From: Eric Blake <eblake@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Daniel P. Berrangé" <berrange@redhat.com>
Subject: [PULL 01/15] crypto: mandate a hostname when checking x509 creds on a client
Date: Mon, 7 Mar 2022 19:44:05 -0600 [thread overview]
Message-ID: <20220308014419.3056549-2-eblake@redhat.com> (raw)
In-Reply-To: <20220308014419.3056549-1-eblake@redhat.com>
From: Daniel P. Berrangé <berrange@redhat.com>
Currently the TLS session object assumes that the caller will always
provide a hostname when using x509 creds on a client endpoint. This
relies on the caller to detect and report an error if the user has
configured QEMU with x509 credentials on a UNIX socket. The migration
code has such a check, but it is too broad, reporting an error when
the user has configured QEMU with PSK credentials on a UNIX socket,
where hostnames are irrelevant.
Putting the check into the TLS session object credentials validation
code ensures we report errors in only the scenario that matters.
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20220304193610.3293146-2-berrange@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
---
crypto/tlssession.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/crypto/tlssession.c b/crypto/tlssession.c
index a8db8c76d138..b302d835d215 100644
--- a/crypto/tlssession.c
+++ b/crypto/tlssession.c
@@ -373,6 +373,12 @@ qcrypto_tls_session_check_certificate(QCryptoTLSSession *session,
session->hostname);
goto error;
}
+ } else {
+ if (session->creds->endpoint ==
+ QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT) {
+ error_setg(errp, "No hostname for certificate validation");
+ goto error;
+ }
}
}
--
2.35.1
next prev parent reply other threads:[~2022-03-08 1:48 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-08 1:44 [PULL 00/15] NBD patches for 7.0-rc0 Eric Blake
2022-03-08 1:44 ` Eric Blake [this message]
2022-03-08 1:44 ` [PULL 02/15] block: pass desired TLS hostname through from block driver client Eric Blake
2022-03-08 1:44 ` [PULL 03/15] block/nbd: support override of hostname for TLS certificate validation Eric Blake
2022-03-08 1:44 ` [PULL 04/15] qemu-nbd: add --tls-hostname option " Eric Blake
2022-03-08 1:44 ` [PULL 05/15] block/nbd: don't restrict TLS usage to IP sockets Eric Blake
2022-03-08 1:44 ` [PULL 06/15] tests/qemu-iotests: add QEMU_IOTESTS_REGEN=1 to update reference file Eric Blake
2022-03-08 1:44 ` [PULL 07/15] tests/qemu-iotests: expand _filter_nbd rules Eric Blake
2022-03-08 1:44 ` [PULL 08/15] tests/qemu-iotests: introduce filter for qemu-nbd export list Eric Blake
2022-03-08 1:44 ` [PULL 09/15] tests/qemu-iotests: convert NBD TLS test to use standard filters Eric Blake
2022-03-08 1:44 ` [PULL 10/15] tests/qemu-iotests: validate NBD TLS with hostname mismatch Eric Blake
2022-03-08 1:44 ` [PULL 11/15] tests/qemu-iotests: validate NBD TLS with UNIX sockets Eric Blake
2022-03-08 1:44 ` [PULL 12/15] tests/qemu-iotests: validate NBD TLS with UNIX sockets and PSK Eric Blake
2022-03-08 1:44 ` [PULL 13/15] nbd/server: Minor cleanups Eric Blake
2022-03-08 1:44 ` [PULL 14/15] qemu-io: Utilize 64-bit status during map Eric Blake
2022-03-08 1:44 ` [PULL 15/15] qemu-io: Allow larger write zeroes under no fallback Eric Blake
2022-03-09 15:50 ` [PULL 00/15] NBD patches for 7.0-rc0 Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220308014419.3056549-2-eblake@redhat.com \
--to=eblake@redhat.com \
--cc=berrange@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.