1nbd_set_tls(3)                      LIBNBD                      nbd_set_tls(3)
2
3
4

NAME

6       nbd_set_tls - enable or require TLS (authentication and encryption)
7

SYNOPSIS

9        #include <libnbd.h>
10
11        int nbd_set_tls (struct nbd_handle *h, int tls);
12

DESCRIPTION

14       Enable or require TLS (authenticated and encrypted connections) to the
15       NBD server.  The possible settings are:
16
17       "LIBNBD_TLS_DISABLE"
18           Disable TLS.  (The default setting, unless using nbd_connect_uri(3)
19           with a URI that requires TLS)
20
21       "LIBNBD_TLS_ALLOW"
22           Enable TLS if possible.
23
24           This option is insecure (or best effort) in that in some cases it
25           will fall back to an unencrypted and/or unauthenticated connection
26           if TLS could not be established.  Use "LIBNBD_TLS_REQUIRE" below if
27           the connection must be encrypted.
28
29           Some servers will drop the connection if TLS fails so fallback may
30           not be possible.
31
32       "LIBNBD_TLS_REQUIRE"
33           Require an encrypted and authenticated TLS connection.  Always fail
34           to connect if the connection is not encrypted and authenticated.
35
36       As well as calling this you may also need to supply the path to the
37       certificates directory (nbd_set_tls_certificates(3)), the username
38       (nbd_set_tls_username(3)) and/or the Pre-Shared Keys (PSK) file
39       (nbd_set_tls_psk_file(3)).  For now, when using nbd_connect_uri(3), any
40       URI query parameters related to TLS are not handled automatically.
41       Setting the level higher than zero will fail if libnbd was not compiled
42       against gnutls; you can test whether this is the case with
43       nbd_supports_tls(3).
44

RETURN VALUE

46       If the call is successful the function returns 0.
47

ERRORS

49       On error "-1" is returned.
50
51       Refer to "ERROR HANDLING" in libnbd(3) for how to get further details
52       of the error.
53
54       The following parameters must not be NULL: "h".  For more information
55       see "Non-NULL parameters" in libnbd(3).
56

HANDLE STATE

58       The handle must be newly created, otherwise this call will return an
59       error.
60

VERSION

62       This function first appeared in libnbd 1.0.
63
64       If you need to test if this function is available at compile time check
65       if the following macro is defined:
66
67        #define LIBNBD_HAVE_NBD_SET_TLS 1
68

