Import OL libnbd-1.18.1-4.0.1.el9_4

This commit is contained in:
eabdullin 2024-09-20 14:43:32 +03:00
parent 774c090ddc
commit f6177471db
12 changed files with 717 additions and 1 deletions

View File

@ -0,0 +1,91 @@
From 596626369b90016f6852610c217da22668158521 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Tue, 25 Jun 2024 10:55:54 +0100
Subject: [PATCH] build: Move to minimum gnutls >= 3.5.18
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This version matches current qemu.
RHEL 7 gnutls is too old (lacks gnutls_session_set_verify_cert), which
means TLS will be disabled on this platform. RHEL 8 has gnutls 3.6.14.
I also unconditionally enabled the gnutls/socket.h header. This
header was added in 2016 (gnutls 3.5.3), so it's not present in RHEL 7.
On RHEL 7 the configure-time test now prints:
checking for GNUTLS... no
configure: WARNING: gnutls not found or < 3.5.18, TLS support will be disabled.
...
Optional library features:
TLS support ............................ no
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 5ff09cdbbd19226dd2d5015d76134f88dee9321e)
(cherry picked from commit 177fd0847723640829eff8d1ab102f8d28a7328e)
---
configure.ac | 5 ++---
lib/crypto.c | 6 ------
2 files changed, 2 insertions(+), 9 deletions(-)
diff --git a/configure.ac b/configure.ac
index 91fe004b..c0d6a472 100644
--- a/configure.ac
+++ b/configure.ac
@@ -178,13 +178,13 @@ AC_ARG_WITH([gnutls],
[],
[with_gnutls=check])
AS_IF([test "$with_gnutls" != "no"],[
- PKG_CHECK_MODULES([GNUTLS], [gnutls >= 3.3.0], [
+ PKG_CHECK_MODULES([GNUTLS], [gnutls >= 3.5.18], [
printf "gnutls version is "; $PKG_CONFIG --modversion gnutls
AC_SUBST([GNUTLS_CFLAGS])
AC_SUBST([GNUTLS_LIBS])
AC_DEFINE([HAVE_GNUTLS],[1],[gnutls found at compile time.])
], [
- AC_MSG_WARN([gnutls not found or < 3.3.0, TLS support will be disabled.])
+ AC_MSG_WARN([gnutls not found or < 3.5.18, TLS support will be disabled.])
])
])
AM_CONDITIONAL([HAVE_GNUTLS], [test "x$GNUTLS_LIBS" != "x"])
@@ -210,7 +210,6 @@ AS_IF([test "$GNUTLS_LIBS" != ""],[
old_LIBS="$LIBS"
LIBS="$GNUTLS_LIBS $LIBS"
AC_CHECK_FUNCS([\
- gnutls_session_set_verify_cert \
gnutls_transport_is_ktls_enabled \
])
LIBS="$old_LIBS"
diff --git a/lib/crypto.c b/lib/crypto.c
index 22a1cfa5..d131f1d0 100644
--- a/lib/crypto.c
+++ b/lib/crypto.c
@@ -28,10 +28,8 @@
#ifdef HAVE_GNUTLS
#include <gnutls/gnutls.h>
-#ifdef HAVE_GNUTLS_SOCKET_H
#include <gnutls/socket.h>
#endif
-#endif
#include "internal.h"
#include "nbdkit-string.h"
@@ -532,12 +530,8 @@ set_up_certificate_credentials (struct nbd_handle *h,
return NULL;
found_certificates:
-#ifdef HAVE_GNUTLS_SESSION_SET_VERIFY_CERT
if (h->hostname && h->tls_verify_peer)
gnutls_session_set_verify_cert (session, h->hostname, 0);
-#else
- debug (h, "ignoring nbd_set_tls_verify_peer, this requires GnuTLS >= 3.4.6");
-#endif
err = gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, ret);
if (err < 0) {
--
2.43.0

