qemu-nbd: add support for authorization of TLS clients
Currently any client which can complete the TLS handshake is able to use the NBD server. The server admin can turn on the 'verify-peer' option for the x509 creds to require the client to provide a x509 certificate. This means the client will have to acquire a certificate from the CA before they are permitted to use the NBD server. This is still a fairly low bar to cross. This adds a '--tls-authz OBJECT-ID' option to the qemu-nbd command which takes the ID of a previously added 'QAuthZ' object instance. This will be used to validate the client's x509 distinguished name. Clients failing the authorization check will not be permitted to use the NBD server. For example to setup authorization that only allows connection from a client whose x509 certificate distinguished name is CN=laptop.example.com,O=Example Org,L=London,ST=London,C=GB escape the commas in the name and use: qemu-nbd --object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\ endpoint=server,verify-peer=yes \ --object 'authz-simple,id=auth0,identity=CN=laptop.example.com,,\ O=Example Org,,L=London,,ST=London,,C=GB' \ --tls-creds tls0 \ --tls-authz authz0 \ ....other qemu-nbd args... NB: a real shell command line would not have leading whitespace after the line continuation, it is just included here for clarity. Reviewed-by: Juan Quintela <quintela@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Message-Id: <20190227162035.18543-2-berrange@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> [eblake: split long line in --help text, tweak 233 to show that whitespace after ,, in identity= portion is actually okay] Signed-off-by: Eric Blake <eblake@redhat.com>
This commit is contained in:
parent
c557a8c7b7
commit
b25e12daff
@ -326,7 +326,7 @@ void nbd_export_close_all(void);
|
|||||||
|
|
||||||
void nbd_client_new(QIOChannelSocket *sioc,
|
void nbd_client_new(QIOChannelSocket *sioc,
|
||||||
QCryptoTLSCreds *tlscreds,
|
QCryptoTLSCreds *tlscreds,
|
||||||
const char *tlsaclname,
|
const char *tlsauthz,
|
||||||
void (*close_fn)(NBDClient *, bool));
|
void (*close_fn)(NBDClient *, bool));
|
||||||
void nbd_client_get(NBDClient *client);
|
void nbd_client_get(NBDClient *client);
|
||||||
void nbd_client_put(NBDClient *client);
|
void nbd_client_put(NBDClient *client);
|
||||||
|
10
nbd/server.c
10
nbd/server.c
@ -111,7 +111,7 @@ struct NBDClient {
|
|||||||
|
|
||||||
NBDExport *exp;
|
NBDExport *exp;
|
||||||
QCryptoTLSCreds *tlscreds;
|
QCryptoTLSCreds *tlscreds;
|
||||||
char *tlsaclname;
|
char *tlsauthz;
|
||||||
QIOChannelSocket *sioc; /* The underlying data channel */
|
QIOChannelSocket *sioc; /* The underlying data channel */
|
||||||
QIOChannel *ioc; /* The current I/O channel which may differ (eg TLS) */
|
QIOChannel *ioc; /* The current I/O channel which may differ (eg TLS) */
|
||||||
|
|
||||||
@ -686,7 +686,7 @@ static QIOChannel *nbd_negotiate_handle_starttls(NBDClient *client,
|
|||||||
|
|
||||||
tioc = qio_channel_tls_new_server(ioc,
|
tioc = qio_channel_tls_new_server(ioc,
|
||||||
client->tlscreds,
|
client->tlscreds,
|
||||||
client->tlsaclname,
|
client->tlsauthz,
|
||||||
errp);
|
errp);
|
||||||
if (!tioc) {
|
if (!tioc) {
|
||||||
return NULL;
|
return NULL;
|
||||||
@ -1348,7 +1348,7 @@ void nbd_client_put(NBDClient *client)
|
|||||||
