uri>. Support for
> +URIs that require TLS will fail if libnbd was not compiled with
> +gnutls; you can test whether this is the case with C<nbd_supports_tls>.";
> };
>
> "aio_connect_unix", {
> @@ -1876,6 +1898,15 @@ The release number is incremented for each release along a particular
> branch.";
> };
>
> + "supports_tls", {
> + default_call with
> + args = []; ret = RBool; is_locked = false; may_set_error = false;
> + shortdesc = "return true if libnbd was compiled with support for TLS";
> + longdesc = "\
> +Returns true if libnbd was compiled with gnutls which is required
> +to support TLS encryption, or false if not. See C<nbd_set_tls>.";
> + };
> +
> "supports_uri", {
> default_call with
> args = []; ret = RBool; is_locked = false; may_set_error = false;
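Review bot: the longdesc should say explicitly that this call cannot fail and never sets an error (that is what `may_set_error = false` on the line above implies, and the commit message makes the same point), so that callers know not to consult nbd_get_error() after it. Placing the entry directly before supports_uri keeps the two alphabetical, which matches how the interop test treats them as a pair.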
> diff --git a/interop/interop.c b/interop/interop.c
> index 24f79cc..5d129a0 100644
> --- a/interop/interop.c
> +++ b/interop/interop.c
> @@ -71,6 +71,10 @@ main (int argc, char *argv[])
> /* Require TLS on the handle and fail if not available or if the
> * handshake fails.
> */
> + if (nbd_supports_tls (nbd) != 1) {
> + fprintf (stderr, "skip: compiled without TLS supports\n");
> + exit (77);
> + }
> if (nbd_set_tls (nbd, 2) == -1) {
> fprintf (stderr, "%s\n", nbd_get_error ());
> exit (EXIT_FAILURE);
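Review bot: typo in the skip message on the second added line, "compiled without TLS supports" should be "compiled without TLS support". exit (77) is the automake exit status for a skipped test, so the early return before nbd_set_tls (nbd, 2) correctly turns a missing-gnutls build into SKIP rather than FAIL while still leaving the require-TLS path (level 2) intact for builds that do have it.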
> diff --git a/lib/handle.c b/lib/handle.c
> index cc311ba..e40b274 100644
> --- a/lib/handle.c
> +++ b/lib/handle.c
> @@ -227,6 +227,18 @@ nbd_unlocked_get_version (struct nbd_handle *h)
> return PACKAGE_VERSION;
> }
>
> +/* NB: is_locked = false, may_set_error = false. */
> +int
> +nbd_unlocked_supports_tls (struct nbd_handle *h)
> +{
> +#ifdef HAVE_GNUTLS
> + return 1;
> +#else
> + return 0;
> +#endif
> +}
> +
> +/* NB: is_locked = false, may_set_error = false. */
> int
> nbd_unlocked_supports_uri (struct nbd_handle *h)
> {
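Review bot: the new function depends on HAVE_GNUTLS being defined by config.h, and nothing in this hunk shows that include; if config.h is not pulled in before this point in lib/handle.c, the #ifdef silently selects the `return 0` branch and the API would report no TLS support even in a gnutls build, which the interop test would then mask as a skip. Worth a quick check that the include is at the top of the file. The unused `h` parameter and the added "NB: is_locked = false, may_set_error = false" comment mirror nbd_unlocked_supports_uri, so no objection there.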
ACK
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v