View File

@ -0,0 +1,57 @@
From d8ec4c8ecc5244ed192f58bc3a976c4b2f9cc6d7 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Mon, 24 Jun 2024 10:48:12 +0100
Subject: [PATCH] lib/crypto.c: Check server certificate even when using system
CA
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The previous code checked the server certificate only when a custom
certificate directory was set (ie. nbd_set_tls_certificates /
?tls-certificates=DIR). In the fallback case where we use the system
CA, we never called gnutls_session_set_verify_cert and so the server
certificate was never checked.
Move the call to gnutls_session_set_verify_cert later so it is called
on both paths.
If the server certificate does not match the hostname you will see:
nbdinfo: nbd_connect_uri: gnutls_handshake: Error in the certificate verification. (15/1)
Reported-by: Jon Szymaniak <jon.szymaniak@gmail.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 87ef41b69929d5d293390ec36b1c10aba2c9a57a)
(cherry picked from commit 7a6739aeca8250515a449bacd23d09bf40587dec)
---
lib/crypto.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/crypto.c b/lib/crypto.c
index d131f1d0..c542ce6b 100644
--- a/lib/crypto.c
+++ b/lib/crypto.c
@@ -530,9 +530,6 @@ set_up_certificate_credentials (struct nbd_handle *h,
return NULL;
found_certificates:
- if (h->hostname && h->tls_verify_peer)
- gnutls_session_set_verify_cert (session, h->hostname, 0);
-
err = gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, ret);
if (err < 0) {
set_error (0, "gnutls_credentials_set: %s", gnutls_strerror (err));
@@ -647,6 +644,9 @@ nbd_internal_crypto_create_session (struct nbd_handle *h,
gnutls_deinit (session);
return NULL;
}
+
+ if (h->hostname && h->tls_verify_peer)
+ gnutls_session_set_verify_cert (session, h->hostname, 0);
}
/* Wrap the underlying socket with GnuTLS. */
--
2.43.0

View File

@ -0,0 +1,76 @@
From af09b72a486fd870ab72170a0cba4b1d6d37894f Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Mon, 24 Jun 2024 10:31:10 +0100
Subject: [PATCH] lib/crypto.c: Allow CA verification even if h->hostname is
not set
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Calling gnutls_session_set_verify_cert with the hostname parameter set
to NULL is permitted:
https://www.gnutls.org/manual/html_node/Core-TLS-API.html#gnutls_005fsession_005fset_005fverify_005fcert
It means that the server's hostname in the certificate will not be
verified but we can at least check that the certificate was signed by
the CA. This allows the CA to be checked even for connections over
Unix domain sockets.
Example:
$ rm -f /tmp/sock
$ nbdkit -U /tmp/sock -f --tls=require --tls-certificates=$HOME/d/nbdkit/tests/pki memory 1G &
Before this change:
$ nbdinfo 'nbds+unix://?socket=/tmp/sock'
protocol: newstyle-fixed with TLS, using structured packets
export="":
export-size: 1073741824 (1G)
content: data
uri: nbds+unix:///?socket=/tmp/sock
[etc]
(works because it never called gnutls_session_set_verify_cert).
After this change:
$ nbdinfo 'nbds+unix://?socket=/tmp/sock'
nbdinfo: nbd_connect_uri: gnutls_handshake: Error in the certificate verification. (15/1)
(fails because system CA does not know about nbdkit's certificate
which is signed by the CA from the nbdkit/tests/pki directory)
$ nbdinfo 'nbds+unix://?socket=/tmp/sock&tls-certificates=/home/rjones/d/nbdkit/tests/pki'
protocol: newstyle-fixed with TLS, using structured packets
export="":
export-size: 1073741824 (1G)
content: data
uri: nbds+unix:///?socket=/tmp/sock&tls-certificates=/home/rjones/d/nbdkit/tests/pki
[etc]
(works because we supplied the correct CA)
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 6ed47a27d14f6f11946bb096d94e5bf21d97083d)
(cherry picked from commit 3a427e6d7a83f89299ab6fdaeeffbd9074610ecc)
---
lib/crypto.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/crypto.c b/lib/crypto.c
index c542ce6b..437e24ec 100644
--- a/lib/crypto.c
+++ b/lib/crypto.c
@@ -645,7 +645,7 @@ nbd_internal_crypto_create_session (struct nbd_handle *h,
return NULL;
}
- if (h->hostname && h->tls_verify_peer)
+ if (h->tls_verify_peer)
gnutls_session_set_verify_cert (session, h->hostname, 0);
}
--
2.43.0

