authorDaniel P. Berrangé <berrange@redhat.com>2022-03-04 19:36:01 +0000
committerEric Blake <eblake@redhat.com>2022-03-07 15:58:42 -0600
commita0cd6d297283bedffafce939dce38f3d06f3e2cd (patch)
tree5dbf9afbef43551e5928944e86987f1cec4854b6
parent046f98d0753872b1e3189689da16c68e1f6c78c2 (diff)
block/nbd: support override of hostname for TLS certificate validation
When connecting to an NBD server with TLS and x509 credentials, the client must validate the hostname it uses for the connection, against that published in the server's certificate. If the client is tunnelling its connection over some other channel, however, the hostname it uses may not match the info reported in the server's certificate. In such a case, the user needs to explicitly set an override for the hostname to use for certificate validation. This is achieved by adding a 'tls-hostname' property to the NBD block driver. Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Message-Id: <20220304193610.3293146-4-berrange@redhat.com> Signed-off-by: Eric Blake <eblake@redhat.com>
-rw-r--r--block/nbd.c18
-rw-r--r--qapi/block-core.json3
2 files changed, 18 insertions, 3 deletions
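diff --git a/block/nbd.c b/block/nbd.c
index f046349055..0a9b6cde5b 100644
--- a/block/nbd.c
+++ b/block/nbd.c
@@ -90,9 +90,10 @@ typedef struct BDRVNBDState {
 uint32_t reconnect_delay;
 uint32_t open_timeout;
 SocketAddress *saddr;
-char *export, *tlscredsid;
+char *export;
+char *tlscredsid;
 QCryptoTLSCreds *tlscreds;
-const char *tlshostname;
+char *tlshostname;
 char *x_dirty_bitmap;
 bool alloc_depth;
@@ -121,6 +122,8 @@ static void nbd_clear_bdrvstate(BlockDriverState *bs)
 s->export = NULL;
 g_free(s->tlscredsid);
 s->tlscredsid = NULL;
+g_free(s->tlshostname);
+s->tlshostname = NULL;
 g_free(s->x_dirty_bitmap);
 s->x_dirty_bitmap = NULL;
 }
@@ -1766,6 +1769,11 @@ static QemuOptsList nbd_runtime_opts = {
 .help = "ID of the TLS credentials to use",
 },
 {
+.name = "tls-hostname",
+.type = QEMU_OPT_STRING,
+.help = "Override hostname for validating TLS x509 certificate",
+},
+{
 .name = "x-dirty-bitmap",
 .type = QEMU_OPT_STRING,
 .help = "experimental: expose named dirty bitmap in place of "
@@ -1836,7 +1844,10 @@ static int nbd_process_options(BlockDriverState *bs, QDict *options,
 error_setg(errp, "TLS only supported over IP sockets");
 goto error;
 }
-s->tlshostname = s->saddr->u.inet.host;
+s->tlshostname = g_strdup(qemu_opt_get(opts, "tls-hostname"));
+if (!s->tlshostname) {
+s->tlshostname = g_strdup(s->saddr->u.inet.host);
+}
 }
 s->x_dirty_bitmap = g_strdup(qemu_opt_get(opts, "x-dirty-bitmap"));
@@ -2038,6 +2049,7 @@ static const char *const nbd_strong_runtime_opts[] = {
 "port",
 "export",
 "tls-creds",
+"tls-hostname",
 "server.",
 NULL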
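Review bot: In the nbd_process_options hunk, `tls-hostname` is read only inside the branch that also emits "TLS only supported over IP sockets", so a `tls-hostname` supplied without `tls-creds` appears to be dropped without any diagnostic (the enclosing `if` starts outside the hunk, so this is inferred rather than visible). A user who forgets or mistypes `tls-creds` would then believe an override is in force when nothing is validated at all; a check before that branch, `if (qemu_opt_get(opts, "tls-hostname") && !s->tlscredsid) { error_setg(errp, "tls-hostname requires tls-creds"); goto error; }`, would reject the configuration instead. Relatedly, an empty `tls-hostname=` is non-NULL after g_strdup and therefore does not fall back to `s->saddr->u.inet.host`; whether the TLS session layer then fails every certificate or skips the name check is not visible here and is worth confirming. A short comment on the fallback, `/* default to the connect address; the override exists for tunnelled connections */`, would make the intent clear to the next reader. nbd_process_options begins and ends outside the hunk.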
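diff --git a/qapi/block-core.json b/qapi/block-core.json
index f13b5ff942..e89f2dfb5b 100644
--- a/qapi/block-core.json
+++ b/qapi/block-core.json
@@ -4079,6 +4079,8 @@
 #
 # @tls-creds: TLS credentials ID
 #
+# @tls-hostname: TLS hostname override for certificate validation (Since 7.0)
+#
 # @x-dirty-bitmap: A metadata context name such as "qemu:dirty-bitmap:NAME"
 # or "qemu:allocation-depth" to query in place of the
 # traditional "base:allocation" block status (see
@@ -4109,6 +4111,7 @@
 'data': { 'server': 'SocketAddress',
 '*export': 'str',
 '*tls-creds': 'str',
+'*tls-hostname': 'str',
 '*x-dirty-bitmap': { 'type': 'str', 'features': [ 'unstable' ] },
 '*reconnect-delay': 'uint32',
 '*open-timeout': 'uint32' } }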
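Review bot: The @tls-hostname description gives no default, while the block/nbd.c hunk in this commit falls back to the host of @server when the option is absent. Suggest `# @tls-hostname: TLS hostname override for certificate validation; defaults to the host of @server (Since 7.0)` so users know which name is checked when they omit it. It would also help to state that the option is only consulted together with @tls-creds, if that holds in the full nbd_process_options body, which is not visible here.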