search for: crypto_negotiate_tls

Displaying 20 results from an estimated 37 matches for "crypto_negotiate_tls".

2019 Jan 01
2
[PATCH nbdkit] server: Use bool for types which are really booleans.
...ection_set_close (struct connection *, connection_close_function /* crypto.c */ #define root_tls_certificates_dir sysconfdir "/pki/" PACKAGE_NAME -extern void crypto_init (int tls_set_on_cli); +extern void crypto_init (bool tls_set_on_cli); extern void crypto_free (void); extern int crypto_negotiate_tls (struct connection *conn, int sockin, int sockout); diff --git a/server/connections.c b/server/connections.c index 0d1bd74..0a89315 100644 --- a/server/connections.c +++ b/server/connections.c @@ -78,13 +78,13 @@ struct connection { uint32_t cflags; uint64_t exportsize; uint16_t eflags;...
2018 Dec 02
0
[PATCH nbdkit 4/4] crypto: Free TLS session.
...ion *conn) close (sockin); if (sockout >= 0 && sockin != sockout) close (sockout); + + gnutls_deinit (*session); + free (session); + connection_set_crypto_session (conn, NULL); } /* Upgrade an existing connection to TLS. Also this should do access @@ -505,6 +509,7 @@ crypto_negotiate_tls (struct connection *conn, int sockin, int sockout) error: gnutls_deinit (*session); free (session); + connection_set_crypto_session (conn, NULL); return -1; } -- 2.19.0.rc0
2020 Mar 26
0
[PATCH nbdkit 5/9 patch split 3/5] server: Move some definitions in server/internal.h to the top of the file.
...\ + nbdkit_debug ((fs), ##__VA_ARGS__); \ + } while (0) + /* Maximum read or write request that we will handle. */ #define MAX_REQUEST_SIZE (64 * 1024 * 1024) @@ -286,13 +300,6 @@ extern void crypto_init (bool tls_set_on_cli); extern void crypto_free (void); extern int crypto_negotiate_tls (int sockin, int sockout); -/* debug.c */ -#define debug(fs, ...) \ - do { \ - if_verbose \ - nbdkit_debug ((fs), ##__VA_ARGS__); \ - } while (0)...
2018 Jun 25
0
[PATCH nbdkit] tls: Implement Pre-Shared Keys (PSK) authentication.
...switch (crypto_auth) { + case CRYPTO_AUTH_CERTIFICATES: + gnutls_certificate_free_credentials (x509_creds); + break; + case CRYPTO_AUTH_PSK: + gnutls_psk_free_server_credentials (psk_creds); + break; + } + } gnutls_global_deinit (); } @@ -335,6 +398,7 @@ int crypto_negotiate_tls (struct connection *conn, int sockin, int sockout) { gnutls_session_t *session; + CLEANUP_FREE char *priority = NULL; int err; /* Create the GnuTLS session. */ @@ -351,33 +415,61 @@ crypto_negotiate_tls (struct connection *conn, int sockin, int sockout) return -1; } - err =...
2019 Jun 06
0
[nbdkit PATCH 1/2] server: Add support for corking
...L); + + if (cork) + gnutls_record_cork (session); + else if (gnutls_record_uncork (session, GNUTLS_RECORD_WAIT) < 0) + return -1; + + return 0; +} + /* There's no place in the NBD protocol to send back errors from * close, so this function ignores errors. */ @@ -504,6 +522,7 @@ crypto_negotiate_tls (struct connection *conn, int sockin, int sockout) */ conn->crypto_session = session; conn->recv = crypto_recv; + conn->cork = crypto_cork; conn->send = crypto_send; conn->close = crypto_close; return 0; -- 2.20.1
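Review bot: the uncork branch of the new cork function returns -1 when gnutls_record_uncork fails, but the GnuTLS error code is discarded, so a failed flush of the corked TLS records leaves nothing to diagnose from. Store the return value and report it, for example with nbdkit_error and gnutls_strerror, before returning -1. In the second hunk, conn->cork is assigned between conn->recv and conn->send; placing it after conn->send would keep the recv/send pair together.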
2017 Oct 06
4
[PATCH nbdkit 0/3] misc fixes
Hi, few miscellaneous fixes for nbdkit. Thanks, Pino Toscano (3): build: use AC_MSG_RESULT for $PERL_LDOPTS crypto: add missing '{' tests: fix generation of PKI test data configure.ac | 1 + src/crypto.c | 2 +- tests/Makefile.am | 10 +++++----- 3 files changed, 7 insertions(+), 6 deletions(-) -- 2.13.6
2018 Jun 25
2
[PATCH nbdkit] tls: Implement Pre-Shared Keys (PSK) authentication.
This is ready for review but needs a bit more real-world testing before I'd be happy about it going upstream. It also needs tests. It does interoperate with qemu, at least in my limited tests. Rich.
2020 Feb 11
0
[PATCH nbdkit 3/3] server: Remove explicit connection parameter, use TLS instead.
...long as nbdkit always returns the same @@ -268,9 +258,7 @@ extern int protocol_recv_request_send_reply (struct connection *conn) #define root_tls_certificates_dir sysconfdir "/pki/" PACKAGE_NAME extern void crypto_init (bool tls_set_on_cli); extern void crypto_free (void); -extern int crypto_negotiate_tls (struct connection *conn, - int sockin, int sockout) - __attribute__((__nonnull__ (1))); +extern int crypto_negotiate_tls (int sockin, int sockout); /* debug.c */ #define debug(fs, ...) \ @@ -332,44 +320,39 @@ struct backend {...
2020 Feb 11
4
[PATCH nbdkit v2 0/3] server: Remove explicit connection parameter.
v1 was here: https://www.redhat.com/archives/libguestfs/2020-February/msg00081.html v2 replaces struct connection *conn = GET_CONN; with GET_CONN; which sets conn implicitly and asserts that it is non-NULL. If we actually want to test if conn is non-NULL or behave differently, then you must use threadlocal_get_conn() instead, and some existing uses do that. Rich.
2020 Feb 11
5
[PATCH nbdkit 0/3] server: Remove explicit connection parameter.
The third patch is a large but mechanical change which gets rid of passing around struct connection * entirely within the server, preferring instead to reference the connection through thread-local storage. I hope this is a gateway to simplifying other parts of the code. Rich.
2019 Jan 02
0
[PATCH nbdkit v2 1/2] Annotate internal function parameters with attribute((nonnull)).
...ection *, + connection_close_function) + __attribute__((__nonnull__ (1, 2))); /* crypto.c */ #define root_tls_certificates_dir sysconfdir "/pki/" PACKAGE_NAME extern void crypto_init (bool tls_set_on_cli); extern void crypto_free (void); -extern int crypto_negotiate_tls (struct connection *conn, int sockin, int sockout); +extern int crypto_negotiate_tls (struct connection *conn, + int sockin, int sockout) + __attribute__((__nonnull__ (1))); /* debug.c */ #define debug nbdkit_debug @@ -206,33 +226,48 @@ struct backend { }; /...
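Review bot: adding __attribute__((__nonnull__ (1))) to the crypto_negotiate_tls prototype does more than produce call-site warnings, because the compiler may also assume conn is never NULL inside the function and drop any defensive NULL check on it. Before this is merged, confirm that no caller can pass a NULL connection at run time and that the function bodies covered by these annotations do not rely on such a check. A short comment beside the annotated prototypes stating that NULL is a programming error would document the contract.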
2018 Jun 25
1
[PATCH v2 nbdkit] tls: Implement Pre-Shared Keys (PSK)
v2: * Improved documentation. * Added a test (interop with qemu client).
2019 Nov 02
2
[PATCH nbdkit] server: Use GCC hints to move debug and error handling code out of hot paths.
...e out of hot paths. + */ +#if defined(__GNUC__) +#define unlikely(x) __builtin_expect (!!(x), 0) +#define if_verbose if (unlikely (verbose)) +#else +#define unlikely(x) (x) +#define if_verbose if (verbose) +#endif + #ifdef __APPLE__ #define UNIX_PATH_MAX 104 #else @@ -262,7 +273,11 @@ extern int crypto_negotiate_tls (struct connection *conn, __attribute__((__nonnull__ (1))); /* debug.c */ -#define debug nbdkit_debug +#define debug(fs, ...) \ + do { \ + if_verbose \ + nbdk...
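Review bot: if_verbose expands to a bare if with no braces in both branches of the #if, so a use such as "if_verbose stmt; else ..." would bind the else to the hidden if. The debug macro is safe because it wraps the use in do { ... } while (0), but the definition should carry a comment saying that if_verbose must be followed by a single statement or block and never by an else.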
2018 Jan 17
0
[PATCH 1/9] plugins: Move locking to a new file.
...request (conn, cmd, flags, offset, count, buf); - plugin_unlock_request (conn); + unlock_request (conn); } /* Send the reply packet. */ diff --git a/src/internal.h b/src/internal.h index 73bc09e..068204b 100644 --- a/src/internal.h +++ b/src/internal.h @@ -144,17 +144,13 @@ extern int crypto_negotiate_tls (struct connection *conn, int sockin, int sockou /* plugins.c */ extern void plugin_register (const char *_filename, void *_dl, struct nbdkit_plugin *(*plugin_init) (void)); extern void plugin_cleanup (void); +extern int plugin_thread_model (void); extern const char *plugin_name (void); extern...
2018 Jan 16
0
[PATCH nbdkit 1/3] plugins: Move locking to a new file.
...request (conn, cmd, flags, offset, count, buf); - plugin_unlock_request (conn); + unlock_request (conn); } /* Send the reply packet. */ diff --git a/src/internal.h b/src/internal.h index 73bc09e..068204b 100644 --- a/src/internal.h +++ b/src/internal.h @@ -144,17 +144,13 @@ extern int crypto_negotiate_tls (struct connection *conn, int sockin, int sockou /* plugins.c */ extern void plugin_register (const char *_filename, void *_dl, struct nbdkit_plugin *(*plugin_init) (void)); extern void plugin_cleanup (void); +extern int plugin_thread_model (void); extern const char *plugin_name (void); extern...
2019 Jan 02
4
[PATCH nbdkit v2 0/2] Use of attribute(()).
v1 was here: https://www.redhat.com/archives/libguestfs/2019-January/msg00008.html In v2 I have provided two patches: The first patch extends attribute((nonnull)) to most internal functions, but not to the external API. The second patch uses a macro so that attribute((format)) is only used in the public API on GCC or Clang. At least in theory these headers could be used by a C compiler which
2019 Jun 06
4
[nbdkit PATCH 0/2] Reduce network overhead with corking
Slightly RFC, as I need more time to investigate why Unix sockets appeared to degrade with this patch. But as TCP sockets (over loopback to localhost) and TLS sessions (regardless of underlying Unix or TCP) both showed improvements, this looks like a worthwhile series. Eric Blake (2): server: Add support for corking server: Cork around grouped transmission send()s server/internal.h | 3
2018 Nov 29
6
[nbdkit PATCH 0/3] Fix %m usage on BSD
Our use of "%m" in various error messages is testament to the project's initial life on Linux - but other than Cygwin, I know of no other platforms supporting that glibc extension. We COULD audit the code and manually turn "%m" into "%s"/strerror(errno), but that's a lot of churn. Instead, let's fix the few outliers that can't be easily wrapped, then
2018 Jan 16
4
[PATCH nbdkit v2 2/3] Refactor plugin_* functions into a backend
v1 -> v2: - Fixed everything mentioned in the review. Rich.
2018 Jan 16
6
[PATCH nbdkit 0/3] Refactor plugin_* functions into a backend struct.
Somewhat invasive but mostly mechanical change to how plugins are called. This patch is in preparation for adding a second backend subtype for filters. Rich.