From 003b2b252112572cd8c92bffe5e532a53b28d1e4 Mon Sep 17 00:00:00 2001 From: "Daniel P. Berrangé" Date: Fri, 4 Mar 2022 19:36:02 +0000 Subject: qemu-nbd: add --tls-hostname option for TLS certificate validation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When using the --list option, qemu-nbd acts as an NBD client rather than a server. As such when using TLS, it has a need to validate the server certificate. This adds a --tls-hostname option which can be used to override the default hostname used for certificate validation. Reviewed-by: Eric Blake Signed-off-by: Daniel P. Berrangé Message-Id: <20220304193610.3293146-5-berrange@redhat.com> Signed-off-by: Eric Blake --- qemu-nbd.c | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) (limited to 'qemu-nbd.c') diff --git a/qemu-nbd.c b/qemu-nbd.c index c6c20df68a..18d281aba3 100644 --- a/qemu-nbd.c +++ b/qemu-nbd.c @@ -69,6 +69,7 @@ #define QEMU_NBD_OPT_TLSAUTHZ 264 #define QEMU_NBD_OPT_PID_FILE 265 #define QEMU_NBD_OPT_SELINUX_LABEL 266 +#define QEMU_NBD_OPT_TLSHOSTNAME 267 #define MBR_SIZE 512 @@ -542,6 +543,7 @@ int main(int argc, char **argv) { "export-name", required_argument, NULL, 'x' }, { "description", required_argument, NULL, 'D' }, { "tls-creds", required_argument, NULL, QEMU_NBD_OPT_TLSCREDS }, + { "tls-hostname", required_argument, NULL, QEMU_NBD_OPT_TLSHOSTNAME }, { "tls-authz", required_argument, NULL, QEMU_NBD_OPT_TLSAUTHZ }, { "image-opts", no_argument, NULL, QEMU_NBD_OPT_IMAGE_OPTS }, { "trace", required_argument, NULL, 'T' }, @@ -568,6 +570,7 @@ int main(int argc, char **argv) strList *bitmaps = NULL; bool alloc_depth = false; const char *tlscredsid = NULL; + const char *tlshostname = NULL; bool imageOpts = false; bool writethrough = false; /* Client will flush as needed. */ bool fork_process = false; @@ -747,6 +750,9 @@ int main(int argc, char **argv) case QEMU_NBD_OPT_TLSCREDS: tlscredsid = optarg; break; + case QEMU_NBD_OPT_TLSHOSTNAME: + tlshostname = optarg; + break; case QEMU_NBD_OPT_IMAGE_OPTS: imageOpts = true; break; @@ -835,6 +841,10 @@ int main(int argc, char **argv) error_report("TLS authorization is incompatible with export list"); exit(EXIT_FAILURE); } + if (tlshostname && !list) { + error_report("TLS hostname is only supported with export list"); + exit(EXIT_FAILURE); + } tlscreds = nbd_get_tls_creds(tlscredsid, list, &local_err); if (local_err) { error_reportf_err(local_err, "Failed to get TLS creds: "); @@ -845,6 +855,10 @@ int main(int argc, char **argv) error_report("--tls-authz is not permitted without --tls-creds"); exit(EXIT_FAILURE); } + if (tlshostname) { + error_report("--tls-hostname is not permitted without --tls-creds"); + exit(EXIT_FAILURE); + } } if (selinux_label) { @@ -861,7 +875,8 @@ int main(int argc, char **argv) if (list) { saddr = nbd_build_socket_address(sockpath, bindto, port); - return qemu_nbd_client_list(saddr, tlscreds, bindto); + return qemu_nbd_client_list(saddr, tlscreds, + tlshostname ? tlshostname : bindto); } #if !HAVE_NBD_DEVICE -- cgit 1.4.1 From e8ae8b1a75e8f6420c37be31797bd13aa7e95778 Mon Sep 17 00:00:00 2001 From: "Daniel P. Berrangé" Date: Fri, 4 Mar 2022 19:36:03 +0000 Subject: block/nbd: don't restrict TLS usage to IP sockets MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The TLS usage for NBD was restricted to IP sockets because validating x509 certificates requires knowledge of the hostname that the client is connecting to. TLS does not have to use x509 certificates though, as PSK (pre-shared keys) provide an alternative credential option. These have no requirement for a hostname and can thus be trivially used for UNIX sockets. Furthermore, with the ability to overide the default hostname for TLS validation in the previous patch, it is now also valid to want to use x509 certificates with FD passing and UNIX sockets. Reviewed-by: Eric Blake Signed-off-by: Daniel P. Berrangé Message-Id: <20220304193610.3293146-6-berrange@redhat.com> Signed-off-by: Eric Blake --- block/nbd.c | 8 ++------ blockdev-nbd.c | 6 ------ qemu-nbd.c | 8 +++----- 3 files changed, 5 insertions(+), 17 deletions(-) (limited to 'qemu-nbd.c') diff --git a/block/nbd.c b/block/nbd.c index 0a9b6cde5b..34b9429de3 100644 --- a/block/nbd.c +++ b/block/nbd.c @@ -1839,13 +1839,9 @@ static int nbd_process_options(BlockDriverState *bs, QDict *options, goto error; } - /* TODO SOCKET_ADDRESS_KIND_FD where fd has AF_INET or AF_INET6 */ - if (s->saddr->type != SOCKET_ADDRESS_TYPE_INET) { - error_setg(errp, "TLS only supported over IP sockets"); - goto error; - } s->tlshostname = g_strdup(qemu_opt_get(opts, "tls-hostname")); - if (!s->tlshostname) { + if (!s->tlshostname && + s->saddr->type == SOCKET_ADDRESS_TYPE_INET) { s->tlshostname = g_strdup(s->saddr->u.inet.host); } } diff --git a/blockdev-nbd.c b/blockdev-nbd.c index bdfa7ed3a5..9840d25a82 100644 --- a/blockdev-nbd.c +++ b/blockdev-nbd.c @@ -148,12 +148,6 @@ void nbd_server_start(SocketAddress *addr, const char *tls_creds, if (!nbd_server->tlscreds) { goto error; } - - /* TODO SOCKET_ADDRESS_TYPE_FD where fd has AF_INET or AF_INET6 */ - if (addr->type != SOCKET_ADDRESS_TYPE_INET) { - error_setg(errp, "TLS is only supported with IPv4/IPv6"); - goto error; - } } nbd_server->tlsauthz = g_strdup(tls_authz); diff --git a/qemu-nbd.c b/qemu-nbd.c index 18d281aba3..713e7557a9 100644 --- a/qemu-nbd.c +++ b/qemu-nbd.c @@ -808,7 +808,9 @@ int main(int argc, char **argv) socket_activation = check_socket_activation(); if (socket_activation == 0) { - setup_address_and_port(&bindto, &port); + if (!sockpath) { + setup_address_and_port(&bindto, &port); + } } else { /* Using socket activation - check user didn't use -p etc. */ const char *err_msg = socket_activation_validate_opts(device, sockpath, @@ -829,10 +831,6 @@ int main(int argc, char **argv) } if (tlscredsid) { - if (sockpath) { - error_report("TLS is only supported with IPv4/IPv6"); - exit(EXIT_FAILURE); - } if (device) { error_report("TLS is not supported with a host device"); exit(EXIT_FAILURE); -- cgit 1.4.1