From a2541de206b3560fdfadf5dfada2cac1b69c09a1 Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Tue, 25 Jun 2024 11:12:56 +0100 Subject: [PATCH] lib/uri.c: Allow tls-verify-peer to be overridden in URIs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Older versions of libnbd didn't always check the server certificate. Since some clients might be depending on this, allow ?tls-verify-peer=false in URIs to skip this check. Reviewed-by: Daniel P. Berrangé (cherry picked from commit 75641c6b30155abce272f60cf3518a65654aa401) (cherry picked from commit b12466821fc534fb68d5b8e695832ee03496e0af) --- generator/API.ml | 5 +++++ lib/uri.c | 32 ++++++++++++++++++++++++++++++++ 2 files changed, 37 insertions(+) diff --git a/generator/API.ml b/generator/API.ml index c4547615..f2752f25 100644 --- a/generator/API.ml +++ b/generator/API.ml @@ -1994,6 +1994,11 @@ Note this is not allowed by default - see next section. Set the PSK file. See L. Note this is not allowed by default - see next section. +=item B + +Do not verify the server certificate. See L. +The default is C. + =back =head2 Disable URI features diff --git a/lib/uri.c b/lib/uri.c index 0c8e87cf..969e88be 100644 --- a/lib/uri.c +++ b/lib/uri.c @@ -150,6 +150,31 @@ parse_uri_queries (const char *query_raw, uri_query_list *list) return -1; } +/* Similar to nbdkit_parse_bool */ +int +parse_bool (const char *param, const char *value) +{ + if (!strcmp (value, "1") || + !strcasecmp (value, "true") || + !strcasecmp (value, "t") || + !strcasecmp (value, "yes") || + !strcasecmp (value, "y") || + !strcasecmp (value, "on")) + return 1; + + if (!strcmp (value, "0") || + !strcasecmp (value, "false") || + !strcasecmp (value, "f") || + !strcasecmp (value, "no") || + !strcasecmp (value, "n") || + !strcasecmp (value, "off")) + return 0; + + set_error (EINVAL, "could not parse %s parameter, expecting %s=true|false", + param, param); + return -1; +} + int nbd_unlocked_aio_connect_uri (struct nbd_handle *h, const char *raw_uri) { @@ -298,6 +323,13 @@ nbd_unlocked_aio_connect_uri (struct nbd_handle *h, const char *raw_uri) if (nbd_unlocked_set_tls_psk_file (h, queries.ptr[i].value) == -1) goto cleanup; } + else if (strcasecmp (queries.ptr[i].name, "tls-verify-peer") == 0) { + int v = parse_bool ("tls-verify-peer", queries.ptr[i].value); + if (v == -1) + goto cleanup; + if (nbd_unlocked_set_tls_verify_peer (h, v) == -1) + goto cleanup; + } } /* Username. */ -- 2.43.0