if (client->tlscreds) {
|
if (client->tlscreds) {
|
||||||
object_unref(OBJECT(client->tlscreds));
|
object_unref(OBJECT(client->tlscreds));
|
||||||
}
|
}
|
||||||
g_free(client->tlsaclname);
|
g_free(client->tlsauthz);
|
||||||
if (client->exp) {
|
if (client->exp) {
|
||||||
QTAILQ_REMOVE(&client->exp->clients, client, next);
|
QTAILQ_REMOVE(&client->exp->clients, client, next);
|
||||||
nbd_export_put(client->exp);
|
nbd_export_put(client->exp);
|
||||||
@ -2425,7 +2425,7 @@ static coroutine_fn void nbd_co_client_start(void *opaque)
|
|||||||
*/
|
*/
|
||||||
void nbd_client_new(QIOChannelSocket *sioc,
|
void nbd_client_new(QIOChannelSocket *sioc,
|
||||||
QCryptoTLSCreds *tlscreds,
|
QCryptoTLSCreds *tlscreds,
|
||||||
const char *tlsaclname,
|
const char *tlsauthz,
|
||||||
void (*close_fn)(NBDClient *, bool))
|
void (*close_fn)(NBDClient *, bool))
|
||||||
{
|
{
|
||||||
NBDClient *client;
|
NBDClient *client;
|
||||||
@ -2437,7 +2437,7 @@ void nbd_client_new(QIOChannelSocket *sioc,
|
|||||||
if (tlscreds) {
|
if (tlscreds) {
|
||||||
object_ref(OBJECT(client->tlscreds));
|
object_ref(OBJECT(client->tlscreds));
|
||||||
}
|
}
|
||||||
client->tlsaclname = g_strdup(tlsaclname);
|
client->tlsauthz = g_strdup(tlsauthz);
|
||||||
client->sioc = sioc;
|
client->sioc = sioc;
|
||||||
object_ref(OBJECT(client->sioc));
|
object_ref(OBJECT(client->sioc));
|
||||||
client->ioc = QIO_CHANNEL(sioc);
|
client->ioc = QIO_CHANNEL(sioc);
|
||||||
|
19
qemu-nbd.c
19
qemu-nbd.c
@ -58,6 +58,7 @@
|
|||||||
#define QEMU_NBD_OPT_TLSCREDS 261
|
#define QEMU_NBD_OPT_TLSCREDS 261
|
||||||
#define QEMU_NBD_OPT_IMAGE_OPTS 262
|
#define QEMU_NBD_OPT_IMAGE_OPTS 262
|
||||||
#define QEMU_NBD_OPT_FORK 263
|
#define QEMU_NBD_OPT_FORK 263
|
||||||
|
#define QEMU_NBD_OPT_TLSAUTHZ 264
|
||||||
|
|
||||||
#define MBR_SIZE 512
|
#define MBR_SIZE 512
|
||||||
|
|
||||||
@ -71,6 +72,7 @@ static int shared = 1;
|
|||||||
static int nb_fds;
|
static int nb_fds;
|
||||||
static QIONetListener *server;
|
static QIONetListener *server;
|
||||||
static QCryptoTLSCreds *tlscreds;
|
static QCryptoTLSCreds *tlscreds;
|
||||||
|
static const char *tlsauthz;
|
||||||
|
|
||||||
static void usage(const char *name)
|
static void usage(const char *name)
|
||||||
{
|
{
|
||||||
@ -103,6 +105,8 @@ static void usage(const char *name)
|
|||||||
" --object type,id=ID,... define an object such as 'secret' for providing\n"
|
" --object type,id=ID,... define an object such as 'secret' for providing\n"
|
||||||
" passwords and/or encryption keys\n"
|
" passwords and/or encryption keys\n"
|
||||||
" --tls-creds=ID use id of an earlier --object to provide TLS\n"
|
" --tls-creds=ID use id of an earlier --object to provide TLS\n"
|
||||||
|
" --tls-authz=ID use id of an earlier --object to provide\n"
|
||||||
|
" authorization\n"
|
||||||
" -T, --trace [[enable=]<pattern>][,events=<file>][,file=<file>]\n"
|
" -T, --trace [[enable=]<pattern>][,events=<file>][,file=<file>]\n"
|
||||||
" specify tracing options\n"
|
" specify tracing options\n"
|
||||||
" --fork fork off the server process and exit the parent\n"
|
" --fork fork off the server process and exit the parent\n"
|
||||||
@ -452,7 +456,7 @@ static void nbd_accept(QIONetListener *listener, QIOChannelSocket *cioc,
|
|||||||
|
|
||||||
nb_fds++;
|
nb_fds++;
|
||||||
