From a432e773e0cdc24cb27ccdda4111744ea2c3b819 Mon Sep 17 00:00:00 2001

From: "Richard W.M. Jones" <rjones@redhat.com>

Date: Wed, 27 Jul 2022 17:08:14 +0100

Subject: [PATCH] lib/crypto: Use GNUTLS_NO_SIGNAL if available

libnbd has long used MSG_NOSIGNAL to avoid receiving SIGPIPE if we

accidentally write on a closed socket, which is a nice alternative to

using a SIGPIPE signal handler.  However with TLS connections, gnutls

did not use this flag and so programs using libnbd + TLS would receive

SIGPIPE in some situations, notably if the server closed the

connection abruptly while we were trying to write something.

GnuTLS 3.4.2 introduces GNUTLS_NO_SIGNAL which does the same thing.

Use this flag if available.

RHEL 7 has an older gnutls which lacks this flag.  To avoid qemu-nbd

interop tests failing (rarely, but more often with a forthcoming

change to TLS shutdown behaviour), register a SIGPIPE signal handler

in the test if the flag is missing.

---

 configure.ac      | 15 +++++++++++++++

 interop/interop.c | 10 ++++++++++

 lib/crypto.c      |  7 ++++++-

 3 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/configure.ac b/configure.ac

index 49ca8ab..6bd9e1b 100644

--- a/configure.ac

+++ b/configure.ac

@@ -179,6 +179,21 @@ AS_IF([test "$GNUTLS_LIBS" != ""],[

         gnutls_session_set_verify_cert \

         gnutls_transport_is_ktls_enabled \

     ])

+    AC_MSG_CHECKING([if gnutls has GNUTLS_NO_SIGNAL])

+    AC_COMPILE_IFELSE(

+        [AC_LANG_PROGRAM([

+            #include <gnutls/gnutls.h>

+            gnutls_session_t session;

+         ], [

+            gnutls_init(&session, GNUTLS_CLIENT|GNUTLS_NO_SIGNAL);

+         ])

+    ], [

+        AC_MSG_RESULT([yes])

+        AC_DEFINE([HAVE_GNUTLS_NO_SIGNAL], [1],

+                  [GNUTLS_NO_SIGNAL found at compile time])

+    ], [

+        AC_MSG_RESULT([no])

+    ])

     LIBS="$old_LIBS"

 ])

diff --git a/interop/interop.c b/interop/interop.c

index b41f3ca..036545b 100644

--- a/interop/interop.c

+++ b/interop/interop.c

@@ -84,6 +84,16 @@ main (int argc, char *argv[])

   REQUIRES

 #endif

+  /* Ignore SIGPIPE.  We only need this for GnuTLS < 3.4.2, since

+   * newer GnuTLS has the GNUTLS_NO_SIGNAL flag which adds

+   * MSG_NOSIGNAL to each write call.

+   */

+#if !HAVE_GNUTLS_NO_SIGNAL

+#if TLS

+  signal (SIGPIPE, SIG_IGN);

+#endif

+#endif

+

   /* Create a large sparse temporary file. */

 #ifdef NEEDS_TMPFILE

   int fd = mkstemp (TMPFILE);

diff --git a/lib/crypto.c b/lib/crypto.c

index 1272888..ca9520e 100644

--- a/lib/crypto.c

+++ b/lib/crypto.c

@@ -588,7 +588,12 @@ nbd_internal_crypto_create_session (struct nbd_handle *h,

   gnutls_psk_client_credentials_t pskcreds = NULL;

   gnutls_certificate_credentials_t xcreds = NULL;

-  err = gnutls_init (&session, GNUTLS_CLIENT|GNUTLS_NONBLOCK);

+  err = gnutls_init (&session,

+                     GNUTLS_CLIENT | GNUTLS_NONBLOCK

+#if HAVE_GNUTLS_NO_SIGNAL

+                     | GNUTLS_NO_SIGNAL

+#endif

+                     );

   if (err < 0) {

     set_error (errno, "gnutls_init: %s", gnutls_strerror (err));

     return NULL;

-- 

2.31.1