qemu-nbd: add --tls-hostname option for TLS certificate validation
When using the --list option, qemu-nbd acts as an NBD client rather than a server. As such when using TLS, it has a need to validate the server certificate. This adds a --tls-hostname option which can be used to override the default hostname used for certificate validation. Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Message-Id: <20220304193610.3293146-5-berrange@redhat.com> Signed-off-by: Eric Blake <eblake@redhat.com>
This commit is contained in:
parent
a0cd6d2972
commit
003b2b2521
@ -169,6 +169,19 @@ driver options if ``--image-opts`` is specified.
|
|||||||
option; or provide the credentials needed for connecting as a client
|
option; or provide the credentials needed for connecting as a client
|
||||||
in list mode.
|
in list mode.
|
||||||
|
|
||||||
|
.. option:: --tls-hostname=hostname
|
||||||
|
|
||||||
|
When validating an x509 certificate received over a TLS connection,
|
||||||
|
the hostname that the NBD client used to connect will be checked
|
||||||
|
against information in the server provided certificate. Sometimes
|
||||||
|
it might be required to override the hostname used to perform this
|
||||||
|
check. For example, if the NBD client is using a tunnel from localhost
|
||||||
|
to connect to the remote server, the `--tls-hostname` option should
|
||||||
|
be used to set the officially expected hostname of the remote NBD
|
||||||
|
server. This can also be used if accessing NBD over a UNIX socket
|
||||||
|
where there is no inherent hostname available. This is only permitted
|
||||||
|
when acting as a NBD client with the `--list` option.
|
||||||
|
|
||||||
.. option:: --fork
|
.. option:: --fork
|
||||||
|
|
||||||
Fork off the server process and exit the parent once the server is running.
|
Fork off the server process and exit the parent once the server is running.
|
||||||
|
17
qemu-nbd.c
17
qemu-nbd.c
@ -69,6 +69,7 @@
|
|||||||
#define QEMU_NBD_OPT_TLSAUTHZ 264
|
#define QEMU_NBD_OPT_TLSAUTHZ 264
|
||||||
#define QEMU_NBD_OPT_PID_FILE 265
|
#define QEMU_NBD_OPT_PID_FILE 265
|
||||||
#define QEMU_NBD_OPT_SELINUX_LABEL 266
|
#define QEMU_NBD_OPT_SELINUX_LABEL 266
|
||||||
|
#define QEMU_NBD_OPT_TLSHOSTNAME 267
|
||||||
|
|
||||||
#define MBR_SIZE 512
|
#define MBR_SIZE 512
|
||||||
|
|
||||||
@ -542,6 +543,7 @@ int main(int argc, char **argv)
|
|||||||
{ "export-name", required_argument, NULL, 'x' },
|
{ "export-name", required_argument, NULL, 'x' },
|
||||||
{ "description", required_argument, NULL, 'D' },
|
{ "description", required_argument, NULL, 'D' },
|
||||||
{ "tls-creds", required_argument, NULL, QEMU_NBD_OPT_TLSCREDS },
|
{ "tls-creds", required_argument, NULL, QEMU_NBD_OPT_TLSCREDS },
|
||||||
|
{ "tls-hostname", required_argument, NULL, QEMU_NBD_OPT_TLSHOSTNAME },
|
||||||
{ "tls-authz", required_argument, NULL, QEMU_NBD_OPT_TLSAUTHZ },
|
{ "tls-authz", required_argument, NULL, QEMU_NBD_OPT_TLSAUTHZ },
|
||||||
{ "image-opts", no_argument, NULL, QEMU_NBD_OPT_IMAGE_OPTS },
|
{ "image-opts", no_argument, NULL, QEMU_NBD_OPT_IMAGE_OPTS },
|
||||||
{ "trace", required_argument, NULL, 'T' },
|
{ "trace", required_argument, NULL, 'T' },
|
||||||
@ -568,6 +570,7 @@ int main(int argc, char **argv)
|
|||||||
strList *bitmaps = NULL;
|
strList *bitmaps = NULL;
|
||||||
bool alloc_depth = false;
|
bool alloc_depth = false;
|
||||||
const char *tlscredsid = NULL;
|
const char *tlscredsid = NULL;
|
||||||
|
const char *tlshostname = NULL;
|
||||||
bool imageOpts = false;
|
bool imageOpts = false;
|
||||||
bool writethrough = false; /* Client will flush as needed. */
|
bool writethrough = false; /* Client will flush as needed. */
|
||||||
bool fork_process = false;
|
bool fork_process = false;
|
||||||
@ -747,6 +750,9 @@ int main(int argc, char **argv)
|
|||||||
case QEMU_NBD_OPT_TLSCREDS:
|
case QEMU_NBD_OPT_TLSCREDS:
|
||||||
tlscredsid = optarg;
|
tlscredsid = optarg;
|
||||||
break;
|
break;
|
||||||
|
case QEMU_NBD_OPT_TLSHOSTNAME:
|
||||||
|
tlshostname = optarg;
|
||||||
|
break;
|
||||||
case QEMU_NBD_OPT_IMAGE_OPTS:
|
case QEMU_NBD_OPT_IMAGE_OPTS:
|
||||||
imageOpts = true;
|
imageOpts = true;
|
||||||
break;
|
break;
|
||||||
@ -835,6 +841,10 @@ int main(int argc, char **argv)
|
|||||||
error_report("TLS authorization is incompatible with export list");
|
error_report("TLS authorization is incompatible with export list");
|
||||||
exit(EXIT_FAILURE);
|
exit(EXIT_FAILURE);
|
||||||
}
|
}
|
||||||
|
if (tlshostname && !list) {
|
||||||
|
error_report("TLS hostname is only supported with export list");
|
||||||
|
exit(EXIT_FAILURE);
|
||||||
|
}
|
||||||
tlscreds = nbd_get_tls_creds(tlscredsid, list, &local_err);
|
tlscreds = nbd_get_tls_creds(tlscredsid, list, &local_err);
|
||||||
if (local_err) {
|
if (local_err) {
|
||||||
error_reportf_err(local_err, "Failed to get TLS creds: ");
|
error_reportf_err(local_err, "Failed to get TLS creds: ");
|
||||||
@ -845,6 +855,10 @@ int main(int argc, char **argv)
|
|||||||
error_report("--tls-authz is not permitted without --tls-creds");
|
error_report("--tls-authz is not permitted without --tls-creds");
|
||||||
exit(EXIT_FAILURE);
|
exit(EXIT_FAILURE);
|
||||||
}
|
}
|
||||||
|
if (tlshostname) {
|
||||||
|
error_report("--tls-hostname is not permitted without --tls-creds");
|
||||||
|
exit(EXIT_FAILURE);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (selinux_label) {
|
if (selinux_label) {
|
||||||
@ -861,7 +875,8 @@ int main(int argc, char **argv)
|
|||||||
|
|
||||||
if (list) {
|
if (list) {
|
||||||
saddr = nbd_build_socket_address(sockpath, bindto, port);
|
saddr = nbd_build_socket_address(sockpath, bindto, port);
|
||||||
return qemu_nbd_client_list(saddr, tlscreds, bindto);
|
return qemu_nbd_client_list(saddr, tlscreds,
|
||||||
|
tlshostname ? tlshostname : bindto);
|
||||||
}
|
}
|
||||||
|
|
||||||
#if !HAVE_NBD_DEVICE
|
#if !HAVE_NBD_DEVICE
|
||||||
|
Loading…
Reference in New Issue
Block a user