This is slightly redundant with just trying nbd_set_tls(nbd, 2) then checking for failure; however, this function does not set errors and looks more similar to nbd_supports_uri. --- This is borderline enough that I figured I'd post it to check if we want it. generator/generator | 45 ++++++++++++++++++++++++++++++++++++++------- interop/interop.c | 4 ++++ lib/handle.c | 12 ++++++++++++ 3 files changed, 54 insertions(+), 7 deletions(-) diff --git a/generator/generator b/generator/generator index ea6eea4..d21e786 100755 --- a/generator/generator +++ b/generator/generator @@ -971,7 +971,9 @@ the path to the certificates directory (C<nbd_set_tls_certificates>), the username (C<nbd_set_tls_username>) and/or the Pre-Shared Keys (PSK) file (C<nbd_set_tls_psk_file>). For now, when using C<nbd_connect_uri>, any URI query parameters related to -TLS are not handled automatically. +TLS are not handled automatically. Setting the level higher than +zero will fail if libnbd was not compiled against gnutls; you can +test whether this is the case with C<nbd_supports_tls>. For more information see L<libnbd(3)/ENCRYPTION AND AUTHENTICATION>."; }; @@ -995,7 +997,11 @@ set and TLS is used then a compiled in default is used. For root this is C</etc/pki/libnbd/>. For non-root this is C<$HOME/.pki/libnbd> and C<$HOME/.config/pki/libnbd>. If none of these directories can be found then the system -trusted CAs are used."; +trusted CAs are used. + +This function may be called regardless of whether TLS is +supported, but will have no effect unless C<nbd_set_tls> +is also used to request or require TLS."; }; (* Can't implement this because we need a way to return string that 
@@ -1018,7 +1024,11 @@ Get the current TLS directory. See C<nbd_set_tls_certificates>."; Set this flag to control whether libnbd will verify the identity of the server from the server's certificate and the certificate authority. This defaults to true when connecting to TCP servers -using TLS certificate authentication, and false otherwise."; +using TLS certificate authentication, and false otherwise. + +This function may be called regardless of whether TLS is +supported, but will have no effect unless C<nbd_set_tls> +is also used to request or require TLS."; }; "get_tls_verify_peer", { @@ -1037,7 +1047,11 @@ Get the verify peer flag."; longdesc = "\ Set the TLS client username. This is used if authenticating with PSK over TLS is enabled. -If not set then the local username is used."; +If not set then the local username is used. + +This function may be called regardless of whether TLS is +supported, but will have no effect unless C<nbd_set_tls> +is also used to request or require TLS."; }; "get_tls_username", { @@ -1057,7 +1071,11 @@ Get the current TLS username. See C<nbd_set_tls_username>."; Set the TLS Pre-Shared Keys (PSK) filename. This is used if trying to authenticate to the server using with a pre-shared key. There is no default so if this is not set then PSK -authentication cannot be used to connect to the server."; +authentication cannot be used to connect to the server. + +This function may be called regardless of whether TLS is +supported, but will have no effect unless C<nbd_set_tls> +is also used to request or require TLS."; }; (* Can't implement this because we need a way to return string that 
@@ -1112,7 +1130,9 @@ C<nbd_connect_tcp> or C<nbd_connect_unix>. This call returns when the connection has been made. This call will fail if libnbd was not compiled with libxml2; you can -test whether this is the case with C<nbd_supports_uri>."; +test whether this is the case with C<nbd_supports_uri>. Support for +URIs that require TLS will fail if libnbd was not compiled with +gnutls; you can test whether this is the case with C<nbd_supports_tls>."; }; "connect_unix", { @@ -1497,7 +1517,9 @@ and completed the NBD handshake by calling C<nbd_aio_is_ready>, on the connection. This call will fail if libnbd was not compiled with libxml2; you can -test whether this is the case with C<nbd_supports_uri>."; +test whether this is the case with C<nbd_supports_uri>. Support for +URIs that require TLS will fail if libnbd was not compiled with +gnutls; you can test whether this is the case with C<nbd_supports_tls>."; }; "aio_connect_unix", { @@ -1876,6 +1898,15 @@ The release number is incremented for each release along a particular branch."; }; + "supports_tls", { + default_call with + args = []; ret = RBool; is_locked = false; may_set_error = false; + shortdesc = "return true if libnbd was compiled with support for TLS"; + longdesc = "\ +Returns true if libnbd was compiled with gnutls which is required +to support TLS encryption, or false if not. See C<nbd_set_tls>."; + }; + "supports_uri", { default_call with args = []; ret = RBool; is_locked = false; may_set_error = false; diff --git a/interop/interop.c b/interop/interop.c index 24f79cc..5d129a0 100644 --- a/interop/interop.c +++ b/interop/interop.c @@ -71,6 +71,10 @@ main (int argc, char *argv[]) /* Require TLS on the handle and fail if not available or if the * handshake fails. */ + if (nbd_supports_tls (nbd) != 1) { + fprintf (stderr, "skip: compiled without TLS supports\n"); + exit (77); + } if (nbd_set_tls (nbd, 2) == -1) { fprintf (stderr, "%s\n", nbd_get_error ()); exit (EXIT_FAILURE); 
diff --git a/lib/handle.c b/lib/handle.c index cc311ba..e40b274 100644 --- a/lib/handle.c +++ b/lib/handle.c @@ -227,6 +227,18 @@ nbd_unlocked_get_version (struct nbd_handle *h) return PACKAGE_VERSION; } +/* NB: is_locked = false, may_set_error = false. */ +int +nbd_unlocked_supports_tls (struct nbd_handle *h) +{ +#ifdef HAVE_GNUTLS + return 1; +#else + return 0; +#endif +} + +/* NB: is_locked = false, may_set_error = false. */ int nbd_unlocked_supports_uri (struct nbd_handle *h) { -- 2.20.1
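Review bot: typo in the skip message in the interop.c hunk: "skip: compiled without TLS supports\n" should read "skip: compiled without TLS support\n". The comment directly above the new check ("Require TLS on the handle and fail if not available or if the handshake fails") is now also slightly out of date, since a build without gnutls skips with exit (77) rather than failing; consider rewording it to say the test skips when libnbd lacks TLS support and fails only if nbd_set_tls or the handshake fails.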
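Review bot: the longdesc in the new "supports_tls" entry should make explicit that this is a compile-time property of the library (it is driven by HAVE_GNUTLS in lib/handle.c), not a statement about the handle's current connection or about whether the server offers TLS; otherwise callers may read a true result as "TLS will be negotiated". Suggest: "Returns true if libnbd was compiled with gnutls, which is required to support TLS encryption, or false if not. This reflects how the library was built, not whether a particular server supports TLS. See C<nbd_set_tls>." This also adds the missing comma after "gnutls".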
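Review bot: wording in the connect_uri and aio_connect_uri hunks: "Support for URIs that require TLS will fail if libnbd was not compiled with gnutls" reads awkwardly, since it is the connection attempt that fails, not the support. Suggest "Connecting to a URI that requires TLS will fail if libnbd was not compiled with gnutls; you can test whether this is the case with C<nbd_supports_tls>." The identical sentence appears in both hunks, so apply the same change to each so the generated docs stay consistent.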
Richard W.M. Jones
2019-Jun-05 19:26 UTC
Re: [Libguestfs] [libnbd PATCH] api: Add nbd_supports_tls
On Wed, Jun 05, 2019 at 09:15:32AM -0500, Eric Blake wrote:> This is slightly redundant with just trying nbd_set_tls(nbd, 2) then > checking for failure; however, this function does not set errors and > looks more similar to nbd_supports_uri. > --- > > This is borderline enough that I figured I'd post it to check if we want it. > > generator/generator | 45 ++++++++++++++++++++++++++++++++++++++------- > interop/interop.c | 4 ++++ > lib/handle.c | 12 ++++++++++++ > 3 files changed, 54 insertions(+), 7 deletions(-) > > diff --git a/generator/generator b/generator/generator > index ea6eea4..d21e786 100755 > --- a/generator/generator > +++ b/generator/generator > @@ -971,7 +971,9 @@ the path to the certificates directory (C<nbd_set_tls_certificates>), > the username (C<nbd_set_tls_username>) and/or > the Pre-Shared Keys (PSK) file (C<nbd_set_tls_psk_file>). For now, > when using C<nbd_connect_uri>, any URI query parameters related to > -TLS are not handled automatically. > +TLS are not handled automatically. Setting the level higher than > +zero will fail if libnbd was not compiled against gnutls; you can > +test whether this is the case with C<nbd_supports_tls>. > > For more information see L<libnbd(3)/ENCRYPTION AND AUTHENTICATION>."; > }; > @@ -995,7 +997,11 @@ set and TLS is used then a compiled in default is used. > For root this is C</etc/pki/libnbd/>. For non-root this is > C<$HOME/.pki/libnbd> and C<$HOME/.config/pki/libnbd>. If > none of these directories can be found then the system > -trusted CAs are used."; > +trusted CAs are used. > + > +This function may be called regardless of whether TLS is > +supported, but will have no effect unless C<nbd_set_tls> > +is also used to request or require TLS."; > }; > > (* Can't implement this because we need a way to return string that 
> @@ -1018,7 +1024,11 @@ Get the current TLS directory. See C<nbd_set_tls_certificates>."; > Set this flag to control whether libnbd will verify the identity > of the server from the server's certificate and the certificate > authority. This defaults to true when connecting to TCP servers > -using TLS certificate authentication, and false otherwise."; > +using TLS certificate authentication, and false otherwise. > + > +This function may be called regardless of whether TLS is > +supported, but will have no effect unless C<nbd_set_tls> > +is also used to request or require TLS."; > }; > > "get_tls_verify_peer", { > @@ -1037,7 +1047,11 @@ Get the verify peer flag."; > longdesc = "\ > Set the TLS client username. This is used > if authenticating with PSK over TLS is enabled. > -If not set then the local username is used."; > +If not set then the local username is used. > + > +This function may be called regardless of whether TLS is > +supported, but will have no effect unless C<nbd_set_tls> > +is also used to request or require TLS."; > }; > > "get_tls_username", { > @@ -1057,7 +1071,11 @@ Get the current TLS username. See C<nbd_set_tls_username>."; > Set the TLS Pre-Shared Keys (PSK) filename. This is used > if trying to authenticate to the server using with a pre-shared > key. There is no default so if this is not set then PSK > -authentication cannot be used to connect to the server."; > +authentication cannot be used to connect to the server. > + > +This function may be called regardless of whether TLS is > +supported, but will have no effect unless C<nbd_set_tls> > +is also used to request or require TLS."; > }; > > (* Can't implement this because we need a way to return string that 
> @@ -1112,7 +1130,9 @@ C<nbd_connect_tcp> or C<nbd_connect_unix>. This call returns when > the connection has been made. > > This call will fail if libnbd was not compiled with libxml2; you can > -test whether this is the case with C<nbd_supports_uri>."; > +test whether this is the case with C<nbd_supports_uri>. Support for > +URIs that require TLS will fail if libnbd was not compiled with > +gnutls; you can test whether this is the case with C<nbd_supports_tls>."; > }; > > "connect_unix", { > @@ -1497,7 +1517,9 @@ and completed the NBD handshake by calling C<nbd_aio_is_ready>, > on the connection. > > This call will fail if libnbd was not compiled with libxml2; you can > -test whether this is the case with C<nbd_supports_uri>."; > +test whether this is the case with C<nbd_supports_uri>. Support for > +URIs that require TLS will fail if libnbd was not compiled with > +gnutls; you can test whether this is the case with C<nbd_supports_tls>."; > }; > > "aio_connect_unix", { > @@ -1876,6 +1898,15 @@ The release number is incremented for each release along a particular > branch."; > }; > > + "supports_tls", { > + default_call with > + args = []; ret = RBool; is_locked = false; may_set_error = false; > + shortdesc = "return true if libnbd was compiled with support for TLS"; > + longdesc = "\ > +Returns true if libnbd was compiled with gnutls which is required > +to support TLS encryption, or false if not. See C<nbd_set_tls>."; > + }; > + > "supports_uri", { > default_call with > args = []; ret = RBool; is_locked = false; may_set_error = false; > diff --git a/interop/interop.c b/interop/interop.c > index 24f79cc..5d129a0 100644 > --- a/interop/interop.c > +++ b/interop/interop.c 
> @@ -71,6 +71,10 @@ main (int argc, char *argv[]) > /* Require TLS on the handle and fail if not available or if the > * handshake fails. > */ > + if (nbd_supports_tls (nbd) != 1) { > + fprintf (stderr, "skip: compiled without TLS supports\n"); > + exit (77); > + } > if (nbd_set_tls (nbd, 2) == -1) { > fprintf (stderr, "%s\n", nbd_get_error ()); > exit (EXIT_FAILURE); > diff --git a/lib/handle.c b/lib/handle.c > index cc311ba..e40b274 100644 > --- a/lib/handle.c > +++ b/lib/handle.c > @@ -227,6 +227,18 @@ nbd_unlocked_get_version (struct nbd_handle *h) > return PACKAGE_VERSION; > } > > +/* NB: is_locked = false, may_set_error = false. */ > +int > +nbd_unlocked_supports_tls (struct nbd_handle *h) > +{ > +#ifdef HAVE_GNUTLS > + return 1; > +#else > + return 0; > +#endif > +} > + > +/* NB: is_locked = false, may_set_error = false. */ > int > nbd_unlocked_supports_uri (struct nbd_handle *h) > {ACK Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog: http://rwmj.wordpress.com virt-p2v converts physical machines to virtual machines. Boot with a live CD or over the network (PXE) and turn machines into KVM guests. http://libguestfs.org/virt-v2v