From: "Daniel P. Berrange" <berrange@redhat.com>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: Kevin Wolf <kwolf@redhat.com>, Josh Durgin <jdurgin@redhat.com>,
qemu-block@nongnu.org, Jeff Cody <jcody@redhat.com>,
qemu-devel@nongnu.org, Ronnie Sahlberg <ronniesahlberg@gmail.com>
Subject: Re: [Qemu-devel] [PATCH v2 3/3] iscsi: add support for getting CHAP password via QCryptoSecret API
Date: Mon, 21 Dec 2015 16:17:34 +0000 [thread overview]
Message-ID: <20151221161734.GG5316@redhat.com> (raw)
In-Reply-To: <567821B1.9060907@redhat.com>
On Mon, Dec 21, 2015 at 04:58:41PM +0100, Paolo Bonzini wrote:
>
>
> On 21/12/2015 15:59, Daniel P. Berrange wrote:
> > The iSCSI driver currently accepts the CHAP password in plain text
> > as a block driver property. This change adds a new "passwordid"
> > property that accepts the ID of a QCryptoSecret instance.
> >
> > $QEMU \
> > -object secret,id=sec0,filename=/home/berrange/example.pw \
> > -drive driver=iscsi,url=iscsi://example.com/target-foo/lun1,\
> > user=dan,passwordid=sec0
> >
> > Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
> > ---
> > block/iscsi.c | 24 +++++++++++++++++++++++-
> > 1 file changed, 23 insertions(+), 1 deletion(-)
> >
> > diff --git a/block/iscsi.c b/block/iscsi.c
> > index bd1f1bf..96fa3e1 100644
> > --- a/block/iscsi.c
> > +++ b/block/iscsi.c
> > @@ -39,6 +39,7 @@
> > #include "sysemu/sysemu.h"
> > #include "qmp-commands.h"
> > #include "qapi/qmp/qstring.h"
> > +#include "crypto/secret.h"
> >
> > #include <iscsi/iscsi.h>
> > #include <iscsi/scsi-lowlevel.h>
> > @@ -1075,6 +1076,8 @@ static void parse_chap(struct iscsi_context *iscsi, const char *target,
> > QemuOpts *opts;
> > const char *user = NULL;
> > const char *password = NULL;
> > + const char *passwordid;
> > + char *secret = NULL;
> >
> > list = qemu_find_opts("iscsi");
> > if (!list) {
> > @@ -1094,8 +1097,20 @@ static void parse_chap(struct iscsi_context *iscsi, const char *target,
> > return;
> > }
> >
> > + passwordid = qemu_opt_get(opts, "passwordid");
> > password = qemu_opt_get(opts, "password");
> > - if (!password) {
> > + if (passwordid && password) {
> > + error_setg(errp, "'password' and 'passwordid' properties are "
> > + "mutually exclusive");
> > + return;
> > + }
> > + if (passwordid) {
> > + secret = qcrypto_secret_lookup_as_utf8(passwordid, errp);
>
> I'm not sure about the UTF-8 part (it should be binary), but I think we
> discussed this already. Apart from this, the patch is okay.
The password is passed into libiscsi using
iscsi_set_initiator_username_pwd()
which expects a NULL terminated string. This gives us a choice of
clamping the data to 7-bit ascii only, or using utf-8. We can't
pass it 8-bit data, as that can contain embedded NULs. So IIUC
using utf-8 is best thing here.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
next prev parent reply other threads:[~2015-12-21 16:17 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-12-21 14:59 [Qemu-devel] [PATCH v2 0/3] Use QCryptoSecret for block device passwords Daniel P. Berrange
2015-12-21 14:59 ` [Qemu-devel] [PATCH v2 1/3] rbd: add support for getting password from QCryptoSecret object Daniel P. Berrange
2015-12-21 15:57 ` Josh Durgin
2015-12-21 14:59 ` [Qemu-devel] [PATCH v2 2/3] curl: add support for HTTP authentication parameters Daniel P. Berrange
2015-12-21 14:59 ` [Qemu-devel] [PATCH v2 3/3] iscsi: add support for getting CHAP password via QCryptoSecret API Daniel P. Berrange
2015-12-21 15:58 ` Paolo Bonzini
2015-12-21 16:17 ` Daniel P. Berrange [this message]
2016-01-11 15:12 ` [Qemu-devel] [PATCH v2 0/3] Use QCryptoSecret for block device passwords Markus Armbruster
2016-01-11 15:28 ` Daniel P. Berrange
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151221161734.GG5316@redhat.com \
--to=berrange@redhat.com \
--cc=jcody@redhat.com \
--cc=jdurgin@redhat.com \
--cc=kwolf@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=ronniesahlberg@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).