From: "Daniel P. Berrangé" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Kevin Wolf" <kwolf@redhat.com>,
"Vladimir Sementsov-Ogievskiy" <vsementsov@virtuozzo.com>,
"Daniel P. Berrangé" <berrange@redhat.com>,
qemu-block@nongnu.org, "Markus Armbruster" <armbru@redhat.com>,
"Hanna Reitz" <hreitz@redhat.com>,
"Eric Blake" <eblake@redhat.com>
Subject: [PATCH 04/12] qemu-nbd: add --tls-hostname option for TLS certificate validation
Date: Thu, 3 Mar 2022 16:03:22 +0000 [thread overview]
Message-ID: <20220303160330.2979753-5-berrange@redhat.com> (raw)
In-Reply-To: <20220303160330.2979753-1-berrange@redhat.com>
When using the --list option, qemu-nbd acts as an NBD client rather
than a server. As such when using TLS, it has a need to validate
the server certificate. This adds a --tls-hostname option which can
be used to override the default hostname used for certificate
validation.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
docs/tools/qemu-nbd.rst | 14 ++++++++++++++
qemu-nbd.c | 17 ++++++++++++++++-
2 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/docs/tools/qemu-nbd.rst b/docs/tools/qemu-nbd.rst
index 6031f96893..acce54a39d 100644
--- a/docs/tools/qemu-nbd.rst
+++ b/docs/tools/qemu-nbd.rst
@@ -169,6 +169,20 @@ driver options if ``--image-opts`` is specified.
option; or provide the credentials needed for connecting as a client
in list mode.
+.. option:: --tls-hostname=hostname
+
+ When validating an x509 certificate received over a TLS connection,
+ the hostname that the NBD client used to connect will be checked
+ against information in the server provided certificate. Sometimes
+ it might be required to override the hostname used to perform this
+ check. For example if the NBD client is using a tunnel from localhost
+ to connect to the remote server. In this case the `--tls-hostname`
+ option should be used to set the officially expected hostname of
+ the remote NBD server. This can also be used if accessing NBD over
+ a UNIX socket where there is no inherant hostname available. This
+ only is only permitted when acting as a NBD client with the `--list`
+ option.
+
.. option:: --fork
Fork off the server process and exit the parent once the server is running.
diff --git a/qemu-nbd.c b/qemu-nbd.c
index c6c20df68a..be8043fb00 100644
--- a/qemu-nbd.c
+++ b/qemu-nbd.c
@@ -69,6 +69,7 @@
#define QEMU_NBD_OPT_TLSAUTHZ 264
#define QEMU_NBD_OPT_PID_FILE 265
#define QEMU_NBD_OPT_SELINUX_LABEL 266
+#define QEMU_NBD_OPT_TLSHOSTNAME 267
#define MBR_SIZE 512
@@ -542,6 +543,7 @@ int main(int argc, char **argv)
{ "export-name", required_argument, NULL, 'x' },
{ "description", required_argument, NULL, 'D' },
{ "tls-creds", required_argument, NULL, QEMU_NBD_OPT_TLSCREDS },
+ { "tls-hostname", required_argument, NULL, QEMU_NBD_OPT_TLSHOSTNAME },
{ "tls-authz", required_argument, NULL, QEMU_NBD_OPT_TLSAUTHZ },
{ "image-opts", no_argument, NULL, QEMU_NBD_OPT_IMAGE_OPTS },
{ "trace", required_argument, NULL, 'T' },
@@ -568,6 +570,7 @@ int main(int argc, char **argv)
strList *bitmaps = NULL;
bool alloc_depth = false;
const char *tlscredsid = NULL;
+ const char *tlshostname = NULL;
bool imageOpts = false;
bool writethrough = false; /* Client will flush as needed. */
bool fork_process = false;
@@ -747,6 +750,9 @@ int main(int argc, char **argv)
case QEMU_NBD_OPT_TLSCREDS:
tlscredsid = optarg;
break;
+ case QEMU_NBD_OPT_TLSHOSTNAME:
+ tlshostname = optarg;
