1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
|
=head1 NAME
nbd_set_tls - enable or require TLS (authentication and encryption)
=head1 SYNOPSIS
#include <libnbd.h>
int nbd_set_tls (
struct nbd_handle *h, int tls
);
=head1 DESCRIPTION
Enable or require TLS
(authenticated and encrypted connections) to the
NBD server. The possible settings are:
=over 4
=item C<LIBNBD_TLS_DISABLE>
Disable TLS. (The default setting, unless using L<nbd_connect_uri(3)> with
a URI that requires TLS).
This setting is also necessary if you use L<nbd_set_opt_mode(3)>
and want to interact in plaintext with a server that implements
the NBD protocol's C<SELECTIVETLS> mode, prior to enabling TLS
with L<nbd_opt_starttls(3)>. Most NBD servers with TLS support
prefer the NBD protocol's C<FORCEDTLS> mode, so this sort of
manual interaction tends to be useful mainly during integration
testing.
=item C<LIBNBD_TLS_ALLOW>
Enable TLS if possible.
This option is insecure (or best effort) in that in some cases
it will fall back to an unencrypted and/or unauthenticated
connection if TLS could not be established. Use
C<LIBNBD_TLS_REQUIRE> below if the connection must be
encrypted.
Some servers will drop the connection if TLS fails
so fallback may not be possible.
=item C<LIBNBD_TLS_REQUIRE>
Require an encrypted and authenticated TLS connection.
Always fail to connect if the connection is not encrypted
and authenticated.
=back
As well as calling this you may also need to supply
the path to the certificates directory (L<nbd_set_tls_certificates(3)>),
the username (L<nbd_set_tls_username(3)>) and/or
the Pre-Shared Keys (PSK) file (L<nbd_set_tls_psk_file(3)>). For now,
when using L<nbd_connect_uri(3)>, any URI query parameters related to
TLS are not handled automatically. Setting the level higher than
zero will fail if libnbd was not compiled against gnutls; you can
test whether this is the case with L<nbd_supports_tls(3)>.
=head1 RETURN VALUE
If the call is successful the function returns C<0>.
=head1 ERRORS
On error C<-1> is returned.
Refer to L<libnbd(3)/ERROR HANDLING>
for how to get further details of the error.
The following parameters must not be NULL: C<h>.
For more information see L<libnbd(3)/Non-NULL parameters>.
=head1 HANDLE STATE
nbd_set_tls
can be called when the handle is in the following state:
┌─────────────────────────────────────┬─────────────────────────┐
│ Handle created, before connecting │ ✅ allowed │
│ Connecting │ ❌ error │
│ Connecting & handshaking (opt_mode) │ ❌ error │
│ Connected to the server │ ❌ error │
│ Connection shut down │ ❌ error │
│ Handle dead │ ❌ error │
└─────────────────────────────────────┴─────────────────────────┘
=head1 VERSION
This function first appeared in libnbd 1.0.
If you need to test if this function is available at compile time
check if the following macro is defined:
#define LIBNBD_HAVE_NBD_SET_TLS 1
=head1 EXAMPLE
This example is also available as F<examples/encryption.c>
in the libnbd source code.
/* An example showing how to connect to a server which is
* using TLS encryption.
*
* This requires nbdkit, and psktool from gnutls.
*
* Both libnbd and nbdkit support TLS-PSK which is a
* simpler-to-deploy form of encryption. (Of course
* certificate-based encryption is also supported, but
* it’s harder to make a self-contained example).
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <libnbd.h>
#define TMPDIR "/tmp/XXXXXX"
#define KEYS "keys.psk"
#define USERNAME "alice"
static char dir[] = TMPDIR;
static char keys[] = TMPDIR "/" KEYS;
static char cmd[] =
"psktool -u " USERNAME " -p " TMPDIR "/" KEYS;
/* Remove the temporary keys file when the program
* exits.
*/
static void
cleanup_keys (void)
{
unlink (keys);
rmdir (dir);
}
/* Create the temporary keys file to share with the
* server.
*/
static void
create_keys (void)
{
size_t i;
if (mkdtemp (dir) == NULL) {
perror ("mkdtemp");
exit (EXIT_FAILURE);
}
i = strlen (cmd) - strlen (TMPDIR) - strlen (KEYS) - 1;
memcpy (&cmd[i], dir, strlen (TMPDIR));
memcpy (keys, dir, strlen (TMPDIR));
if (system (cmd) != 0) {
fprintf (stderr, "psktool command failed\n");
exit (EXIT_FAILURE);
}
atexit (cleanup_keys);
}
int
main (int argc, char *argv[])
{
struct nbd_handle *nbd;
char buf[512];
create_keys ();
/* Create the libnbd handle. */
nbd = nbd_create ();
if (nbd == NULL) {
fprintf (stderr, "%s\n", nbd_get_error ());
exit (EXIT_FAILURE);
}
/* Enable TLS in the client. */
if (nbd_set_tls (nbd, LIBNBD_TLS_REQUIRE) == -1) {
fprintf (stderr, "%s\n", nbd_get_error ());
exit (EXIT_FAILURE);
}
/* Enable TLS-PSK and pass the keys filename. */
if (nbd_set_tls_psk_file (nbd, keys) == -1) {
fprintf (stderr, "%s\n", nbd_get_error ());
exit (EXIT_FAILURE);
}
/* Set the local username for authentication. */
if (nbd_set_tls_username (nbd, USERNAME) == -1) {
fprintf (stderr, "%s\n", nbd_get_error ());
exit (EXIT_FAILURE);
}
/* Run nbdkit as a subprocess, enabling and requiring
* TLS-PSK encryption.
*/
char *args[] = {
"nbdkit", "-s", "--exit-with-parent",
"--tls", "require", "--tls-psk", keys,
"pattern", "size=1M", NULL
};
if (nbd_connect_command (nbd, args) == -1) {
fprintf (stderr, "%s\n", nbd_get_error ());
exit (EXIT_FAILURE);
}
/* Read the first sector. */
if (nbd_pread (nbd, buf, sizeof buf, 0, 0) == -1) {
fprintf (stderr, "%s\n", nbd_get_error ());
exit (EXIT_FAILURE);
}
/* TLS connections must be shut down. */
if (nbd_shutdown (nbd, 0) == -1) {
fprintf (stderr, "%s\n", nbd_get_error ());
exit (EXIT_FAILURE);
}
/* Close the libnbd handle. */
nbd_close (nbd);
exit (EXIT_SUCCESS);
}
=head1 SEE ALSO
L<nbd_connect_uri(3)>,
L<nbd_create(3)>,
L<nbd_get_tls(3)>,
L<nbd_get_tls_negotiated(3)>,
L<nbd_opt_starttls(3)>,
L<nbd_set_opt_mode(3)>,
L<nbd_set_tls_certificates(3)>,
L<nbd_set_tls_priority(3)>,
L<nbd_set_tls_psk_file(3)>,
L<nbd_set_tls_username(3)>,
L<nbd_supports_tls(3)>,
L<libnbd(3)/ENCRYPTION AND AUTHENTICATION>,
L<libnbd(3)>.
=head1 AUTHORS
Eric Blake
Richard W.M. Jones
=head1 COPYRIGHT
Copyright Red Hat
|