View File

@ -0,0 +1,145 @@
From 764fc45a258c08177d01b6b6b6a0e431ee29089a Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Mon, 24 Jun 2024 11:49:07 +0100
Subject: [PATCH] interop: Pass -DCERTS and -DPSK as strings
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Rather than implicitly defining the certificates dir or PSK file in
interop.c, pass the actual paths from the Makefile.
This also allows -DCERTS=NULL which is interpreted as not calling
nbd_set_tls_certificates at all. This makes the test added in a
subsequent commit possible.
No real change here, just refactoring the tests.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 69ab18442994c68f749e2b84b91d41031ebbb088)
(cherry picked from commit 33d7f3aa8e3cf8c826a534107529e1d409c0c004)
---
interop/Makefile.am | 18 +++++++++---------
interop/interop.c | 11 ++++++-----
2 files changed, 15 insertions(+), 14 deletions(-)
diff --git a/interop/Makefile.am b/interop/Makefile.am
index ac12d84a..4cdc55e9 100644
--- a/interop/Makefile.am
+++ b/interop/Makefile.am
@@ -100,7 +100,7 @@ interop_nbd_server_tls_CPPFLAGS = \
-DSERVER=\"$(NBD_SERVER)\" \
-DSERVER_PARAMS='"-d", "-C", "nbd-server-tls.conf", "0", TMPFILE' \
-DEXPORT_NAME='""' \
- -DCERTS=1 \
+ -DCERTS='"../tests/pki"' \
-DTLS_MODE=LIBNBD_TLS_REQUIRE \
$(NULL)
interop_nbd_server_tls_LDADD = \
@@ -186,7 +186,7 @@ interop_qemu_nbd_tls_certs_CPPFLAGS = \
-DSERVER=\"$(QEMU_NBD)\" \
-DSERVER_PARAMS='"--object", "tls-creds-x509,id=tls0,endpoint=server,dir=$(abs_top_builddir)/tests/pki", "--tls-creds", "tls0", "-f", "raw", "-x", "/", TMPFILE' \
-DEXPORT_NAME='"/"' \
- -DCERTS=1 \
+ -DCERTS='"../tests/pki"' \
-DTLS_MODE=LIBNBD_TLS_REQUIRE \
$(NULL)
interop_qemu_nbd_tls_certs_LDADD = \
@@ -208,7 +208,7 @@ interop_qemu_nbd_tls_psk_CPPFLAGS = \
-DSERVER=\"$(QEMU_NBD)\" \
-DSERVER_PARAMS='"--object", "tls-creds-psk,id=tls0,endpoint=server,dir=$(abs_top_builddir)/tests", "--tls-creds", "tls0", "-f", "raw", "-x", "/", TMPFILE' \
-DEXPORT_NAME='"/"' \
- -DPSK=1 \
+ -DPSK='"../tests/keys.psk"' \
-DTLS_MODE=LIBNBD_TLS_REQUIRE \
$(NULL)
interop_qemu_nbd_tls_psk_LDADD = \
@@ -323,7 +323,7 @@ interop_nbdkit_tls_certs_CPPFLAGS = \
-DNEEDS_TMPFILE=1 \
-DSERVER=\"$(NBDKIT)\" \
-DSERVER_PARAMS='"--tls=require", "--tls-certificates=../tests/pki", "-s", "--exit-with-parent", "file", TMPFILE' \
- -DCERTS=1 \
+ -DCERTS='"../tests/pki"' \
-DTLS_MODE=LIBNBD_TLS_REQUIRE \
$(NULL)
interop_nbdkit_tls_certs_LDADD = \
