From ffe8028ca07eb049b12d5c152b3d66489378d731 Mon Sep 17 00:00:00 2001 Message-Id: From: Peter Krempa Date: Mon, 16 Mar 2020 22:11:56 +0100 Subject: [PATCH] conf: Add support for modifying ssl validation for https/ftps disks MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit To allow turning off verification of SSL cerificates add a new element to the disk source XML which will allow configuring the validation process using the 'verify' attribute. Signed-off-by: Peter Krempa Reviewed-by: Ján Tomko (cherry picked from commit 25481e25b14108373bf2e5e95c04fe30bff96bb4) https://bugzilla.redhat.com/show_bug.cgi?id=1804750 Message-Id: Reviewed-by: Ján Tomko --- docs/formatdomain.html.in | 9 ++++ docs/schemas/domaincommon.rng | 51 ++++++++++++++++++- src/conf/domain_conf.c | 19 +++++++ src/util/virstoragefile.c | 1 + src/util/virstoragefile.h | 1 + .../disk-network-http.xml | 9 ++++ 6 files changed, 88 insertions(+), 2 deletions(-) diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in index e9830ab231..2cce247958 100644 --- a/docs/formatdomain.html.in +++ b/docs/formatdomain.html.in @@ -2847,6 +2847,7 @@ <driver name='qemu' type='raw'/> <source protocol="https" name="url_path"> <host name="hostname" port="443"/> + <ssl verify="no"/> </source> <target dev='hdf' bus='ide' tray='open'/> <readonly/> @@ -3373,6 +3374,14 @@ The offset and size values are in bytes. Since 6.1.0 +
ssl
+
+ For https and ftps accessed storage it's + possible to tweak the SSL transport parameters with this element. + The verify attribute allows to turn on or off SSL + certificate validation. Supported values are yes and + no. Since 6.2.0 +

diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng index aa70e340b9..548601b61c 100644 --- a/docs/schemas/domaincommon.rng +++ b/docs/schemas/domaincommon.rng @@ -1808,12 +1808,39 @@ + + + + + + + + + + + + + + https + + + + + + + + + + + + + + http - https @@ -1825,13 +1852,31 @@ + + + + + ftps + + + + + + + + + + + + + + sheepdog ftp - ftps tftp @@ -1909,6 +1954,8 @@ + + diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index b3c4084c38..70bbc35bb3 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -9259,6 +9259,7 @@ virDomainDiskSourceNetworkParse(xmlNodePtr node, g_autofree char *protocol = NULL; g_autofree char *haveTLS = NULL; g_autofree char *tlsCfg = NULL; + g_autofree char *sslverifystr = NULL; if (!(protocol = virXMLPropString(node, "protocol"))) { virReportError(VIR_ERR_XML_ERROR, "%s", @@ -9331,6 +9332,19 @@ virDomainDiskSourceNetworkParse(xmlNodePtr node, virStorageSourceInitiatorParseXML(ctxt, &src->initiator); + if ((src->protocol == VIR_STORAGE_NET_PROTOCOL_HTTPS || + src->protocol == VIR_STORAGE_NET_PROTOCOL_FTPS) && + (sslverifystr = virXPathString("string(./ssl/@verify)", ctxt))) { + int verify; + if ((verify = virTristateBoolTypeFromString(sslverifystr)) < 0) { + virReportError(VIR_ERR_XML_ERROR, + _("invalid ssl verify mode '%s'"), sslverifystr); + return -1; + } + + src->sslverify = verify; + } + return 0; } @@ -24312,6 +24326,11 @@ virDomainDiskSourceFormatNetwork(virBufferPtr attrBuf, virStorageSourceInitiatorFormatXML(&src->initiator, childBuf); + if (src->sslverify != VIR_TRISTATE_BOOL_ABSENT) { + virBufferAsprintf(childBuf, "\n", + virTristateBoolTypeToString(src->sslverify)); + } + return 0; } diff --git a/src/util/virstoragefile.c b/src/util/virstoragefile.c index b88763b267..cfa77fccf8 100644 --- a/src/util/virstoragefile.c +++ b/src/util/virstoragefile.c 
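Review bot: In the virDomainDiskSourceNetworkParse hunk of src/conf/domain_conf.c the `./ssl/@verify` lookup runs only when the protocol is HTTPS or FTPS, so an `<ssl>` element under any other protocol, or one whose attribute is misspelled, is silently dropped rather than reported — the opposite of how the same hunk treats an invalid `verify` value. Dropping it fails safe (the setting stays ABSENT, so whatever the backend does by default still applies), but it hides configuration mistakes, and as far as I can tell the RNG change in this patch only catches them when schema validation is explicitly requested. I would reject the element for unsupported protocols before the existing lookup, along the lines below. The function's opening and its earlier parsing steps are outside the hunk; the formatter hunk later in the same file emits the element whenever sslverify is not ABSENT, which is consistent as long as this parser remains the only place that sets it.
```c
    /* the <ssl> element only makes sense for TLS-capable protocols */
    if (src->protocol != VIR_STORAGE_NET_PROTOCOL_HTTPS &&
        src->protocol != VIR_STORAGE_NET_PROTOCOL_FTPS &&
        virXPathNode("./ssl", ctxt)) {
        virReportError(VIR_ERR_XML_ERROR, "%s",
                       _("the 'ssl' element is only supported for 'https' and 'ftps' protocols"));
        return -1;
    }

    /* … unchanged: existing ./ssl/@verify lookup for https/ftps … */
```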
@@ -2270,6 +2270,7 @@ virStorageSourceCopy(const virStorageSource *src, def->cachemode = src->cachemode; def->discard = src->discard; def->detect_zeroes = src->detect_zeroes; + def->sslverify = src->sslverify; /* storage driver metadata are not copied */ def->drv = NULL; diff --git a/src/util/virstoragefile.h b/src/util/virstoragefile.h index 5b995d54ab..fab4248c3d 100644 --- a/src/util/virstoragefile.h +++ b/src/util/virstoragefile.h @@ -282,6 +282,7 @@ struct _virStorageSource { virStorageEncryptionPtr encryption; bool encryptionInherited; virStoragePRDefPtr pr; + virTristateBool sslverify; virStorageSourceNVMeDefPtr nvme; /* type == VIR_STORAGE_TYPE_NVME */ diff --git a/tests/genericxml2xmlindata/disk-network-http.xml b/tests/genericxml2xmlindata/disk-network-http.xml index fde1222fd0..bdcc1977f2 100644 --- a/tests/genericxml2xmlindata/disk-network-http.xml +++ b/tests/genericxml2xmlindata/disk-network-http.xml @@ -25,6 +25,7 @@ + @@ -35,6 +36,14 @@ + + + + + + + + -- 2.25.1
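Review bot: The new `sslverify` member of struct _virStorageSource in src/util/virstoragefile.h carries no comment, although the neighbouring `nvme` member annotates when it is meaningful and this field is a security-relevant toggle (`no` turns certificate validation off). A one-line comment would tell readers which sources it applies to and what ABSENT means, for instance `virTristateBool sslverify; /* <ssl verify=.../> of https/ftps sources; ABSENT when not given in the XML */`. The virStorageSourceCopy hunk in src/util/virstoragefile.c copies the field alongside the other per-source settings, so the copy path stays consistent with the new member.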