From nobody Fri May 3 11:43:29 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1508156182385277.08649425974; Mon, 16 Oct 2017 05:16:22 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 85912C0587D3; Mon, 16 Oct 2017 12:16:20 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 21B5C17526; Mon, 16 Oct 2017 12:16:19 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id B4FC1B3487; Mon, 16 Oct 2017 12:16:15 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v9GCGEZF019963 for ; Mon, 16 Oct 2017 08:16:14 -0400 Received: by smtp.corp.redhat.com (Postfix) id 3C8375D96E; Mon, 16 Oct 2017 12:16:14 +0000 (UTC) Received: from localhost.localdomain.com (unknown [10.33.36.70]) by smtp.corp.redhat.com (Postfix) with ESMTP id 3041A5D96A; Mon, 16 Oct 2017 12:16:10 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 85912C0587D3 Authentication-Results: ext-mx08.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx08.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=libvir-list-bounces@redhat.com From: "Daniel P. Berrange" To: libvir-list@redhat.com Date: Mon, 16 Oct 2017 13:16:06 +0100 Message-Id: <20171016121606.9379-1-berrange@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH] qemu: ensure TLS clients always verify the server certificate X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.32]); Mon, 16 Oct 2017 12:16:21 +0000 (UTC) X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" The default_tls_x509_verify (and related) parameters in qemu.conf control whether the QEMU TLS servers request & verify certificates from clients. This works as a simple access control system for servers by requiring the CA to issue certs to permitted clients. This use of client certificates is disabled by default, since it requires extra work to issue client certificates. Unfortunately the code was using this configuration parameter when setting up both TLS clients and servers in QEMU. The result was that TLS clients for character devices and disk devices had verification turned off, meaning they would ignore errors while validating the server certificate. This allows for trivial MITM attacks between client and server, as any certificate returned by the attacker will be accepted by the client. This is assigned CVE-2017-1000256 / LSN-2017-0002 Reviewed-by: Eric Blake Signed-off-by: Daniel P. Berrange --- Pushed as a off-list reviewed security fix. src/qemu/qemu_command.c | = 2 +- tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args | = 2 +- .../qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args | = 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index 46f0bdd18c..f68b82d083 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c @@ -721,7 +721,7 @@ qemuBuildTLSx509BackendProps(const char *tlspath, if (virJSONValueObjectCreate(propsret, "s:dir", path, "s:endpoint", (isListen ? "server": "clie= nt"), - "b:verify-peer", verifypeer, + "b:verify-peer", (isListen ? verifypeer := true), NULL) < 0) goto cleanup; =20 diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev= .args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args index 5aff7734e1..ab5f7e27f2 100644 --- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args +++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args @@ -26,7 +26,7 @@ server,nowait \ localport=3D1111 \ -device isa-serial,chardev=3Dcharserial0,id=3Dserial0 \ -object tls-creds-x509,id=3Dobjcharserial1_tls0,dir=3D/etc/pki/libvirt-cha= rdev,\ -endpoint=3Dclient,verify-peer=3Dno \ +endpoint=3Dclient,verify-peer=3Dyes \ -chardev socket,id=3Dcharserial1,host=3D127.0.0.1,port=3D5555,\ tls-creds=3Dobjcharserial1_tls0 \ -device isa-serial,chardev=3Dcharserial1,id=3Dserial1 \ diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-= chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secre= t-chardev.args index 91f1fe0cde..2567abbfad 100644 --- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev= .args +++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev= .args @@ -31,7 +31,7 @@ localport=3D1111 \ data=3D9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\ keyid=3DmasterKey0,iv=3DAAECAwQFBgcICQoLDA0ODw=3D=3D,format=3Dbase64 \ -object tls-creds-x509,id=3Dobjcharserial1_tls0,dir=3D/etc/pki/libvirt-cha= rdev,\ -endpoint=3Dclient,verify-peer=3Dno,passwordid=3Dcharserial1-secret0 \ +endpoint=3Dclient,verify-peer=3Dyes,passwordid=3Dcharserial1-secret0 \ -chardev socket,id=3Dcharserial1,host=3D127.0.0.1,port=3D5555,\ tls-creds=3Dobjcharserial1_tls0 \ -device isa-serial,chardev=3Dcharserial1,id=3Dserial1 \ --=20 2.13.5 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list