@@ -342,7 +342,7 @@ interop_nbdkit_tls_certs_allow_enabled_CPPFLAGS = \
-DNEEDS_TMPFILE=1 \
-DSERVER=\"$(NBDKIT)\" \
-DSERVER_PARAMS='"--tls=require", "--tls-certificates=../tests/pki", "-s", "--exit-with-parent", "file", TMPFILE' \
- -DCERTS=1 \
+ -DCERTS='"../tests/pki"' \
-DTLS_MODE=LIBNBD_TLS_ALLOW \
$(NULL)
interop_nbdkit_tls_certs_allow_enabled_LDADD = \
@@ -361,7 +361,7 @@ interop_nbdkit_tls_certs_allow_fallback_CPPFLAGS = \
-DNEEDS_TMPFILE=1 \
-DSERVER=\"$(NBDKIT)\" \
-DSERVER_PARAMS='"--tls=off", "-s", "--exit-with-parent", "file", TMPFILE' \
- -DCERTS=1 \
+ -DCERTS='"../tests/pki"' \
-DTLS_MODE=LIBNBD_TLS_ALLOW \
-DTLS_FALLBACK=1 \
$(NULL)
@@ -381,7 +381,7 @@ interop_nbdkit_tls_psk_CPPFLAGS = \
-DNEEDS_TMPFILE=1 \
-DSERVER=\"$(NBDKIT)\" \
-DSERVER_PARAMS='"--tls=require", "--tls-psk=../tests/keys.psk", "-s", "--exit-with-parent", "file", TMPFILE' \
- -DPSK=1 \
+ -DPSK='"../tests/keys.psk"' \
-DTLS_MODE=LIBNBD_TLS_REQUIRE \
$(NULL)
interop_nbdkit_tls_psk_LDADD = \
@@ -400,7 +400,7 @@ interop_nbdkit_tls_psk_allow_enabled_CPPFLAGS = \
-DNEEDS_TMPFILE=1 \
-DSERVER=\"$(NBDKIT)\" \
-DSERVER_PARAMS='"--tls=require", "--tls-psk=../tests/keys.psk", "-s", "--exit-with-parent", "file", TMPFILE' \
- -DPSK=1 \
+ -DPSK='"../tests/keys.psk"' \
-DTLS_MODE=LIBNBD_TLS_ALLOW \
$(NULL)
interop_nbdkit_tls_psk_allow_enabled_LDADD = \
@@ -419,7 +419,7 @@ interop_nbdkit_tls_psk_allow_fallback_CPPFLAGS = \
-DNEEDS_TMPFILE=1 \
-DSERVER=\"$(NBDKIT)\" \
-DSERVER_PARAMS='"--tls=off", "-s", "--exit-with-parent", "file", TMPFILE' \
- -DPSK=1 \
+ -DPSK='"../tests/keys.psk"' \
-DTLS_MODE=LIBNBD_TLS_ALLOW \
-DTLS_FALLBACK=1 \
$(NULL)
diff --git a/interop/interop.c b/interop/interop.c
index 20e101d4..d4d6671e 100644
--- a/interop/interop.c
+++ b/interop/interop.c
@@ -41,7 +41,7 @@
#define SIZE (1024*1024)
-#if CERTS || PSK
+#if defined(CERTS) || defined(PSK)
#define TLS 1
#ifndef TLS_MODE
#error "TLS_MODE must be defined when using CERTS || PSK"
@@ -149,13 +149,14 @@ main (int argc, char *argv[])
}
#endif
-#if CERTS
- if (nbd_set_tls_certificates (nbd, "../tests/pki") == -1) {
+#if defined(CERTS)
+ const char *certs = CERTS;
+ if (certs && nbd_set_tls_certificates (nbd, certs) == -1) {
fprintf (stderr, "%s\n", nbd_get_error ());
exit (EXIT_FAILURE);
}
-#elif PSK
- if (nbd_set_tls_psk_file (nbd, "../tests/keys.psk") == -1) {
+#elif defined(PSK)
+ if (nbd_set_tls_psk_file (nbd, PSK) == -1) {
fprintf (stderr, "%s\n", nbd_get_error ());
exit (EXIT_FAILURE);
}
--
2.43.0

