1nbd_set_tls(3) LIBNBD nbd_set_tls(3)
2
3
4
6 nbd_set_tls - enable or require TLS (authentication and encryption)
7
9 #include <libnbd.h>
10
11 int nbd_set_tls (
12 struct nbd_handle *h, int tls
13 );
14
16 Enable or require TLS (authenticated and encrypted connections) to the
17 NBD server. The possible settings are:
18
19 "LIBNBD_TLS_DISABLE"
20 Disable TLS. (The default setting, unless using nbd_connect_uri(3)
21 with a URI that requires TLS).
22
23 This setting is also necessary if you use nbd_set_opt_mode(3) and
24 want to interact in plaintext with a server that implements the NBD
25 protocol's "SELECTIVETLS" mode, prior to enabling TLS with
26 nbd_opt_starttls(3). Most NBD servers with TLS support prefer the
27 NBD protocol's "FORCEDTLS" mode, so this sort of manual interaction
28 tends to be useful mainly during integration testing.
29
30 "LIBNBD_TLS_ALLOW"
31 Enable TLS if possible.
32
33 This option is insecure (or best effort) in that in some cases it
34 will fall back to an unencrypted and/or unauthenticated connection
35 if TLS could not be established. Use "LIBNBD_TLS_REQUIRE" below if
36 the connection must be encrypted.
37
38 Some servers will drop the connection if TLS fails so fallback may
39 not be possible.
40
41 "LIBNBD_TLS_REQUIRE"
42 Require an encrypted and authenticated TLS connection. Always fail
43 to connect if the connection is not encrypted and authenticated.
44
45 As well as calling this you may also need to supply the path to the
46 certificates directory (nbd_set_tls_certificates(3)), the username
47 (nbd_set_tls_username(3)) and/or the Pre-Shared Keys (PSK) file
48 (nbd_set_tls_psk_file(3)). For now, when using nbd_connect_uri(3), any
49 URI query parameters related to TLS are not handled automatically.
50 Setting the level higher than zero will fail if libnbd was not compiled
51 against gnutls; you can test whether this is the case with
52 nbd_supports_tls(3).
53
55 If the call is successful the function returns 0.
56
58 On error -1 is returned.
59
60 Refer to "ERROR HANDLING" in libnbd(3) for how to get further details
61 of the error.
62
63 The following parameters must not be NULL: "h". For more information
64 see "Non-NULL parameters" in libnbd(3).
65
67 The handle must be newly created, otherwise this call will return an
68 error.
69
71 This function first appeared in libnbd 1.0.
72
73 If you need to test if this function is available at compile time check
74 if the following macro is defined:
75
76 #define LIBNBD_HAVE_NBD_SET_TLS 1
77
79 This example is also available as examples/encryption.c in the libnbd
80 source code.
81
82 /* An example showing how to connect to a server which is
83 * using TLS encryption.
84 *
85 * This requires nbdkit, and psktool from gnutls.
86 *
87 * Both libnbd and nbdkit support TLS-PSK which is a
88 * simpler-to-deploy form of encryption. (Of course
89 * certificate-based encryption is also supported, but
90 * it’s harder to make a self-contained example).
91 */
92
93 #include <stdio.h>
94 #include <stdlib.h>
95 #include <string.h>
96 #include <unistd.h>
97
98 #include <libnbd.h>
99
100 #define TMPDIR "/tmp/XXXXXX"
101 #define KEYS "keys.psk"
102 #define USERNAME "alice"
103
104 static char dir[] = TMPDIR;
105 static char keys[] = TMPDIR "/" KEYS;
106 static char cmd[] =
107 "psktool -u " USERNAME " -p " TMPDIR "/" KEYS;
108
109 /* Remove the temporary keys file when the program
110 * exits.
111 */
112 static void
113 cleanup_keys (void)
114 {
115 unlink (keys);
116 rmdir (dir);
117 }
118
119 /* Create the temporary keys file to share with the
120 * server.
