search for: libnbd_tls_disable

Displaying 18 results from an estimated 18 matches for "libnbd_tls_disable".

2019 Aug 15
3
[nbdkit PATCH] nbd: Another libnbd version bump
...strcasecmp (value, "force") == 0) - tls = 2; + tls = LIBNBD_TLS_REQUIRE; else { - tls = nbdkit_parse_bool (value); - if (tls == -1) + r = nbdkit_parse_bool (value); + if (r == -1) exit (EXIT_FAILURE); + tls = r ? LIBNBD_TLS_ALLOW : LIBNBD_TLS_DISABLE; } } else if (strcmp (key, "tls-certificates") == 0) { @@ -245,8 +246,9 @@ nbdplug_config_complete (void) export = ""; if (tls == -1) - tls = tls_certificates || tls_verify >= 0 || tls_username || tls_psk; - if (tls > 0) { + tls = (tls_certificat...
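Review bot: In the `else` branch of the first hunk, a true boolean maps to `LIBNBD_TLS_ALLOW` and only `force` selects `LIBNBD_TLS_REQUIRE`, so a user who simply turns TLS on gets a connection that can still proceed unencrypted if the server does not offer TLS. This keeps the old numeric behaviour (1 for true, 2 for `force`), but consider either mapping a true value to `LIBNBD_TLS_REQUIRE` or stating in the plugin documentation that only `force` guarantees encryption.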
2019 Oct 20
2
[PATCH libnbd] api: Allow NBD URIs to be restricted.
Previous discussion: https://www.redhat.com/archives/libguestfs/2019-August/msg00102.html Last night I experimentally added support for URIs that contain the query parameter tls-psk-file, as part of rewriting the tests to cover more of the URI code. So you can now have a URI like: nbds://alice@localhost/?tls-psk-file=keys.psk However there's an obvious security problem here because now
2019 Sep 16
1
[libnbd PATCH] states: Avoid magic number for h->tls
...b050ce0 100644 --- a/generator/states-newstyle-opt-starttls.c +++ b/generator/states-newstyle-opt-starttls.c @@ -21,7 +21,7 @@ /* STATE MACHINE */ { NEWSTYLE.OPT_STARTTLS.START: /* If TLS was not requested we skip this option and go to the next one. */ - if (!h->tls) { + if (h->tls == LIBNBD_TLS_DISABLE) { SET_NEXT_STATE (%^OPT_STRUCTURED_REPLY.START); return 0; } @@ -88,13 +88,13 @@ return 0; } - /* Server refused to upgrade to TLS. If h->tls is not require (2) + /* Server refused to upgrade to TLS. If h->tls is not 'require' (2) * then we can...
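Review bot: In the second hunk the reworded comment still spells the value as `'require' (2)`, which keeps the magic number this patch sets out to remove. Refer to `LIBNBD_TLS_REQUIRE` in the comment instead, so it matches the new `h->tls == LIBNBD_TLS_DISABLE` test in the first hunk.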
2019 Oct 20
0
[PATCH libnbd] api: Allow NBD URIs to be restricted.
...mitted_states = [ Created ]; + shortdesc = "set the allowed TLS settings in NBD URIs"; + longdesc = "\ +Set which TLS settings are allowed to appear in NBD URIs. The +default is to allow either non-TLS or TLS URIs. + +The C<tls> parameter can be: + +=over 4 + +=item C<LIBNBD_TLS_DISABLE> + +TLS URIs are not permitted, ie. a URI such as C<nbds://...> +will be rejected. + +=item C<LIBNBD_TLS_ALLOW> + +This is the default. TLS may be used or not, depending on +whether the URI uses C<nbds> or C<nbd>. + +=item C<LIBNBD_TLS_REQUIRE> + +TLS URIs are requ...
2019 Aug 10
0
[PATCH libnbd 3/9] generator: Add Enum type for enumerated types / unions.
Previously nbd_set_tls had an integer argument which was 0 for disable, 1 for allow and 2 for require. This commit adds a proper enumerated type to describe this, defining LIBNBD_TLS_DISABLE = 0, LIBNBD_TLS_ALLOW = 1 and LIBNBD_TLS_REQUIRE = 2. (Note the C API doesn't change). In C the enumerated type is still defined and passed as an int (not as an enum). While we could define an enum type for this, there are ABI stability problems inherent in enums in C. In OCaml this is impl...
2019 Aug 10
0
[PATCH libnbd 5/9] generator: On entry to API functions, check Enum parameters.
In the generated wrapper code this adds checks for all Enum parameters. Since only nbd_set_tls uses an Enum parameter, the only extra code generated by this change is: int nbd_set_tls (struct nbd_handle *h, int tls) { // ... switch (tls) { case LIBNBD_TLS_DISABLE: case LIBNBD_TLS_ALLOW: case LIBNBD_TLS_REQUIRE: break; default: set_error (EINVAL, "%s: invalid value for parameter: %d", "tls", tls); ret = -1; goto out; } This doesn't change the C API, but previously this paramete...
2019 Aug 15
0
Re: [nbdkit PATCH] nbd: Another libnbd version bump
...) == 0) > - tls = 2; > + tls = LIBNBD_TLS_REQUIRE; > else { > - tls = nbdkit_parse_bool (value); > - if (tls == -1) > + r = nbdkit_parse_bool (value); > + if (r == -1) > exit (EXIT_FAILURE); > + tls = r ? LIBNBD_TLS_ALLOW : LIBNBD_TLS_DISABLE; Our feedback was the LIBNBD_TLS_ALLOW was really bad (I'm unconvinced because I prefer my stuff to work and TLS very often doesn't). Do you think we should use REQUIRE here as well? Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programm...
2019 Nov 04
1
Re: [PATCH libnbd] api: Allow NBD URIs to be restricted.
..."set the allowed TLS settings in NBD URIs"; > + longdesc = "\ > +Set which TLS settings are allowed to appear in NBD URIs. The > +default is to allow either non-TLS or TLS URIs. > + > +The C<tls> parameter can be: > + > +=over 4 > + > +=item C<LIBNBD_TLS_DISABLE> > + > +TLS URIs are not permitted, ie. a URI such as C<nbds://...> > +will be rejected. > + > +=item C<LIBNBD_TLS_ALLOW> > + > +This is the default. TLS may be used or not, depending on > +whether the URI uses C<nbds> or C<nbd>. > + > +=ite...
2019 Aug 10
17
[PATCH libnbd 0/9] Add Enum and Flags types.
This largish series adds several new features to the generator. Enum maps to enumerated types (like enum in C). The only current use for this is replacing the nbd_set_tls (nbd, 0/1/2) parameter with LIBNBD_TLS_DISABLE, LIBNBD_TLS_ALLOW, LIBNBD_TLS_REQUIRE (and natural equivalents in other programming languages). Flags maps to any uint32_t bitmask. It is basically a non-optional, generalized variation on OFlags with some nice features. Two commits also add checking so that we check that the Enum, Flags or OFla...
2019 Sep 17
3
[PATCH libnbd 1/2] api: Add new API to read whether TLS was negotiated.
...3)>), because in this +mode we try to use TLS but fall back to unencrypted if it was +not available. This function will tell you if TLS was +negotiated or not. + +In C<LIBNBD_TLS_REQUIRE> mode (the most secure) the connection +would have failed if TLS could not be negotiated, and in +C<LIBNBD_TLS_DISABLE> mode TLS is not tried."; + see_also = ["L<nbd_set_tls(3)>"; "L<nbd_get_tls(3)>"]; }; "set_tls_certificates", { @@ -2527,6 +2552,7 @@ let first_version = [ "can_fast_zero", (1, 2); "set_request_structured_replies&quot...
2020 Jul 20
0
[PATCH libnbd PROPOSAL] Add APIs for listing exports from an NBD server.
...t-starttls.c index d220c4f..2d74e5f 100644 --- a/generator/states-newstyle-opt-starttls.c +++ b/generator/states-newstyle-opt-starttls.c @@ -22,7 +22,7 @@ STATE_MACHINE { NEWSTYLE.OPT_STARTTLS.START: /* If TLS was not requested we skip this option and go to the next one. */ if (h->tls == LIBNBD_TLS_DISABLE) { - SET_NEXT_STATE (%^OPT_STRUCTURED_REPLY.START); + SET_NEXT_STATE (%^OPT_LIST.START); return 0; } @@ -101,7 +101,7 @@ STATE_MACHINE { debug (h, "server refused TLS (%s), continuing with unencrypted connection", reply == NBD_REP_ERR_POLICY ?...
2020 Sep 07
4
[libnbd PATCH v2 0/3] Improve type-safety of ocaml/golang getters
Well, the golang changes (patch 1 and 2/3 of v1) were already committed, all that was left was the OCaml changes. I'm a lot happier with how things turned out with an UNKNOWN constructor in the OCaml variants. Eric Blake (3): tests: Enhance coverage of enum/flag range checking ocaml: Support unknown values for Enum/Flags ocaml: Typesafe returns for REnum/RFlags generator/OCaml.ml
2023 Aug 03
1
[libnbd PATCH v4 20/25] generator: Actually request extended headers
...pt-starttls.c index e497548c..1e2997a3 100644 --- a/generator/states-newstyle-opt-starttls.c +++ b/generator/states-newstyle-opt-starttls.c @@ -26,7 +26,7 @@ NEWSTYLE.OPT_STARTTLS.START: else { /* If TLS was not requested we skip this option and go to the next one. */ if (h->tls == LIBNBD_TLS_DISABLE) { - SET_NEXT_STATE (%^OPT_STRUCTURED_REPLY.START); + SET_NEXT_STATE (%^OPT_EXTENDED_HEADERS.START); return 0; } assert (CALLBACK_IS_NULL (h->opt_cb.completion)); @@ -128,7 +128,7 @@ NEWSTYLE.OPT_STARTTLS.CHECK_REPLY: SET_NEXT_STATE (%.NEGOTIATING); else {...
2020 Jul 20
2
[PATCH libnbd PROPOSAL] Add APIs for listing exports from an NBD server.
Proposal for new APIs to list exports. The general shape of the API can probably best be seen from the examples/list-exports.c example. Rich.
2020 Aug 28
4
[nbdkit PATCH 0/3] .list_exports in nbd plugin
Another series on top of my exportname filter, marking off another todo bullet point. With this, you can now use the NBD plugin as a transparent passthrough of all export names served by the remote server in both directions (list advertisement server to client, and export name from client to server). Eric Blake (3): nbd: Implement .default_export, .export_description nbd: Add
2020 Aug 18
3
[libnbd PATCH v3 0/2] Implementing NBD_OPT_LIST
This is a subset of my v2 posting, but limited to just the NBD_OPT_LIST handling. The biggest change since v2 is the addition of added unit testing in all four language bindings (C, python, ocaml, golang). The tests require nbdkit built from git on PATH, and may not be entirely idiomatic, but I at least validated that they catch issues (for example, adding an exit statement near the end of the
2020 Aug 14
18
[libnbd PATCH v2 00/13] Adding nbd_set_opt_mode to improve nbdinfo
Well, I'm not quite done (I still want to get nbdinfo to work on a single nbd connection for all cases when reading the heads of the file is not required), but I'm happy with patches 1-11, and 12-13 show where I'm headed for getting NBD_OPT_INFO to work. Posting now to see if some of the earlier patches are ready to commit while I continue working on the latter half. Eric Blake (13):
2020 Sep 21
18
[nbdkit PATCH v3 00/14] exportname filter
It's been several weeks since I posted v2 (I got distracted by improving libnbd to better test things, which in turn surfaced some major memory leak problems in nbdsh that are now fixed). Many of the patches are minor rebases from v2, with the biggest changes being fallout from: - patch 2: rename nbdkit_add_default_export to nbdkit_use_default_export - overall: this missed 1.22, so update