[PULL 05/15] block/nbd: don't restrict TLS usage to IP sockets
From: Eric Blake
Subject: [PULL 05/15] block/nbd: don't restrict TLS usage to IP sockets
Date: Mon, 7 Mar 2022 19:44:09 -0600
From: Daniel P. Berrangé <berrange@redhat.com>
The TLS usage for NBD was restricted to IP sockets because validating
x509 certificates requires knowledge of the hostname that the client
is connecting to.
TLS does not have to use x509 certificates though, as PSK (pre-shared
keys) provide an alternative credential option. These have no
requirement for a hostname and can thus be trivially used for UNIX
sockets.
Furthermore, with the ability to override the default hostname for
TLS validation in the previous patch, it is now also valid to want
to use x509 certificates with FD passing and UNIX sockets.
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20220304193610.3293146-6-berrange@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
---
block/nbd.c | 8 ++------
blockdev-nbd.c | 6 ------
qemu-nbd.c | 8 +++-----
3 files changed, 5 insertions(+), 17 deletions(-)
diff --git a/block/nbd.c b/block/nbd.c
index 0a9b6cde5bd3..34b9429de387 100644
--- a/block/nbd.c
+++ b/block/nbd.c
@@ -1839,13 +1839,9 @@ static int nbd_process_options(BlockDriverState *bs,
QDict *options,
goto error;
}
- /* TODO SOCKET_ADDRESS_KIND_FD where fd has AF_INET or AF_INET6 */
- if (s->saddr->type != SOCKET_ADDRESS_TYPE_INET) {
- error_setg(errp, "TLS only supported over IP sockets");
- goto error;
- }
s->tlshostname = g_strdup(qemu_opt_get(opts, "tls-hostname"));
- if (!s->tlshostname) {
+ if (!s->tlshostname &&
+ s->saddr->type == SOCKET_ADDRESS_TYPE_INET) {
s->tlshostname = g_strdup(s->saddr->u.inet.host);
}
}
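Review bot: with the SOCKET_ADDRESS_TYPE_INET check gone, a UNIX or FD socket that was given no tls-hostname option leaves s->tlshostname NULL, so for x509 credentials (which, per the commit message, need a hostname to validate) the failure moves from option parsing to the TLS handshake, where the error will be less specific. If the credentials type is known at this point, consider an explicit error here when tlshostname is NULL and the address is not an INET address; otherwise a comment at the new condition noting that a NULL hostname is only acceptable for PSK credentials would help. The removed TODO about FD-passed AF_INET sockets still applies to the new `s->saddr->type == SOCKET_ADDRESS_TYPE_INET` test, since such sockets get no hostname default either.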
diff --git a/blockdev-nbd.c b/blockdev-nbd.c
index bdfa7ed3a5a9..9840d25a8298 100644
--- a/blockdev-nbd.c
+++ b/blockdev-nbd.c
@@ -148,12 +148,6 @@ void nbd_server_start(SocketAddress *addr, const char
*tls_creds,
if (!nbd_server->tlscreds) {
goto error;
}
-
- /* TODO SOCKET_ADDRESS_TYPE_FD where fd has AF_INET or AF_INET6 */
- if (addr->type != SOCKET_ADDRESS_TYPE_INET) {
- error_setg(errp, "TLS is only supported with IPv4/IPv6");
- goto error;
- }
}
nbd_server->tlsauthz = g_strdup(tls_authz);
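Review bot: dropping the transport restriction is reasonable on the server side, since the hostname requirement described in the commit message concerns the client validating the server's certificate, but the hunk leaves no explanation at the removal site of why FD-passed and UNIX sockets are now acceptable; a short comment or a sentence in the commit message would help future readers. Separately, if the QMP documentation for nbd-server-start's tls-creds still mentions the IPv4/IPv6-only restriction, it should be updated in the same series.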
diff --git a/qemu-nbd.c b/qemu-nbd.c
index 18d281aba3d1..713e7557a9eb 100644
--- a/qemu-nbd.c
+++ b/qemu-nbd.c
@@ -808,7 +808,9 @@ int main(int argc, char **argv)
socket_activation = check_socket_activation();
if (socket_activation == 0) {
- setup_address_and_port(&bindto, &port);
+ if (!sockpath) {
+ setup_address_and_port(&bindto, &port);
+ }
} else {
/* Using socket activation - check user didn't use -p etc. */
const char *err_msg = socket_activation_validate_opts(device, sockpath,
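Review bot: guarding setup_address_and_port() with `if (!sockpath)` changes address/port setup for every -k/--socket invocation, with or without TLS, and the commit message does not mention it. Add a sentence explaining why bindto and port must stay unset when a UNIX socket path is given (presumably so that a default IP bind address is not later taken as the TLS hostname), or split this into its own commit so the behavioural change is reviewable on its own.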
@@ -829,10 +831,6 @@ int main(int argc, char **argv)
}
if (tlscredsid) {
- if (sockpath) {
- error_report("TLS is only supported with IPv4/IPv6");
- exit(EXIT_FAILURE);
- }
if (device) {
error_report("TLS is not supported with a host device");
exit(EXIT_FAILURE);
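Review bot: removing the sockpath rejection makes -k together with --tls-creds a supported combination, but nothing in this patch touches the qemu-nbd --help text or man page for --tls-creds; check that neither still states the IPv4/IPv6 restriction. The remaining `if (device)` check keeps TLS rejected for host-device mode, which is consistent with the commit message's scope.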
--
2.35.1
- [PULL 00/15] NBD patches for 7.0-rc0, Eric Blake, 2022/03/07
- [PULL 01/15] crypto: mandate a hostname when checking x509 creds on a client, Eric Blake, 2022/03/07
- [PULL 03/15] block/nbd: support override of hostname for TLS certificate validation, Eric Blake, 2022/03/07
- [PULL 02/15] block: pass desired TLS hostname through from block driver client, Eric Blake, 2022/03/07
- [PULL 05/15] block/nbd: don't restrict TLS usage to IP sockets, Eric Blake <=
- [PULL 04/15] qemu-nbd: add --tls-hostname option for TLS certificate validation, Eric Blake, 2022/03/07
- [PULL 06/15] tests/qemu-iotests: add QEMU_IOTESTS_REGEN=1 to update reference file, Eric Blake, 2022/03/07
- [PULL 07/15] tests/qemu-iotests: expand _filter_nbd rules, Eric Blake, 2022/03/07
- [PULL 12/15] tests/qemu-iotests: validate NBD TLS with UNIX sockets and PSK, Eric Blake, 2022/03/07
- [PULL 10/15] tests/qemu-iotests: validate NBD TLS with hostname mismatch, Eric Blake, 2022/03/07
- [PULL 09/15] tests/qemu-iotests: convert NBD TLS test to use standard filters, Eric Blake, 2022/03/07
- [PULL 08/15] tests/qemu-iotests: introduce filter for qemu-nbd export list, Eric Blake, 2022/03/07
- [PULL 11/15] tests/qemu-iotests: validate NBD TLS with UNIX sockets, Eric Blake, 2022/03/07
- [PULL 14/15] qemu-io: Utilize 64-bit status during map, Eric Blake, 2022/03/07
- [PULL 13/15] nbd/server: Minor cleanups, Eric Blake, 2022/03/07