121 */
122 static void
123 create_keys (void)
124 {
125 size_t i;
126
127 if (mkdtemp (dir) == NULL) {
128 perror ("mkdtemp");
129 exit (EXIT_FAILURE);
130 }
131 i = strlen (cmd) - strlen (TMPDIR) - strlen (KEYS) - 1;
132 memcpy (&cmd[i], dir, strlen (TMPDIR));
133 memcpy (keys, dir, strlen (TMPDIR));
134
135 if (system (cmd) != 0) {
136 fprintf (stderr, "psktool command failed\n");
137 exit (EXIT_FAILURE);
138 }
139
140 atexit (cleanup_keys);
141 }
142
143 int
144 main (int argc, char *argv[])
145 {
146 struct nbd_handle *nbd;
147 char buf[512];
148
149 create_keys ();
150
151 /* Create the libnbd handle. */
152 nbd = nbd_create ();
153 if (nbd == NULL) {
154 fprintf (stderr, "%s\n", nbd_get_error ());
155 exit (EXIT_FAILURE);
156 }
157
158 /* Enable TLS in the client. */
159 if (nbd_set_tls (nbd, LIBNBD_TLS_REQUIRE) == -1) {
160 fprintf (stderr, "%s\n", nbd_get_error ());
161 exit (EXIT_FAILURE);
162 }
163
164 /* Enable TLS-PSK and pass the keys filename. */
165 if (nbd_set_tls_psk_file (nbd, keys) == -1) {
166 fprintf (stderr, "%s\n", nbd_get_error ());
167 exit (EXIT_FAILURE);
168 }
169
170 /* Set the local username for authentication. */
171 if (nbd_set_tls_username (nbd, USERNAME) == -1) {
172 fprintf (stderr, "%s\n", nbd_get_error ());
173 exit (EXIT_FAILURE);
174 }
175
176 /* Run nbdkit as a subprocess, enabling and requiring
177 * TLS-PSK encryption.
178 */
179 char *args[] = {
180 "nbdkit", "-s", "--exit-with-parent",
181 "--tls", "require", "--tls-psk", keys,
182 "pattern", "size=1M", NULL
183 };
184 if (nbd_connect_command (nbd, args) == -1) {
185 fprintf (stderr, "%s\n", nbd_get_error ());
186 exit (EXIT_FAILURE);
187 }
188
189 /* Read the first sector. */
190 if (nbd_pread (nbd, buf, sizeof buf, 0, 0) == -1) {
191 fprintf (stderr, "%s\n", nbd_get_error ());
192 exit (EXIT_FAILURE);
193 }
194
195 /* TLS connections must be shut down. */
196 if (nbd_shutdown (nbd, 0) == -1) {
197 fprintf (stderr, "%s\n", nbd_get_error ());
198 exit (EXIT_FAILURE);
199 }
200
201 /* Close the libnbd handle. */
202 nbd_close (nbd);
203
204 exit (EXIT_SUCCESS);
205 }
206
208 nbd_connect_uri(3), nbd_create(3), nbd_get_tls(3),
209 nbd_get_tls_negotiated(3), nbd_opt_starttls(3), nbd_set_opt_mode(3),
210 nbd_set_tls_certificates(3), nbd_set_tls_psk_file(3),
211 nbd_set_tls_username(3), nbd_supports_tls(3), "ENCRYPTION AND
212 AUTHENTICATION" in libnbd(3), libnbd(3).
213
215 Eric Blake
216
217 Richard W.M. Jones
218
220 Copyright Red Hat
221
223 This library is free software; you can redistribute it and/or modify it
224 under the terms of the GNU Lesser General Public License as published
225 by the Free Software Foundation; either version 2 of the License, or
226 (at your option) any later version.
227
228 This library is distributed in the hope that it will be useful, but
229 WITHOUT ANY WARRANTY; without even the implied warranty of
230 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
231 Lesser General Public License for more details.
232
233 You should have received a copy of the GNU Lesser General Public
234 License along with this library; if not, write to the Free Software
235 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
236 02110-1301 USA
237
238
239
240libnbd-1.16.5 2023-09-26 nbd_set_tls(3)