nbd_update_server_watch();
|
nbd_update_server_watch();
|
||||||
nbd_client_new(cioc, tlscreds, NULL, nbd_client_closed);
|
nbd_client_new(cioc, tlscreds, tlsauthz, nbd_client_closed);
|
||||||
}
|
}
|
||||||
|
|
||||||
static void nbd_update_server_watch(void)
|
static void nbd_update_server_watch(void)
|
||||||
@ -643,6 +647,7 @@ int main(int argc, char **argv)
|
|||||||
{ "export-name", required_argument, NULL, 'x' },
|
{ "export-name", required_argument, NULL, 'x' },
|
||||||
{ "description", required_argument, NULL, 'D' },
|
{ "description", required_argument, NULL, 'D' },
|
||||||
{ "tls-creds", required_argument, NULL, QEMU_NBD_OPT_TLSCREDS },
|
{ "tls-creds", required_argument, NULL, QEMU_NBD_OPT_TLSCREDS },
|
||||||
|
{ "tls-authz", required_argument, NULL, QEMU_NBD_OPT_TLSAUTHZ },
|
||||||
{ "image-opts", no_argument, NULL, QEMU_NBD_OPT_IMAGE_OPTS },
|
{ "image-opts", no_argument, NULL, QEMU_NBD_OPT_IMAGE_OPTS },
|
||||||
{ "trace", required_argument, NULL, 'T' },
|
{ "trace", required_argument, NULL, 'T' },
|
||||||
{ "fork", no_argument, NULL, QEMU_NBD_OPT_FORK },
|
{ "fork", no_argument, NULL, QEMU_NBD_OPT_FORK },
|
||||||
@ -862,6 +867,9 @@ int main(int argc, char **argv)
|
|||||||
g_free(trace_file);
|
g_free(trace_file);
|
||||||
trace_file = trace_opt_parse(optarg);
|
trace_file = trace_opt_parse(optarg);
|
||||||
break;
|
break;
|
||||||
|
case QEMU_NBD_OPT_TLSAUTHZ:
|
||||||
|
tlsauthz = optarg;
|
||||||
|
break;
|
||||||
case QEMU_NBD_OPT_FORK:
|
case QEMU_NBD_OPT_FORK:
|
||||||
fork_process = true;
|
fork_process = true;
|
||||||
break;
|
break;
|
||||||
@ -934,12 +942,21 @@ int main(int argc, char **argv)
|
|||||||
error_report("TLS is not supported with a host device");
|
error_report("TLS is not supported with a host device");
|
||||||
exit(EXIT_FAILURE);
|
exit(EXIT_FAILURE);
|
||||||
}
|
}
|
||||||
|
if (tlsauthz && list) {
|
||||||
|
error_report("TLS authorization is incompatible with export list");
|
||||||
|
exit(EXIT_FAILURE);
|
||||||
|
}
|
||||||
tlscreds = nbd_get_tls_creds(tlscredsid, list, &local_err);
|
tlscreds = nbd_get_tls_creds(tlscredsid, list, &local_err);
|
||||||
if (local_err) {
|
if (local_err) {
|
||||||
error_report("Failed to get TLS creds %s",
|
error_report("Failed to get TLS creds %s",
|
||||||
error_get_pretty(local_err));
|
error_get_pretty(local_err));
|
||||||
exit(EXIT_FAILURE);
|
exit(EXIT_FAILURE);
|
||||||
}
|
}
|
||||||
|
} else {
|
||||||
|
if (tlsauthz) {
|
||||||
|
error_report("--tls-authz is not permitted without --tls-creds");
|
||||||
|
exit(EXIT_FAILURE);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (list) {
|
if (list) {
|
||||||
|
@ -117,6 +117,10 @@ option; or provide the credentials needed for connecting as a client
|
|||||||
in list mode.
|
in list mode.
|
||||||
@item --fork
|
@item --fork
|
||||||
Fork off the server process and exit the parent once the server is running.
|
Fork off the server process and exit the parent once the server is running.
|
||||||
|
@item --tls-authz=ID
|
||||||
|
Specify the ID of a qauthz object previously created with the
|
||||||
|
--object option. This will be used to authorize connecting users
|
||||||
|
against their x509 distinguished name.
|
||||||
@item -v, --verbose
|
@item -v, --verbose
|
||||||
Display extra debugging information.
|
Display extra debugging information.
