From: "Daniel P. Berrange" <berrange@redhat.com>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: Kevin Wolf <kwolf@redhat.com>, Josh Durgin <jdurgin@redhat.com>,
qemu-block@nongnu.org, Jeff Cody <jcody@redhat.com>,
qemu-devel@nongnu.org, Ronnie Sahlberg <ronniesahlberg@gmail.com>
Subject: Re: [Qemu-devel] [PATCH v2 3/3] iscsi: add support for getting CHAP password via QCryptoSecret API
Date: Mon, 21 Dec 2015 16:17:34 +0000
Message-ID: <20151221161734.GG5316@redhat.com>
In-Reply-To: <567821B1.9060907@redhat.com>

On Mon, Dec 21, 2015 at 04:58:41PM +0100, Paolo Bonzini wrote:
>
>
> On 21/12/2015 15:59, Daniel P. Berrange wrote:
> > The iSCSI driver currently accepts the CHAP password in plain text
> > as a block driver property. This change adds a new "passwordid"
> > property that accepts the ID of a QCryptoSecret instance.
> >
> > $QEMU \
> > -object secret,id=sec0,filename=/home/berrange/example.pw \
> > -drive driver=iscsi,url=iscsi://example.com/target-foo/lun1,\
> > user=dan,passwordid=sec0
> >
> > Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
> > ---
> > block/iscsi.c | 24 +++++++++++++++++++++++-
> > 1 file changed, 23 insertions(+), 1 deletion(-)
> >
> > diff --git a/block/iscsi.c b/block/iscsi.c
> > index bd1f1bf..96fa3e1 100644
> > --- a/block/iscsi.c
> > +++ b/block/iscsi.c
> > @@ -39,6 +39,7 @@
> > #include "sysemu/sysemu.h"
> > #include "qmp-commands.h"
> > #include "qapi/qmp/qstring.h"
> > +#include "crypto/secret.h"
> >
> > #include <iscsi/iscsi.h>
> > #include <iscsi/scsi-lowlevel.h>
> > @@ -1075,6 +1076,8 @@ static void parse_chap(struct iscsi_context *iscsi, const char *target,
> > QemuOpts *opts;
> > const char *user = NULL;
> > const char *password = NULL;
> > + const char *passwordid;
> > + char *secret = NULL;
> >
> > list = qemu_find_opts("iscsi");
> > if (!list) {
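Review bot: `passwordid` in the parse_chap() declarations is left uninitialised while `user` and `password` beside it start as NULL; give it `= NULL` as well so that an early return or cleanup path added later cannot read an indeterminate pointer. `secret` is a non-const `char *`, so this function now holds its own copy of the CHAP password, and a short comment saying where that copy is released would help the next reader.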
> > @@ -1094,8 +1097,20 @@ static void parse_chap(struct iscsi_context *iscsi, const char *target,
> > return;
> > }
> >
> > + passwordid = qemu_opt_get(opts, "passwordid");
> > password = qemu_opt_get(opts, "password");
> > - if (!password) {
> > + if (passwordid && password) {
> > + error_setg(errp, "'password' and 'passwordid' properties are "
> > + "mutually exclusive");
> > + return;
> > + }
> > + if (passwordid) {
> > + secret = qcrypto_secret_lookup_as_utf8(passwordid, errp);
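Review bot: the result of `qcrypto_secret_lookup_as_utf8(passwordid, errp)` needs a NULL check that returns immediately, because the lookup reports failure through `errp` and carrying on would leave the CHAP setup without a password; the quoted lines stop at the call, so that check is not visible here. The mutual-exclusion test above it still leaves the plain-text `password` property usable, so the documentation should steer users to `passwordid`, and `secret` should be freed once the CHAP credentials have been set.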
>
> I'm not sure about the UTF-8 part (it should be binary), but I think we
> discussed this already. Apart from this, the patch is okay.

The password is passed into libiscsi using

  iscsi_set_initiator_username_pwd()

which expects a NULL terminated string. This gives us a choice of
clamping the data to 7-bit ASCII only, or using UTF-8. We can't
pass it 8-bit data, as that can contain embedded NULs. So IIUC
using UTF-8 is the best thing here.

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
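
Added example (not part of the original message, and not QEMU or libiscsi code): the reply above turns on the fact that a length-delimited secret can only be handed to an API taking a NUL-terminated string if it has no embedded NUL byte. `utf8_no_nul()` and `secret_to_cstring()` are hypothetical helpers that refuse a buffer that would be silently truncated or is not well-formed UTF-8.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: returns 1 if buf[0..len) is well-formed UTF-8
 * and contains no NUL byte, otherwise 0. */
static int utf8_no_nul(const uint8_t *buf, size_t len)
{
    size_t i = 0;
    while (i < len) {
        uint8_t c = buf[i];
        size_t n;            /* continuation bytes that must follow */
        uint32_t cp, min;    /* decoded code point, smallest legal value */
        if (c == 0x00) return 0;   /* would end the C string early */
        if (c < 0x80) { i++; continue; }
        if ((c & 0xE0) == 0xC0)      { n = 1; cp = c & 0x1F; min = 0x80; }
        else if ((c & 0xF0) == 0xE0) { n = 2; cp = c & 0x0F; min = 0x800; }
        else if ((c & 0xF8) == 0xF0) { n = 3; cp = c & 0x07; min = 0x10000; }
        else return 0;             /* stray continuation or invalid lead */
        if (len - i <= n) return 0;   /* sequence cut off by end of buffer */
        for (size_t k = 1; k <= n; k++) {
            if ((buf[i + k] & 0xC0) != 0x80) return 0;
            cp = (cp << 6) | (buf[i + k] & 0x3F);
        }
        /* Reject overlong forms (including 0xC0 0x80), surrogates, > U+10FFFF */
        if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF))
            return 0;
        i += n + 1;
    }
    return 1;
}

/* Hypothetical helper: copy a length-delimited secret into a freshly
 * allocated NUL-terminated string, or return NULL when the bytes would
 * not survive the trip through a C-string API. Caller frees the result. */
char *secret_to_cstring(const uint8_t *buf, size_t len)
{
    char *s;
    if (!utf8_no_nul(buf, len)) return NULL;
    s = malloc(len + 1);
    if (!s) return NULL;
    memcpy(s, buf, len);
    s[len] = '\0';
    return s;
}
```

A caller holding a secret that fails this check has to fix the secret itself (for example by storing it in a text-safe form); passing the raw bytes on would authenticate with only the part before the first NUL.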