yeahuh / rpms / qemu-kvm

Forked from rpms/qemu-kvm 2 years ago
Clone

Blame SOURCES/kvm-curl-Make-sslverify-off-disable-host-as-well-as-peer.patch

26ba25
From b914607db0576e1e0a4f49c58b12058f713b5b75 Mon Sep 17 00:00:00 2001
26ba25
From: Jeffrey Cody <jcody@redhat.com>
26ba25
Date: Wed, 26 Sep 2018 04:08:14 +0100
26ba25
Subject: [PATCH 4/4] curl: Make sslverify=off disable host as well as peer
26ba25
 verification.
26ba25
26ba25
RH-Author: Jeffrey Cody <jcody@redhat.com>
26ba25
Message-id: <543d2f667af465dd809329fcba5175bc974d58d4.1537933576.git.jcody@redhat.com>
26ba25
Patchwork-id: 82293
26ba25
O-Subject: [RHEL8/rhel qemu-kvm PATCH 1/1] curl: Make sslverify=off disable host as well as peer verification.
26ba25
Bugzilla: 1575925
26ba25
RH-Acked-by: Richard Jones <rjones@redhat.com>
26ba25
RH-Acked-by: John Snow <jsnow@redhat.com>
26ba25
RH-Acked-by: Max Reitz <mreitz@redhat.com>
26ba25
26ba25
From: "Richard W.M. Jones" <rjones@redhat.com>
26ba25
26ba25
The sslverify setting is supposed to turn off all TLS certificate
26ba25
checks in libcurl.  However because of the way we use it, it only
26ba25
turns off peer certificate authenticity checks
26ba25
(CURLOPT_SSL_VERIFYPEER).  This patch makes it also turn off the check
26ba25
that the server name in the certificate is the same as the server
26ba25
you're connecting to (CURLOPT_SSL_VERIFYHOST).
26ba25
26ba25
We can use Google's server at 8.8.8.8 which happens to have a bad TLS
26ba25
certificate to demonstrate this:
26ba25
26ba25
$ ./qemu-img create -q -f qcow2 -b 'json: { "file.sslverify": "off", "file.driver": "https", "file.url": "https://8.8.8.8/foo" }' /var/tmp/file.qcow2
26ba25
qemu-img: /var/tmp/file.qcow2: CURL: Error opening file: SSL: no alternative certificate subject name matches target host name '8.8.8.8'
26ba25
Could not open backing image to determine size.
26ba25
26ba25
With this patch applied, qemu-img connects to the server regardless of
26ba25
the bad certificate:
26ba25
26ba25
$ ./qemu-img create -q -f qcow2 -b 'json: { "file.sslverify": "off", "file.driver": "https", "file.url": "https://8.8.8.8/foo" }' /var/tmp/file.qcow2
26ba25
qemu-img: /var/tmp/file.qcow2: CURL: Error opening file: The requested URL returned error: 404 Not Found
26ba25
26ba25
(The 404 error is expected because 8.8.8.8 is not actually serving a
26ba25
file called "/foo".)
26ba25
26ba25
Of course the default (without sslverify=off) remains to always check
26ba25
the certificate:
26ba25
26ba25
$ ./qemu-img create -q -f qcow2 -b 'json: { "file.driver": "https", "file.url": "https://8.8.8.8/foo" }' /var/tmp/file.qcow2
26ba25
qemu-img: /var/tmp/file.qcow2: CURL: Error opening file: SSL: no alternative certificate subject name matches target host name '8.8.8.8'
26ba25
Could not open backing image to determine size.
26ba25
26ba25
Further information about the two settings is available here:
26ba25
26ba25
https://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYPEER.html
26ba25
https://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYHOST.html
26ba25
26ba25
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
26ba25
Message-id: 20180914095622.19698-1-rjones@redhat.com
26ba25
Signed-off-by: Jeff Cody <jcody@redhat.com>
26ba25
(cherry picked from commit 637fa44ab80c6b317adf1d117494325a95daad60)
26ba25
Signed-off-by: Jeff Cody <jcody@redhat.com>
26ba25
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
26ba25
---
26ba25
 block/curl.c | 2 ++
26ba25
 1 file changed, 2 insertions(+)
26ba25
26ba25
diff --git a/block/curl.c b/block/curl.c
26ba25
index aa42535..4d28f77 100644
26ba25
--- a/block/curl.c
26ba25
+++ b/block/curl.c
26ba25
@@ -483,6 +483,8 @@ static int curl_init_state(BDRVCURLState *s, CURLState *state)
26ba25
         curl_easy_setopt(state->curl, CURLOPT_URL, s->url);
26ba25
         curl_easy_setopt(state->curl, CURLOPT_SSL_VERIFYPEER,
26ba25
                          (long) s->sslverify);
26ba25
+        curl_easy_setopt(state->curl, CURLOPT_SSL_VERIFYHOST,
26ba25
+                         s->sslverify ? 2L : 0L);
26ba25
         if (s->cookie) {
26ba25
             curl_easy_setopt(state->curl, CURLOPT_COOKIE, s->cookie);
26ba25
         }
26ba25
-- 
26ba25
1.8.3.1
26ba25