|
||||||
@item -h, --help
|
@item -h, --help
|
||||||
@ -142,13 +146,16 @@ qemu-nbd -f qcow2 file.qcow2
|
|||||||
@end example
|
@end example
|
||||||
|
|
||||||
Start a long-running server listening with encryption on port 10810,
|
Start a long-running server listening with encryption on port 10810,
|
||||||
and require clients to have a correct X.509 certificate to connect to
|
and whitelist clients with a specific X.509 certificate to connect to
|
||||||
a 1 megabyte subset of a raw file, using the export name 'subset':
|
a 1 megabyte subset of a raw file, using the export name 'subset':
|
||||||
|
|
||||||
@example
|
@example
|
||||||
qemu-nbd \
|
qemu-nbd \
|
||||||
--object tls-creds-x509,id=tls0,endpoint=server,dir=/path/to/qemutls \
|
--object tls-creds-x509,id=tls0,endpoint=server,dir=/path/to/qemutls \
|
||||||
--tls-creds tls0 -t -x subset -p 10810 \
|
--object 'authz-simple,id=auth0,identity=CN=laptop.example.com,,\
|
||||||
|
O=Example Org,,L=London,,ST=London,,C=GB' \
|
||||||
|
--tls-creds tls0 --tls-authz auth0 \
|
||||||
|
-t -x subset -p 10810 \
|
||||||
--image-opts driver=raw,offset=1M,size=1M,file.driver=file,file.filename=file.raw
|
--image-opts driver=raw,offset=1M,size=1M,file.driver=file,file.filename=file.raw
|
||||||
@end example
|
@end example
|
||||||
|
|
||||||
|
@ -61,6 +61,7 @@ tls_x509_create_root_ca "ca2"
|
|||||||
tls_x509_create_server "ca1" "server1"
|
tls_x509_create_server "ca1" "server1"
|
||||||
tls_x509_create_client "ca1" "client1"
|
tls_x509_create_client "ca1" "client1"
|
||||||
tls_x509_create_client "ca2" "client2"
|
tls_x509_create_client "ca2" "client2"
|
||||||
|
tls_x509_create_client "ca1" "client3"
|
||||||
|
|
||||||
echo
|
echo
|
||||||
echo "== preparing image =="
|
echo "== preparing image =="
|
||||||
@ -93,11 +94,15 @@ $QEMU_NBD_PROG -L -b $nbd_tcp_addr -p $nbd_tcp_port
|
|||||||
|
|
||||||
echo
|
echo
|
||||||
echo "== check TLS works =="
|
echo "== check TLS works =="
|
||||||
obj=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0
|
obj1=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0
|
||||||
$QEMU_IMG info --image-opts --object $obj \
|
obj2=tls-creds-x509,dir=${tls_dir}/client3,endpoint=client,id=tls0
|
||||||
|
$QEMU_IMG info --image-opts --object $obj1 \
|
||||||
driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \
|
driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \
|
||||||
2>&1 | sed "s/$nbd_tcp_port/PORT/g"
|
2>&1 | sed "s/$nbd_tcp_port/PORT/g"
|
||||||
$QEMU_NBD_PROG -L -b $nbd_tcp_addr -p $nbd_tcp_port --object $obj \
|
$QEMU_IMG info --image-opts --object $obj2 \
|
||||||
|
driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \
|
||||||
|
2>&1 | sed "s/$nbd_tcp_port/PORT/g"
|
||||||
|
$QEMU_NBD_PROG -L -b $nbd_tcp_addr -p $nbd_tcp_port --object $obj1 \
|
||||||
--tls-creds=tls0
|
--tls-creds=tls0
|
||||||
|
|
||||||
echo
|
echo
|
||||||
@ -119,6 +124,27 @@ $QEMU_IO -c 'r -P 0x11 1m 1m' -c 'w -P 0x22 1m 1m' --image-opts \
|
|||||||
|
|
||||||
$QEMU_IO -f $IMGFMT -r -U -c 'r -P 0x22 1m 1m' "$TEST_IMG" | _filter_qemu_io
|
$QEMU_IO -f $IMGFMT -r -U -c 'r -P 0x22 1m 1m' "$TEST_IMG" | _filter_qemu_io
|
||||||
|
|
||||||
|
echo
|
||||||
|
echo "== check TLS with authorization =="
|
||||||
|
|
||||||
|
nbd_server_stop
|
||||||
|
|
||||||
|
nbd_server_start_tcp_socket \
|
||||||
|
--object tls-creds-x509,dir=${tls_dir}/server1,endpoint=server,id=tls0,verify-peer=yes \
|
