yeahuh / rpms / qemu-kvm

Forked from rpms/qemu-kvm 2 years ago
Clone

Blame SOURCES/kvm-curl-Make-sslverify-off-disable-host-as-well-as-peer.patch

ae23c9
From b914607db0576e1e0a4f49c58b12058f713b5b75 Mon Sep 17 00:00:00 2001
ae23c9
From: Jeffrey Cody <jcody@redhat.com>
ae23c9
Date: Wed, 26 Sep 2018 04:08:14 +0100
ae23c9
Subject: [PATCH 4/4] curl: Make sslverify=off disable host as well as peer
ae23c9
 verification.
ae23c9
ae23c9
RH-Author: Jeffrey Cody <jcody@redhat.com>
ae23c9
Message-id: <543d2f667af465dd809329fcba5175bc974d58d4.1537933576.git.jcody@redhat.com>
ae23c9
Patchwork-id: 82293
ae23c9
O-Subject: [RHEL8/rhel qemu-kvm PATCH 1/1] curl: Make sslverify=off disable host as well as peer verification.
ae23c9
Bugzilla: 1575925
ae23c9
RH-Acked-by: Richard Jones <rjones@redhat.com>
ae23c9
RH-Acked-by: John Snow <jsnow@redhat.com>
ae23c9
RH-Acked-by: Max Reitz <mreitz@redhat.com>
ae23c9
ae23c9
From: "Richard W.M. Jones" <rjones@redhat.com>
ae23c9
ae23c9
The sslverify setting is supposed to turn off all TLS certificate
ae23c9
checks in libcurl.  However because of the way we use it, it only
ae23c9
turns off peer certificate authenticity checks
ae23c9
(CURLOPT_SSL_VERIFYPEER).  This patch makes it also turn off the check
ae23c9
that the server name in the certificate is the same as the server
ae23c9
you're connecting to (CURLOPT_SSL_VERIFYHOST).
ae23c9
ae23c9
We can use Google's server at 8.8.8.8 which happens to have a bad TLS
ae23c9
certificate to demonstrate this:
ae23c9
ae23c9
$ ./qemu-img create -q -f qcow2 -b 'json: { "file.sslverify": "off", "file.driver": "https", "file.url": "https://8.8.8.8/foo" }' /var/tmp/file.qcow2
ae23c9
qemu-img: /var/tmp/file.qcow2: CURL: Error opening file: SSL: no alternative certificate subject name matches target host name '8.8.8.8'
ae23c9
Could not open backing image to determine size.
ae23c9
ae23c9
With this patch applied, qemu-img connects to the server regardless of
ae23c9
the bad certificate:
ae23c9
ae23c9
$ ./qemu-img create -q -f qcow2 -b 'json: { "file.sslverify": "off", "file.driver": "https", "file.url": "https://8.8.8.8/foo" }' /var/tmp/file.qcow2
ae23c9
qemu-img: /var/tmp/file.qcow2: CURL: Error opening file: The requested URL returned error: 404 Not Found
ae23c9
ae23c9
(The 404 error is expected because 8.8.8.8 is not actually serving a
ae23c9
file called "/foo".)
ae23c9
ae23c9
Of course the default (without sslverify=off) remains to always check
ae23c9
the certificate:
ae23c9
ae23c9
$ ./qemu-img create -q -f qcow2 -b 'json: { "file.driver": "https", "file.url": "https://8.8.8.8/foo" }' /var/tmp/file.qcow2
ae23c9
qemu-img: /var/tmp/file.qcow2: CURL: Error opening file: SSL: no alternative certificate subject name matches target host name '8.8.8.8'
ae23c9
Could not open backing image to determine size.
ae23c9
ae23c9
Further information about the two settings is available here:
ae23c9
ae23c9
https://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYPEER.html
ae23c9
https://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYHOST.html
ae23c9
ae23c9
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
ae23c9
Message-id: 20180914095622.19698-1-rjones@redhat.com
ae23c9
Signed-off-by: Jeff Cody <jcody@redhat.com>
ae23c9
(cherry picked from commit 637fa44ab80c6b317adf1d117494325a95daad60)
ae23c9
Signed-off-by: Jeff Cody <jcody@redhat.com>
ae23c9
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
ae23c9
---
ae23c9
 block/curl.c | 2 ++
ae23c9
 1 file changed, 2 insertions(+)
ae23c9
ae23c9
diff --git a/block/curl.c b/block/curl.c
ae23c9
index aa42535..4d28f77 100644
ae23c9
--- a/block/curl.c
ae23c9
+++ b/block/curl.c
ae23c9
@@ -483,6 +483,8 @@ static int curl_init_state(BDRVCURLState *s, CURLState *state)
ae23c9
         curl_easy_setopt(state->curl, CURLOPT_URL, s->url);
ae23c9
         curl_easy_setopt(state->curl, CURLOPT_SSL_VERIFYPEER,
ae23c9
                          (long) s->sslverify);
ae23c9
+        curl_easy_setopt(state->curl, CURLOPT_SSL_VERIFYHOST,
ae23c9
+                         s->sslverify ? 2L : 0L);
ae23c9
         if (s->cookie) {
ae23c9
             curl_easy_setopt(state->curl, CURLOPT_COOKIE, s->cookie);
ae23c9
         }
ae23c9
-- 
ae23c9
1.8.3.1
ae23c9