.\" Automatically generated by Podwrapper::Man 1.6.1 (Pod::Simple 3.40) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" ======================================================================== .\" .IX Title "nbd_set_tls 3" .TH nbd_set_tls 3 "2021-02-09" "libnbd-1.6.1" "LIBNBD" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" nbd_set_tls \- enable or require TLS (authentication and encryption) .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& \& int nbd_set_tls (struct nbd_handle *h, int tls); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" Enable or require \s-1TLS\s0 (authenticated and encrypted connections) to the \&\s-1NBD\s0 server. The possible settings are: .ie n .IP """LIBNBD_TLS_DISABLE""" 4 .el .IP "\f(CWLIBNBD_TLS_DISABLE\fR" 4 .IX Item "LIBNBD_TLS_DISABLE" Disable \s-1TLS.\s0 (The default setting, unless using \fBnbd_connect_uri\fR\|(3) with a \s-1URI\s0 that requires \s-1TLS\s0) .ie n .IP """LIBNBD_TLS_ALLOW""" 4 .el .IP "\f(CWLIBNBD_TLS_ALLOW\fR" 4 .IX Item "LIBNBD_TLS_ALLOW" Enable \s-1TLS\s0 if possible. .Sp This option is insecure (or best effort) in that in some cases it will fall back to an unencrypted and/or unauthenticated connection if \s-1TLS\s0 could not be established. Use \&\f(CW\*(C`LIBNBD_TLS_REQUIRE\*(C'\fR below if the connection must be encrypted. .Sp Some servers will drop the connection if \s-1TLS\s0 fails so fallback may not be possible. .ie n .IP """LIBNBD_TLS_REQUIRE""" 4 .el .IP "\f(CWLIBNBD_TLS_REQUIRE\fR" 4 .IX Item "LIBNBD_TLS_REQUIRE" Require an encrypted and authenticated \s-1TLS\s0 connection. Always fail to connect if the connection is not encrypted and authenticated. .PP As well as calling this you may also need to supply the path to the certificates directory (\fBnbd_set_tls_certificates\fR\|(3)), the username (\fBnbd_set_tls_username\fR\|(3)) and/or the Pre-Shared Keys (\s-1PSK\s0) file (\fBnbd_set_tls_psk_file\fR\|(3)). For now, when using \fBnbd_connect_uri\fR\|(3), any \s-1URI\s0 query parameters related to \&\s-1TLS\s0 are not handled automatically. Setting the level higher than zero will fail if libnbd was not compiled against gnutls; you can test whether this is the case with \fBnbd_supports_tls\fR\|(3). .SH "RETURN VALUE" .IX Header "RETURN VALUE" If the call is successful the function returns \f(CW0\fR. .SH "ERRORS" .IX Header "ERRORS" On error \f(CW\*(C`\-1\*(C'\fR is returned. .PP Refer to \*(L"\s-1ERROR HANDLING\*(R"\s0 in \fBlibnbd\fR\|(3) for how to get further details of the error. .SH "HANDLE STATE" .IX Header "HANDLE STATE" The handle must be newly created, otherwise this call will return an error. .SH "VERSION" .IX Header "VERSION" This function first appeared in libnbd 1.0. .PP If you need to test if this function is available at compile time check if the following macro is defined: .PP .Vb 1 \& #define LIBNBD_HAVE_NBD_SET_TLS 1 .Ve .SH "EXAMPLE" .IX Header "EXAMPLE" This example is also available as \fIexamples/encryption.c\fR in the libnbd source code. .PP .Vb 10 \& /* An example showing how to connect to a server which is \& * using TLS encryption. \& * \& * This requires nbdkit, and psktool from gnutls. \& * \& * Both libnbd and nbdkit support TLS\-PSK which is a \& * simpler\-to\-deploy form of encryption. (Of course \& * certificate\-based encryption is also supported, but \& * it’s harder to make a self\-contained example). \& */ \& \& #include \& #include \& #include \& #include \& \& #include \& \& #define TMPDIR "/tmp/XXXXXX" \& #define KEYS "keys.psk" \& #define USERNAME "alice" \& \& static char