conf: Add support for modifying ssl validation for https/ftps disks
authorPeter Krempa <pkrempa@redhat.com>
Fri, 28 Apr 2017 10:24:46 +0000 (12:24 +0200)
committerPeter Krempa <pkrempa@redhat.com>
Mon, 16 Mar 2020 14:51:44 +0000 (15:51 +0100)
To allow turning off verification of SSL certificates, add a new element
<ssl> to the disk source XML which will allow configuring the validation
process using the 'verify' attribute.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
docs/formatdomain.html.in
docs/schemas/domaincommon.rng
src/conf/domain_conf.c
src/util/virstoragefile.c
src/util/virstoragefile.h
tests/genericxml2xmlindata/disk-network-http.xml

index 7e7771725c40a8e37900fe53a40856ca31598ce3..bc34aef6054ae587ee1d27ac53257ad9b0487acc 100644 (file)
     &lt;driver name='qemu' type='raw'/&gt;
     &lt;source protocol="https" name="url_path"&gt;
       &lt;host name="hostname" port="443"/&gt;
+      &lt;ssl verify="no"/&gt;
     &lt;/source&gt;
     &lt;target dev='hdf' bus='ide' tray='open'/&gt;
     &lt;readonly/&gt;
             The <code>offset</code> and <code>size</code> values are in bytes.
             <span class="since">Since 6.1.0</span>
           </dd>
+          <dt><code>ssl</code></dt>
+          <dd>
+            For <code>https</code> and <code>ftps</code> accessed storage it's
+            possible to tweak the SSL transport parameters with this element.
+            The <code>verify</code> attribute allows to turn on or off SSL
+            certificate validation. Supported values are <code>yes</code> and
+            <code>no</code>. <span class="since">Since 6.2.0</span>
+          </dd>
         </dl>
 
         <p>
index 529a98fc05b1a59c7e3255aba1ca01f1410adbdc..d179a25ee6fe1d4875588ffae45a10410ac07efe 100644 (file)
     </element>
   </define>
 
+  <define name="diskSourceNetworkProtocolSSLVerify">
+    <element name="ssl">
+      <attribute name="verify">
+        <ref name="virYesNo"/>
+      </attribute>
+      <empty/>
+    </element>
+  </define>
+
+  <define name="diskSourceNetworkProtocolHTTPS">
+    <element name="source">
+      <attribute name="protocol">
+        <choice>
+          <value>https</value>
+        </choice>
+      </attribute>
+      <attribute name="name"/>
+      <ref name="diskSourceCommon"/>
+      <ref name="diskSourceNetworkHost"/>
+      <optional>
+        <ref name="encryption"/>
+      </optional>
+      <optional>
+        <ref name="diskSourceNetworkProtocolSSLVerify"/>
+      </optional>
+    </element>
+  </define>
+
   <define name="diskSourceNetworkProtocolHTTP">
     <element name="source">
       <attribute name="protocol">
         <choice>
           <value>http</value>
-          <value>https</value>
         </choice>
       </attribute>
       <attribute name="name"/>
     </element>
   </define>
 
+  <define name="diskSourceNetworkProtocolFTPS">
+    <element name="source">
+      <attribute name="protocol">
+        <choice>
+          <value>ftps</value>
+        </choice>
+      </attribute>
+      <attribute name="name"/>
+      <ref name="diskSourceCommon"/>
+      <ref name="diskSourceNetworkHost"/>
+      <optional>
+        <ref name="encryption"/>
+      </optional>
+      <optional>
+        <ref name="diskSourceNetworkProtocolSSLVerify"/>
+      </optional>
+    </element>
+  </define>
+
   <define name="diskSourceNetworkProtocolSimple">
     <element name="source">
       <attribute name="protocol">
         <choice>
           <value>sheepdog</value>
           <value>ftp</value>
-          <value>ftps</value>
           <value>tftp</value>
         </choice>
       </attribute>
       <ref name="diskSourceNetworkProtocolRBD"/>
       <ref name="diskSourceNetworkProtocolISCSI"/>
       <ref name="diskSourceNetworkProtocolHTTP"/>
+      <ref name="diskSourceNetworkProtocolHTTPS"/>
+      <ref name="diskSourceNetworkProtocolFTPS"/>
       <ref name="diskSourceNetworkProtocolSimple"/>
       <ref name="diskSourceNetworkProtocolVxHS"/>
     </choice>
index f8a8d133baa3655c095e6cfe248e83da4aea83cd..50646fc440f68d5c963abf6e4b9d83d245914904 100644 (file)
@@ -9350,6 +9350,7 @@ virDomainDiskSourceNetworkParse(xmlNodePtr node,
     g_autofree char *protocol = NULL;
     g_autofree char *haveTLS = NULL;
     g_autofree char *tlsCfg = NULL;
+    g_autofree char *sslverifystr = NULL;
 
     if (!(protocol = virXMLPropString(node, "protocol"))) {
         virReportError(VIR_ERR_XML_ERROR, "%s",
@@ -9422,6 +9423,19 @@ virDomainDiskSourceNetworkParse(xmlNodePtr node,
 
     virStorageSourceInitiatorParseXML(ctxt, &src->initiator);
 
+    if ((src->protocol == VIR_STORAGE_NET_PROTOCOL_HTTPS ||
+         src->protocol == VIR_STORAGE_NET_PROTOCOL_FTPS) &&
+        (sslverifystr = virXPathString("string(./ssl/@verify)", ctxt))) {
+        int verify;
+        if ((verify = virTristateBoolTypeFromString(sslverifystr)) < 0) {
+            virReportError(VIR_ERR_XML_ERROR,
+                           _("invalid ssl verify mode '%s'"), sslverifystr);
+            return -1;
+        }
+
+        src->sslverify = verify;
+    }
+
     return 0;
 }
 
@@ -24531,6 +24545,11 @@ virDomainDiskSourceFormatNetwork(virBufferPtr attrBuf,
 
     virStorageSourceInitiatorFormatXML(&src->initiator, childBuf);
 
+    if (src->sslverify != VIR_TRISTATE_BOOL_ABSENT) {
+        virBufferAsprintf(childBuf, "<ssl verify='%s'/>\n",
+                          virTristateBoolTypeToString(src->sslverify));
+    }
+
     return 0;
 }
 
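Review bot: In the virDomainDiskSourceNetworkParse hunk (the block starting `if ((src->protocol == VIR_STORAGE_NET_PROTOCOL_HTTPS ||`), an `<ssl>` element is silently dropped whenever the protocol is not https/ftps, and an `<ssl>` element whose `verify` attribute is missing or empty appears to be ignored as well, since the XPath string result is NULL in that case; the parsed definition then no longer round-trips what the user wrote. Because this attribute controls whether certificate validation can be switched off, I would make the parser strict: look up the `./ssl` node first and report VIR_ERR_XML_ERROR when it is present for an unsupported protocol or lacks `verify`, rather than relying on the RNG schema alone. The enclosing function starts outside the hunk; the formatter hunk below needs no change since it only emits the element when `sslverify` is not ABSENT.
```c
    xmlNodePtr sslnode = virXPathNode("./ssl", ctxt);

    if (sslnode) {
        if (src->protocol != VIR_STORAGE_NET_PROTOCOL_HTTPS &&
            src->protocol != VIR_STORAGE_NET_PROTOCOL_FTPS) {
            virReportError(VIR_ERR_XML_ERROR, "%s",
                           _("<ssl> element is only supported for https and ftps disks"));
            return -1;
        }

        if (!(sslverifystr = virXMLPropString(sslnode, "verify"))) {
            virReportError(VIR_ERR_XML_ERROR, "%s",
                           _("missing 'verify' attribute of <ssl> element"));
            return -1;
        }

        /* … unchanged: virTristateBoolTypeFromString check and src->sslverify assignment … */
    }
```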
index b133cf17f1a788714675ec9ba3e75723ecd7f5e9..ca91fc65ba6cbbf786190c4c5d8fe9abe278ed54 100644 (file)
@@ -2270,6 +2270,7 @@ virStorageSourceCopy(const virStorageSource *src,
     def->cachemode = src->cachemode;
     def->discard = src->discard;
     def->detect_zeroes = src->detect_zeroes;
+    def->sslverify = src->sslverify;
 
     /* storage driver metadata are not copied */
     def->drv = NULL;
index 9af7b4f226c97eee0b01d3784e9e0ece0fb2b231..49718b51d82f52aadf11248f7ed4cf9fb76046b3 100644 (file)
@@ -281,6 +281,7 @@ struct _virStorageSource {
     virStorageEncryptionPtr encryption;
     bool encryptionInherited;
     virStoragePRDefPtr pr;
+    virTristateBool sslverify;
 
     virStorageSourceNVMeDefPtr nvme; /* type == VIR_STORAGE_TYPE_NVME */
 
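Review bot: The new `virTristateBool sslverify;` field in struct _virStorageSource carries no comment, unlike the neighbouring `nvme` member which documents when it is meaningful. Since the parser in domain_conf.c only fills it for https and ftps sources and the formatter only emits it when it is not ABSENT, I would record that on the field: `virTristateBool sslverify; /* <ssl verify=''/>; only parsed for HTTPS/FTPS, ABSENT when not given */`. The struct definition begins and ends outside this hunk.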
index fde1222fd09849bebd6a288f790ecf122029dae6..bdcc1977f20f259612e62f4d93172303409c72c1 100644 (file)
@@ -25,6 +25,7 @@
       <driver name='qemu' type='raw'/>
       <source protocol='https' name='test2.img'>
         <host name='example.org' port='443'/>
+        <ssl verify='no'/>
       </source>
       <target dev='vdb' bus='virtio'/>
     </disk>
       </source>
       <target dev='vdc' bus='virtio'/>
     </disk>
+    <disk type='network' device='disk'>
+      <driver name='qemu' type='raw'/>
+      <source protocol='https' name='test4.img'>
+        <host name='example.org' port='1234'/>
+        <ssl verify='yes'/>
+      </source>
+      <target dev='vdd' bus='virtio'/>
+    </disk>
     <controller type='usb' index='0'/>
     <controller type='pci' index='0' model='pci-root'/>
     <input type='mouse' bus='ps2'/>