[libvirt] [PATCH 2/3] conf: Add support for modifying ssl validation for https/ftps disks

Peter Krempa pkrempa at redhat.com
Thu Apr 27 17:04:24 UTC 2017


To allow turning off verification of SSL certificates, add a new element
<ssl> to the disk source XML which will allow configuring the validation
process using the 'verify' attribute.
---
 docs/formatdomain.html.in                          |  9 ++++
 docs/schemas/domaincommon.rng                      | 50 +++++++++++++++++++++-
 src/conf/domain_conf.c                             | 21 ++++++++-
 src/util/virstoragefile.h                          |  1 +
 .../generic-disk-network-http.xml                  |  2 +
 5 files changed, 80 insertions(+), 3 deletions(-)

diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index ab70edff3..351122fe1 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -2256,6 +2256,7 @@
     <driver name='qemu' type='raw'/>
     <source protocol="https" name="url_path">
       <host name="hostname" port="443"/>
+      <ssl verify="no"/>
     </source>
     <target dev='hdf' bus='ide' tray='open'/>
     <readonly/>
@@ -2602,6 +2603,14 @@
             possible to pass one or more cookies. The cookie name and value
             must conform to the HTTP specification.
           </dd>
+          <dt><code>ssl</code></dt>
+          <dd>
+            For <code>https</code> and <code>ftps</code> accessed storage it's
+            possible to tweak the SSL transport parameters with this element.
+            The <code>verify</code> attribute allows to turn on or of SSL
+            certificate validation. Supported values are <code>yes</code> and
+            <code>no</code>. <span class="since">Since 3.3.0</span>
+          </dd>
         </dl>

         <p>
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index b2fa72381..e6bcd6835 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -1574,13 +1574,41 @@
     </element>
   </define>

+  <define name="diskSourceNetworkProtocolSSLVerify">
+    <element name="ssl">
+      <attribute name="verify">
+        <ref name="virYesNo"/>
+      </attribute>
+      <empty/>
+    </element>
+  </define>
+
+  <define name="diskSourceNetworkProtocolHTTPS">
+    <element name="source">
+      <interleave>
+        <attribute name="protocol">
+          <choice>
+            <value>https</value>
+          </choice>
+        </attribute>
+        <attribute name="name"/>
+        <ref name="diskSourceNetworkHost"/>
+        <optional>
+          <ref name="diskSourceNetworkProtocolHTTPCookies"/>
+        </optional>
+        <optional>
+          <ref name="diskSourceNetworkProtocolSSLVerify"/>
+        </optional>
+      </interleave>
+    </element>
+  </define>
+
   <define name="diskSourceNetworkProtocolHTTP">
     <element name="source">
       <interleave>
         <attribute name="protocol">
           <choice>
             <value>http</value>
-            <value>https</value>
           </choice>
         </attribute>
         <attribute name="name"/>
@@ -1592,6 +1620,23 @@
     </element>
   </define>

+  <define name="diskSourceNetworkProtocolFTPS">
+    <element name="source">
+      <interleave>
+        <attribute name="protocol">
+          <choice>
+            <value>ftps</value>
+          </choice>
+        </attribute>
+        <attribute name="name"/>
+        <ref name="diskSourceNetworkHost"/>
+        <optional>
+          <ref name="diskSourceNetworkProtocolSSLVerify"/>
+        </optional>
+      </interleave>
+    </element>
+  </define>
+
   <define name="diskSourceNetworkProtocolSimple">
     <element name="source">
       <attribute name="protocol">
@@ -1599,7 +1644,6 @@
           <value>sheepdog</value>
           <value>iscsi</value>
           <value>ftp</value>
-          <value>ftps</value>
           <value>tftp</value>
         </choice>
       </attribute>
@@ -1646,6 +1690,8 @@
       <ref name="diskSourceNetworkProtocolGluster"/>
       <ref name="diskSourceNetworkProtocolRBD"/>
       <ref name="diskSourceNetworkProtocolHTTP"/>
+      <ref name="diskSourceNetworkProtocolHTTPS"/>
+      <ref name="diskSourceNetworkProtocolFTPS"/>
       <ref name="diskSourceNetworkProtocolSimple"/>
     </choice>
   </define>
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index a951282db..e750c0f07 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -7671,6 +7671,20 @@ virDomainDiskSourceParse(xmlNodePtr node,
             if (virDomainStorageCookiesParse(tmpnode, ctxt, src) < 0)
                 goto cleanup;
         }
+
+        if ((src->protocol == VIR_STORAGE_NET_PROTOCOL_HTTPS ||
+             src->protocol == VIR_STORAGE_NET_PROTOCOL_FTPS) &&
+            (tmp = virXPathString("string(./ssl/@verify)", ctxt))) {
+            int verify;
+            if ((verify = virTristateBoolTypeFromString(tmp)) < 0) {
+                virReportError(VIR_ERR_XML_ERROR,
+                               _("invalid ssl verify mode '%s'"), tmp);
+                goto cleanup;
+            }
+            VIR_FREE(tmp);
+
+            src->sslverify = verify;
+        }
         break;
     case VIR_STORAGE_TYPE_VOLUME:
         if (virDomainDiskSourcePoolDefParse(node, &src->srcpool) < 0)
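Review bot: On the `goto cleanup` taken after the failed virTristateBoolTypeFromString() call, `tmp` still holds the string returned by virXPathString(); that is only leak-free if the function's cleanup label frees `tmp`, which lies outside this hunk (virDomainDiskSourceParse both starts and ends outside it), so it is worth confirming. The new `sslverify` field is also read and written only here, so any helper that duplicates a virStorageSource (virStorageSourceCopy is not part of this patch) presumably needs to carry it across, or a copied source would silently revert to the default validation state. A short comment above the new block would make the protocol gate self-explanatory, e.g. `/* <ssl verify='no'/> turns off certificate validation; only meaningful for https/ftps */`.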
@@ -20892,7 +20906,8 @@ virDomainDiskSourceFormatNetwork(virBufferPtr buf,

     VIR_FREE(path);

-    if (src->nhosts == 0 && !src->snapshot && !src->configFile && src->ncookies == 0) {
+    if (src->nhosts == 0 && !src->snapshot && !src->configFile &&
+        src->ncookies == 0 && src->sslverify == VIR_TRISTATE_BOOL_ABSENT) {
         virBufferAddLit(buf, "/>\n");
     } else {
         virBufferAddLit(buf, ">\n");
@@ -20917,6 +20932,10 @@ virDomainDiskSourceFormatNetwork(virBufferPtr buf,
         if (virDomainDiskSourceFormatNetworkCookies(buf, src) < 0)
             return -1;

+        if (src->sslverify != VIR_TRISTATE_BOOL_ABSENT)
+            virBufferAsprintf(buf, "<ssl verify='%s'/>\n",
+                              virTristateBoolTypeToString(src->sslverify));
+
         virBufferAdjustIndent(buf, -2);
         virBufferAddLit(buf, "</source>\n");
     }
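Review bot: The formatter emits `<ssl verify='...'/>` whenever `sslverify` is not ABSENT, regardless of `src->protocol`, while the schema only permits the element under https and ftps sources. This stays consistent only as long as the parser remains the sole writer of the field; if another code path (a backing-store probe or a copy helper) ever sets it for a different protocol, the formatted XML would fail schema validation. A comment at the new lines, `/* only ever set for https/ftps by the parser; matches the schema */`, would record that assumption for the next maintainer.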
diff --git a/src/util/virstoragefile.h b/src/util/virstoragefile.h
index 42d9eac61..4f7509cff 100644
--- a/src/util/virstoragefile.h
+++ b/src/util/virstoragefile.h
@@ -250,6 +250,7 @@ struct _virStorageSource {
     virStorageSourcePoolDefPtr srcpool;
     virStorageAuthDefPtr auth;
     virStorageEncryptionPtr encryption;
+    virTristateBool sslverify;

     char *driverName;
     int format; /* virStorageFileFormat in domain backing chains, but
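Review bot: The new `sslverify` member is the only field in this run without a comment, whereas the neighbouring `format` field documents its meaning inline. Since VIR_TRISTATE_BOOL_ABSENT (the zero value) is what the formatter treats as "not configured", that default is worth stating at the declaration: `virTristateBool sslverify; /* certificate validation for https/ftps; ABSENT = not configured */`.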
diff --git a/tests/genericxml2xmlindata/generic-disk-network-http.xml b/tests/genericxml2xmlindata/generic-disk-network-http.xml
index c5da23604..0821b63df 100644
--- a/tests/genericxml2xmlindata/generic-disk-network-http.xml
+++ b/tests/genericxml2xmlindata/generic-disk-network-http.xml
@@ -25,6 +25,7 @@
       <driver name='qemu' type='raw'/>
       <source protocol='https' name='test2.img'>
         <host name='example.org'/>
+        <ssl verify='no'/>
       </source>
       <target dev='vdb' bus='virtio'/>
     </disk>
@@ -47,6 +48,7 @@
           <cookie name='test'>testcookievalue</cookie>
           <cookie name='test2'>blurb</cookie>
         </cookies>
+        <ssl verify='yes'/>
       </source>
       <target dev='vdd' bus='virtio'/>
     </disk>
-- 
2.12.2



