From: Eric Blake <eblake@redhat.com>
To: "Daniel P. Berrangé" <berrange@redhat.com>
Cc: Kevin Wolf <kwolf@redhat.com>,
Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>,
qemu-block@nongnu.org, qemu-devel@nongnu.org,
Markus Armbruster <armbru@redhat.com>,
Hanna Reitz <hreitz@redhat.com>
Subject: Re: [PATCH 02/12] block: pass desired TLS hostname through from block driver client
Date: Thu, 3 Mar 2022 14:14:34 -0600 [thread overview]
Message-ID: <20220303201434.gioet2wepccja7ag@redhat.com> (raw)
In-Reply-To: <20220303160330.2979753-3-berrange@redhat.com>
On Thu, Mar 03, 2022 at 04:03:20PM +0000, Daniel P. Berrangé wrote:
> In
>
> commit a71d597b989fd701b923f09b3c20ac4fcaa55e81
> Author: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
> Date: Thu Jun 10 13:08:00 2021 +0300
>
> block/nbd: reuse nbd_co_do_establish_connection() in nbd_open()
>
> the use of the 'hostname' field from the BDRVNBDState struct was
> lost, and 'nbd_connect' just hardcoded it to match the IP socket
> address. This was a harmless bug at the time since we block use
> with anything other than IP sockets.
>
> Shortly though, We want to allow the caller to override the hostname
s/We/we/
> used in the TLS certificate checks. This is to allow for TLS
> when doing port forwarding or tunneling. Thus we need to reinstate
> the passing along of the 'hostname'.
>
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
> block/nbd.c | 7 ++++---
> include/block/nbd.h | 3 ++-
> nbd/client-connection.c | 12 +++++++++---
> 3 files changed, 15 insertions(+), 7 deletions(-)
Nice - this a great step towards fixing a longstanding annoyance of
mine that libnbd and nbdkit support TLS over Unix sockets, but qemu
didn't.
> @@ -1875,7 +1875,8 @@ static int nbd_open(BlockDriverState *bs, QDict *options, int flags,
> }
>
> s->conn = nbd_client_connection_new(s->saddr, true, s->export,
> - s->x_dirty_bitmap, s->tlscreds);
> + s->x_dirty_bitmap, s->tlscreds,
> + s->tlshostname);
>
> if (s->open_timeout) {
> nbd_client_connection_enable_retry(s->conn);
> diff --git a/include/block/nbd.h b/include/block/nbd.h
> index 78d101b774..a98eb665da 100644
> --- a/include/block/nbd.h
> +++ b/include/block/nbd.h
> @@ -415,7 +415,8 @@ NBDClientConnection *nbd_client_connection_new(const SocketAddress *saddr,
> bool do_negotiation,
> const char *export_name,
> const char *x_dirty_bitmap,
> - QCryptoTLSCreds *tlscreds);
> + QCryptoTLSCreds *tlscreds,
> + const char *tlshostname);
We already have a lot of parameters; does it make sense to bundle
tlshostname into the QCryptoTLSCreds struct at all? But that would
change the QAPI (or maybe you do it later in the series), it is not a
show-stopper to this patch.
Reviewed-by: Eric Blake <eblake@redhat.com>
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org
next prev parent reply other threads:[~2022-03-03 20:16 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-03 16:03 [PATCH 00/12] nbd: enable use of TLS on non-TCP transports and other TLS improvements Daniel P. Berrangé
2022-03-03 16:03 ` [PATCH 01/12] crypto: mandate a hostname when checking x509 creds on a client Daniel P. Berrangé
2022-03-03 20:10 ` Eric Blake
2022-03-03 16:03 ` [PATCH 02/12] block: pass desired TLS hostname through from block driver client Daniel P. Berrangé
2022-03-03 20:14 ` Eric Blake [this message]
2022-03-04 19:19 ` Daniel P. Berrangé
2022-03-03 16:03 ` [PATCH 03/12] block/nbd: support override of hostname for TLS certificate validation Daniel P. Berrangé
2022-03-03 21:46 ` Eric Blake
2022-03-03 16:03 ` [PATCH 04/12] qemu-nbd: add --tls-hostname option " Daniel P. Berrangé
2022-03-03 22:47 ` Eric Blake
2022-03-03 16:03 ` [PATCH 05/12] block/nbd: don't restrict TLS usage to IP sockets Daniel P. Berrangé
2022-03-04 15:54 ` Eric Blake
2022-03-03 16:03 ` [PATCH 06/12] tests/qemu-iotests: add QEMU_IOTESTS_REGEN=1 to update reference file Daniel P. Berrangé
2022-03-04 16:36 ` Eric Blake
2022-03-03 16:03 ` [PATCH 07/12] tests/qemu-iotests: expand _filter_nbd rules Daniel P. Berrangé
2022-03-04 16:41 ` Eric Blake
2022-03-03 16:03 ` [PATCH 08/12] tests/qemu-iotests: introduce filter for qemu-nbd export list Daniel P. Berrangé
2022-03-04 16:43 ` Eric Blake
2022-03-04 19:32 ` Daniel P. Berrangé
2022-03-03 16:03 ` [PATCH 09/12] tests/qemu-iotests: convert NBD TLS test to use standard filters Daniel P. Berrangé
2022-03-04 16:45 ` Eric Blake
2022-03-03 16:03 ` [PATCH 10/12] tests/qemu-iotests: validate NBD TLS with hostname mismatch Daniel P. Berrangé
2022-03-04 16:49 ` Eric Blake
2022-03-03 16:03 ` [PATCH 11/12] tests/qemu-iotests: validate NBD TLS with UNIX sockets Daniel P. Berrangé
2022-03-04 16:50 ` Eric Blake
2022-03-03 16:03 ` [PATCH 12/12] tests/qemu-iotests: validate NBD TLS with UNIX sockets and PSK Daniel P. Berrangé
2022-03-04 16:51 ` Eric Blake
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220303201434.gioet2wepccja7ag@redhat.com \
--to=eblake@redhat.com \
--cc=armbru@redhat.com \
--cc=berrange@redhat.com \
--cc=hreitz@redhat.com \
--cc=kwolf@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=vsementsov@virtuozzo.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).