libnbd/SOURCES/0010-lib-uri.c-Allow-tls-verify-peer-to-be-overridden-in-.patch

90 lines
2.7 KiB
Diff

From a2541de206b3560fdfadf5dfada2cac1b69c09a1 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Tue, 25 Jun 2024 11:12:56 +0100
Subject: [PATCH] lib/uri.c: Allow tls-verify-peer to be overridden in URIs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Older versions of libnbd didn't always check the server certificate.
Since some clients might be depending on this, allow
?tls-verify-peer=false in URIs to skip this check.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 75641c6b30155abce272f60cf3518a65654aa401)
(cherry picked from commit b12466821fc534fb68d5b8e695832ee03496e0af)
---
generator/API.ml | 5 +++++
lib/uri.c | 32 ++++++++++++++++++++++++++++++++
2 files changed, 37 insertions(+)
diff --git a/generator/API.ml b/generator/API.ml
index c4547615..f2752f25 100644
--- a/generator/API.ml
+++ b/generator/API.ml
@@ -1994,6 +1994,11 @@ Note this is not allowed by default - see next section.
Set the PSK file. See L<nbd_set_tls_psk_file(3)>. Note
this is not allowed by default - see next section.
+=item B<tls-verify-peer=false>
+
+Do not verify the server certificate. See L<nbd_set_tls_verify_peer(3)>.
+The default is C<true>.
+
=back
=head2 Disable URI features
diff --git a/lib/uri.c b/lib/uri.c
index 0c8e87cf..969e88be 100644
--- a/lib/uri.c
+++ b/lib/uri.c
@@ -150,6 +150,31 @@ parse_uri_queries (const char *query_raw, uri_query_list *list)
return -1;
}
+/* Similar to nbdkit_parse_bool */
+int
+parse_bool (const char *param, const char *value)
+{
+ if (!strcmp (value, "1") ||
+ !strcasecmp (value, "true") ||
+ !strcasecmp (value, "t") ||
+ !strcasecmp (value, "yes") ||
+ !strcasecmp (value, "y") ||
+ !strcasecmp (value, "on"))
+ return 1;
+
+ if (!strcmp (value, "0") ||
+ !strcasecmp (value, "false") ||
+ !strcasecmp (value, "f") ||
+ !strcasecmp (value, "no") ||
+ !strcasecmp (value, "n") ||
+ !strcasecmp (value, "off"))
+ return 0;
+
+ set_error (EINVAL, "could not parse %s parameter, expecting %s=true|false",
+ param, param);
+ return -1;
+}
+
int
nbd_unlocked_aio_connect_uri (struct nbd_handle *h, const char *raw_uri)
{
@@ -298,6 +323,13 @@ nbd_unlocked_aio_connect_uri (struct nbd_handle *h, const char *raw_uri)
if (nbd_unlocked_set_tls_psk_file (h, queries.ptr[i].value) == -1)
goto cleanup;
}
+ else if (strcasecmp (queries.ptr[i].name, "tls-verify-peer") == 0) {
+ int v = parse_bool ("tls-verify-peer", queries.ptr[i].value);
+ if (v == -1)
+ goto cleanup;
+ if (nbd_unlocked_set_tls_verify_peer (h, v) == -1)
+ goto cleanup;
+ }
}
/* Username. */
--
2.43.0