
[Nbd] [PATCHv2 4/6] Add options for TLS support for server



Signed-off-by: Alex Bligh <alex@...872...>
---
 man/nbd-server.5.in.sgml | 65 ++++++++++++++++++++++++++++++++++++++++++++++++
 nbd-server.c             |  8 ++++++
 nbdsrv.h                 |  1 +
 3 files changed, 74 insertions(+)

diff --git a/man/nbd-server.5.in.sgml b/man/nbd-server.5.in.sgml
index 41235e0..0249eec 100644
--- a/man/nbd-server.5.in.sgml
+++ b/man/nbd-server.5.in.sgml
@@ -264,6 +264,57 @@ manpage.1: manpage.sgml
 	  </para>
 	</listitem>
       </varlistentry>
+      <varlistentry>
+	<term><option>keyfile</option></term>
+	<listitem>
+	  <para>
+	    Optional; string
+	  </para>
+	  <para>If this option is set, it should contain a path to
+          a PEM format X.509 private key used for TLS negotiation
+          with the client. This option must be set to enable TLS.</para>
+	</listitem>
+      </varlistentry>
+      <varlistentry>
+	<term><option>certfile</option></term>
+	<listitem>
+	  <para>
+	    Optional; string
+	  </para>
+	  <para>If this option is set, it should contain a path to
+          a PEM format X.509 public certificate used for TLS negotiation
+          with the client. If <option>keyfile</option> is set but
+          <option>certfile</option> is not set, then the server will
+          attempt to read the certificate from the path specified
+          by <option>keyfile</option>.</para>
+	</listitem>
+      </varlistentry>
+      <varlistentry>
+	<term><option>cacertfile</option></term>
+	<listitem>
+	  <para>
+	    Optional; string
+	  </para>
+	  <para>If this option is set, it should contain a path to
+          a PEM format X.509 CA certificate used for validating client
+          certificates supplied by the client. If this option is not
+          set then client certificates will not be checked.</para>
+	</listitem>
+      </varlistentry>
+      <varlistentry>
+        <term><option>tlsonly</option></term>
+	<listitem>
+	  <para>Optional; boolean.</para>
+	  <para>When this option is enabled,
+	    <command>nbd-server</command> will only serve exports
+	    using the TLS extension. If this option is not supplied,
+	    TLS is optional, unless <option>tlsonly</option> is set
+            in the section corresponding to the specific export.
+            In order for TLS to work at all, the <option>keyfile</option>
+            option must be specified in the generic section.</para>
+	  </para>
+	</listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>
   <refsect1>
@@ -831,6 +882,20 @@ manpage.1: manpage.sgml
 	  </variablelist>
 	</listitem>
       </varlistentry>
+      <varlistentry>
+        <term><option>tlsonly</option></term>
+	<listitem>
+	  <para>Optional; boolean.</para>
+	  <para>When this option is enabled,
+	    <command>nbd-server</command> will only serve the export
+	    using the TLS extension. If this option is not supplied,
+	    TLS is optional, unless <option>tlsonly</option> is set
+            in the generic section. In order for TLS to work at all,
+            the <option>keyfile</option> option must be specified in
+            the generic section.</para>
+	  </para>
+	</listitem>
+      </varlistentry>
     </variablelist>
     
   </refsect1>
diff --git a/nbd-server.c b/nbd-server.c
index 4edb883..729156b 100644
--- a/nbd-server.c
+++ b/nbd-server.c
@@ -239,6 +239,9 @@ struct generic_conf {
         gchar *modernaddr;      /**< address of the modern socket */
         gchar *modernport;      /**< port of the modern socket    */
         gchar *unixsock;	/**< file name of the unix domain socket */
+	gchar *certfile;        /**< certificate file             */
+	gchar *keyfile;         /**< key file                     */
+	gchar *cacertfile;      /**< CA certificate file          */
         gint flags;             /**< global flags                 */
 	gint threads;		/**< maximum number of parallel threads we want to run */
 };
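Review bot: The three new members are indented with a tab while the neighbouring members (`modernaddr`, `modernport`, `flags`) use spaces, and their Doxygen comments say less than the man page in this same patch promises. I would align them with spaces and let the comments carry the contract, e.g. `gchar *keyfile;         /**< PEM X.509 private key path; NULL means TLS is not enabled */` and `gchar *cacertfile;      /**< PEM X.509 CA certificate path; NULL means client certificates are not verified */`. Ownership is not stated either: whether these strings are freed together with the struct cannot be told from this hunk, and the comment should say so once it is known. The struct generic_conf definition starts outside the hunk.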
@@ -626,6 +629,7 @@ GArray* parse_cfile(gchar* f, struct generic_conf *const genconf, bool expect_ge
 		{ "trim",	FALSE,  PARAM_BOOL,	&(s.flags),		F_TRIM },
 		{ "listenaddr", FALSE,  PARAM_STRING,   &(s.listenaddr),	0 },
 		{ "maxconnections", FALSE, PARAM_INT,	&(s.max_connections),	0 },
+		{ "tlsonly",    FALSE,  PARAM_BOOL,     &(s.flags),             F_TLSONLY },
 	};
 	const int lp_size=sizeof(lp)/sizeof(PARAM);
         struct generic_conf genconftmp;
@@ -639,6 +643,10 @@ GArray* parse_cfile(gchar* f, struct generic_conf *const genconf, bool expect_ge
 		{ "allowlist",  FALSE, PARAM_BOOL,	&(genconftmp.flags),      F_LIST },
 		{ "unixsock",	FALSE, PARAM_STRING,    &(genconftmp.unixsock),   0 },
 		{ "max_threads", FALSE, PARAM_INT,	&(genconftmp.threads),	  0 },
+		{ "certfile",   FALSE, PARAM_STRING,    &(genconftmp.certfile),   0 },
+		{ "keyfile",    FALSE, PARAM_STRING,    &(genconftmp.keyfile),    0 },
+		{ "cacertfile", FALSE, PARAM_STRING,    &(genconftmp.cacertfile), 0 },
+		{ "tlsonly",    FALSE, PARAM_BOOL,      &(genconftmp.flags),      F_TLSONLY },
 	};
 	PARAM* p=gp;
 	int p_size=sizeof(gp)/sizeof(PARAM);
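Review bot: Nothing in parse_cfile rejects `tlsonly = true` when `keyfile` is unset, although the man page text in this patch states that keyfile is required for TLS to work at all; unless a later patch in the series adds it, that combination should be a configuration error so the server fails at startup rather than ending up with exports that can never be served (or, depending on what the negotiation code does with an unset key, being served without TLS). After the generic table has been parsed I would add `if ((genconftmp.flags & F_TLSONLY) && !genconftmp.keyfile) { /* report: tlsonly requires keyfile in the generic section */ }` using the file's existing config-error reporting. The per-export `tlsonly` entry added in the previous hunk needs the same check against the generic keyfile. parse_cfile continues outside this hunk, so the exact place for the check cannot be seen here.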
diff --git a/nbdsrv.h b/nbdsrv.h
index f3be738..fefd063 100644
--- a/nbdsrv.h
+++ b/nbdsrv.h
@@ -141,6 +141,7 @@ typedef enum {
 #define F_TRIM 2048       /**< Whether server wants TRIM (discard) to be sent by the client */
 #define F_FIXED 4096	  /**< Client supports fixed new-style protocol (and can thus send us extra options */
 #define F_TREEFILES 8192	  /**< flag to tell us a file is exported using -t */
+#define F_TLSONLY 16384   /**< Whether export should be TLS only */
 
 /* Functions */
 
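Review bot: The comment on `F_TLSONLY` only mentions the export, but the same bit is also ORed into the generic-section flags by the `tlsonly` entry in the generic parameter table of nbd-server.c in this patch; I would document both uses, e.g. `#define F_TLSONLY 16384   /**< Export must be negotiated over TLS; in the generic flags, applies to every export */`. The value is the next power of two after F_TREEFILES among the visible defines, but whether an F_ value outside the visible lines already uses bit 14 cannot be told from this hunk.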
-- 
1.9.1