View File

@ -0,0 +1,53 @@
From fcb7d28e4dd2ab438c6070e7e5b1aae54cc75f28 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Mon, 24 Jun 2024 13:54:48 +0100
Subject: [PATCH] interop: Add -DEXPECT_FAIL=1 where we expect the test to fail
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit c7a8df4f78f2c1901f5c532f262dadd6cce84750)
(cherry picked from commit 175ee89f4a64c52cdb1412a2a72fc8c52fecaf93)
---
interop/interop.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/interop/interop.c b/interop/interop.c
index d4d6671e..469327ee 100644
--- a/interop/interop.c
+++ b/interop/interop.c
@@ -78,6 +78,7 @@ main (int argc, char *argv[])
int64_t actual_size;
char buf[512];
size_t i;
+ int r;
/* Check requirements or skip the test. */
#ifdef REQUIRES
@@ -174,10 +175,21 @@ main (int argc, char *argv[])
#else
#define NBD_CONNECT nbd_connect_command
#endif
- if (NBD_CONNECT (nbd, args) == -1) {
+ r = NBD_CONNECT (nbd, args);
+#if EXPECT_FAIL
+ if (r != -1) {
+ fprintf (stderr, "%s: expected connection to fail but it did not\n",
+ argv[0]);
+ exit (EXIT_FAILURE);
+ }
+ exit (EXIT_SUCCESS);
+ /*NOTREACHED*/
+#else
+ if (r == -1) {
fprintf (stderr, "%s\n", nbd_get_error ());
exit (EXIT_FAILURE);
}
+#endif
#if TLS
if (TLS_MODE == LIBNBD_TLS_REQUIRE) {
--
2.43.0

View File

@ -0,0 +1,84 @@
From c20ac23a9a3673cca863974ec53f9129392fd447 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Mon, 24 Jun 2024 11:39:01 +0100
Subject: [PATCH] interop: Test interop with a bad system CA
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is expected to fail now.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 1c7db8f3337632f0395dac9b13cf03b100cf1a4a)
(cherry picked from commit cb3519eeefa788b8fef466bf9394eefa9d6a6c18)
---
.gitignore | 1 +
interop/Makefile.am | 26 ++++++++++++++++++++++++++
2 files changed, 27 insertions(+)
diff --git a/.gitignore b/.gitignore
index 0b1cf764..597043e1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -113,6 +113,7 @@ Makefile.in
/interop/interop-nbdkit-tls-certs
/interop/interop-nbdkit-tls-certs-allow-enabled
/interop/interop-nbdkit-tls-certs-allow-fallback
+/interop/interop-nbdkit-tls-certs-bad-CA
/interop/interop-nbdkit-tls-psk
/interop/interop-nbdkit-tls-psk-allow-enabled
/interop/interop-nbdkit-tls-psk-allow-fallback
diff --git a/interop/Makefile.am b/interop/Makefile.am
index 4cdc55e9..bc974b99 100644
--- a/interop/Makefile.am
+++ b/interop/Makefile.am
@@ -281,6 +281,7 @@ check_PROGRAMS += \
interop-nbdkit-tls-certs \
interop-nbdkit-tls-certs-allow-enabled \
interop-nbdkit-tls-certs-allow-fallback \
+ interop-nbdkit-tls-certs-bad-CA \
interop-nbdkit-tls-psk \
interop-nbdkit-tls-psk-allow-enabled \
interop-nbdkit-tls-psk-allow-fallback \
@@ -292,6 +293,7 @@ TESTS += \
interop-nbdkit-tls-certs \
interop-nbdkit-tls-certs-allow-enabled \
interop-nbdkit-tls-certs-allow-fallback \
+ interop-nbdkit-tls-certs-bad-CA \
interop-nbdkit-tls-psk \
interop-nbdkit-tls-psk-allow-enabled \
interop-nbdkit-tls-psk-allow-fallback \
@@ -370,6 +372,30 @@ interop_nbdkit_tls_certs_allow_fallback_LDADD = \
$(GNUTLS_LIBS) \
$(NULL)
+# In this test, nbdkit offers a server certificate signed by our CA in
+# the tests/pki directory, but we deliberately tell libnbd to test
+# against the system CA (-DCERTS=NULL). This is expected to fail the
+# connection with the error:
+# libnbd: debug: nbd1: nbd_connect_command: handle dead: nbd_connect_command: gnutls_handshake: Error in the certificate verification. (15/1)
+interop_nbdkit_tls_certs_bad_CA_SOURCES = \
+ interop.c \
+ requires.c \
+ ../tests/requires.h \
+ $(NULL)
+interop_nbdkit_tls_certs_bad_CA_CPPFLAGS = \
+ $(AM_CPPFLAGS) \
+ -DREQUIRES=' requires ("test -d ../tests/pki"); ' \
+ -DSERVER=\"$(NBDKIT)\" \
+ -DSERVER_PARAMS='"--tls=require", "--tls-certificates=../tests/pki", "-s", "--exit-with-parent", "null"' \
+ -DCERTS=NULL \
+ -DTLS_MODE=LIBNBD_TLS_REQUIRE \
+ -DEXPECT_FAIL=1 \
+ $(NULL)
+interop_nbdkit_tls_certs_bad_CA_LDADD = \
+ $(top_builddir)/lib/libnbd.la \
+ $(GNUTLS_LIBS) \
+ $(NULL)
+
interop_nbdkit_tls_psk_SOURCES = \
interop.c \
requires.c \
--
2.43.0

