libnbd/SOURCES/0005-lib-crypto.c-Check-ser...

From d8ec4c8ecc5244ed192f58bc3a976c4b2f9cc6d7 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Mon, 24 Jun 2024 10:48:12 +0100
Subject: [PATCH] lib/crypto.c: Check server certificate even when using system
 CA
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The previous code checked the server certificate only when a custom
certificate directory was set (ie.  nbd_set_tls_certificates /
?tls-certificates=DIR).  In the fallback case where we use the system
CA, we never called gnutls_session_set_verify_cert and so the server
certificate was never checked.

Move the call to gnutls_session_set_verify_cert later so it is called
on both paths.

If the server certificate does not match the hostname you will see:

nbdinfo: nbd_connect_uri: gnutls_handshake: Error in the certificate verification. (15/1)

Reported-by: Jon Szymaniak <jon.szymaniak@gmail.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 87ef41b69929d5d293390ec36b1c10aba2c9a57a)
(cherry picked from commit 7a6739aeca8250515a449bacd23d09bf40587dec)
---
 lib/crypto.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/crypto.c b/lib/crypto.c
index d131f1d0..c542ce6b 100644
--- a/lib/crypto.c
+++ b/lib/crypto.c
@@ -530,9 +530,6 @@ set_up_certificate_credentials (struct nbd_handle *h,
   return NULL;
 
  found_certificates:
-  if (h->hostname && h->tls_verify_peer)
-    gnutls_session_set_verify_cert (session, h->hostname, 0);
-
   err = gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, ret);
   if (err < 0) {
     set_error (0, "gnutls_credentials_set: %s", gnutls_strerror (err));
@@ -647,6 +644,9 @@ nbd_internal_crypto_create_session (struct nbd_handle *h,
       gnutls_deinit (session);
       return NULL;
     }
+
+    if (h->hostname && h->tls_verify_peer)
+      gnutls_session_set_verify_cert (session, h->hostname, 0);
   }
 
   /* Wrap the underlying socket with GnuTLS. */
-- 
2.43.0
import libnbd-1.18.1-4.el9_4 1 day ago			`From d8ec4c8ecc5244ed192f58bc3a976c4b2f9cc6d7 Mon Sep 17 00:00:00 2001`
			`From: "Richard W.M. Jones" <rjones@redhat.com>`
			`Date: Mon, 24 Jun 2024 10:48:12 +0100`
			`Subject: [PATCH] lib/crypto.c: Check server certificate even when using system`
			`CA`
			`MIME-Version: 1.0`
			`Content-Type: text/plain; charset=UTF-8`
			`Content-Transfer-Encoding: 8bit`

			`The previous code checked the server certificate only when a custom`
			`certificate directory was set (ie. nbd_set_tls_certificates /`
			`?tls-certificates=DIR). In the fallback case where we use the system`
			`CA, we never called gnutls_session_set_verify_cert and so the server`
			`certificate was never checked.`

			`Move the call to gnutls_session_set_verify_cert later so it is called`
			`on both paths.`

			`If the server certificate does not match the hostname you will see:`

			`nbdinfo: nbd_connect_uri: gnutls_handshake: Error in the certificate verification. (15/1)`

			`Reported-by: Jon Szymaniak <jon.szymaniak@gmail.com>`
			`Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>`
			`(cherry picked from commit 87ef41b69929d5d293390ec36b1c10aba2c9a57a)`
			`(cherry picked from commit 7a6739aeca8250515a449bacd23d09bf40587dec)`
			`---`
			`lib/crypto.c \| 6 +++---`
			`1 file changed, 3 insertions(+), 3 deletions(-)`

			`diff --git a/lib/crypto.c b/lib/crypto.c`
			`index d131f1d0..c542ce6b 100644`
			`--- a/lib/crypto.c`
			`+++ b/lib/crypto.c`
			`@@ -530,9 +530,6 @@ set_up_certificate_credentials (struct nbd_handle *h,`
			`return NULL;`

			`found_certificates:`
			`- if (h->hostname && h->tls_verify_peer)`
			`- gnutls_session_set_verify_cert (session, h->hostname, 0);`
			`-`
			`err = gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, ret);`
			`if (err < 0) {`
			`set_error (0, "gnutls_credentials_set: %s", gnutls_strerror (err));`
			`@@ -647,6 +644,9 @@ nbd_internal_crypto_create_session (struct nbd_handle *h,`
			`gnutls_deinit (session);`
			`return NULL;`
			`}`
			`+`
			`+ if (h->hostname && h->tls_verify_peer)`
			`+ gnutls_session_set_verify_cert (session, h->hostname, 0);`
			`}`

			`/* Wrap the underlying socket with GnuTLS. */`
			`--`
			`2.43.0`