From nobody Wed Oct 22 06:30:25 2025
Delivered-To: importer@patchew.org
Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as
 permitted sender) client-ip=208.118.235.17;
 envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org;
 helo=lists.gnu.org;
Authentication-Results: mx.zohomail.com;
	spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted
 sender)  smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org;
	dmarc=fail(p=none dis=none)  header.from=redhat.com
Return-Path: <qemu-devel-bounces+importer=patchew.org@nongnu.org>
Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by
 mx.zohomail.com
	with SMTPS id 1519913000466437.3263165047873;
 Thu, 1 Mar 2018 06:03:20 -0800 (PST)
Received: from localhost ([::1]:56987 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <qemu-devel-bounces+importer=patchew.org@nongnu.org>)
	id 1erOnn-0006Ks-LD
	for importer@patchew.org; Thu, 01 Mar 2018 09:03:19 -0500
Received: from eggs.gnu.org ([2001:4830:134:3::10]:51785)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <rjones@redhat.com>) id 1erOjo-0003Oa-J7
	for qemu-devel@nongnu.org; Thu, 01 Mar 2018 08:59:13 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <rjones@redhat.com>) id 1erOjn-00046R-LF
	for qemu-devel@nongnu.org; Thu, 01 Mar 2018 08:59:12 -0500
Received: from mx1.redhat.com ([209.132.183.28]:43514)
	by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
	(Exim 4.71) (envelope-from <rjones@redhat.com>)
	id 1erOjk-00040g-Iy; Thu, 01 Mar 2018 08:59:08 -0500
Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com
	[10.5.11.11])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mx1.redhat.com (Postfix) with ESMTPS id C1E38C057F83;
	Thu,  1 Mar 2018 13:59:07 +0000 (UTC)
Received: from moo.home.annexia.org (ovpn-116-44.ams2.redhat.com
	[10.36.116.44])
	by smtp.corp.redhat.com (Postfix) with ESMTP id 3A97360175;
	Thu,  1 Mar 2018 13:59:05 +0000 (UTC)
From: "Richard W.M. Jones" <rjones@redhat.com>
To: jcody@redhat.com
Date: Thu,  1 Mar 2018 13:58:56 +0000
Message-Id: <20180301135856.22698-3-rjones@redhat.com>
In-Reply-To: <20180301135856.22698-1-rjones@redhat.com>
References: <20180301135856.22698-1-rjones@redhat.com>
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16
	(mx1.redhat.com [10.5.110.32]);
	Thu, 01 Mar 2018 13:59:07 +0000 (UTC)
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
	[fuzzy]
X-Received-From: 209.132.183.28
Subject: [Qemu-devel] [PATCH 2/2] block: curl: Allow Certificate Authority
 bundle to be passed in.
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel/>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Cc: kwolf@redhat.com, qemu-block@nongnu.org, qemu-devel@nongnu.org,
	armbru@redhat.com, mreitz@redhat.com
Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org
Sender: "Qemu-devel" <qemu-devel-bounces+importer=patchew.org@nongnu.org>
X-ZohoMail: RSF_0  Z_629925259 SPT_0
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

This allows a Certificate Authority bundle to be passed to the curl
driver, allowing authentication against servers that check
certificates.  For example this allows you to access a disk on an
oVirt node:

  qemu-img create -f qcow2 \
      -b 'json:{ "file.driver": "https",
                 "file.url": "https://ovirt-node:54322/images/<disk-id>",
                  "file.header": ["Authorization: <ticket>"] }' \
                  "file.cainfo": "/tmp/ca.pem" }' \
      test.qcow2

(<disk-id> and <ticket> have to be determined using some extra code.
See
https://github.com/oVirt/ovirt-engine-sdk/blob/master/sdk/examples/upload_o=
va_as_vm.py
for some guidance).

Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
---
 block/curl.c         | 14 ++++++++++++++
 qapi/block-core.json |  3 +++
 2 files changed, 17 insertions(+)

diff --git a/block/curl.c b/block/curl.c
index 972673ba5c..2dc9035ff8 100644
--- a/block/curl.c
+++ b/block/curl.c
@@ -84,6 +84,7 @@ static CURLMcode __curl_multi_socket_action(CURLM *multi_=
handle,
 #define CURL_BLOCK_OPT_COOKIE    "cookie"
 #define CURL_BLOCK_OPT_COOKIE_SECRET "cookie-secret"
 #define CURL_BLOCK_OPT_HEADER_PATTERN "header."
+#define CURL_BLOCK_OPT_CAINFO   "cainfo"
 #define CURL_BLOCK_OPT_USERNAME "username"
 #define CURL_BLOCK_OPT_PASSWORD_SECRET "password-secret"
 #define CURL_BLOCK_OPT_PROXY_USERNAME "proxy-username"
@@ -136,6 +137,7 @@ typedef struct BDRVCURLState {
     uint64_t timeout;
     char *cookie;
     struct curl_slist *headers;
+    char *cainfo;
     bool accept_range;
     AioContext *aio_context;
     QemuMutex mutex;
@@ -491,6 +493,9 @@ static int curl_init_state(BDRVCURLState *s, CURLState =
*state)
         if (s->headers) {
             curl_easy_setopt(state->curl, CURLOPT_HTTPHEADER, s->headers);
         }
+        if (s->cainfo) {
+            curl_easy_setopt(state->curl, CURLOPT_CAINFO, s->cainfo);
+        }
         curl_easy_setopt(state->curl, CURLOPT_TIMEOUT, (long)s->timeout);
         curl_easy_setopt(state->curl, CURLOPT_WRITEFUNCTION,
                          (void *)curl_read_cb);
@@ -648,6 +653,11 @@ static QemuOptsList runtime_opts =3D {
             .help =3D "ID of secret used as cookie passed with each reques=
t"
         },
         {
+            .name =3D CURL_BLOCK_OPT_CAINFO,
+            .type =3D QEMU_OPT_STRING,
+            .help =3D "Pass the Certificate Authority bundle"
+        },
+        {
             .name =3D CURL_BLOCK_OPT_USERNAME,
             .type =3D QEMU_OPT_STRING,
             .help =3D "Username for HTTP auth"
@@ -757,6 +767,8 @@ static int curl_open(BlockDriverState *bs, QDict *optio=
ns, int flags,
         qdict_del(options, key);
     }
=20
+    s->cainfo =3D qemu_opt_get(opts, CURL_BLOCK_OPT_CAINFO);
+
     file =3D qemu_opt_get(opts, CURL_BLOCK_OPT_URL);
     if (file =3D=3D NULL) {
         error_setg(errp, "curl block driver requires an 'url' option");
@@ -864,6 +876,7 @@ out:
     state->curl =3D NULL;
 out_noclean:
     qemu_mutex_destroy(&s->mutex);
+    g_free(s->cainfo);
     curl_slist_free_all(s->headers);
     g_free(s->cookie);
     g_free(s->url);
@@ -963,6 +976,7 @@ static void curl_close(BlockDriverState *bs)
     curl_detach_aio_context(bs);
     qemu_mutex_destroy(&s->mutex);
=20
+    g_free(s->cainfo);
     curl_slist_free_all(s->headers);
     g_free(s->cookie);
     g_free(s->url);
diff --git a/qapi/block-core.json b/qapi/block-core.json
index ca1ebdbef1..bf3066af08 100644
--- a/qapi/block-core.json
+++ b/qapi/block-core.json
@@ -3073,6 +3073,8 @@
 # @cookie-secret: ID of a QCryptoSecret object providing the cookie data i=
n a
 #                 secure way. See @cookie for the format. (since 2.10)
 #
+# @cainfo:      Certificate Authority bundle.
+#
 # @header:      List of HTTP request headers, see CURLOPT_HTTPHEADER(3).
 #
 # Since: 2.9
@@ -3082,6 +3084,7 @@
   'data': { '*cookie': 'str',
             '*sslverify': 'bool',
             '*cookie-secret': 'str',
+            '*cainfo': 'str',
             '*header': [ 'str' ] } }
=20
 ##
--=20
2.13.2