View File

@ -0,0 +1,89 @@
From a2541de206b3560fdfadf5dfada2cac1b69c09a1 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Tue, 25 Jun 2024 11:12:56 +0100
Subject: [PATCH] lib/uri.c: Allow tls-verify-peer to be overridden in URIs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Older versions of libnbd didn't always check the server certificate.
Since some clients might be depending on this, allow
?tls-verify-peer=false in URIs to skip this check.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 75641c6b30155abce272f60cf3518a65654aa401)
(cherry picked from commit b12466821fc534fb68d5b8e695832ee03496e0af)
---
generator/API.ml | 5 +++++
lib/uri.c | 32 ++++++++++++++++++++++++++++++++
2 files changed, 37 insertions(+)
diff --git a/generator/API.ml b/generator/API.ml
index c4547615..f2752f25 100644
--- a/generator/API.ml
+++ b/generator/API.ml
@@ -1994,6 +1994,11 @@ Note this is not allowed by default - see next section.
Set the PSK file. See L<nbd_set_tls_psk_file(3)>. Note
this is not allowed by default - see next section.
+=item B<tls-verify-peer=false>
+
+Do not verify the server certificate. See L<nbd_set_tls_verify_peer(3)>.
+The default is C<true>.
+
=back
=head2 Disable URI features
diff --git a/lib/uri.c b/lib/uri.c
index 0c8e87cf..969e88be 100644
--- a/lib/uri.c
+++ b/lib/uri.c
@@ -150,6 +150,31 @@ parse_uri_queries (const char *query_raw, uri_query_list *list)
return -1;
}
+/* Similar to nbdkit_parse_bool */
+int
+parse_bool (const char *param, const char *value)
+{
+ if (!strcmp (value, "1") ||
+ !strcasecmp (value, "true") ||
+ !strcasecmp (value, "t") ||
+ !strcasecmp (value, "yes") ||
+ !strcasecmp (value, "y") ||
+ !strcasecmp (value, "on"))
+ return 1;
+
+ if (!strcmp (value, "0") ||
+ !strcasecmp (value, "false") ||
+ !strcasecmp (value, "f") ||
+ !strcasecmp (value, "no") ||
+ !strcasecmp (value, "n") ||
+ !strcasecmp (value, "off"))
+ return 0;
+
+ set_error (EINVAL, "could not parse %s parameter, expecting %s=true|false",
+ param, param);
+ return -1;
+}
+
int
nbd_unlocked_aio_connect_uri (struct nbd_handle *h, const char *raw_uri)
{
@@ -298,6 +323,13 @@ nbd_unlocked_aio_connect_uri (struct nbd_handle *h, const char *raw_uri)
if (nbd_unlocked_set_tls_psk_file (h, queries.ptr[i].value) == -1)
goto cleanup;
}
+ else if (strcasecmp (queries.ptr[i].name, "tls-verify-peer") == 0) {
+ int v = parse_bool ("tls-verify-peer", queries.ptr[i].value);
+ if (v == -1)
+ goto cleanup;
+ if (nbd_unlocked_set_tls_verify_peer (h, v) == -1)
+ goto cleanup;
+ }
}
/* Username. */
--
2.43.0

