conf: Add support for modifying ssl validation for https/ftps disks

To allow turning off verification of SSL certificates add a new element
<ssl> to the disk source XML which will allow configuring the validation
process using the 'verify' attribute.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa 2017-04-28 12:24:46 +02:00
parent 43a3d2e02e
commit 25481e25b1
6 changed files with 88 additions and 2 deletions


@ -2857,6 +2857,7 @@
&lt;driver name='qemu' type='raw'/&gt; &lt;driver name='qemu' type='raw'/&gt;
&lt;source protocol="https" name="url_path"&gt; &lt;source protocol="https" name="url_path"&gt;
&lt;host name="hostname" port="443"/&gt; &lt;host name="hostname" port="443"/&gt;
&lt;ssl verify="no"/&gt;
&lt;/source&gt; &lt;/source&gt;
&lt;target dev='hdf' bus='ide' tray='open'/&gt; &lt;target dev='hdf' bus='ide' tray='open'/&gt;
&lt;readonly/&gt; &lt;readonly/&gt;
@ -3383,6 +3384,14 @@
The <code>offset</code> and <code>size</code> values are in bytes. The <code>offset</code> and <code>size</code> values are in bytes.
<span class="since">Since 6.1.0</span> <span class="since">Since 6.1.0</span>
</dd> </dd>
<dt><code>ssl</code></dt>
<dd>
For <code>https</code> and <code>ftps</code> accessed storage it's
possible to tweak the SSL transport parameters with this element.
The <code>verify</code> attribute allows to turn on or off SSL
certificate validation. Supported values are <code>yes</code> and
<code>no</code>. <span class="since">Since 6.2.0</span>
</dd>
</dl> </dl>
<p> <p>


@ -1808,12 +1808,39 @@
</element> </element>
</define> </define>
<define name="diskSourceNetworkProtocolSSLVerify">
<element name="ssl">
<attribute name="verify">
<ref name="virYesNo"/>
</attribute>
<empty/>
</element>
</define>
<define name="diskSourceNetworkProtocolHTTPS">
<element name="source">
<attribute name="protocol">
<choice>
<value>https</value>
</choice>
</attribute>
<attribute name="name"/>
<ref name="diskSourceCommon"/>
<ref name="diskSourceNetworkHost"/>
<optional>
<ref name="encryption"/>
</optional>
<optional>
<ref name="diskSourceNetworkProtocolSSLVerify"/>
</optional>
</element>
</define>
<define name="diskSourceNetworkProtocolHTTP"> <define name="diskSourceNetworkProtocolHTTP">
<element name="source"> <element name="source">
<attribute name="protocol"> <attribute name="protocol">
<choice> <choice>
<value>http</value> <value>http</value>
<value>https</value>
</choice> </choice>
</attribute> </attribute>
<attribute name="name"/> <attribute name="name"/>
@ -1825,13 +1852,31 @@
</element> </element>
</define> </define>
<define name="diskSourceNetworkProtocolFTPS">
<element name="source">
<attribute name="protocol">
<choice>
<value>ftps</value>
</choice>
</attribute>
<attribute name="name"/>
<ref name="diskSourceCommon"/>
<ref name="diskSourceNetworkHost"/>
<optional>
<ref name="encryption"/>
</optional>
<optional>
<ref name="diskSourceNetworkProtocolSSLVerify"/>
</optional>
</element>
</define>
<define name="diskSourceNetworkProtocolSimple"> <define name="diskSourceNetworkProtocolSimple">
<element name="source"> <element name="source">
<attribute name="protocol"> <attribute name="protocol">
<choice> <choice>
<value>sheepdog</value> <value>sheepdog</value>
<value>ftp</value> <value>ftp</value>
<value>ftps</value>
<value>tftp</value> <value>tftp</value>
</choice> </choice>
</attribute> </attribute>
@ -1909,6 +1954,8 @@
<ref name="diskSourceNetworkProtocolRBD"/> <ref name="diskSourceNetworkProtocolRBD"/>
<ref name="diskSourceNetworkProtocolISCSI"/> <ref name="diskSourceNetworkProtocolISCSI"/>
<ref name="diskSourceNetworkProtocolHTTP"/> <ref name="diskSourceNetworkProtocolHTTP"/>
<ref name="diskSourceNetworkProtocolHTTPS"/>
<ref name="diskSourceNetworkProtocolFTPS"/>
<ref name="diskSourceNetworkProtocolSimple"/> <ref name="diskSourceNetworkProtocolSimple"/>
<ref name="diskSourceNetworkProtocolVxHS"/> <ref name="diskSourceNetworkProtocolVxHS"/>
</choice> </choice>
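Review bot: diskSourceNetworkProtocolHTTPS and diskSourceNetworkProtocolFTPS are identical apart from the single protocol value, which doubles the maintenance surface for every future addition to the source body; the commit itself already has to add both the `encryption` and the `ssl` optionals twice. The neighbouring defines already express this with a `<choice>` of values, so one define whose choice holds `<value>https</value>` and `<value>ftps</value>`, referenced once from the diskSourceNetwork choice, would carry the same grammar with half the text. The `https` line at L76 and the `ftps` line at L107 are printed without a side marker; they read as the removals from the older HTTP and Simple defines, which keeps each protocol matched by exactly one alternative — please confirm that is what the commit does.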


@ -9350,6 +9350,7 @@ virDomainDiskSourceNetworkParse(xmlNodePtr node,
g_autofree char *protocol = NULL; g_autofree char *protocol = NULL;
g_autofree char *haveTLS = NULL; g_autofree char *haveTLS = NULL;
g_autofree char *tlsCfg = NULL; g_autofree char *tlsCfg = NULL;
g_autofree char *sslverifystr = NULL;
if (!(protocol = virXMLPropString(node, "protocol"))) { if (!(protocol = virXMLPropString(node, "protocol"))) {
virReportError(VIR_ERR_XML_ERROR, "%s", virReportError(VIR_ERR_XML_ERROR, "%s",
@ -9422,6 +9423,19 @@ virDomainDiskSourceNetworkParse(xmlNodePtr node,
virStorageSourceInitiatorParseXML(ctxt, &src->initiator); virStorageSourceInitiatorParseXML(ctxt, &src->initiator);
if ((src->protocol == VIR_STORAGE_NET_PROTOCOL_HTTPS ||
src->protocol == VIR_STORAGE_NET_PROTOCOL_FTPS) &&
(sslverifystr = virXPathString("string(./ssl/@verify)", ctxt))) {
int verify;
if ((verify = virTristateBoolTypeFromString(sslverifystr)) < 0) {
virReportError(VIR_ERR_XML_ERROR,
_("invalid ssl verify mode '%s'"), sslverifystr);
return -1;
}
src->sslverify = verify;
}
return 0; return 0;
} }
@ -24531,6 +24545,11 @@ virDomainDiskSourceFormatNetwork(virBufferPtr attrBuf,
virStorageSourceInitiatorFormatXML(&src->initiator, childBuf); virStorageSourceInitiatorFormatXML(&src->initiator, childBuf);
if (src->sslverify != VIR_TRISTATE_BOOL_ABSENT) {
virBufferAsprintf(childBuf, "<ssl verify='%s'/>\n",
virTristateBoolTypeToString(src->sslverify));
}
return 0; return 0;
} }
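Review bot: In virDomainDiskSourceNetworkParse the `<ssl>` element is consulted only when the protocol is already HTTPS/FTPS and only through `string(./ssl/@verify)`, so an `<ssl>` element on any other protocol, or an `<ssl/>` that lacks the `verify` attribute, is dropped without an error; the RNG schema in this commit rejects both, but the parser can also run without schema validation, and a transport-security setting that is silently ignored is much harder to diagnose than a parse error. Locating the element first with `virXPathNode("./ssl", ctxt)` and reporting the two cases explicitly lets the parser enforce what the schema documents. Separately, if `virTristateBoolTypeFromString` follows the usual libvirt tristate table it also accepts the spelling `default` (mapping to VIR_TRISTATE_BOOL_ABSENT), which the schema's virYesNo does not; either note that as intended or reject it so that `<ssl verify='default'/>` does not round-trip to output with no `<ssl>` element at all. The function begins and ends outside the hunk.
```c
    /* declare next to sslverifystr: xmlNodePtr sslnode = NULL; */
    if ((sslnode = virXPathNode("./ssl", ctxt))) {
        int verify;

        if (src->protocol != VIR_STORAGE_NET_PROTOCOL_HTTPS &&
            src->protocol != VIR_STORAGE_NET_PROTOCOL_FTPS) {
            virReportError(VIR_ERR_XML_ERROR, "%s",
                           _("<ssl> is only supported for https and ftps disks"));
            return -1;
        }

        if (!(sslverifystr = virXMLPropString(sslnode, "verify"))) {
            virReportError(VIR_ERR_XML_ERROR, "%s",
                           _("missing 'verify' attribute of <ssl> element"));
            return -1;
        }

        if ((verify = virTristateBoolTypeFromString(sslverifystr)) < 0) {
            virReportError(VIR_ERR_XML_ERROR,
                           _("invalid ssl verify mode '%s'"), sslverifystr);
            return -1;
        }

        src->sslverify = verify;
    }
    /* … unchanged: return 0 … */
```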


@ -2270,6 +2270,7 @@ virStorageSourceCopy(const virStorageSource *src,
def->cachemode = src->cachemode; def->cachemode = src->cachemode;
def->discard = src->discard; def->discard = src->discard;
def->detect_zeroes = src->detect_zeroes; def->detect_zeroes = src->detect_zeroes;
def->sslverify = src->sslverify;
/* storage driver metadata are not copied */ /* storage driver metadata are not copied */
def->drv = NULL; def->drv = NULL;


@ -281,6 +281,7 @@ struct _virStorageSource {
virStorageEncryptionPtr encryption; virStorageEncryptionPtr encryption;
bool encryptionInherited; bool encryptionInherited;
virStoragePRDefPtr pr; virStoragePRDefPtr pr;
virTristateBool sslverify;
virStorageSourceNVMeDefPtr nvme; /* type == VIR_STORAGE_TYPE_NVME */ virStorageSourceNVMeDefPtr nvme; /* type == VIR_STORAGE_TYPE_NVME */
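Review bot: The new `sslverify` member at L170 carries no comment saying which source types it applies to or what the tristate's ABSENT value means, while the neighbouring `nvme` member does document its applicability. Since the formatter omits the element on ABSENT and the parser only fills the field for https/ftps, suggest `virTristateBool sslverify; /* <ssl verify='..'/> for https/ftps sources; ABSENT = not configured */`. struct _virStorageSource begins and ends outside the hunk.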


@ -25,6 +25,7 @@
<driver name='qemu' type='raw'/> <driver name='qemu' type='raw'/>
<source protocol='https' name='test2.img'> <source protocol='https' name='test2.img'>
<host name='example.org' port='443'/> <host name='example.org' port='443'/>
<ssl verify='no'/>
</source> </source>
<target dev='vdb' bus='virtio'/> <target dev='vdb' bus='virtio'/>
</disk> </disk>
@ -35,6 +36,14 @@
</source> </source>
<target dev='vdc' bus='virtio'/> <target dev='vdc' bus='virtio'/>
</disk> </disk>
<disk type='network' device='disk'>
<driver name='qemu' type='raw'/>
<source protocol='https' name='test4.img'>
<host name='example.org' port='1234'/>
<ssl verify='yes'/>
</source>
<target dev='vdd' bus='virtio'/>
</disk>
<controller type='usb' index='0'/> <controller type='usb' index='0'/>
<controller type='pci' index='0' model='pci-root'/> <controller type='pci' index='0' model='pci-root'/>
<input type='mouse' bus='ps2'/> <input type='mouse' bus='ps2'/>
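Review bot: Both new `<ssl>` uses in this fixture sit on `https` sources (verify='no' at L179, verify='yes' at L191), so the `ftps` branch that the parser and schema gain in this commit is not exercised unless a fixture not shown here covers it. A third disk with `<source protocol='ftps' name='...'>` and `<ssl verify='no'/>` would close that gap with no other change.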