From a5ac28cc2b6cfd78e6c40dec460ada8abe5c6643 Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Thu, 28 Jul 2022 10:11:29 +0100 Subject: [PATCH] Rebase to new stable branch version 1.12.6 resolves: rhbz#2059288 Fix remote TLS failures resolves: rhbz#2111524 (and 2111813) --- 0001-Add-nbddump-tool.patch | 10 +- ...sually-separate-columns-0-7-and-8-15.patch | 2 +- 0003-dump-Fix-build-on-i686.patch | 2 +- 0004-dump-Fix-tests-on-Debian-10.patch | 2 +- ...mp-data.sh-Test-requires-nbdkit-1.22.patch | 2 +- ...referred-block-size-in-the-operation.patch | 2 +- ...Use-preferred-block-size-for-copying.patch | 4 +- ...mp-Add-another-example-to-the-manual.patch | 2 +- ...to-Use-GNUTLS_NO_SIGNAL-if-available.patch | 93 ++++++++++++++++ ...ore-TLS-premature-termination-after-.patch | 100 ++++++++++++++++++ libnbd.spec | 11 +- sources | 4 +- 12 files changed, 216 insertions(+), 18 deletions(-) create mode 100644 0009-lib-crypto-Use-GNUTLS_NO_SIGNAL-if-available.patch create mode 100644 0010-lib-crypto.c-Ignore-TLS-premature-termination-after-.patch diff --git a/0001-Add-nbddump-tool.patch b/0001-Add-nbddump-tool.patch index 63c8c68..5600ba9 100644 --- a/0001-Add-nbddump-tool.patch +++ b/0001-Add-nbddump-tool.patch @@ -1,4 +1,4 @@ -From 3cdec593e221231333d0dcdab0556e0c149ac606 Mon Sep 17 00:00:00 2001 +From 90fd39da16256407b9229cd17a830739b03629d6 Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Thu, 30 Jun 2022 09:07:27 +0100 Subject: [PATCH] Add nbddump tool @@ -151,10 +151,10 @@ index a740be9..a342003 100644 complete -o default -F _nbdinfo nbdinfo complete -o default -F _nbdsh nbdsh diff --git a/configure.ac b/configure.ac -index 2b28678..488f3b0 100644 +index b1bfaac..49ca8ab 100644 --- a/configure.ac +++ b/configure.ac -@@ -570,6 +570,7 @@ AC_CONFIG_FILES([Makefile +@@ -574,6 +574,7 @@ AC_CONFIG_FILES([Makefile common/utils/Makefile copy/Makefile docs/Makefile @@ -163,7 +163,7 @@ index 2b28678..488f3b0 100644 fuse/Makefile fuzzing/Makefile 
diff --git a/copy/nbdcopy.pod b/copy/nbdcopy.pod -index 54e4391..94c713f 100644 +index 7fe3fd1..fd10f7c 100644 --- a/copy/nbdcopy.pod +++ b/copy/nbdcopy.pod @@ -285,7 +285,7 @@ Some examples follow. @@ -175,7 +175,7 @@ index 54e4391..94c713f 100644 =head2 nbdcopy -- [ qemu-nbd -f qcow2 disk.qcow2 ] [ nbdkit memory 1G ] -@@ -311,6 +311,7 @@ server will match a hole in the other. +@@ -299,6 +299,7 @@ so this command has no overall effect, but is useful for testing. =head1 SEE ALSO L, diff --git a/0002-dump-Visually-separate-columns-0-7-and-8-15.patch b/0002-dump-Visually-separate-columns-0-7-and-8-15.patch index ca8727d..67fc1af 100644 --- a/0002-dump-Visually-separate-columns-0-7-and-8-15.patch +++ b/0002-dump-Visually-separate-columns-0-7-and-8-15.patch @@ -1,4 +1,4 @@ -From cf2edbb9e5ff7d37b089d6c96df001eec74984c4 Mon Sep 17 00:00:00 2001 +From ec947323528725fcf12b5b9ba32b02d36dbd9621 Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Thu, 30 Jun 2022 21:09:39 +0100 Subject: [PATCH] dump: Visually separate columns 0-7 and 8-15 diff --git a/0003-dump-Fix-build-on-i686.patch b/0003-dump-Fix-build-on-i686.patch index 6ddde74..7ec277e 100644 --- a/0003-dump-Fix-build-on-i686.patch +++ b/0003-dump-Fix-build-on-i686.patch @@ -1,4 +1,4 @@ -From b8e1b582e417de651fac93416624990361213263 Mon Sep 17 00:00:00 2001 +From 590e3a010d2c840314702883e44ec9841e3383c6 Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Thu, 30 Jun 2022 22:27:43 +0100 Subject: [PATCH] dump: Fix build on i686 diff --git a/0004-dump-Fix-tests-on-Debian-10.patch b/0004-dump-Fix-tests-on-Debian-10.patch index ff03295..cdb908a 100644 --- a/0004-dump-Fix-tests-on-Debian-10.patch +++ b/0004-dump-Fix-tests-on-Debian-10.patch @@ -1,4 +1,4 @@ -From 4aff2e5be9fab82fb9ae0841ef2696cc75a5bb66 Mon Sep 17 00:00:00 2001 +From e7a2815412891d5c13b5b5f0e9aa61882880c87f Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Thu, 30 Jun 2022 22:31:00 +0100 Subject: [PATCH] dump: Fix tests on Debian 10 
diff --git a/0005-dump-dump-data.sh-Test-requires-nbdkit-1.22.patch b/0005-dump-dump-data.sh-Test-requires-nbdkit-1.22.patch index c0d5350..d868281 100644 --- a/0005-dump-dump-data.sh-Test-requires-nbdkit-1.22.patch +++ b/0005-dump-dump-data.sh-Test-requires-nbdkit-1.22.patch @@ -1,4 +1,4 @@ -From 36a78e18ce7312c714d11f1d62a163526ce01107 Mon Sep 17 00:00:00 2001 +From 7c669783b1b3fab902ce34d7914b62617ed8b263 Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Thu, 30 Jun 2022 22:35:05 +0100 Subject: [PATCH] dump/dump-data.sh: Test requires nbdkit 1.22 diff --git a/0006-copy-Store-the-preferred-block-size-in-the-operation.patch b/0006-copy-Store-the-preferred-block-size-in-the-operation.patch index cae669a..893a026 100644 --- a/0006-copy-Store-the-preferred-block-size-in-the-operation.patch +++ b/0006-copy-Store-the-preferred-block-size-in-the-operation.patch @@ -1,4 +1,4 @@ -From 392818d207a34b6d70adfc4285e3d01ce368195b Mon Sep 17 00:00:00 2001 +From 8dce43a3ea7a529bc37cbe5607a8d52186cc8169 Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Tue, 28 Jun 2022 18:27:58 +0100 Subject: [PATCH] copy: Store the preferred block size in the operations struct diff --git a/0007-copy-Use-preferred-block-size-for-copying.patch b/0007-copy-Use-preferred-block-size-for-copying.patch index c039d43..577f8f1 100644 --- a/0007-copy-Use-preferred-block-size-for-copying.patch +++ b/0007-copy-Use-preferred-block-size-for-copying.patch @@ -1,4 +1,4 @@ -From 6ff003b58c8ca3339e1169ce7cfdea0bd0c69c38 Mon Sep 17 00:00:00 2001 +From c8626acc63c4ae1c6cf5d1505e0209ac10f44e81 Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Tue, 28 Jun 2022 21:58:55 +0100 Subject: [PATCH] copy: Use preferred block size for copying @@ -437,7 +437,7 @@ index 06cdb8e..9267545 100644 /* Wait for in flight NBD requests to finish. */ diff --git a/copy/nbdcopy.pod b/copy/nbdcopy.pod -index 94c713f..501d6fb 100644 +index fd10f7c..f06d112 100644 --- a/copy/nbdcopy.pod +++ b/copy/nbdcopy.pod 
@@ -182,8 +182,9 @@ Set the maximum number of requests in flight per NBD connection. diff --git a/0008-dump-Add-another-example-to-the-manual.patch b/0008-dump-Add-another-example-to-the-manual.patch index ead2f15..1a4eb5b 100644 --- a/0008-dump-Add-another-example-to-the-manual.patch +++ b/0008-dump-Add-another-example-to-the-manual.patch @@ -1,4 +1,4 @@ -From eada47ee5a81cf74cd8079f5c1e791dec9701d9d Mon Sep 17 00:00:00 2001 +From 5d21b00dbdd1e1a04317bf16afb8f4d2ceaa470f Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Sat, 2 Jul 2022 17:12:46 +0100 Subject: [PATCH] dump: Add another example to the manual diff --git a/0009-lib-crypto-Use-GNUTLS_NO_SIGNAL-if-available.patch b/0009-lib-crypto-Use-GNUTLS_NO_SIGNAL-if-available.patch new file mode 100644 index 0000000..e33ee16 --- /dev/null +++ b/0009-lib-crypto-Use-GNUTLS_NO_SIGNAL-if-available.patch 
@@ -0,0 +1,93 @@
+From a432e773e0cdc24cb27ccdda4111744ea2c3b819 Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones"
+Date: Wed, 27 Jul 2022 17:08:14 +0100
+Subject: [PATCH] lib/crypto: Use GNUTLS_NO_SIGNAL if available
+
+libnbd has long used MSG_NOSIGNAL to avoid receiving SIGPIPE if we
+accidentally write on a closed socket, which is a nice alternative to
+using a SIGPIPE signal handler. However with TLS connections, gnutls
+did not use this flag and so programs using libnbd + TLS would receive
+SIGPIPE in some situations, notably if the server closed the
+connection abruptly while we were trying to write something.
+
+GnuTLS 3.4.2 introduces GNUTLS_NO_SIGNAL which does the same thing.
+Use this flag if available.
+
+RHEL 7 has an older gnutls which lacks this flag. To avoid qemu-nbd
+interop tests failing (rarely, but more often with a forthcoming
+change to TLS shutdown behaviour), register a SIGPIPE signal handler
+in the test if the flag is missing.
+---
+ configure.ac | 15 +++++++++++++++
+ interop/interop.c | 10 ++++++++++
+ lib/crypto.c | 7 ++++++-
+ 3 files changed, 31 insertions(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 49ca8ab..6bd9e1b 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -179,6 +179,21 @@ AS_IF([test "$GNUTLS_LIBS" != ""],[
+ gnutls_session_set_verify_cert \
+ gnutls_transport_is_ktls_enabled \
+ ])
++ AC_MSG_CHECKING([if gnutls has GNUTLS_NO_SIGNAL])
++ AC_COMPILE_IFELSE(
++ [AC_LANG_PROGRAM([
++ #include
++ gnutls_session_t session;
++ ], [
++ gnutls_init(&session, GNUTLS_CLIENT|GNUTLS_NO_SIGNAL);
++ ])
++ ], [
++ AC_MSG_RESULT([yes])
++ AC_DEFINE([HAVE_GNUTLS_NO_SIGNAL], [1],
++ [GNUTLS_NO_SIGNAL found at compile time])
++ ], [
++ AC_MSG_RESULT([no])
++ ])
+ LIBS="$old_LIBS"
+ ])
+
+diff --git a/interop/interop.c b/interop/interop.c
+index b41f3ca..036545b 100644
+--- a/interop/interop.c
++++ b/interop/interop.c
+@@ -84,6 +84,16 @@ main (int argc, char *argv[])
+ REQUIRES
+ #endif
+
++ /* Ignore SIGPIPE. We only need this for GnuTLS < 3.4.2, since
++ * newer GnuTLS has the GNUTLS_NO_SIGNAL flag which adds
++ * MSG_NOSIGNAL to each write call.
++ */
++#if !HAVE_GNUTLS_NO_SIGNAL
++#if TLS
++ signal (SIGPIPE, SIG_IGN);
++#endif
++#endif
++
+ /* Create a large sparse temporary file. */
+ #ifdef NEEDS_TMPFILE
+ int fd = mkstemp (TMPFILE);
+diff --git a/lib/crypto.c b/lib/crypto.c
+index 1272888..ca9520e 100644
+--- a/lib/crypto.c
++++ b/lib/crypto.c
+@@ -588,7 +588,12 @@ nbd_internal_crypto_create_session (struct nbd_handle *h,
+ gnutls_psk_client_credentials_t pskcreds = NULL;
+ gnutls_certificate_credentials_t xcreds = NULL;
+
+- err = gnutls_init (&session, GNUTLS_CLIENT|GNUTLS_NONBLOCK);
++ err = gnutls_init (&session,
++ GNUTLS_CLIENT | GNUTLS_NONBLOCK
++#if HAVE_GNUTLS_NO_SIGNAL
++ | GNUTLS_NO_SIGNAL
++#endif
++ );
+ if (err < 0) {
+ set_error (errno, "gnutls_init: %s", gnutls_strerror (err));
+ return NULL;
+--
+2.31.1
+
diff --git a/0010-lib-crypto.c-Ignore-TLS-premature-termination-after-.patch b/0010-lib-crypto.c-Ignore-TLS-premature-termination-after-.patch
new file mode 100644
index 0000000..cc91332
--- /dev/null
+++ b/0010-lib-crypto.c-Ignore-TLS-premature-termination-after-.patch
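Review bot: In the lib/crypto.c hunk, when HAVE_GNUTLS_NO_SIGNAL is not defined the session is still created with no SIGPIPE protection, and the only fallback this patch adds is `signal (SIGPIPE, SIG_IGN);` in interop/interop.c, which covers the test program but not applications that link libnbd. On GnuTLS older than 3.4.2 a server that drops the connection while the client is writing can therefore still terminate the calling process, so I would say so next to the gnutls_init call: `/* Without GNUTLS_NO_SIGNAL (GnuTLS < 3.4.2) TLS writes can raise SIGPIPE; callers must ignore or handle it themselves. */`. The `#if HAVE_GNUTLS_NO_SIGNAL` and `#if !HAVE_GNUTLS_NO_SIGNAL` tests rely on an undefined macro evaluating to 0; `#ifdef` / `#ifndef` would match how AC_DEFINE leaves the symbol and stay quiet under -Wundef. The interop.c hunk adds no `#include <signal.h>`, so confirm the file already has it; main and nbd_internal_crypto_create_session both continue outside the inner hunks.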
@@ -0,0 +1,100 @@
+From 8bbee9c0ff052cf8ab5ba81fd1b67e3c45e7012a Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones"
+Date: Wed, 27 Jul 2022 16:07:37 +0100
+Subject: [PATCH] lib/crypto.c: Ignore TLS premature termination after write
+ shutdown
+
+qemu-nbd doesn't call gnutls_bye to cleanly shut down the connection
+after we send NBD_CMD_DISC. When copying from a qemu-nbd server (or
+any operation which calls nbd_shutdown) you will see errors like this:
+
+ $ nbdcopy nbds://foo?tls-certificates=/var/tmp/pki null:
+ nbds://foo?tls-certificates=/var/tmp/pki: nbd_shutdown: gnutls_record_recv: The TLS connection was non-properly terminated.
+
+Relatedly you may also see:
+
+ nbd_shutdown: gnutls_record_recv: Error in the pull function.
+
+This commit suppresses the error in the case where we know that we
+have shut down writes (which happens after NBD_CMD_DISC has been sent
+on the wire).
+---
+ interop/interop.c | 9 ---------
+ lib/crypto.c | 17 +++++++++++++++++
+ lib/internal.h | 1 +
+ 3 files changed, 18 insertions(+), 9 deletions(-)
+
+diff --git a/interop/interop.c b/interop/interop.c
+index 036545b..cce9407 100644
+--- a/interop/interop.c
++++ b/interop/interop.c
+@@ -226,19 +226,10 @@ main (int argc, char *argv[])
+
+ /* XXX In future test more operations here. */
+
+-#if !TLS
+- /* XXX qemu doesn't shut down the connection nicely (using
+- * gnutls_bye) and because of this the following call will fail
+- * with:
+- *
+- * nbd_shutdown: gnutls_record_recv: The TLS connection was
+- * non-properly terminated.
+- */
+ if (nbd_shutdown (nbd, 0) == -1) {
+ fprintf (stderr, "%s\n", nbd_get_error ());
+ exit (EXIT_FAILURE);
+ }
+-#endif
+
+ nbd_close (nbd);
+
+diff --git a/lib/crypto.c b/lib/crypto.c
+index ca9520e..aa5d820 100644
+--- a/lib/crypto.c
++++ b/lib/crypto.c
+@@ -187,6 +187,22 @@ tls_recv (struct nbd_handle *h, struct socket *sock, void *buf, size_t len)
+ errno = EAGAIN;
+ return -1;
+ }
++ if (h->tls_shut_writes &&
++ (r == GNUTLS_E_PULL_ERROR || r == GNUTLS_E_PREMATURE_TERMINATION)) {
++ /* qemu-nbd doesn't call gnutls_bye to cleanly shut down the
++ * connection after we send NBD_CMD_DISC, instead it simply
++ * closes the connection. On the client side we see
++ * "gnutls_record_recv: The TLS connection was non-properly
++ * terminated" or "gnutls_record_recv: Error in the pull
++ * function.".
++ *
++ * If we see these errors after we shut down the write side
++ * (h->tls_shut_writes), which happens after we have sent
++ * NBD_CMD_DISC on the wire, downgrade them to a debug message.
++ */
++ debug (h, "gnutls_record_recv: %s", gnutls_strerror (r));
++ return 0; /* EOF */
++ }
+ set_error (0, "gnutls_record_recv: %s", gnutls_strerror (r));
+ errno = EIO;
+ return -1;
+@@ -234,6 +250,7 @@ tls_shut_writes (struct nbd_handle *h, struct socket *sock)
+ return false;
+ if (r != 0)
+ debug (h, "ignoring gnutls_bye failure: %s", gnutls_strerror (r));
++ h->tls_shut_writes = true;
+ return sock->u.tls.oldsock->ops->shut_writes (h, sock->u.tls.oldsock);
+ }
+
+diff --git a/lib/internal.h b/lib/internal.h
+index 6aaced3..f1b4c63 100644
+--- a/lib/internal.h
++++ b/lib/internal.h
+@@ -307,6 +307,7 @@ struct nbd_handle {
+ struct command *reply_cmd;
+
+ bool disconnect_request; /* True if we've queued NBD_CMD_DISC */
++ bool tls_shut_writes; /* Used by lib/crypto.c to track disconnect. */
+ };
+
+ struct meta_context {
+--
+2.31.1
+
diff --git a/libnbd.spec b/libnbd.spec
index 2a6b0a1..06155a2 100644
--- a/libnbd.spec
+++ b/libnbd.spec
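Review bot: The new branch in tls_recv reports GNUTLS_E_PREMATURE_TERMINATION and GNUTLS_E_PULL_ERROR as a clean EOF (`return 0`) for every read once `h->tls_shut_writes` is set, yet those errors are how the TLS layer tells an orderly close from a connection cut on the path. The flag is set in tls_shut_writes right after gnutls_bye has been attempted, including on the path that logs "ignoring gnutls_bye failure", and nothing visible in the hunk checks whether replies are still expected at that point. If commands can be in flight when the write side is shut down, a truncated reply stream would surface as EOF instead of an error, so I would restrict the downgrade to the case where no replies are outstanding, or at least confirm that the caller treats EOF with pending commands as a failure. The field comment in lib/internal.h should state what the flag permits, for example `/* Set after gnutls_bye; tls_recv then treats an unclean TLS close as EOF. */`. Both tls_recv and tls_shut_writes begin outside the inner hunks.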
@@ -11,7 +11,7 @@ %global source_directory 1.12-stable Name: libnbd -Version: 1.12.5 +Version: 1.12.6 Release: 1%{?dist} Summary: NBD client library in userspace @@ -40,6 +40,8 @@ Patch0005: 0005-dump-dump-data.sh-Test-requires-nbdkit-1.22.patch Patch0006: 0006-copy-Store-the-preferred-block-size-in-the-operation.patch Patch0007: 0007-copy-Use-preferred-block-size-for-copying.patch Patch0008: 0008-dump-Add-another-example-to-the-manual.patch +Patch0009: 0009-lib-crypto-Use-GNUTLS_NO_SIGNAL-if-available.patch +Patch0010: 0010-lib-crypto.c-Ignore-TLS-premature-termination-after-.patch %if 0%{patches_touch_autotools} BuildRequires: autoconf, automake, libtool @@ -336,12 +338,15 @@ make %{?_smp_mflags} check || { %changelog -* Tue Jul 12 2022 Richard W.M. Jones - 1.12.5-1 -- Rebase to new stable branch version 1.12.5 +* Thu Jul 28 2022 Richard W.M. Jones - 1.12.6-1 +- Rebase to new stable branch version 1.12.6 resolves: rhbz#2059288 - New tool: nbddump - nbdcopy: Use preferred block size for copying related: rhbz#2047660 +- Fix remote TLS failures + resolves: rhbz#2111524 + (and 2111813) * Thu Feb 10 2022 Richard W.M. Jones - 1.10.5-1 - Rebase to new stable branch version 1.10.5 diff --git a/sources b/sources index b47d21a..99dc05a 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (libnbd-1.12.5.tar.gz) = 1ea8c0d0a8a95c42c91d72623d0ade58f37c9acafcd8793b33884929673b943669ebec6ffb8b6e6c5cb296c84241bf6f3f5619f0efea6d1fbdd7c161be6232b3 -SHA512 (libnbd-1.12.5.tar.gz.sig) = 0b4dbde0e357fcd22e47176306024f8137726ede9284f89d9bc10baeab75fa4d9bcc0013f804e2f350ad32bad788a177dadd5252f2270edfb5012e6ec7b675bb +SHA512 (libnbd-1.12.6.tar.gz) = e6494ac013378b2d57458ea243b99b5ae7dad8894fab2811e4c92ff83fcc5f05aa19a52531f1ba0ed14a4d6d02d38d70d3dc6db813106dc946e51d077d37a756 +SHA512 (libnbd-1.12.6.tar.gz.sig) = 87ea0875bf0bcbdb66747f9608a78aaf6f5fc7539c8550d432a5bc0e856338686f61a5340b4fc070d493cab7279e7af66d984de2d7907f8c81019a8bab500263