+ break;
case QEMU_NBD_OPT_IMAGE_OPTS:
imageOpts = true;
break;
@@ -835,6 +841,10 @@ int main(int argc, char **argv)
error_report("TLS authorization is incompatible with export list");
exit(EXIT_FAILURE);
}
+ if (tlshostname && !list) {
+ error_report("TLS hostname is only required with export list");
+ exit(EXIT_FAILURE);
+ }
tlscreds = nbd_get_tls_creds(tlscredsid, list, &local_err);
if (local_err) {
error_reportf_err(local_err, "Failed to get TLS creds: ");
@@ -845,6 +855,10 @@ int main(int argc, char **argv)
error_report("--tls-authz is not permitted without --tls-creds");
exit(EXIT_FAILURE);
}
+ if (tlshostname) {
+ error_report("--tls-hostname is not permitted without --tls-creds");
+ exit(EXIT_FAILURE);
+ }
}
if (selinux_label) {
@@ -861,7 +875,8 @@ int main(int argc, char **argv)
if (list) {
saddr = nbd_build_socket_address(sockpath, bindto, port);
- return qemu_nbd_client_list(saddr, tlscreds, bindto);
+ return qemu_nbd_client_list(saddr, tlscreds,
+ tlshostname ? tlshostname : bindto);
}
#if !HAVE_NBD_DEVICE
--
2.34.1
next prev parent reply other threads:[~2022-03-03 16:21 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-03 16:03 [PATCH 00/12] nbd: enable use of TLS on non-TCP transports and other TLS improvements Daniel P. Berrangé
2022-03-03 16:03 ` [PATCH 01/12] crypto: mandate a hostname when checking x509 creds on a client Daniel P. Berrangé
2022-03-03 20:10 ` Eric Blake
2022-03-03 16:03 ` [PATCH 02/12] block: pass desired TLS hostname through from block driver client Daniel P. Berrangé
2022-03-03 20:14 ` Eric Blake
2022-03-04 19:19 ` Daniel P. Berrangé
2022-03-03 16:03 ` [PATCH 03/12] block/nbd: support override of hostname for TLS certificate validation Daniel P. Berrangé
2022-03-03 21:46 ` Eric Blake
2022-03-03 16:03 ` Daniel P. Berrangé [this message]
2022-03-03 22:47 ` [PATCH 04/12] qemu-nbd: add --tls-hostname option " Eric Blake
2022-03-03 16:03 ` [PATCH 05/12] block/nbd: don't restrict TLS usage to IP sockets Daniel P. Berrangé
2022-03-04 15:54 ` Eric Blake
2022-03-03 16:03 ` [PATCH 06/12] tests/qemu-iotests: add QEMU_IOTESTS_REGEN=1 to update reference file Daniel P. Berrangé
2022-03-04 16:36 ` Eric Blake
2022-03-03 16:03 ` [PATCH 07/12] tests/qemu-iotests: expand _filter_nbd rules Daniel P. Berrangé
2022-03-04 16:41 ` Eric Blake
2022-03-03 16:03 ` [PATCH 08/12] tests/qemu-iotests: introduce filter for qemu-nbd export list Daniel P. Berrangé
2022-03-04 16:43 ` Eric Blake
2022-03-04 19:32 ` Daniel P. Berrangé
2022-03-03 16:03 ` [PATCH 09/12] tests/qemu-iotests: convert NBD TLS test to use standard filters Daniel P. Berrangé
2022-03-04 16:45 ` Eric Blake
2022-03-03 16:03 ` [PATCH 10/12] tests/qemu-iotests: validate NBD TLS with hostname mismatch Daniel P. Berrangé
2022-03-04 16:49 ` Eric Blake
2022-03-03 16:03 ` [PATCH 11/12] tests/qemu-iotests: validate NBD TLS with UNIX sockets Daniel P. Berrangé
2022-03-04 16:50 ` Eric Blake
2022-03-03 16:03 ` [PATCH 12/12] tests/qemu-iotests: validate NBD TLS with UNIX sockets and PSK Daniel P. Berrangé
2022-03-04 16:51 ` Eric Blake
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220303160330.2979753-5-berrange@redhat.com \
--to=berrange@redhat.com \
--cc=armbru@redhat.com \
--cc=eblake@redhat.com \
--cc=hreitz@redhat.com \
--cc=kwolf@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=vsementsov@virtuozzo.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).