[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH 02/12] block: pass desired TLS hostname through from block dr
|
From: |
Eric Blake |
|
Subject: |
Re: [PATCH 02/12] block: pass desired TLS hostname through from block driver client |
|
Date: |
Thu, 3 Mar 2022 14:14:34 -0600 |
|
User-agent: |
NeoMutt/20211029-378-f757a4 |
On Thu, Mar 03, 2022 at 04:03:20PM +0000, Daniel P. Berrangé wrote:
> In
>
> commit a71d597b989fd701b923f09b3c20ac4fcaa55e81
> Author: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
> Date: Thu Jun 10 13:08:00 2021 +0300
>
> block/nbd: reuse nbd_co_do_establish_connection() in nbd_open()
>
> the use of the 'hostname' field from the BDRVNBDState struct was
> lost, and 'nbd_connect' just hardcoded it to match the IP socket
> address. This was a harmless bug at the time since we block use
> with anything other than IP sockets.
>
> Shortly though, We want to allow the caller to override the hostname
s/We/we/
> used in the TLS certificate checks. This is to allow for TLS
> when doing port forwarding or tunneling. Thus we need to reinstate
> the passing along of the 'hostname'.
>
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
> block/nbd.c | 7 ++++---
> include/block/nbd.h | 3 ++-
> nbd/client-connection.c | 12 +++++++++---
> 3 files changed, 15 insertions(+), 7 deletions(-)
Nice - this a great step towards fixing a longstanding annoyance of
mine that libnbd and nbdkit support TLS over Unix sockets, but qemu
didn't.
> @@ -1875,7 +1875,8 @@ static int nbd_open(BlockDriverState *bs, QDict
> *options, int flags,
> }
>
> s->conn = nbd_client_connection_new(s->saddr, true, s->export,
> - s->x_dirty_bitmap, s->tlscreds);
> + s->x_dirty_bitmap, s->tlscreds,
> + s->tlshostname);
>
> if (s->open_timeout) {
> nbd_client_connection_enable_retry(s->conn);
> diff --git a/include/block/nbd.h b/include/block/nbd.h
> index 78d101b774..a98eb665da 100644
> --- a/include/block/nbd.h
> +++ b/include/block/nbd.h
> @@ -415,7 +415,8 @@ NBDClientConnection *nbd_client_connection_new(const
> SocketAddress *saddr,
> bool do_negotiation,
> const char *export_name,
> const char *x_dirty_bitmap,
> - QCryptoTLSCreds *tlscreds);
> + QCryptoTLSCreds *tlscreds,
> + const char *tlshostname);
We already have a lot of parameters; does it make sense to bundle
tlshostname into the QCryptoTLSCreds struct at all? But that would
change the QAPI (or maybe you do it later in the series), it is not a
show-stopper to this patch.
Reviewed-by: Eric Blake <eblake@redhat.com>
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org
- [PATCH 00/12] nbd: enable use of TLS on non-TCP transports and other TLS improvements, Daniel P . Berrangé, 2022/03/03
- [PATCH 01/12] crypto: mandate a hostname when checking x509 creds on a client, Daniel P . Berrangé, 2022/03/03
- [PATCH 03/12] block/nbd: support override of hostname for TLS certificate validation, Daniel P . Berrangé, 2022/03/03
- [PATCH 04/12] qemu-nbd: add --tls-hostname option for TLS certificate validation, Daniel P . Berrangé, 2022/03/03
- [PATCH 02/12] block: pass desired TLS hostname through from block driver client, Daniel P . Berrangé, 2022/03/03
- Re: [PATCH 02/12] block: pass desired TLS hostname through from block driver client,
Eric Blake <=
- [PATCH 05/12] block/nbd: don't restrict TLS usage to IP sockets, Daniel P . Berrangé, 2022/03/03
- [PATCH 06/12] tests/qemu-iotests: add QEMU_IOTESTS_REGEN=1 to update reference file, Daniel P . Berrangé, 2022/03/03
- [PATCH 07/12] tests/qemu-iotests: expand _filter_nbd rules, Daniel P . Berrangé, 2022/03/03
- [PATCH 09/12] tests/qemu-iotests: convert NBD TLS test to use standard filters, Daniel P . Berrangé, 2022/03/03
- [PATCH 08/12] tests/qemu-iotests: introduce filter for qemu-nbd export list, Daniel P . Berrangé, 2022/03/03