block/nbd: don't restrict TLS usage to IP sockets
authorDaniel P. Berrangé <berrange@redhat.com>
Fri, 4 Mar 2022 19:36:03 +0000 (19:36 +0000)
committerEric Blake <eblake@redhat.com>
Mon, 7 Mar 2022 21:58:42 +0000 (15:58 -0600)
The TLS usage for NBD was restricted to IP sockets because validating
x509 certificates requires knowledge of the hostname that the client
is connecting to.

TLS does not have to use x509 certificates though, as PSK (pre-shared
keys) provide an alternative credential option. These have no
requirement for a hostname and can thus be trivially used for UNIX
sockets.

Furthermore, with the ability to override the default hostname for
TLS validation in the previous patch, it is now also valid to want
to use x509 certificates with FD passing and UNIX sockets.

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20220304193610.3293146-6-berrange@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
block/nbd.c
blockdev-nbd.c
qemu-nbd.c

index 0a9b6cde5bd32a1d2734e016fd0c5683c2b225e9..34b9429de387ccf3d6647172c4180e48dc6e2133 100644 (file)
@@ -1839,13 +1839,9 @@ static int nbd_process_options(BlockDriverState *bs, QDict *options,
             goto error;
         }
 
-        /* TODO SOCKET_ADDRESS_KIND_FD where fd has AF_INET or AF_INET6 */
-        if (s->saddr->type != SOCKET_ADDRESS_TYPE_INET) {
-            error_setg(errp, "TLS only supported over IP sockets");
-            goto error;
-        }
         s->tlshostname = g_strdup(qemu_opt_get(opts, "tls-hostname"));
-        if (!s->tlshostname) {
+        if (!s->tlshostname &&
+            s->saddr->type == SOCKET_ADDRESS_TYPE_INET) {
             s->tlshostname = g_strdup(s->saddr->u.inet.host);
         }
     }
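Review bot: With a non-IP socket and no `tls-hostname` option, the rewritten condition on L39-L40 now leaves `s->tlshostname` NULL instead of failing, and nothing in the hunk distinguishes PSK credentials (where a NULL name is fine) from x509 ones (where the peer certificate's name will presumably go unchecked, to be confirmed against the TLS session code). The commit message relies on the user supplying the override for x509 over UNIX/FD, but the code does not require it, so a forgotten option silently weakens validation rather than erroring as it did before. At minimum the fallthrough deserves a comment, e.g. `/* No host to validate against on non-IP sockets: x509 users must give tls-hostname */`; if the credentials object exposes whether it is PSK or x509, rejecting a NULL hostname for x509 on non-IP sockets here would be safer. nbd_process_options starts and ends outside this hunk.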
index bdfa7ed3a5a9afb819c87fffc416566247f7a448..9840d25a8298c3b6cdc1bfab0120c65e084cb75a 100644 (file)
@@ -148,12 +148,6 @@ void nbd_server_start(SocketAddress *addr, const char *tls_creds,
         if (!nbd_server->tlscreds) {
             goto error;
         }
-
-        /* TODO SOCKET_ADDRESS_TYPE_FD where fd has AF_INET or AF_INET6 */
-        if (addr->type != SOCKET_ADDRESS_TYPE_INET) {
-            error_setg(errp, "TLS is only supported with IPv4/IPv6");
-            goto error;
-        }
     }
 
     nbd_server->tlsauthz = g_strdup(tls_authz);
index 18d281aba3d1bd8ad9bee66d4ba295063d533952..713e7557a9eb0e1386f4681e88001f26c8e7e09e 100644 (file)
@@ -808,7 +808,9 @@ int main(int argc, char **argv)
 
     socket_activation = check_socket_activation();
     if (socket_activation == 0) {
-        setup_address_and_port(&bindto, &port);
+        if (!sockpath) {
+            setup_address_and_port(&bindto, &port);
+        }
     } else {
         /* Using socket activation - check user didn't use -p etc. */
         const char *err_msg = socket_activation_validate_opts(device, sockpath,
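Review bot: Skipping `setup_address_and_port()` when `sockpath` is set on L64-L66 is a behaviour change that neither the title nor the description explains, and whether leaving `bindto` and `port` at their initial values is safe depends on how they are consumed later in main(), which is outside this hunk. Presumably the intent is that a UNIX socket path should not pick up a default IP bind address that would later be mistaken for a TLS hostname, but a reader of this function cannot tell. A one-line why-comment would settle it, e.g. `/* -k selects a UNIX socket; leave bindto/port unset so no IP address is derived */`, with the wording adjusted to the real reason. main() begins before and continues after this hunk.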
@@ -829,10 +831,6 @@ int main(int argc, char **argv)
     }
 
     if (tlscredsid) {
-        if (sockpath) {
-            error_report("TLS is only supported with IPv4/IPv6");
-            exit(EXIT_FAILURE);
-        }
         if (device) {
             error_report("TLS is not supported with a host device");
             exit(EXIT_FAILURE);
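Review bot: Removing the `sockpath` rejection at L74-L77 leaves `if (device)` as the only TLS-compatibility guard, so `-k` with TLS credentials is now accepted with no indication of what an x509 peer is validated against on a UNIX socket; in server mode that is harmless, but if this build's client mode (`--list`) reaches this path the same silent-NULL-hostname concern as in block/nbd.c applies. If qemu-nbd gained a hostname override in the preceding patch, a comment pointing at it here would save the next reader from re-deriving the rule, e.g. `/* UNIX sockets are fine for PSK; x509 clients need an explicit --tls-hostname */`. The `if (tlscredsid)` block and main() continue beyond this hunk.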