libnbd/SOURCES/0006-lib-crypto.c-Allow-CA-...

From af09b72a486fd870ab72170a0cba4b1d6d37894f Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Mon, 24 Jun 2024 10:31:10 +0100
Subject: [PATCH] lib/crypto.c: Allow CA verification even if h->hostname is
 not set
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Calling gnutls_session_set_verify_cert with the hostname parameter set
to NULL is permitted:
https://www.gnutls.org/manual/html_node/Core-TLS-API.html#gnutls_005fsession_005fset_005fverify_005fcert

It means that the server's hostname in the certificate will not be
verified but we can at least check that the certificate was signed by
the CA.  This allows the CA to be checked even for connections over
Unix domain sockets.

Example:

  $ rm -f /tmp/sock
  $ nbdkit -U /tmp/sock -f --tls=require --tls-certificates=$HOME/d/nbdkit/tests/pki memory 1G &

Before this change:

  $ nbdinfo 'nbds+unix://?socket=/tmp/sock'
  protocol: newstyle-fixed with TLS, using structured packets
  export="":
	export-size: 1073741824 (1G)
	content: data
	uri: nbds+unix:///?socket=/tmp/sock
  [etc]

(works because it never called gnutls_session_set_verify_cert).

After this change:

  $ nbdinfo 'nbds+unix://?socket=/tmp/sock'
  nbdinfo: nbd_connect_uri: gnutls_handshake: Error in the certificate verification. (15/1)

(fails because system CA does not know about nbdkit's certificate
which is signed by the CA from the nbdkit/tests/pki directory)

  $ nbdinfo 'nbds+unix://?socket=/tmp/sock&tls-certificates=/home/rjones/d/nbdkit/tests/pki'
  protocol: newstyle-fixed with TLS, using structured packets
  export="":
	export-size: 1073741824 (1G)
	content: data
	uri: nbds+unix:///?socket=/tmp/sock&tls-certificates=/home/rjones/d/nbdkit/tests/pki
  [etc]

(works because we supplied the correct CA)

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 6ed47a27d14f6f11946bb096d94e5bf21d97083d)
(cherry picked from commit 3a427e6d7a83f89299ab6fdaeeffbd9074610ecc)
---
 lib/crypto.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/crypto.c b/lib/crypto.c
index c542ce6b..437e24ec 100644
--- a/lib/crypto.c
+++ b/lib/crypto.c
@@ -645,7 +645,7 @@ nbd_internal_crypto_create_session (struct nbd_handle *h,
       return NULL;
     }
 
-    if (h->hostname && h->tls_verify_peer)
+    if (h->tls_verify_peer)
       gnutls_session_set_verify_cert (session, h->hostname, 0);
   }
 
-- 
2.43.0
import libnbd-1.18.1-4.el9_4 2 months ago			`From af09b72a486fd870ab72170a0cba4b1d6d37894f Mon Sep 17 00:00:00 2001`
			`From: "Richard W.M. Jones" <rjones@redhat.com>`
			`Date: Mon, 24 Jun 2024 10:31:10 +0100`
			`Subject: [PATCH] lib/crypto.c: Allow CA verification even if h->hostname is`
			`not set`
			`MIME-Version: 1.0`
			`Content-Type: text/plain; charset=UTF-8`
			`Content-Transfer-Encoding: 8bit`

			`Calling gnutls_session_set_verify_cert with the hostname parameter set`
			`to NULL is permitted:`
			`https://www.gnutls.org/manual/html_node/Core-TLS-API.html#gnutls_005fsession_005fset_005fverify_005fcert`

			`It means that the server's hostname in the certificate will not be`
			`verified but we can at least check that the certificate was signed by`
			`the CA. This allows the CA to be checked even for connections over`
			`Unix domain sockets.`

			`Example:`

			`$ rm -f /tmp/sock`
			`$ nbdkit -U /tmp/sock -f --tls=require --tls-certificates=$HOME/d/nbdkit/tests/pki memory 1G &`

			`Before this change:`

			`$ nbdinfo 'nbds+unix://?socket=/tmp/sock'`
			`protocol: newstyle-fixed with TLS, using structured packets`
			`export="":`
			`export-size: 1073741824 (1G)`
			`content: data`
			`uri: nbds+unix:///?socket=/tmp/sock`
			`[etc]`

			`(works because it never called gnutls_session_set_verify_cert).`

			`After this change:`

			`$ nbdinfo 'nbds+unix://?socket=/tmp/sock'`
			`nbdinfo: nbd_connect_uri: gnutls_handshake: Error in the certificate verification. (15/1)`

			`(fails because system CA does not know about nbdkit's certificate`
			`which is signed by the CA from the nbdkit/tests/pki directory)`

			`$ nbdinfo 'nbds+unix://?socket=/tmp/sock&tls-certificates=/home/rjones/d/nbdkit/tests/pki'`
			`protocol: newstyle-fixed with TLS, using structured packets`
			`export="":`
			`export-size: 1073741824 (1G)`
			`content: data`
			`uri: nbds+unix:///?socket=/tmp/sock&tls-certificates=/home/rjones/d/nbdkit/tests/pki`
			`[etc]`

			`(works because we supplied the correct CA)`

			`Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>`
			`(cherry picked from commit 6ed47a27d14f6f11946bb096d94e5bf21d97083d)`
			`(cherry picked from commit 3a427e6d7a83f89299ab6fdaeeffbd9074610ecc)`
			`---`
			`lib/crypto.c \| 2 +-`
			`1 file changed, 1 insertion(+), 1 deletion(-)`

			`diff --git a/lib/crypto.c b/lib/crypto.c`
			`index c542ce6b..437e24ec 100644`
			`--- a/lib/crypto.c`
			`+++ b/lib/crypto.c`
			`@@ -645,7 +645,7 @@ nbd_internal_crypto_create_session (struct nbd_handle *h,`
			`return NULL;`
			`}`

			`- if (h->hostname && h->tls_verify_peer)`
			`+ if (h->tls_verify_peer)`
			`gnutls_session_set_verify_cert (session, h->hostname, 0);`
			`}`

			`--`
			`2.43.0`