[PATCH v2 04/12] qemu-nbd: add --tls-hostname option for TLS certificate validation

From: Daniel P. Berrangé
Subject: [PATCH v2 04/12] qemu-nbd: add --tls-hostname option for TLS certificate validation
Date: Fri, 4 Mar 2022 19:36:02 +0000
When using the --list option, qemu-nbd acts as an NBD client rather
than a server. As such when using TLS, it has a need to validate
the server certificate. This adds a --tls-hostname option which can
be used to override the default hostname used for certificate
validation.
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
docs/tools/qemu-nbd.rst | 13 +++++++++++++
qemu-nbd.c | 17 ++++++++++++++++-
2 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/docs/tools/qemu-nbd.rst b/docs/tools/qemu-nbd.rst
index 6031f96893..2b8c90c354 100644
--- a/docs/tools/qemu-nbd.rst
+++ b/docs/tools/qemu-nbd.rst
@@ -169,6 +169,19 @@ driver options if ``--image-opts`` is specified.
option; or provide the credentials needed for connecting as a client
in list mode.
+.. option:: --tls-hostname=hostname
+
+ When validating an x509 certificate received over a TLS connection,
+ the hostname that the NBD client used to connect will be checked
+ against information in the server provided certificate. Sometimes
+ it might be required to override the hostname used to perform this
+ check. For example, if the NBD client is using a tunnel from localhost
+ to connect to the remote server, the `--tls-hostname` option should
+ be used to set the officially expected hostname of the remote NBD
+ server. This can also be used if accessing NBD over a UNIX socket
+ where there is no inherent hostname available. This is only permitted
+ when acting as a NBD client with the `--list` option.
+
.. option:: --fork
Fork off the server process and exit the parent once the server is running.
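Review bot: the option names in the new paragraph use single backticks (`--tls-hostname`, `--list`), which reStructuredText renders as interpreted text rather than as literals; the surrounding file uses double backticks, as seen in the hunk header's ``--image-opts``, so these should be ``--tls-hostname`` and ``--list`` for consistent rendering. Minor wording point in the last sentence: "a NBD client" should read "an NBD client".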
diff --git a/qemu-nbd.c b/qemu-nbd.c
index c6c20df68a..18d281aba3 100644
--- a/qemu-nbd.c
+++ b/qemu-nbd.c
@@ -69,6 +69,7 @@
#define QEMU_NBD_OPT_TLSAUTHZ 264
#define QEMU_NBD_OPT_PID_FILE 265
#define QEMU_NBD_OPT_SELINUX_LABEL 266
+#define QEMU_NBD_OPT_TLSHOSTNAME 267
#define MBR_SIZE 512
@@ -542,6 +543,7 @@ int main(int argc, char **argv)
{ "export-name", required_argument, NULL, 'x' },
{ "description", required_argument, NULL, 'D' },
{ "tls-creds", required_argument, NULL, QEMU_NBD_OPT_TLSCREDS },
+ { "tls-hostname", required_argument, NULL, QEMU_NBD_OPT_TLSHOSTNAME },
{ "tls-authz", required_argument, NULL, QEMU_NBD_OPT_TLSAUTHZ },
{ "image-opts", no_argument, NULL, QEMU_NBD_OPT_IMAGE_OPTS },
{ "trace", required_argument, NULL, 'T' },
@@ -568,6 +570,7 @@ int main(int argc, char **argv)
strList *bitmaps = NULL;
bool alloc_depth = false;
const char *tlscredsid = NULL;
+ const char *tlshostname = NULL;
bool imageOpts = false;
bool writethrough = false; /* Client will flush as needed. */
bool fork_process = false;
@@ -747,6 +750,9 @@ int main(int argc, char **argv)
case QEMU_NBD_OPT_TLSCREDS:
tlscredsid = optarg;
break;
+ case QEMU_NBD_OPT_TLSHOSTNAME:
+ tlshostname = optarg;
+ break;
case QEMU_NBD_OPT_IMAGE_OPTS:
imageOpts = true;
break;
@@ -835,6 +841,10 @@ int main(int argc, char **argv)
error_report("TLS authorization is incompatible with export list");
exit(EXIT_FAILURE);
}
+ if (tlshostname && !list) {
+ error_report("TLS hostname is only supported with export list");
+ exit(EXIT_FAILURE);
+ }
tlscreds = nbd_get_tls_creds(tlscredsid, list, &local_err);
if (local_err) {
error_reportf_err(local_err, "Failed to get TLS creds: ");
@@ -845,6 +855,10 @@ int main(int argc, char **argv)
error_report("--tls-authz is not permitted without --tls-creds");
exit(EXIT_FAILURE);
}
+ if (tlshostname) {
+ error_report("--tls-hostname is not permitted without
--tls-creds");
+ exit(EXIT_FAILURE);
+ }
}
if (selinux_label) {
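Review bot: the error string in this hunk appears split across two lines ("--tls-hostname is not permitted without" followed by "--tls-creds" on its own line), which as shown would not compile as a single C string literal; this is most likely mail-archive line wrapping, but confirm that the applied patch carries it as one literal (or two adjacent literals) and that it stays within the line length used by the neighbouring "--tls-authz is not permitted without --tls-creds" message.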
@@ -861,7 +875,8 @@ int main(int argc, char **argv)
if (list) {
saddr = nbd_build_socket_address(sockpath, bindto, port);
- return qemu_nbd_client_list(saddr, tlscreds, bindto);
+ return qemu_nbd_client_list(saddr, tlscreds,
+ tlshostname ? tlshostname : bindto);
}
#if !HAVE_NBD_DEVICE
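Review bot: the fallback `tlshostname ? tlshostname : bindto` means that in `--list` mode over a UNIX socket (`sockpath` set) with TLS creds but no `--tls-hostname`, `qemu_nbd_client_list` receives whatever `bindto` holds, and the docs hunk itself states there is no inherent hostname in that case; consider reporting an explicit error when `tlscreds`, `list` and `sockpath` are all set and `tlshostname` is NULL, next to the other `--tls-hostname` checks above, rather than leaving the lower layer to reject a missing hostname with a less specific message.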
--
2.34.1