View File

@ -0,0 +1,31 @@
From dfa2a23c7638e325694101fe81b5330ceede68f9 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Tue, 25 Jun 2024 17:53:47 +0100
Subject: [PATCH] docs: security: Add link to TLS server certificate checking
announcement
(cherry picked from commit 9c723aa660c6ee7d224afbfc16eb7450d21fb9cf)
(cherry picked from commit 820f45a58fda50dc7d5e126c55403e33824cffe4)
---
docs/libnbd-security.pod | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/docs/libnbd-security.pod b/docs/libnbd-security.pod
index 216efa43..c9960d8c 100644
--- a/docs/libnbd-security.pod
+++ b/docs/libnbd-security.pod
@@ -45,6 +45,11 @@ negative size result from nbd_get_size(3)
See the full announcement here:
L<https://listman.redhat.com/archives/libguestfs/2023-September/032711.html>
+=head2 multiple flaws in TLS server certificate checking
+
+See the full announcement here:
+L<https://lists.libguestfs.org/archives/list/guestfs@lists.libguestfs.org/thread/LHR3BW6RJ7K4BJBQIYV3GTZLSY27VZO2/>
+
=head1 SEE ALSO
L<libnbd(3)>.
--
2.43.0

View File

@ -0,0 +1,32 @@
From 8334404ee0883dcfa90697b6fdae541ed4751b79 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Thu, 1 Aug 2024 15:17:29 +0100
Subject: [PATCH] docs/libnbd-security.pod: Assign CVE-2024-7383
CVE-2024-7383 was assigned to the (already published & fixed) flaws
found in libnbd certificate checking.
Reported-by: Jon Szymaniak
Thanks: Mauro Matteo Cascella
(cherry picked from commit 81a22ac6697ccdeb13509aba3072609251d1378b)
---
docs/libnbd-security.pod | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/docs/libnbd-security.pod b/docs/libnbd-security.pod
index c9960d8c..ece0cf5a 100644
--- a/docs/libnbd-security.pod
+++ b/docs/libnbd-security.pod
@@ -45,7 +45,8 @@ negative size result from nbd_get_size(3)
See the full announcement here:
L<https://listman.redhat.com/archives/libguestfs/2023-September/032711.html>
-=head2 multiple flaws in TLS server certificate checking
+=head2 CVE-2024-7383
+multiple flaws in TLS server certificate checking
See the full announcement here:
L<https://lists.libguestfs.org/archives/list/guestfs@lists.libguestfs.org/thread/LHR3BW6RJ7K4BJBQIYV3GTZLSY27VZO2/>
--
2.43.0

