Displaying 20 results from an estimated 27 matches for "tls_verify_peer".

2017 Jun 29
1
samba-tool SIGSEGV
.../ldap.motec.com.au" has a valid init Opening cache file at /var/lib/samba/login_cache.tdb init_sam_from_ldap: Entry found for user: user1 ---8<---*snip*---8<--- init_sam_from_ldap: Entry found for user: lastuser Next rid = 13001 Program received signal SIGSEGV, Segmentation fault. lpcfg_tls_verify_peer (lp_ctx=0x0) at default/lib/param/param_functions.c:355 355 FN_GLOBAL_INTEGER(tls_verify_peer, tls_verify_peer) (gdb) Any help appreciated. Kind regards, Tom -- Tom Robinson IT Manager/System Administrator MoTeC Pty Ltd 121 Merrindale Drive Croydon South 3136 Victoria Australia T: +61 3...
2019 Jan 01
2
[PATCH nbdkit] server: Use bool for types which are really booleans.
...extern enum log_to log_to; -extern int newstyle; +extern bool newstyle; extern const char *port; -extern int readonly; +extern bool readonly; extern const char *selinux_label; +extern int threads; extern int tls; extern const char *tls_certificates_dir; extern const char *tls_psk; -extern int tls_verify_peer; +extern bool tls_verify_peer; extern char *unixsocket; -extern int verbose; -extern int threads; +extern bool verbose; extern volatile int quit; extern int quit_fd; -extern int forked_into_background; +extern bool forked_into_background; extern struct backend *backend; #define for_each_...
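Review bot: the declaration "extern int threads;" is moved up next to "extern int tls;" in this hunk while keeping its int type, which is a reordering unrelated to the int-to-bool conversion named in the subject. Consider splitting the move into its own commit or mentioning it in the commit message, so that the type changes (newstyle, readonly, tls_verify_peer, verbose, forked_into_background) are the only thing a reader has to check here.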
2018 Jun 25
0
[PATCH nbdkit] tls: Implement Pre-Shared Keys (PSK) authentication.
...); - if (err < 0) { - nbdkit_error ("gnutls_credentials_set: %s", gnutls_strerror (err)); - goto error; - } - - /* If verify peer is enabled, tell GnuTLS to request the client - * certificates. (Note the default is to not request or verify - * certificates). - */ - if (tls_verify_peer) { + /* If verify peer is enabled, tell GnuTLS to request the client + * certificates. (Note the default is to not request or verify + * certificates). + */ + if (tls_verify_peer) { #ifdef HAVE_GNUTLS_SESSION_SET_VERIFY_CERT - gnutls_certificate_server_set_request (*session,...
2018 Jun 25
2
[PATCH nbdkit] tls: Implement Pre-Shared Keys (PSK) authentication.
This is ready for review but needs a bit more real-world testing before I'd be happy about it going upstream. It also needs tests. It does interoperate with qemu, at least in my limited tests. Rich.
2017 Feb 26
0
samba-tool domain classicupgrade smb_krb5_context_init_basic failed (Invalid argument)
...'Replicators' S-1-5-32-552 listed but then not found: Unable to enumerate members for alias, (-1073741487,The specified local group does not exist.) Exporting users Skipping wellknown rid=500 (for username=root) Next rid = 13001 Program received signal SIGSEGV, Segmentation fault. lpcfg_tls_verify_peer (lp_ctx=0x0) at default/lib/param/param_functions.c:352 352 FN_GLOBAL_INTEGER(tls_verify_peer, tls_verify_peer) (gdb)
2018 Jun 25
1
[PATCH v2 nbdkit] tls: Implement Pre-Shared Keys (PSK)
v2: * Improved documentation. * Added a test (interop with qemu client).
2018 Jun 28
1
[nbdkit PATCH] main: More idiomatic use of getopt_long
...r = NULL; static char *random_fifo = NULL; -enum { HELP_OPTION = CHAR_MAX + 1 }; +enum { + HELP_OPTION = CHAR_MAX + 1, + DUMP_CONFIG_OPTION, + DUMP_PLUGIN_OPTION, + EXIT_WITH_PARENT_OPTION, + FILTER_OPTION, + RUN_OPTION, + SELINUX_LABEL_OPTION, + TLS_OPTION, + TLS_CERTIFICATES_OPTION, + TLS_VERIFY_PEER_OPTION, +}; static const char *short_options = "e:fg:i:nop:P:rst:u:U:vV"; static const struct option long_options[] = { - { "help", 0, NULL, HELP_OPTION }, - { "dump-config",0, NULL, 0 }, - { "dump-plugin",0, NULL, 0 }, - { "exit-with-parent...
2017 Nov 17
0
[nbdkit PATCH 6/6] Add --threads option for supporting true parallel requests
...rkers = 0; while (!quit && get_status (conn) > 0) recv_request_send_reply (conn); } diff --git a/src/internal.h b/src/internal.h index 1fc5d69..b79c12c 100644 --- a/src/internal.h +++ b/src/internal.h @@ -103,6 +103,7 @@ extern const char *tls_certificates_dir; extern int tls_verify_peer; extern char *unixsocket; extern int verbose; +extern int threads; extern volatile int quit; @@ -151,6 +152,7 @@ extern void plugin_lock_connection (void); extern void plugin_unlock_connection (void); extern void plugin_lock_request (struct connection *conn); extern void plugin_unlock_reque...
2019 Oct 18
0
[PATCH nbdkit] Add support for AF_VSOCK.
...er/main.c +++ b/server/main.c @@ -45,6 +45,11 @@ #include <syslog.h> #include <sys/types.h> #include <sys/stat.h> +#include <sys/socket.h> + +#ifdef HAVE_LINUX_VM_SOCKETS_H +#include <linux/vm_sockets.h> +#endif #include <pthread.h> @@ -85,6 +90,7 @@ bool tls_verify_peer; /* --tls-verify-peer */ char *unixsocket; /* -U */ const char *user, *group; /* -u & -g */ bool verbose; /* -v */ +bool vsock; /* --vsock */ unsigned int socket_activation /* $LISTEN_FDS and $LISTEN_PID set */; /* The...
2019 Oct 18
1
[PATCH nbdkit v2] Add support for AF_VSOCK.
v1 was discussed here: https://www.redhat.com/archives/libguestfs/2019-October/thread.html#00100 v2: - Bind to VMADDR_CID_ANY (instead of HOST) and update the documentation accordingly. - Don't bother with SOCK_CLOEXEC fallback path that can never be used. Rich.
2019 Oct 18
2
[PATCH nbdkit] Add support for AF_VSOCK.
This is a series of patches to libnbd and nbdkit adding AF_VSOCK support. On the host side it allows you to start an nbdkit instance which listens on a virtio-vsock socket: $ ./nbdkit -fv --vsock memory 1G ... nbdkit: debug: bound to vsock 2:10809 On the guest side you can then use libnbd to connect to the server: $ ./run nbdsh -c 'h.connect_vsock(2, 10809)' -c
2019 Sep 16
1
[libnbd PATCH] api: Add set_handshake_flags for integration
...; + return 0; + } if (nbd_internal_set_size_and_flags (h, exportsize, eflags) == -1) { SET_NEXT_STATE (%.DEAD); diff --git a/lib/handle.c b/lib/handle.c index bc4206c..8ca2e5a 100644 --- a/lib/handle.c +++ b/lib/handle.c @@ -64,6 +64,8 @@ nbd_create (void) h->unique = 1; h->tls_verify_peer = true; h->request_sr = true; + h->gflags = (LIBNBD_HANDSHAKE_FLAG_FIXED_NEWSTYLE | + LIBNBD_HANDSHAKE_FLAG_NO_ZEROES); s = getenv ("LIBNBD_DEBUG"); h->debug = s && strcmp (s, "1") == 0; @@ -258,6 +260,22 @@ nbd_unlocked_get_request_stru...
2020 Jul 10
0
[RFC nbdkit PATCH] server: Allow --run with --vsock
...te there is some magic here, since qemu and guestfish URLs have a different format, so nbdkit tries to guess which you are running. If diff --git a/server/internal.h b/server/internal.h index 68c53366..1dd84ccb 100644 --- a/server/internal.h +++ b/server/internal.h @@ -129,6 +129,7 @@ extern bool tls_verify_peer; extern char *unixsocket; extern const char *user, *group; extern bool verbose; +extern bool vsock; extern int saved_stdin; extern int saved_stdout; diff --git a/server/captive.c b/server/captive.c index f8107604..a5b227c4 100644 --- a/server/captive.c +++ b/server/captive.c @@ -72,7 +72,7 @@...
2020 Apr 14
0
[nbdkit PATCH v2 2/3] server: Sanitize stdin/out before running plugin code
...| 12 ------------ server/main.c | 38 +++++++++++++++++++++++++++++++++++++- 5 files changed, 52 insertions(+), 24 deletions(-) diff --git a/server/internal.h b/server/internal.h index 67eb6a32..79e1906c 100644 --- a/server/internal.h +++ b/server/internal.h @@ -132,6 +132,8 @@ extern bool tls_verify_peer; extern char *unixsocket; extern const char *user, *group; extern bool verbose; +extern int orig_in; +extern int orig_out; /* Linked list of backends. Each backend struct is followed by either * a filter or plugin struct. "top" points to the first one. They diff --git a/server/b...
2017 Feb 16
2
samba-tool domain classicupgrade smb_krb5_context_init_basic failed (Invalid argument)
On Fri, 2017-02-17 at 07:48 +1100, Tom Robinson via samba wrote:
> Anyone?
Can you please post a gdb backtrace --full?
2019 Oct 20
0
[PATCH libnbd] api: Allow NBD URIs to be restricted.
...(* These calls are proposed for a future version of libnbd, but * have not been added to any released version so far. diff --git a/lib/handle.c b/lib/handle.c index 1d4a527..cdbca86 100644 --- a/lib/handle.c +++ b/lib/handle.c @@ -64,6 +64,11 @@ nbd_create (void) h->unique = 1; h->tls_verify_peer = true; h->request_sr = true; + + h->uri_allow_transports = (uint32_t) -1; + h->uri_allow_tls = LIBNBD_TLS_ALLOW; + h->uri_allow_local_file = false; + h->gflags = (LIBNBD_HANDSHAKE_FLAG_FIXED_NEWSTYLE | LIBNBD_HANDSHAKE_FLAG_NO_ZEROES); @@ -360,3 +365,24 @@...
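Review bot: in nbd_create, h->uri_allow_transports = (uint32_t) -1 sets every bit, including bits that no transport is assigned to yet, so any transport added later would be allowed by default for existing callers. A named mask covering only the currently defined transports would make this default explicit, in line with uri_allow_local_file defaulting to false in the same hunk.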
2020 Apr 04
0
[nbdkit PATCH 2/2] server: Sanitize stdin/out before running plugin code
...tests/test-layers-plugin.c | 12 +++++++++++- tests/test-layers.c | 4 +++- 7 files changed, 60 insertions(+), 25 deletions(-) diff --git a/server/internal.h b/server/internal.h index 67eb6a32..79e1906c 100644 --- a/server/internal.h +++ b/server/internal.h @@ -132,6 +132,8 @@ extern bool tls_verify_peer; extern char *unixsocket; extern const char *user, *group; extern bool verbose; +extern int orig_in; +extern int orig_out; /* Linked list of backends. Each backend struct is followed by either * a filter or plugin struct. "top" points to the first one. They diff --git a/server/b...
2019 Sep 04
2
[libnbd PATCH] api: Add way to avoid structured replies
..._NEW_VERSION); h->sbuf.option.option = htobe32 (NBD_OPT_STRUCTURED_REPLY); h->sbuf.option.optlen = htobe32 (0); diff --git a/lib/handle.c b/lib/handle.c index f8cc83a..c23ef01 100644 --- a/lib/handle.c +++ b/lib/handle.c @@ -63,6 +63,7 @@ nbd_create (void) h->unique = 1; h->tls_verify_peer = true; + h->request_sr = true; s = getenv ("LIBNBD_DEBUG"); h->debug = s && strcmp (s, "1") == 0; @@ -242,6 +243,20 @@ nbd_unlocked_add_meta_context (struct nbd_handle *h, const char *name) return 0; } +int +nbd_unlocked_set_request_structured_replies...
2019 Oct 20
2
[PATCH libnbd] api: Allow NBD URIs to be restricted.
Previous discussion: https://www.redhat.com/archives/libguestfs/2019-August/msg00102.html Last night I experimentally added support for URIs that contain the query parameter tls-psk-file, as part of rewriting the tests to cover more of the URI code. So you can now have a URI like: nbds://alice@localhost/?tls-psk-file=keys.psk However there's an obvious security problem here because now
2017 Nov 20
10
[nbdkit PATCH v2 0/8] Support parallel transactions within single connection
I've posted some of these patches or ideas before; but now I'm confident enough with the series that it should be ready to push; at any rate, I can now run test-socket-activation in a tight loop without triggering any crashes or hangs. With this in place, I'm going back to work on making the nbd forwarder work with the parallel thread model. Eric Blake (8): sockets: Use