dir[] = TMPDIR; \& static char keys[] = TMPDIR "/" KEYS; \& static char cmd[] = \& "psktool \-u " USERNAME " \-p " TMPDIR "/" KEYS; \& \& /* Remove the temporary keys file when the program \& * exits. \& */ \& static void \& cleanup_keys (void) \& { \& unlink (keys); \& rmdir (dir); \& } \& \& /* Create the temporary keys file to share with the \& * server. \& */ \& static void \& create_keys (void) \& { \& size_t i; \& \& if (mkdtemp (dir) == NULL) { \& perror ("mkdtemp"); \& exit (EXIT_FAILURE); \& } \& i = strlen (cmd) \- strlen (TMPDIR) \- strlen (KEYS) \- 1; \& memcpy (&cmd[i], dir, strlen (TMPDIR)); \& memcpy (keys, dir, strlen (TMPDIR)); \& \& if (system (cmd) != 0) { \& fprintf (stderr, "psktool command failed\en"); \& exit (EXIT_FAILURE); \& } \& \& atexit (cleanup_keys); \& } \& \& int \& main (int argc, char *argv[]) \& { \& struct nbd_handle *nbd; \& char buf[512]; \& \& create_keys (); \& \& /* Create the libnbd handle. */ \& nbd = nbd_create (); \& if (nbd == NULL) { \& fprintf (stderr, "%s\en", nbd_get_error ()); \& exit (EXIT_FAILURE); \& } \& \& /* Enable TLS in the client. */ \& if (nbd_set_tls (nbd, LIBNBD_TLS_REQUIRE) == \-1) { \& fprintf (stderr, "%s\en", nbd_get_error ()); \& exit (EXIT_FAILURE); \& } \& \& /* Enable TLS\-PSK and pass the keys filename. */ \& if (nbd_set_tls_psk_file (nbd, keys) == \-1) { \& fprintf (stderr, "%s\en", nbd_get_error ()); \& exit (EXIT_FAILURE); \& } \& \& /* Set the local username for authentication. */ \& if (nbd_set_tls_username (nbd, USERNAME) == \-1) { \& fprintf (stderr, "%s\en", nbd_get_error ()); \& exit (EXIT_FAILURE); \& } \& \& /* Run nbdkit as a subprocess, enabling and requiring \& * TLS\-PSK encryption. \& */ \& char *args[] = { \& "nbdkit", "\-s", "\-\-exit\-with\-parent", \& "\-\-tls", "require", "\-\-tls\-psk", keys, \& "pattern", "size=1M", NULL \& }; \& if (nbd_connect_command (nbd, args) == \-1) { \& fprintf (stderr, "%s\en", nbd_get_error ()); \& exit (EXIT_FAILURE); \& } \& \& /* Read the first sector. */ \& if (nbd_pread (nbd, buf, sizeof buf, 0, 0) == \-1) { \& fprintf (stderr, "%s\en", nbd_get_error ()); \& exit (EXIT_FAILURE); \& } \& \& /* TLS connections must be shut down. */ \& if (nbd_shutdown (nbd, 0) == \-1) { \& fprintf (stderr, "%s\en", nbd_get_error ()); \& exit (EXIT_FAILURE); \& } \& \& /* Close the libnbd handle. */ \& nbd_close (nbd); \& \& exit (EXIT_SUCCESS); \& } .Ve .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBnbd_connect_uri\fR\|(3), \&\fBnbd_create\fR\|(3), \&\fBnbd_get_tls\fR\|(3), \&\fBnbd_get_tls_negotiated\fR\|(3), \&\fBnbd_set_tls_certificates\fR\|(3), \&\fBnbd_set_tls_psk_file\fR\|(3), \&\fBnbd_set_tls_username\fR\|(3), \&\fBnbd_supports_tls\fR\|(3), \&\*(L"\s-1ENCRYPTION AND AUTHENTICATION\*(R"\s0 in \fBlibnbd\fR\|(3), \&\fBlibnbd\fR\|(3). .SH "AUTHORS" .IX Header "AUTHORS" Eric Blake .PP Richard W.M. Jones .SH "COPYRIGHT" .IX Header "COPYRIGHT" Copyright (C) 2019\-2020 Red Hat Inc. .SH "LICENSE" .IX Header "LICENSE" This library is free software; you can redistribute it and/or modify it under the terms of the \s-1GNU\s0 Lesser General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. .PP This library is distributed in the hope that it will be useful, but \s-1WITHOUT ANY WARRANTY\s0; without even the implied warranty of \&\s-1MERCHANTABILITY\s0 or \s-1FITNESS FOR A PARTICULAR PURPOSE.\s0 See the \s-1GNU\s0 Lesser General Public License for more details. .PP You should have received a copy of the \s-1GNU\s0 Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, \s-1MA 02110\-1301 USA\s0