View File

@ -0,0 +1,39 @@
From 9acc05f757ff7518104c8f232b49230f0503ffa1 Mon Sep 17 00:00:00 2001
From: Alex Burmashev <alexander.burmashev@oracle.com>
Date: Thu, 19 Sep 2024 09:16:31 +0000
Subject: [PATCH] Update doc template for tls-verify-peer
Without this change, docs on i686 are not generated correctly.
Signed-off-by: Alex Burmashev <alexander.burmashev@oracle.com>
---
docs/nbd_connect_uri.pod | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/docs/nbd_connect_uri.pod b/docs/nbd_connect_uri.pod
index 5d7ecdb..9e49e24 100644
--- a/docs/nbd_connect_uri.pod
+++ b/docs/nbd_connect_uri.pod
@@ -119,6 +119,11 @@ Note this is not allowed by default - see next section.
Set the PSK file. See L<nbd_set_tls_psk_file(3)>. Note
this is not allowed by default - see next section.
+=item B<tls-verify-peer=false>
+
+Do not verify the server certificate. See L<nbd_set_tls_verify_peer(3)>.
+The default is C<true>.
+
=back
=head2 Disable URI features
@@ -227,6 +232,7 @@ L<nbd_set_opt_mode(3)>,
L<nbd_set_tls(3)>,
L<nbd_set_tls_certificates(3)>,
L<nbd_set_tls_psk_file(3)>,
+L<nbd_set_tls_verify_peer(3)>,
L<nbd_set_uri_allow_local_file(3)>,
L<nbd_set_uri_allow_tls(3)>,
L<nbd_set_uri_allow_transports(3)>,
--
2.43.5

0
SOURCES/copy-patches.sh Executable file → Normal file
View File

View File

@ -9,7 +9,7 @@
Name: libnbd Name: libnbd
Version: 1.18.1 Version: 1.18.1
Release: 3%{?dist} Release: 4.0.1%{?dist}
Summary: NBD client library in userspace Summary: NBD client library in userspace
License: LGPL-2.0-or-later AND BSD-3-Clause License: LGPL-2.0-or-later AND BSD-3-Clause
@ -32,6 +32,18 @@ Source3: copy-patches.sh
Patch0001: 0001-generator-Fix-assertion-in-ext-mode-BLOCK_STATUS-CVE.patch Patch0001: 0001-generator-Fix-assertion-in-ext-mode-BLOCK_STATUS-CVE.patch
Patch0002: 0002-docs-Fix-incorrect-xref-in-libnbd-release-notes-for-.patch Patch0002: 0002-docs-Fix-incorrect-xref-in-libnbd-release-notes-for-.patch
Patch0003: 0003-tests-Check-behavior-of-nbd_set_strict_mode-STRICT_A.patch Patch0003: 0003-tests-Check-behavior-of-nbd_set_strict_mode-STRICT_A.patch
Patch0004: 0004-build-Move-to-minimum-gnutls-3.5.18.patch
Patch0005: 0005-lib-crypto.c-Check-server-certificate-even-when-usin.patch
Patch0006: 0006-lib-crypto.c-Allow-CA-verification-even-if-h-hostnam.patch
Patch0007: 0007-interop-Pass-DCERTS-and-DPSK-as-strings.patch
Patch0008: 0008-interop-Add-DEXPECT_FAIL-1-where-we-expect-the-test-.patch
Patch0009: 0009-interop-Test-interop-with-a-bad-system-CA.patch
Patch0010: 0010-lib-uri.c-Allow-tls-verify-peer-to-be-overridden-in-.patch
Patch0011: 0011-docs-security-Add-link-to-TLS-server-certificate-che.patch
Patch0012: 0012-docs-libnbd-security.pod-Assign-CVE-2024-7383.patch
# Oracle patches
Patch1000: 1000-Update-doc-template-for-tls-verify-peer.patch
%if 0%{patches_touch_autotools} %if 0%{patches_touch_autotools}
BuildRequires: autoconf, automake, libtool BuildRequires: autoconf, automake, libtool
@ -383,6 +395,13 @@ make %{?_smp_mflags} check || {
%changelog %changelog
* Thu Sep 19 2024 Alex Burmashev <alexander.burmashev@oracle.com> - 1.18.1-4.0.1
- Add new content to nbd_connect_uri.pod
* Tue Aug 27 2024 Richard W.M. Jones <rjones@redhat.com> - 1.18.1-4
- Fix CVE-2024-7383 NBD server improper certificate validation
resolves: RHEL-52730
* Mon Nov 13 2023 Eric Blake <eblake@redhat.com> - 1.18.1-3 * Mon Nov 13 2023 Eric Blake <eblake@redhat.com> - 1.18.1-3
- Backport unit test of recent libnbd API addition - Backport unit test of recent libnbd API addition
resolves: RHEL-16292 resolves: RHEL-16292