[Libguestfs] [libnbd PATCH] api: Add nbd_supports_tls

Richard W.M. Jones rjones at redhat.com
Wed Jun 5 19:26:42 UTC 2019


On Wed, Jun 05, 2019 at 09:15:32AM -0500, Eric Blake wrote:
> This is slightly redundant with just trying nbd_set_tls(nbd, 2) then
> checking for failure; however, this function does not set errors and
> looks more similar to nbd_supports_uri.
> ---
> 
> This is borderline enough that I figured I'd post it to check if we want it.
> 
>  generator/generator | 45 ++++++++++++++++++++++++++++++++++++++-------
>  interop/interop.c   |  4 ++++
>  lib/handle.c        | 12 ++++++++++++
>  3 files changed, 54 insertions(+), 7 deletions(-)
> 
> diff --git a/generator/generator b/generator/generator
> index ea6eea4..d21e786 100755
> --- a/generator/generator
> +++ b/generator/generator
> @@ -971,7 +971,9 @@ the path to the certificates directory (C<nbd_set_tls_certificates>),
>  the username (C<nbd_set_tls_username>) and/or
>  the Pre-Shared Keys (PSK) file (C<nbd_set_tls_psk_file>).  For now,
>  when using C<nbd_connect_uri>, any URI query parameters related to
> -TLS are not handled automatically.
> +TLS are not handled automatically.  Setting the level higher than
> +zero will fail if libnbd was not compiled against gnutls; you can
> +test whether this is the case with C<nbd_supports_tls>.
> 
>  For more information see L<libnbd(3)/ENCRYPTION AND AUTHENTICATION>.";
>    };
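Review bot: "you can test whether this is the case" is ambiguous in the new sentence at the end of the nbd_set_tls description, since "this" could mean "whether the call will fail" or "whether libnbd has gnutls"; suggest "you can check in advance whether TLS is available with C<nbd_supports_tls>". It would also help to say here that a failed nbd_set_tls sets an error while nbd_supports_tls does not, which is the distinction the commit message draws.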
> @@ -995,7 +997,11 @@ set and TLS is used then a compiled in default is used.
>  For root this is C</etc/pki/libnbd/>.  For non-root this is
>  C<$HOME/.pki/libnbd> and C<$HOME/.config/pki/libnbd>.  If
>  none of these directories can be found then the system
> -trusted CAs are used.";
> +trusted CAs are used.
> +
> +This function may be called regardless of whether TLS is
> +supported, but will have no effect unless C<nbd_set_tls>
> +is also used to request or require TLS.";
>    };
> 
>  (* Can't implement this because we need a way to return string that
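Review bot: The same three-line paragraph ("This function may be called regardless of whether TLS is supported ...") is pasted into nbd_set_tls_certificates here and into three more setters below; if the generator has a way to share doc fragments, use it, otherwise at least keep the wording byte-identical so a later edit to one does not leave the four drifting apart. The statement itself is fine: the setting is only consulted when nbd_set_tls requests or requires TLS.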
> @@ -1018,7 +1024,11 @@ Get the current TLS directory.  See C<nbd_set_tls_certificates>.";
>  Set this flag to control whether libnbd will verify the identity
>  of the server from the server's certificate and the certificate
>  authority.  This defaults to true when connecting to TCP servers
> -using TLS certificate authentication, and false otherwise.";
> +using TLS certificate authentication, and false otherwise.
> +
> +This function may be called regardless of whether TLS is
> +supported, but will have no effect unless C<nbd_set_tls>
> +is also used to request or require TLS.";
>    };
> 
>    "get_tls_verify_peer", {
> @@ -1037,7 +1047,11 @@ Get the verify peer flag.";
>      longdesc = "\
>  Set the TLS client username.  This is used
>  if authenticating with PSK over TLS is enabled.
> -If not set then the local username is used.";
> +If not set then the local username is used.
> +
> +This function may be called regardless of whether TLS is
> +supported, but will have no effect unless C<nbd_set_tls>
> +is also used to request or require TLS.";
>    };
> 
>    "get_tls_username", {
> @@ -1057,7 +1071,11 @@ Get the current TLS username.  See C<nbd_set_tls_username>.";
>  Set the TLS Pre-Shared Keys (PSK) filename.  This is used
>  if trying to authenticate to the server using with a pre-shared
>  key.  There is no default so if this is not set then PSK
> -authentication cannot be used to connect to the server.";
> +authentication cannot be used to connect to the server.
> +
> +This function may be called regardless of whether TLS is
> +supported, but will have no effect unless C<nbd_set_tls>
> +is also used to request or require TLS.";
>    };
> 
>  (* Can't implement this because we need a way to return string that
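Review bot: While touching the nbd_set_tls_psk_file paragraph, fix the pre-existing grammar in the context line "if trying to authenticate to the server using with a pre-shared key"; drop either "using" or "with" ("... to the server with a pre-shared key").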
> @@ -1112,7 +1130,9 @@ C<nbd_connect_tcp> or C<nbd_connect_unix>.  This call returns when
>  the connection has been made.
> 
>  This call will fail if libnbd was not compiled with libxml2; you can
> -test whether this is the case with C<nbd_supports_uri>.";
> +test whether this is the case with C<nbd_supports_uri>.  Support for
> +URIs that require TLS will fail if libnbd was not compiled with
> +gnutls; you can test whether this is the case with C<nbd_supports_tls>.";
>    };
> 
>    "connect_unix", {
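Review bot: "Support for URIs that require TLS will fail" in the nbd_connect_uri text reads oddly, because it is the connection attempt that fails, not the support; suggest "Connecting to a URI that requires TLS will fail if libnbd was not compiled with gnutls; you can test for this with C<nbd_supports_tls>." Note also that nbd_set_tls's description (earlier hunk) says TLS-related URI query parameters are not handled automatically, so it may be worth stating here that only the URI scheme can require TLS, to avoid readers expecting the query parameters to be honoured.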
> @@ -1497,7 +1517,9 @@ and completed the NBD handshake by calling C<nbd_aio_is_ready>,
>  on the connection.
> 
>  This call will fail if libnbd was not compiled with libxml2; you can
> -test whether this is the case with C<nbd_supports_uri>.";
> +test whether this is the case with C<nbd_supports_uri>.  Support for
> +URIs that require TLS will fail if libnbd was not compiled with
> +gnutls; you can test whether this is the case with C<nbd_supports_tls>.";
>    };
> 
>    "aio_connect_unix", {
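Review bot: Same wording issue as in nbd_connect_uri above ("Support for URIs that require TLS will fail"); whatever phrasing is chosen there should be mirrored here in nbd_aio_connect_uri so the synchronous and asynchronous descriptions stay identical.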
> @@ -1876,6 +1898,15 @@ The release number is incremented for each release along a particular
>  branch.";
>    };
> 
> +  "supports_tls", {
> +    default_call with
> +    args = []; ret = RBool; is_locked = false; may_set_error = false;
> +    shortdesc = "return true if libnbd was compiled with support for TLS";
> +    longdesc = "\
> +Returns true if libnbd was compiled with gnutls which is required
> +to support TLS encryption, or false if not.  See C<nbd_set_tls>.";
> +  };
> +
>    "supports_uri", {
>      default_call with
>      args = []; ret = RBool; is_locked = false; may_set_error = false;
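Review bot: The nbd_supports_tls longdesc could state that the answer is a compile-time property of the library and does not depend on the handle's state, so callers know they can ask before connecting (the interop change below does exactly that) and that, unlike nbd_set_tls, it never sets an error; both facts are in the commit message but not in the user-visible text. The `is_locked = false; may_set_error = false` flags match nbd_supports_uri directly below, which is the right model.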
> diff --git a/interop/interop.c b/interop/interop.c
> index 24f79cc..5d129a0 100644
> --- a/interop/interop.c
> +++ b/interop/interop.c
> @@ -71,6 +71,10 @@ main (int argc, char *argv[])
>    /* Require TLS on the handle and fail if not available or if the
>     * handshake fails.
>     */
> +  if (nbd_supports_tls (nbd) != 1) {
> +    fprintf (stderr, "skip: compiled without TLS supports\n");
> +    exit (77);
> +  }
>    if (nbd_set_tls (nbd, 2) == -1) {
>      fprintf (stderr, "%s\n", nbd_get_error ());
>      exit (EXIT_FAILURE);
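Review bot: The comment above the new block ("Require TLS on the handle and fail if not available or if the handshake fails") is now stale, since a build without gnutls exits 77 (skip) rather than failing; update it to say the test is skipped when libnbd lacks TLS support and fails only if requiring TLS or the handshake fails. Also fix the typo in the message: "compiled without TLS supports" should be "compiled without TLS support".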
> diff --git a/lib/handle.c b/lib/handle.c
> index cc311ba..e40b274 100644
> --- a/lib/handle.c
> +++ b/lib/handle.c
> @@ -227,6 +227,18 @@ nbd_unlocked_get_version (struct nbd_handle *h)
>    return PACKAGE_VERSION;
>  }
> 
> +/* NB: is_locked = false, may_set_error = false. */
> +int
> +nbd_unlocked_supports_tls (struct nbd_handle *h)
> +{
> +#ifdef HAVE_GNUTLS
> +  return 1;
> +#else
> +  return 0;
> +#endif
> +}
> +
> +/* NB: is_locked = false, may_set_error = false. */
>  int
>  nbd_unlocked_supports_uri (struct nbd_handle *h)
>  {
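Review bot: nbd_unlocked_supports_tls returns a pure compile-time constant, so confirm that HAVE_GNUTLS is the macro configure actually defines and the same one that gates the TLS code paths used by nbd_set_tls; if the TLS implementation were gated on a different symbol, nbd_supports_tls could report 1 while nbd_set_tls(nbd, 2) still fails, which would defeat the point of the new call. The "NB: is_locked = false, may_set_error = false" comment being added to the existing nbd_unlocked_supports_uri is an unrelated drive-by; fine to keep, but worth a mention in the commit message.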

ACK

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines.  Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v
