aboutsummaryrefslogtreecommitdiff
path: root/block
diff options
context:
space:
mode:
authorDaniel P. Berrangé <berrange@redhat.com>2022-03-04 19:36:03 +0000
committerEric Blake <eblake@redhat.com>2022-03-07 15:58:42 -0600
commite8ae8b1a75e8f6420c37be31797bd13aa7e95778 (patch)
treee8184f49199a8a0ecc046a11c0e293bf3e644eb3 /block
parent003b2b252112572cd8c92bffe5e532a53b28d1e4 (diff)
block/nbd: don't restrict TLS usage to IP sockets
The TLS usage for NBD was restricted to IP sockets because validating x509 certificates requires knowledge of the hostname that the client is connecting to. TLS does not have to use x509 certificates though, as PSK (pre-shared keys) provide an alternative credential option. These have no requirement for a hostname and can thus be trivially used for UNIX sockets. Furthermore, with the ability to overide the default hostname for TLS validation in the previous patch, it is now also valid to want to use x509 certificates with FD passing and UNIX sockets. Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Message-Id: <20220304193610.3293146-6-berrange@redhat.com> Signed-off-by: Eric Blake <eblake@redhat.com>
Diffstat (limited to 'block')
-rw-r--r--block/nbd.c8
1 files changed, 2 insertions, 6 deletions
diff --git a/block/nbd.c b/block/nbd.c
index 0a9b6cde5b..34b9429de3 100644
--- a/block/nbd.c
+++ b/block/nbd.c
@@ -1839,13 +1839,9 @@ static int nbd_process_options(BlockDriverState *bs, QDict *options,
goto error;
}
- /* TODO SOCKET_ADDRESS_KIND_FD where fd has AF_INET or AF_INET6 */
- if (s->saddr->type != SOCKET_ADDRESS_TYPE_INET) {
- error_setg(errp, "TLS only supported over IP sockets");
- goto error;
- }
s->tlshostname = g_strdup(qemu_opt_get(opts, "tls-hostname"));
- if (!s->tlshostname) {
+ if (!s->tlshostname &&
+ s->saddr->type == SOCKET_ADDRESS_TYPE_INET) {
s->tlshostname = g_strdup(s->saddr->u.inet.host);
}
}