mirror of
https://github.com/xemu-project/xemu.git
synced 2024-11-23 03:29:43 +00:00
crypto: mandate a hostname when checking x509 creds on a client
Currently the TLS session object assumes that the caller will always provide a hostname when using x509 creds on a client endpoint. This relies on the caller to detect and report an error if the user has configured QEMU with x509 credentials on a UNIX socket. The migration code has such a check, but it is too broad, reporting an error when the user has configured QEMU with PSK credentials on a UNIX socket, where hostnames are irrelevant. Putting the check into the TLS session object credentials validation code ensures we report errors in only the scenario that matters. Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Message-Id: <20220304193610.3293146-2-berrange@redhat.com> Signed-off-by: Eric Blake <eblake@redhat.com>
This commit is contained in:
parent
b49872aa8f
commit
d41997e465
@ -373,6 +373,12 @@ qcrypto_tls_session_check_certificate(QCryptoTLSSession *session,
|
||||
session->hostname);
|
||||
goto error;
|
||||
}
|
||||
} else {
|
||||
if (session->creds->endpoint ==
|
||||
QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT) {
|
||||
error_setg(errp, "No hostname for certificate validation");
|
||||
goto error;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user