||||||
|
--object "authz-simple,id=authz0,identity=CN=localhost,, \
|
||||||
|
O=Cthulu Dark Lord Enterprises client1,,L=R'lyeh,,C=South Pacific" \
|
||||||
|
--tls-authz authz0 \
|
||||||
|
--tls-creds tls0 \
|
||||||
|
-f $IMGFMT "$TEST_IMG" 2>> "$TEST_DIR/server.log"
|
||||||
|
|
||||||
|
$QEMU_IMG info --image-opts \
|
||||||
|
--object tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0 \
|
||||||
|
driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0
|
||||||
|
|
||||||
|
$QEMU_IMG info --image-opts \
|
||||||
|
--object tls-creds-x509,dir=${tls_dir}/client3,endpoint=client,id=tls0 \
|
||||||
|
driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0
|
||||||
|
|
||||||
echo
|
echo
|
||||||
echo "== final server log =="
|
echo "== final server log =="
|
||||||
cat "$TEST_DIR/server.log"
|
cat "$TEST_DIR/server.log"
|
||||||
|
@ -6,6 +6,7 @@ Generating a self signed certificate...
|
|||||||
Generating a signed certificate...
|
Generating a signed certificate...
|
||||||
Generating a signed certificate...
|
Generating a signed certificate...
|
||||||
Generating a signed certificate...
|
Generating a signed certificate...
|
||||||
|
Generating a signed certificate...
|
||||||
|
|
||||||
== preparing image ==
|
== preparing image ==
|
||||||
Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
|
Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
|
||||||
@ -29,6 +30,10 @@ image: nbd://127.0.0.1:PORT
|
|||||||
file format: nbd
|
file format: nbd
|
||||||
virtual size: 64M (67108864 bytes)
|
virtual size: 64M (67108864 bytes)
|
||||||
disk size: unavailable
|
disk size: unavailable
|
||||||
|
image: nbd://127.0.0.1:PORT
|
||||||
|
file format: nbd
|
||||||
|
virtual size: 64M (67108864 bytes)
|
||||||
|
disk size: unavailable
|
||||||
exports available: 1
|
exports available: 1
|
||||||
export: ''
|
export: ''
|
||||||
size: 67108864
|
size: 67108864
|
||||||
@ -51,7 +56,13 @@ wrote 1048576/1048576 bytes at offset 1048576
|
|||||||
read 1048576/1048576 bytes at offset 1048576
|
read 1048576/1048576 bytes at offset 1048576
|
||||||
1 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
|
1 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
|
||||||
|
|
||||||
|
== check TLS with authorization ==
|
||||||
|
qemu-img: Could not open 'driver=nbd,host=127.0.0.1,port=10809,tls-creds=tls0': Failed to read option reply: Cannot read from TLS channel: Software caused connection abort
|
||||||
|
qemu-img: Could not open 'driver=nbd,host=127.0.0.1,port=10809,tls-creds=tls0': Failed to read option reply: Cannot read from TLS channel: Software caused connection abort
|
||||||
|
|
||||||
== final server log ==
|
== final server log ==
|
||||||
qemu-nbd: option negotiation failed: Verify failed: No certificate was found.
|
qemu-nbd: option negotiation failed: Verify failed: No certificate was found.
|
||||||
qemu-nbd: option negotiation failed: Verify failed: No certificate was found.
|
qemu-nbd: option negotiation failed: Verify failed: No certificate was found.
|
||||||
|
qemu-nbd: option negotiation failed: TLS x509 authz check for CN=localhost,O=Cthulhu Dark Lord Enterprises client1,L=R'lyeh,C=South Pacific is denied
|
||||||
|
qemu-nbd: option negotiation failed: TLS x509 authz check for CN=localhost,O=Cthulhu Dark Lord Enterprises client3,L=R'lyeh,C=South Pacific is denied
|
||||||
*** done
|
*** done
|
||||||
|
Loading…
Reference in New Issue
Block a user