Import OL libnbd-1.18.1-4.0.1.el9_4
parent
774c090ddc
commit
f6177471db
91
SOURCES/0004-build-Move-to-minimum-gnutls-3.5.18.patch
Normal file
91
SOURCES/0004-build-Move-to-minimum-gnutls-3.5.18.patch
Normal file
@ -0,0 +1,91 @@
|
|||||||
|
From 596626369b90016f6852610c217da22668158521 Mon Sep 17 00:00:00 2001
|
||||||
|
From: "Richard W.M. Jones" <rjones@redhat.com>
|
||||||
|
Date: Tue, 25 Jun 2024 10:55:54 +0100
|
||||||
|
Subject: [PATCH] build: Move to minimum gnutls >= 3.5.18
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
This version matches current qemu.
|
||||||
|
|
||||||
|
RHEL 7 gnutls is too old (lacks gnutls_session_set_verify_cert), which
|
||||||
|
means TLS will be disabled on this platform. RHEL 8 has gnutls 3.6.14.
|
||||||
|
|
||||||
|
I also unconditionally enabled the gnutls/socket.h header. This
|
||||||
|
header was added in 2016 (gnutls 3.5.3), so it's not present in RHEL 7.
|
||||||
|
|
||||||
|
On RHEL 7 the configure-time test now prints:
|
||||||
|
|
||||||
|
checking for GNUTLS... no
|
||||||
|
configure: WARNING: gnutls not found or < 3.5.18, TLS support will be disabled.
|
||||||
|
...
|
||||||
|
Optional library features:
|
||||||
|
TLS support ............................ no
|
||||||
|
|
||||||
|
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
|
||||||
|
(cherry picked from commit 5ff09cdbbd19226dd2d5015d76134f88dee9321e)
|
||||||
|
(cherry picked from commit 177fd0847723640829eff8d1ab102f8d28a7328e)
|
||||||
|
---
|
||||||
|
configure.ac | 5 ++---
|
||||||
|
lib/crypto.c | 6 ------
|
||||||
|
2 files changed, 2 insertions(+), 9 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/configure.ac b/configure.ac
|
||||||
|
index 91fe004b..c0d6a472 100644
|
||||||
|
--- a/configure.ac
|
||||||
|
+++ b/configure.ac
|
||||||
|
@@ -178,13 +178,13 @@ AC_ARG_WITH([gnutls],
|
||||||
|
[],
|
||||||
|
[with_gnutls=check])
|
||||||
|
AS_IF([test "$with_gnutls" != "no"],[
|
||||||
|
- PKG_CHECK_MODULES([GNUTLS], [gnutls >= 3.3.0], [
|
||||||
|
+ PKG_CHECK_MODULES([GNUTLS], [gnutls >= 3.5.18], [
|
||||||
|
printf "gnutls version is "; $PKG_CONFIG --modversion gnutls
|
||||||
|
AC_SUBST([GNUTLS_CFLAGS])
|
||||||
|
AC_SUBST([GNUTLS_LIBS])
|
||||||
|
AC_DEFINE([HAVE_GNUTLS],[1],[gnutls found at compile time.])
|
||||||
|
], [
|
||||||
|
- AC_MSG_WARN([gnutls not found or < 3.3.0, TLS support will be disabled.])
|
||||||
|
+ AC_MSG_WARN([gnutls not found or < 3.5.18, TLS support will be disabled.])
|
||||||
|
])
|
||||||
|
])
|
||||||
|
AM_CONDITIONAL([HAVE_GNUTLS], [test "x$GNUTLS_LIBS" != "x"])
|
||||||
|
@@ -210,7 +210,6 @@ AS_IF([test "$GNUTLS_LIBS" != ""],[
|
||||||
|
old_LIBS="$LIBS"
|
||||||
|
LIBS="$GNUTLS_LIBS $LIBS"
|
||||||
|
AC_CHECK_FUNCS([\
|
||||||
|
- gnutls_session_set_verify_cert \
|
||||||
|
gnutls_transport_is_ktls_enabled \
|
||||||
|
])
|
||||||
|
LIBS="$old_LIBS"
|
||||||
|
diff --git a/lib/crypto.c b/lib/crypto.c
|
||||||
|
index 22a1cfa5..d131f1d0 100644
|
||||||
|
--- a/lib/crypto.c
|
||||||
|
+++ b/lib/crypto.c
|
||||||
|
@@ -28,10 +28,8 @@
|
||||||
|
|
||||||
|
#ifdef HAVE_GNUTLS
|
||||||
|
#include <gnutls/gnutls.h>
|
||||||
|
-#ifdef HAVE_GNUTLS_SOCKET_H
|
||||||
|
#include <gnutls/socket.h>
|
||||||
|
#endif
|
||||||
|
-#endif
|
||||||
|
|
||||||
|
#include "internal.h"
|
||||||
|
#include "nbdkit-string.h"
|
||||||
|
@@ -532,12 +530,8 @@ set_up_certificate_credentials (struct nbd_handle *h,
|
||||||
|
return NULL;
|
||||||
|
|
||||||
|
found_certificates:
|
||||||
|
-#ifdef HAVE_GNUTLS_SESSION_SET_VERIFY_CERT
|
||||||
|
if (h->hostname && h->tls_verify_peer)
|
||||||
|
gnutls_session_set_verify_cert (session, h->hostname, 0);
|
||||||
|
-#else
|
||||||
|
- debug (h, "ignoring nbd_set_tls_verify_peer, this requires GnuTLS >= 3.4.6");
|
||||||
|
-#endif
|
||||||
|
|
||||||
|
err = gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, ret);
|
||||||
|
if (err < 0) {
|
||||||
|
--
|
||||||
|
2.43.0
|
||||||
|
|
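Review bot: `AC_MSG_WARN([gnutls not found or < 3.5.18, TLS support will be disabled.])` is the only action on the failure path, and the enclosing `AS_IF([test "$with_gnutls" != "no"],[` treats an explicit `--with-gnutls=yes` the same as the `check` default, so a host whose gnutls is now below the floor gets a libnbd without TLS rather than a build error; raising the minimum from 3.3.0 to 3.5.18 widens the set of hosts that silently take this path. A build that explicitly asked for TLS should fail instead, e.g. replace the warning with `AS_IF([test "$with_gnutls" = "yes"], [AC_MSG_ERROR([gnutls >= 3.5.18 requested but not found])], [AC_MSG_WARN([gnutls not found or < 3.5.18, TLS support will be disabled.])])`. The AC_ARG_WITH that sets with_gnutls starts outside the hunk, so whether an explicit yes is already handled elsewhere cannot be confirmed from here.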
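--- /dev/null
+++ b/SOURCES/0005-lib-crypto.c-Check-server-certificate-even-when-usin.patch
@@ -0,0 +1,57 @@
+From d8ec4c8ecc5244ed192f58bc3a976c4b2f9cc6d7 Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones" <rjones@redhat.com>
+Date: Mon, 24 Jun 2024 10:48:12 +0100
+Subject: [PATCH] lib/crypto.c: Check server certificate even when using system
+CA
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The previous code checked the server certificate only when a custom
+certificate directory was set (ie. nbd_set_tls_certificates /
+?tls-certificates=DIR). In the fallback case where we use the system
+CA, we never called gnutls_session_set_verify_cert and so the server
+certificate was never checked.
+
+Move the call to gnutls_session_set_verify_cert later so it is called
+on both paths.
+
+If the server certificate does not match the hostname you will see:
+
+nbdinfo: nbd_connect_uri: gnutls_handshake: Error in the certificate verification. (15/1)
+
+Reported-by: Jon Szymaniak <jon.szymaniak@gmail.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit 87ef41b69929d5d293390ec36b1c10aba2c9a57a)
+(cherry picked from commit 7a6739aeca8250515a449bacd23d09bf40587dec)
+---
+lib/crypto.c | 6 +++---
+1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/crypto.c b/lib/crypto.c
+index d131f1d0..c542ce6b 100644
+--- a/lib/crypto.c
++++ b/lib/crypto.c
+@@ -530,9 +530,6 @@ set_up_certificate_credentials (struct nbd_handle *h,
+return NULL;
+
+found_certificates:
+- if (h->hostname && h->tls_verify_peer)
+- gnutls_session_set_verify_cert (session, h->hostname, 0);
+-
+err = gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, ret);
+if (err < 0) {
+set_error (0, "gnutls_credentials_set: %s", gnutls_strerror (err));
+@@ -647,6 +644,9 @@ nbd_internal_crypto_create_session (struct nbd_handle *h,
+gnutls_deinit (session);
+return NULL;
+}
++
++ if (h->hostname && h->tls_verify_peer)
++ gnutls_session_set_verify_cert (session, h->hostname, 0);
+}
+
+/* Wrap the underlying socket with GnuTLS. */
+--
+2.43.0
+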
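Review bot: The `gnutls_session_set_verify_cert (session, h->hostname, 0);` call added to nbd_internal_crypto_create_session carries no comment explaining why it must live here rather than in set_up_certificate_credentials, which per the commit message is the whole fix: the system-CA path never reached the old call site after `found_certificates:`. Without that note a later tidy-up could move it back next to the credentials code and silently reintroduce the unverified-certificate behaviour. Suggest, above the `if`: `/* Must run after the credentials are attached, on both the tls-certificates and system-CA paths, so the server certificate is verified whichever path set them up. */`. nbd_internal_crypto_create_session starts outside the hunk.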
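--- /dev/null
+++ b/SOURCES/0006-lib-crypto.c-Allow-CA-verification-even-if-h-hostnam.patch
@@ -0,0 +1,76 @@
+From af09b72a486fd870ab72170a0cba4b1d6d37894f Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones" <rjones@redhat.com>
+Date: Mon, 24 Jun 2024 10:31:10 +0100
+Subject: [PATCH] lib/crypto.c: Allow CA verification even if h->hostname is
+not set
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Calling gnutls_session_set_verify_cert with the hostname parameter set
+to NULL is permitted:
+https://www.gnutls.org/manual/html_node/Core-TLS-API.html#gnutls_005fsession_005fset_005fverify_005fcert
+
+It means that the server's hostname in the certificate will not be
+verified but we can at least check that the certificate was signed by
+the CA. This allows the CA to be checked even for connections over
+Unix domain sockets.
+
+Example:
+
+$ rm -f /tmp/sock
+$ nbdkit -U /tmp/sock -f --tls=require --tls-certificates=$HOME/d/nbdkit/tests/pki memory 1G &
+
+Before this change:
+
+$ nbdinfo 'nbds+unix://?socket=/tmp/sock'
+protocol: newstyle-fixed with TLS, using structured packets
+export="":
+export-size: 1073741824 (1G)
+content: data
+uri: nbds+unix:///?socket=/tmp/sock
+[etc]
+
+(works because it never called gnutls_session_set_verify_cert).
+
+After this change:
+
+$ nbdinfo 'nbds+unix://?socket=/tmp/sock'
+nbdinfo: nbd_connect_uri: gnutls_handshake: Error in the certificate verification. (15/1)
+
+(fails because system CA does not know about nbdkit's certificate
+which is signed by the CA from the nbdkit/tests/pki directory)
+
+$ nbdinfo 'nbds+unix://?socket=/tmp/sock&tls-certificates=/home/rjones/d/nbdkit/tests/pki'
+protocol: newstyle-fixed with TLS, using structured packets
+export="":
+export-size: 1073741824 (1G)
+content: data
+uri: nbds+unix:///?socket=/tmp/sock&tls-certificates=/home/rjones/d/nbdkit/tests/pki
+[etc]
+
+(works because we supplied the correct CA)
+
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit 6ed47a27d14f6f11946bb096d94e5bf21d97083d)
+(cherry picked from commit 3a427e6d7a83f89299ab6fdaeeffbd9074610ecc)
+---
+lib/crypto.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/crypto.c b/lib/crypto.c
+index c542ce6b..437e24ec 100644
+--- a/lib/crypto.c
++++ b/lib/crypto.c
+@@ -645,7 +645,7 @@ nbd_internal_crypto_create_session (struct nbd_handle *h,
+return NULL;
+}
+
+- if (h->hostname && h->tls_verify_peer)
++ if (h->tls_verify_peer)
+gnutls_session_set_verify_cert (session, h->hostname, 0);
+}
+
+--
+2.43.0
+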
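Review bot: `if (h->tls_verify_peer)` now reaches `gnutls_session_set_verify_cert (session, h->hostname, 0);` with a possibly NULL hostname, and nothing at the call site records that this is deliberate or what it changes. A reader who sees `h->hostname` passed unconditionally will assume hostname matching always happens; per the commit message a NULL hostname (e.g. Unix domain sockets) means only the CA signature is checked. Suggest a comment above the `if`: `/* h->hostname may be NULL (eg. Unix domain sockets); GnuTLS then verifies the chain against the CA but cannot match a hostname. */`. The function starts outside the hunk.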
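--- /dev/null
+++ b/SOURCES/0007-interop-Pass-DCERTS-and-DPSK-as-strings.patch
@@ -0,0 +1,145 @@
+From 764fc45a258c08177d01b6b6b6a0e431ee29089a Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones" <rjones@redhat.com>
+Date: Mon, 24 Jun 2024 11:49:07 +0100
+Subject: [PATCH] interop: Pass -DCERTS and -DPSK as strings
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Rather than implicitly defining the certificates dir or PSK file in
+interop.c, pass the actual paths from the Makefile.
+
+This also allows -DCERTS=NULL which is interpreted as not calling
+nbd_set_tls_certificates at all. This makes the test added in a
+subsequent commit possible.
+
+No real change here, just refactoring the tests.
+
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit 69ab18442994c68f749e2b84b91d41031ebbb088)
+(cherry picked from commit 33d7f3aa8e3cf8c826a534107529e1d409c0c004)
+---
+interop/Makefile.am | 18 +++++++++---------
+interop/interop.c | 11 ++++++-----
+2 files changed, 15 insertions(+), 14 deletions(-)
+
+diff --git a/interop/Makefile.am b/interop/Makefile.am
+index ac12d84a..4cdc55e9 100644
+--- a/interop/Makefile.am
++++ b/interop/Makefile.am
+@@ -100,7 +100,7 @@ interop_nbd_server_tls_CPPFLAGS = \
+-DSERVER=\"$(NBD_SERVER)\" \
+-DSERVER_PARAMS='"-d", "-C", "nbd-server-tls.conf", "0", TMPFILE' \
+-DEXPORT_NAME='""' \
+- -DCERTS=1 \
++ -DCERTS='"../tests/pki"' \
+-DTLS_MODE=LIBNBD_TLS_REQUIRE \
+$(NULL)
+interop_nbd_server_tls_LDADD = \
+@@ -186,7 +186,7 @@ interop_qemu_nbd_tls_certs_CPPFLAGS = \
+-DSERVER=\"$(QEMU_NBD)\" \
+-DSERVER_PARAMS='"--object", "tls-creds-x509,id=tls0,endpoint=server,dir=$(abs_top_builddir)/tests/pki", "--tls-creds", "tls0", "-f", "raw", "-x", "/", TMPFILE' \
+-DEXPORT_NAME='"/"' \
+- -DCERTS=1 \
++ -DCERTS='"../tests/pki"' \
+-DTLS_MODE=LIBNBD_TLS_REQUIRE \
+$(NULL)
+interop_qemu_nbd_tls_certs_LDADD = \
+@@ -208,7 +208,7 @@ interop_qemu_nbd_tls_psk_CPPFLAGS = \
+-DSERVER=\"$(QEMU_NBD)\" \
+-DSERVER_PARAMS='"--object", "tls-creds-psk,id=tls0,endpoint=server,dir=$(abs_top_builddir)/tests", "--tls-creds", "tls0", "-f", "raw", "-x", "/", TMPFILE' \
+-DEXPORT_NAME='"/"' \
+- -DPSK=1 \
++ -DPSK='"../tests/keys.psk"' \
+-DTLS_MODE=LIBNBD_TLS_REQUIRE \
+$(NULL)
+interop_qemu_nbd_tls_psk_LDADD = \
+@@ -323,7 +323,7 @@ interop_nbdkit_tls_certs_CPPFLAGS = \
+-DNEEDS_TMPFILE=1 \
+-DSERVER=\"$(NBDKIT)\" \
+-DSERVER_PARAMS='"--tls=require", "--tls-certificates=../tests/pki", "-s", "--exit-with-parent", "file", TMPFILE' \
+- -DCERTS=1 \
++ -DCERTS='"../tests/pki"' \
+-DTLS_MODE=LIBNBD_TLS_REQUIRE \
+$(NULL)
+interop_nbdkit_tls_certs_LDADD = \
+@@ -342,7 +342,7 @@ interop_nbdkit_tls_certs_allow_enabled_CPPFLAGS = \
+-DNEEDS_TMPFILE=1 \
+-DSERVER=\"$(NBDKIT)\" \
+-DSERVER_PARAMS='"--tls=require", "--tls-certificates=../tests/pki", "-s", "--exit-with-parent", "file", TMPFILE' \
+- -DCERTS=1 \
++ -DCERTS='"../tests/pki"' \
+-DTLS_MODE=LIBNBD_TLS_ALLOW \
+$(NULL)
+interop_nbdkit_tls_certs_allow_enabled_LDADD = \
+@@ -361,7 +361,7 @@ interop_nbdkit_tls_certs_allow_fallback_CPPFLAGS = \
+-DNEEDS_TMPFILE=1 \
+-DSERVER=\"$(NBDKIT)\" \
+-DSERVER_PARAMS='"--tls=off", "-s", "--exit-with-parent", "file", TMPFILE' \
+- -DCERTS=1 \
++ -DCERTS='"../tests/pki"' \
+-DTLS_MODE=LIBNBD_TLS_ALLOW \
+-DTLS_FALLBACK=1 \
+$(NULL)
+@@ -381,7 +381,7 @@ interop_nbdkit_tls_psk_CPPFLAGS = \
+-DNEEDS_TMPFILE=1 \
+-DSERVER=\"$(NBDKIT)\" \
+-DSERVER_PARAMS='"--tls=require", "--tls-psk=../tests/keys.psk", "-s", "--exit-with-parent", "file", TMPFILE' \
+- -DPSK=1 \
++ -DPSK='"../tests/keys.psk"' \
+-DTLS_MODE=LIBNBD_TLS_REQUIRE \
+$(NULL)
+interop_nbdkit_tls_psk_LDADD = \
+@@ -400,7 +400,7 @@ interop_nbdkit_tls_psk_allow_enabled_CPPFLAGS = \
+-DNEEDS_TMPFILE=1 \
+-DSERVER=\"$(NBDKIT)\" \
+-DSERVER_PARAMS='"--tls=require", "--tls-psk=../tests/keys.psk", "-s", "--exit-with-parent", "file", TMPFILE' \
+- -DPSK=1 \
++ -DPSK='"../tests/keys.psk"' \
+-DTLS_MODE=LIBNBD_TLS_ALLOW \
+$(NULL)
+interop_nbdkit_tls_psk_allow_enabled_LDADD = \
+@@ -419,7 +419,7 @@ interop_nbdkit_tls_psk_allow_fallback_CPPFLAGS = \
+-DNEEDS_TMPFILE=1 \
+-DSERVER=\"$(NBDKIT)\" \
+-DSERVER_PARAMS='"--tls=off", "-s", "--exit-with-parent", "file", TMPFILE' \
+- -DPSK=1 \
++ -DPSK='"../tests/keys.psk"' \
+-DTLS_MODE=LIBNBD_TLS_ALLOW \
+-DTLS_FALLBACK=1 \
+$(NULL)
+diff --git a/interop/interop.c b/interop/interop.c
+index 20e101d4..d4d6671e 100644
+--- a/interop/interop.c
++++ b/interop/interop.c
+@@ -41,7 +41,7 @@
+
+#define SIZE (1024*1024)
+
+-#if CERTS || PSK
++#if defined(CERTS) || defined(PSK)
+#define TLS 1
+#ifndef TLS_MODE
+#error "TLS_MODE must be defined when using CERTS || PSK"
+@@ -149,13 +149,14 @@ main (int argc, char *argv[])
+}
+#endif
+
+-#if CERTS
+- if (nbd_set_tls_certificates (nbd, "../tests/pki") == -1) {
++#if defined(CERTS)
++ const char *certs = CERTS;
++ if (certs && nbd_set_tls_certificates (nbd, certs) == -1) {
+fprintf (stderr, "%s\n", nbd_get_error ());
+exit (EXIT_FAILURE);
+}
+-#elif PSK
+- if (nbd_set_tls_psk_file (nbd, "../tests/keys.psk") == -1) {
++#elif defined(PSK)
++ if (nbd_set_tls_psk_file (nbd, PSK) == -1) {
+fprintf (stderr, "%s\n", nbd_get_error ());
+exit (EXIT_FAILURE);
+}
+--
+2.43.0
+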
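Review bot: `if (nbd_set_tls_psk_file (nbd, PSK) == -1) {` passes the macro straight through, while the CERTS branch just above first copies it into `certs` and guards with `certs &&`; the commit message introduces `-DCERTS=NULL` as "do not call the setter", and nothing stops someone applying the same convention to PSK, where a NULL would reach the library call instead of skipping it. Either mirror the CERTS form, `const char *psk = PSK;` / `if (psk && nbd_set_tls_psk_file (nbd, psk) == -1) {`, or put a one-line comment on `#elif defined(PSK)` stating that PSK must always be a string literal. main() starts and ends outside the hunk.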
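--- /dev/null
+++ b/SOURCES/0008-interop-Add-DEXPECT_FAIL-1-where-we-expect-the-test-.patch
@@ -0,0 +1,53 @@
+From fcb7d28e4dd2ab438c6070e7e5b1aae54cc75f28 Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones" <rjones@redhat.com>
+Date: Mon, 24 Jun 2024 13:54:48 +0100
+Subject: [PATCH] interop: Add -DEXPECT_FAIL=1 where we expect the test to fail
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit c7a8df4f78f2c1901f5c532f262dadd6cce84750)
+(cherry picked from commit 175ee89f4a64c52cdb1412a2a72fc8c52fecaf93)
+---
+interop/interop.c | 14 +++++++++++++-
+1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/interop/interop.c b/interop/interop.c
+index d4d6671e..469327ee 100644
+--- a/interop/interop.c
++++ b/interop/interop.c
+@@ -78,6 +78,7 @@ main (int argc, char *argv[])
+int64_t actual_size;
+char buf[512];
+size_t i;
++ int r;
+
+/* Check requirements or skip the test. */
+#ifdef REQUIRES
+@@ -174,10 +175,21 @@ main (int argc, char *argv[])
+#else
+#define NBD_CONNECT nbd_connect_command
+#endif
+- if (NBD_CONNECT (nbd, args) == -1) {
++ r = NBD_CONNECT (nbd, args);
++#if EXPECT_FAIL
++ if (r != -1) {
++ fprintf (stderr, "%s: expected connection to fail but it did not\n",
++ argv[0]);
++ exit (EXIT_FAILURE);
++ }
++ exit (EXIT_SUCCESS);
++ /*NOTREACHED*/
++#else
++ if (r == -1) {
+fprintf (stderr, "%s\n", nbd_get_error ());
+exit (EXIT_FAILURE);
+}
++#endif
+
+#if TLS
+if (TLS_MODE == LIBNBD_TLS_REQUIRE) {
+--
+2.43.0
+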
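Review bot: The `#if EXPECT_FAIL` branch treats any `r == -1` as success, so a test meant to prove that a bad CA is rejected also passes when the server fails to start, the pki directory is missing, or the handshake fails for an unrelated reason — the negative test can pass vacuously, which matters most for the interop-nbdkit-tls-certs-bad-CA target added in the 0009 patch, the only user of this flag on this page. The expected failure is known (the 0009 Makefile.am comment quotes `Error in the certificate verification`), so check the error text from `nbd_get_error ()` before exiting successfully, as sketched below; `strstr` needs `<string.h>`, and whether interop.c already includes it is not visible in the hunk. If the exact gnutls wording is considered too brittle, compare against whatever error the Makefile comment documents rather than accepting every failure. main() starts outside the hunk.
```c
  r = NBD_CONNECT (nbd, args);
#if EXPECT_FAIL
  /* … unchanged: the r != -1 "expected connection to fail" check … */
  /* Only a certificate verification failure counts as the expected
   * failure; anything else (server did not start, missing pki dir)
   * would otherwise make this negative test pass vacuously. */
  if (strstr (nbd_get_error (), "certificate verification") == NULL) {
    fprintf (stderr, "%s: unexpected error: %s\n", argv[0], nbd_get_error ());
    exit (EXIT_FAILURE);
  }
  exit (EXIT_SUCCESS);
```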
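--- /dev/null
+++ b/SOURCES/0009-interop-Test-interop-with-a-bad-system-CA.patch
@@ -0,0 +1,84 @@
+From c20ac23a9a3673cca863974ec53f9129392fd447 Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones" <rjones@redhat.com>
+Date: Mon, 24 Jun 2024 11:39:01 +0100
+Subject: [PATCH] interop: Test interop with a bad system CA
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This is expected to fail now.
+
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit 1c7db8f3337632f0395dac9b13cf03b100cf1a4a)
+(cherry picked from commit cb3519eeefa788b8fef466bf9394eefa9d6a6c18)
+---
+.gitignore | 1 +
+interop/Makefile.am | 26 ++++++++++++++++++++++++++
+2 files changed, 27 insertions(+)
+
+diff --git a/.gitignore b/.gitignore
+index 0b1cf764..597043e1 100644
+--- a/.gitignore
++++ b/.gitignore
+@@ -113,6 +113,7 @@ Makefile.in
+/interop/interop-nbdkit-tls-certs
+/interop/interop-nbdkit-tls-certs-allow-enabled
+/interop/interop-nbdkit-tls-certs-allow-fallback
++/interop/interop-nbdkit-tls-certs-bad-CA
+/interop/interop-nbdkit-tls-psk
+/interop/interop-nbdkit-tls-psk-allow-enabled
+/interop/interop-nbdkit-tls-psk-allow-fallback
+diff --git a/interop/Makefile.am b/interop/Makefile.am
+index 4cdc55e9..bc974b99 100644
+--- a/interop/Makefile.am
++++ b/interop/Makefile.am
+@@ -281,6 +281,7 @@ check_PROGRAMS += \
+interop-nbdkit-tls-certs \
+interop-nbdkit-tls-certs-allow-enabled \
+interop-nbdkit-tls-certs-allow-fallback \
++ interop-nbdkit-tls-certs-bad-CA \
+interop-nbdkit-tls-psk \
+interop-nbdkit-tls-psk-allow-enabled \
+interop-nbdkit-tls-psk-allow-fallback \
+@@ -292,6 +293,7 @@ TESTS += \
+interop-nbdkit-tls-certs \
+interop-nbdkit-tls-certs-allow-enabled \
+interop-nbdkit-tls-certs-allow-fallback \
++ interop-nbdkit-tls-certs-bad-CA \
+interop-nbdkit-tls-psk \
+interop-nbdkit-tls-psk-allow-enabled \
+interop-nbdkit-tls-psk-allow-fallback \
+@@ -370,6 +372,30 @@ interop_nbdkit_tls_certs_allow_fallback_LDADD = \
+$(GNUTLS_LIBS) \
+$(NULL)
+
++# In this test, nbdkit offers a server certificate signed by our CA in
++# the tests/pki directory, but we deliberately tell libnbd to test
++# against the system CA (-DCERTS=NULL). This is expected to fail the
++# connection with the error:
++# libnbd: debug: nbd1: nbd_connect_command: handle dead: nbd_connect_command: gnutls_handshake: Error in the certificate verification. (15/1)
++interop_nbdkit_tls_certs_bad_CA_SOURCES = \
++ interop.c \
++ requires.c \
++ ../tests/requires.h \
++ $(NULL)
++interop_nbdkit_tls_certs_bad_CA_CPPFLAGS = \
++ $(AM_CPPFLAGS) \
++ -DREQUIRES=' requires ("test -d ../tests/pki"); ' \
++ -DSERVER=\"$(NBDKIT)\" \
++ -DSERVER_PARAMS='"--tls=require", "--tls-certificates=../tests/pki", "-s", "--exit-with-parent", "null"' \
++ -DCERTS=NULL \
++ -DTLS_MODE=LIBNBD_TLS_REQUIRE \
++ -DEXPECT_FAIL=1 \
++ $(NULL)
++interop_nbdkit_tls_certs_bad_CA_LDADD = \
++ $(top_builddir)/lib/libnbd.la \
++ $(GNUTLS_LIBS) \
++ $(NULL)
++
+interop_nbdkit_tls_psk_SOURCES = \
+interop.c \
+requires.c \
+--
+2.43.0
+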
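--- /dev/null
+++ b/SOURCES/0010-lib-uri.c-Allow-tls-verify-peer-to-be-overridden-in-.patch
@@ -0,0 +1,89 @@
+From a2541de206b3560fdfadf5dfada2cac1b69c09a1 Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones" <rjones@redhat.com>
+Date: Tue, 25 Jun 2024 11:12:56 +0100
+Subject: [PATCH] lib/uri.c: Allow tls-verify-peer to be overridden in URIs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Older versions of libnbd didn't always check the server certificate.
+Since some clients might be depending on this, allow
+?tls-verify-peer=false in URIs to skip this check.
+
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit 75641c6b30155abce272f60cf3518a65654aa401)
+(cherry picked from commit b12466821fc534fb68d5b8e695832ee03496e0af)
+---
+generator/API.ml | 5 +++++
+lib/uri.c | 32 ++++++++++++++++++++++++++++++++
+2 files changed, 37 insertions(+)
+
+diff --git a/generator/API.ml b/generator/API.ml
+index c4547615..f2752f25 100644
+--- a/generator/API.ml
++++ b/generator/API.ml
+@@ -1994,6 +1994,11 @@ Note this is not allowed by default - see next section.
+Set the PSK file. See L<nbd_set_tls_psk_file(3)>. Note
+this is not allowed by default - see next section.
+
++=item B<tls-verify-peer=false>
++
++Do not verify the server certificate. See L<nbd_set_tls_verify_peer(3)>.
++The default is C<true>.
++
+=back
+
+=head2 Disable URI features
+diff --git a/lib/uri.c b/lib/uri.c
+index 0c8e87cf..969e88be 100644
+--- a/lib/uri.c
++++ b/lib/uri.c
+@@ -150,6 +150,31 @@ parse_uri_queries (const char *query_raw, uri_query_list *list)
+return -1;
+}
+
++/* Similar to nbdkit_parse_bool */
++int
++parse_bool (const char *param, const char *value)
++{
++ if (!strcmp (value, "1") ||
++ !strcasecmp (value, "true") ||
++ !strcasecmp (value, "t") ||
++ !strcasecmp (value, "yes") ||
++ !strcasecmp (value, "y") ||
++ !strcasecmp (value, "on"))
++ return 1;
++
++ if (!strcmp (value, "0") ||
++ !strcasecmp (value, "false") ||
++ !strcasecmp (value, "f") ||
++ !strcasecmp (value, "no") ||
++ !strcasecmp (value, "n") ||
++ !strcasecmp (value, "off"))
++ return 0;
++
++ set_error (EINVAL, "could not parse %s parameter, expecting %s=true|false",
++ param, param);
++ return -1;
++}
++
+int
+nbd_unlocked_aio_connect_uri (struct nbd_handle *h, const char *raw_uri)
+{
+@@ -298,6 +323,13 @@ nbd_unlocked_aio_connect_uri (struct nbd_handle *h, const char *raw_uri)
+if (nbd_unlocked_set_tls_psk_file (h, queries.ptr[i].value) == -1)
+goto cleanup;
+}
++ else if (strcasecmp (queries.ptr[i].name, "tls-verify-peer") == 0) {
++ int v = parse_bool ("tls-verify-peer", queries.ptr[i].value);
++ if (v == -1)
++ goto cleanup;
++ if (nbd_unlocked_set_tls_verify_peer (h, v) == -1)
++ goto cleanup;
++ }
+}
+
+/* Username. */
+--
+2.43.0
+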
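Review bot: The new `else if (strcasecmp (queries.ptr[i].name, "tls-verify-peer") == 0)` branch lets the URI itself switch certificate verification off, yet neither it nor the added API.ml text says whether the "Disable URI features" controls apply to it — the neighbouring tls-certificates and tls-psk-file items carry "Note this is not allowed by default", while the new item only says "The default is C<true>". If the branch is gated like its neighbours (not visible in this hunk) the documentation should say so; if it is not, a URI obtained from an untrusted source can downgrade verification and the item should state that explicitly, e.g. append `Note this is not allowed by default - see next section.` or whatever the actual rule is. Separately, `parse_bool` is defined with external linkage (`int` / `parse_bool (const char *param, const char *value)`), so a generic symbol name escapes the library unless a version script hides it; `static int` would keep it file-local. nbd_unlocked_aio_connect_uri starts and ends outside its hunk.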
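--- /dev/null
+++ b/SOURCES/0011-docs-security-Add-link-to-TLS-server-certificate-che.patch
@@ -0,0 +1,31 @@
+From dfa2a23c7638e325694101fe81b5330ceede68f9 Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones" <rjones@redhat.com>
+Date: Tue, 25 Jun 2024 17:53:47 +0100
+Subject: [PATCH] docs: security: Add link to TLS server certificate checking
+announcement
+
+(cherry picked from commit 9c723aa660c6ee7d224afbfc16eb7450d21fb9cf)
+(cherry picked from commit 820f45a58fda50dc7d5e126c55403e33824cffe4)
+---
+docs/libnbd-security.pod | 5 +++++
+1 file changed, 5 insertions(+)
+
+diff --git a/docs/libnbd-security.pod b/docs/libnbd-security.pod
+index 216efa43..c9960d8c 100644
+--- a/docs/libnbd-security.pod
++++ b/docs/libnbd-security.pod
+@@ -45,6 +45,11 @@ negative size result from nbd_get_size(3)
+See the full announcement here:
+L<https://listman.redhat.com/archives/libguestfs/2023-September/032711.html>
+
++=head2 multiple flaws in TLS server certificate checking
++
++See the full announcement here:
++L<https://lists.libguestfs.org/archives/list/guestfs@lists.libguestfs.org/thread/LHR3BW6RJ7K4BJBQIYV3GTZLSY27VZO2/>
++
+=head1 SEE ALSO
+
+L<libnbd(3)>.
+--
+2.43.0
+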
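--- /dev/null
+++ b/SOURCES/0012-docs-libnbd-security.pod-Assign-CVE-2024-7383.patch
@@ -0,0 +1,32 @@
+From 8334404ee0883dcfa90697b6fdae541ed4751b79 Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones" <rjones@redhat.com>
+Date: Thu, 1 Aug 2024 15:17:29 +0100
+Subject: [PATCH] docs/libnbd-security.pod: Assign CVE-2024-7383
+
+CVE-2024-7383 was assigned to the (already published & fixed) flaws
+found in libnbd certificate checking.
+
+Reported-by: Jon Szymaniak
+Thanks: Mauro Matteo Cascella
+(cherry picked from commit 81a22ac6697ccdeb13509aba3072609251d1378b)
+---
+docs/libnbd-security.pod | 3 ++-
+1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/docs/libnbd-security.pod b/docs/libnbd-security.pod
+index c9960d8c..ece0cf5a 100644
+--- a/docs/libnbd-security.pod
++++ b/docs/libnbd-security.pod
+@@ -45,7 +45,8 @@ negative size result from nbd_get_size(3)
+See the full announcement here:
+L<https://listman.redhat.com/archives/libguestfs/2023-September/032711.html>
+
+-=head2 multiple flaws in TLS server certificate checking
++=head2 CVE-2024-7383
++multiple flaws in TLS server certificate checking
+
+See the full announcement here:
+L<https://lists.libguestfs.org/archives/list/guestfs@lists.libguestfs.org/thread/LHR3BW6RJ7K4BJBQIYV3GTZLSY27VZO2/>
+--
+2.43.0
+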
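--- /dev/null
+++ b/SOURCES/1000-Update-doc-template-for-tls-verify-peer.patch
@@ -0,0 +1,39 @@
+From 9acc05f757ff7518104c8f232b49230f0503ffa1 Mon Sep 17 00:00:00 2001
+From: Alex Burmashev <alexander.burmashev@oracle.com>
+Date: Thu, 19 Sep 2024 09:16:31 +0000
+Subject: [PATCH] Update doc template for tls-verify-peer
+
+Without this change, docs on i686 are not generated correctly.
+
+Signed-off-by: Alex Burmashev <alexander.burmashev@oracle.com>
+---
+docs/nbd_connect_uri.pod | 6 ++++++
+1 file changed, 6 insertions(+)
+
+diff --git a/docs/nbd_connect_uri.pod b/docs/nbd_connect_uri.pod
+index 5d7ecdb..9e49e24 100644
+--- a/docs/nbd_connect_uri.pod
++++ b/docs/nbd_connect_uri.pod
+@@ -119,6 +119,11 @@ Note this is not allowed by default - see next section.
+Set the PSK file. See L<nbd_set_tls_psk_file(3)>. Note
+this is not allowed by default - see next section.
+
++=item B<tls-verify-peer=false>
++
++Do not verify the server certificate. See L<nbd_set_tls_verify_peer(3)>.
++The default is C<true>.
++
+=back
+
+=head2 Disable URI features
+@@ -227,6 +232,7 @@ L<nbd_set_opt_mode(3)>,
+L<nbd_set_tls(3)>,
+L<nbd_set_tls_certificates(3)>,
+L<nbd_set_tls_psk_file(3)>,
++L<nbd_set_tls_verify_peer(3)>,
+L<nbd_set_uri_allow_local_file(3)>,
+L<nbd_set_uri_allow_tls(3)>,
+L<nbd_set_uri_allow_transports(3)>,
+--
+2.43.5
+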
0
SOURCES/copy-patches.sh
Executable file → Normal file
@ -9,7 +9,7 @@
Name: libnbd
Name: libnbd
Version: 1.18.1
Version: 1.18.1
Release: 3%{?dist}
Release: 4.0.1%{?dist}
Summary: NBD client library in userspace
Summary: NBD client library in userspace
License: LGPL-2.0-or-later AND BSD-3-Clause
License: LGPL-2.0-or-later AND BSD-3-Clause
@ -32,6 +32,18 @@ Source3: copy-patches.sh
Patch0001: 0001-generator-Fix-assertion-in-ext-mode-BLOCK_STATUS-CVE.patch
Patch0001: 0001-generator-Fix-assertion-in-ext-mode-BLOCK_STATUS-CVE.patch
Patch0002: 0002-docs-Fix-incorrect-xref-in-libnbd-release-notes-for-.patch
Patch0002: 0002-docs-Fix-incorrect-xref-in-libnbd-release-notes-for-.patch
Patch0003: 0003-tests-Check-behavior-of-nbd_set_strict_mode-STRICT_A.patch
Patch0003: 0003-tests-Check-behavior-of-nbd_set_strict_mode-STRICT_A.patch
Patch0004: 0004-build-Move-to-minimum-gnutls-3.5.18.patch
Patch0005: 0005-lib-crypto.c-Check-server-certificate-even-when-usin.patch
Patch0006: 0006-lib-crypto.c-Allow-CA-verification-even-if-h-hostnam.patch
Patch0007: 0007-interop-Pass-DCERTS-and-DPSK-as-strings.patch
Patch0008: 0008-interop-Add-DEXPECT_FAIL-1-where-we-expect-the-test-.patch
Patch0009: 0009-interop-Test-interop-with-a-bad-system-CA.patch
Patch0010: 0010-lib-uri.c-Allow-tls-verify-peer-to-be-overridden-in-.patch
Patch0011: 0011-docs-security-Add-link-to-TLS-server-certificate-che.patch
Patch0012: 0012-docs-libnbd-security.pod-Assign-CVE-2024-7383.patch
# Oracle patches
Patch1000: 1000-Update-doc-template-for-tls-verify-peer.patch
%if 0%{patches_touch_autotools}
%if 0%{patches_touch_autotools}
BuildRequires: autoconf, automake, libtool
BuildRequires: autoconf, automake, libtool
@ -383,6 +395,13 @@ make %{?_smp_mflags} check || {
%changelog
%changelog
* Thu Sep 19 2024 Alex Burmashev <alexander.burmashev@oracle.com> - 1.18.1-4.0.1
- Add new content to nbd_connect_uri.pod
* Tue Aug 27 2024 Richard W.M. Jones <rjones@redhat.com> - 1.18.1-4
- Fix CVE-2024-7383 NBD server improper certificate validation
resolves: RHEL-52730
* Mon Nov 13 2023 Eric Blake <eblake@redhat.com> - 1.18.1-3
* Mon Nov 13 2023 Eric Blake <eblake@redhat.com> - 1.18.1-3
- Backport unit test of recent libnbd API addition
- Backport unit test of recent libnbd API addition
resolves: RHEL-16292
resolves: RHEL-16292