From 1f82b6d2d894bf567926f4ae52f4362654db8f38 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones"
Date: Tue, 25 Jun 2024 11:12:56 +0100
Subject: [PATCH] lib/uri.c: Allow tls-verify-peer to be overridden in URIs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Older versions of libnbd didn't always check the server certificate. Since some clients might be depending on this, allow ?tls-verify-peer=false in URIs to skip this check.

Reviewed-by: Daniel P. Berrangé
(cherry picked from commit 75641c6b30155abce272f60cf3518a65654aa401)
(cherry picked from commit caad9cfb5dda0957c4b15cc85738a4c6ac856e8b)
(cherry picked from commit 4bfc3176de535350f884732b8793574e37714d2a)
---
 generator/API.ml | 5 +++++
 lib/uri.c | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 37 insertions(+)

diff --git a/generator/API.ml b/generator/API.ml
index 4b2a62e8..69ee428d 100644
--- a/generator/API.ml
+++ b/generator/API.ml
@@ -1306,6 +1306,11 @@ Note this is not allowed by default - see next section. Set the PSK file. See L. Note this is not allowed by default - see next section. +=item B + +Do not verify the server certificate. See L. +The default is C. + =back =head2 Disable URI features
diff --git a/lib/uri.c b/lib/uri.c
index c8d9041e..8dfefd00 100644
--- a/lib/uri.c
+++ b/lib/uri.c
@@ -140,6 +140,31 @@ error:
 return -1;
 }
 
+/* Similar to nbdkit_parse_bool */
+int
+parse_bool (const char *param, const char *value)
+{
+ if (!strcmp (value, "1") ||
+ !strcasecmp (value, "true") ||
+ !strcasecmp (value, "t") ||
+ !strcasecmp (value, "yes") ||
+ !strcasecmp (value, "y") ||
+ !strcasecmp (value, "on"))
+ return 1;
+
+ if (!strcmp (value, "0") ||
+ !strcasecmp (value, "false") ||
+ !strcasecmp (value, "f") ||
+ !strcasecmp (value, "no") ||
+ !strcasecmp (value, "n") ||
+ !strcasecmp (value, "off"))
+ return 0;
+
+ set_error (EINVAL, "could not parse %s parameter, expecting %s=true|false",
+ param, param);
+ return -1;
+}
+
 int
 nbd_unlocked_aio_connect_uri (struct nbd_handle *h, const char *raw_uri)
 {
@@ -271,6 +296,13 @@ nbd_unlocked_aio_connect_uri (struct nbd_handle *h, const char *raw_uri)
 if (nbd_unlocked_set_tls_psk_file (h, queries.ptr[i].value) == -1)
 goto cleanup;
 }
+ else if (strcasecmp (queries.ptr[i].name, "tls-verify-peer") == 0) {
+ int v = parse_bool ("tls-verify-peer", queries.ptr[i].value);
+ if (v == -1)
+ goto cleanup;
+ if (nbd_unlocked_set_tls_verify_peer (h, v) == -1)
+ goto cleanup;
+ }
 }
 
 /* Username. */
-- 
2.43.0
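Review bot: `parse_bool` is defined without `static`, so a helper with a very generic name gets external linkage although the only caller visible in this patch is in the same file; declaring it `static int` would keep it out of the library's global namespace unless another translation unit is meant to use it. It also hands `value` straight to `strcmp`, so it depends on the query parser never producing a NULL value for a parameter written without `=`; that parser is outside the hunk, so either confirm it or add `if (value == NULL)` ahead of the comparisons and fall through to the `set_error` path. The header comment would be more useful if it stated the contract, for example `/* Parse a boolean URI parameter: returns 1 or 0, or -1 after calling set_error. */`.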
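Review bot: The new `tls-verify-peer` branch lets the URI string switch off server certificate verification with no gate visible in this hunk, while the documentation hunk describes the neighbouring `tls-certificates` and `tls-psk-file` parameters as "not allowed by default". Because `nbd_unlocked_set_tls_verify_peer (h, v)` is called while the URI is parsed, it presumably also overrides a stricter value the application set on the handle before connecting, so a program that accepts URIs from configuration or users can lose its man-in-the-middle protection without noticing. If this is the intended compatibility behaviour, state it at the branch, e.g. `/* Deliberately lets the URI relax verification; callers that accept untrusted URIs must validate or strip this parameter. */`, and consider reporting the downgrade through the library's debug output when `v == 0`. The enclosing function, `nbd_unlocked_aio_connect_uri`, starts and ends outside the hunk, so any existing URI feature restriction applied elsewhere could not be checked here.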