EXAMPLE

70       This example is also available as examples/encryption.c in the libnbd
71       source code.
72
73        /* An example showing how to connect to a server which is
74         * using TLS encryption.
75         *
76         * This requires nbdkit, and psktool from gnutls.
77         *
78         * Both libnbd and nbdkit support TLS-PSK which is a
79         * simpler-to-deploy form of encryption.  (Of course
80         * certificate-based encryption is also supported, but
81         * it’s harder to make a self-contained example).
82         */
83
84        #include <stdio.h>
85        #include <stdlib.h>
86        #include <string.h>
87        #include <unistd.h>
88
89        #include <libnbd.h>
90
91        #define TMPDIR "/tmp/XXXXXX"
92        #define KEYS "keys.psk"
93        #define USERNAME "alice"
94
95        static char dir[] = TMPDIR;
96        static char keys[] = TMPDIR "/" KEYS;
97        static char cmd[] =
98          "psktool -u " USERNAME " -p " TMPDIR "/" KEYS;
99
100        /* Remove the temporary keys file when the program
101         * exits.
102         */
103        static void
104        cleanup_keys (void)
105        {
106          unlink (keys);
107          rmdir (dir);
108        }
109
110        /* Create the temporary keys file to share with the
111         * server.
112         */
113        static void
114        create_keys (void)
115        {
116          size_t i;
117
118          if (mkdtemp (dir) == NULL) {
119            perror ("mkdtemp");
120            exit (EXIT_FAILURE);
121          }
122          i = strlen (cmd) - strlen (TMPDIR) - strlen (KEYS) - 1;
123          memcpy (&cmd[i], dir, strlen (TMPDIR));
124          memcpy (keys, dir, strlen (TMPDIR));
125
126          if (system (cmd) != 0) {
127            fprintf (stderr, "psktool command failed\n");
128            exit (EXIT_FAILURE);
129          }
130
131          atexit (cleanup_keys);
132        }
133
134        int
135        main (int argc, char *argv[])
136        {
137          struct nbd_handle *nbd;
138          char buf[512];
139
140          create_keys ();
141
142          /* Create the libnbd handle. */
143          nbd = nbd_create ();
144          if (nbd == NULL) {
145            fprintf (stderr, "%s\n", nbd_get_error ());
146            exit (EXIT_FAILURE);
147          }
148
149          /* Enable TLS in the client. */
150          if (nbd_set_tls (nbd, LIBNBD_TLS_REQUIRE) == -1) {
151            fprintf (stderr, "%s\n", nbd_get_error ());
152            exit (EXIT_FAILURE);
153          }
154
155          /* Enable TLS-PSK and pass the keys filename. */
156          if (nbd_set_tls_psk_file (nbd, keys) == -1) {
157            fprintf (stderr, "%s\n", nbd_get_error ());
158            exit (EXIT_FAILURE);
159          }
160
161          /* Set the local username for authentication. */
162          if (nbd_set_tls_username (nbd, USERNAME) == -1) {
163            fprintf (stderr, "%s\n", nbd_get_error ());
164            exit (EXIT_FAILURE);
165          }
166
167          /* Run nbdkit as a subprocess, enabling and requiring
168           * TLS-PSK encryption.
169           */
170          char *args[] = {
171            "nbdkit", "-s", "--exit-with-parent",
172            "--tls", "require", "--tls-psk", keys,
173            "pattern", "size=1M", NULL
174          };
175          if (nbd_connect_command (nbd, args) == -1) {
176            fprintf (stderr, "%s\n", nbd_get_error ());
177            exit (EXIT_FAILURE);
178          }
179
180          /* Read the first sector. */
181          if (nbd_pread (nbd, buf, sizeof buf, 0, 0) == -1) {
182            fprintf (stderr, "%s\n", nbd_get_error ());
183            exit (EXIT_FAILURE);
184          }
185
186          /* TLS connections must be shut down. */
187          if (nbd_shutdown (nbd, 0) == -1) {
188            fprintf (stderr, "%s\n", nbd_get_error ());
189            exit (EXIT_FAILURE);
190          }
191
192          /* Close the libnbd handle. */
193          nbd_close (nbd);
194
195          exit (EXIT_SUCCESS);
196        }
197

SEE ALSO

199       nbd_connect_uri(3), nbd_create(3), nbd_get_tls(3),
200       nbd_get_tls_negotiated(3), nbd_set_tls_certificates(3),
201       nbd_set_tls_psk_file(3), nbd_set_tls_username(3), nbd_supports_tls(3),
202       "ENCRYPTION AND AUTHENTICATION" in libnbd(3), libnbd(3).
203

AUTHORS

205       Eric Blake
206
207       Richard W.M. Jones
208

210       Copyright (C) 2019-2021 Red Hat Inc.
211

LICENSE

213       This library is free software; you can redistribute it and/or modify it
214       under the terms of the GNU Lesser General Public License as published
215       by the Free Software Foundation; either version 2 of the License, or
216       (at your option) any later version.
217
218       This library is distributed in the hope that it will be useful, but
219       WITHOUT ANY WARRANTY; without even the implied warranty of
220       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
221       Lesser General Public License for more details.
222
223       You should have received a copy of the GNU Lesser General Public
224       License along with this library; if not, write to the Free Software
225       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
226       02110-1301 USA
227
228
229
230libnbd-1.14.2                     2023-01-03                    nbd_set_tls(3)
Impressum