From nobody Mon Feb 9 23:45:09 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1529498173796903.5271569471779; Wed, 20 Jun 2018 05:36:13 -0700 (PDT) Received: from localhost ([::1]:49157 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1fVcLN-0001kE-2o for importer@patchew.org; Wed, 20 Jun 2018 08:36:13 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:36688) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1fVc0P-0000Tc-Sl for qemu-devel@nongnu.org; Wed, 20 Jun 2018 08:14:35 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1fVc0O-0008F3-Bp for qemu-devel@nongnu.org; Wed, 20 Jun 2018 08:14:33 -0400 Received: from mx3-rdu2.redhat.com ([66.187.233.73]:51980 helo=mx1.redhat.com) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1fVc0K-0008BD-Do; Wed, 20 Jun 2018 08:14:28 -0400 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 0FA4C40200A7; Wed, 20 Jun 2018 12:14:28 +0000 (UTC) Received: from t460.redhat.com (unknown [10.33.36.101]) by smtp.corp.redhat.com (Postfix) with ESMTP id 362362026D6B; Wed, 20 Jun 2018 12:14:26 +0000 (UTC) From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: qemu-devel@nongnu.org Date: Wed, 20 Jun 2018 13:14:18 +0100 Message-Id: <20180620121423.16979-2-berrange@redhat.com> In-Reply-To: <20180620121423.16979-1-berrange@redhat.com> References: <20180620121423.16979-1-berrange@redhat.com> X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.6]); Wed, 20 Jun 2018 12:14:28 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.6]); Wed, 20 Jun 2018 12:14:28 +0000 (UTC) for IP:'10.11.54.4' DOMAIN:'int-mx04.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'berrange@redhat.com' RCPT:'' X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 66.187.233.73 Subject: [Qemu-devel] [PATCH v2 1/6] qemu-nbd: add support for authorization of TLS clients X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Kevin Wolf , qemu-block@nongnu.org, Juan Quintela , Markus Armbruster , "Dr. David Alan Gilbert" , Max Reitz , Gerd Hoffmann , =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= , Paolo Bonzini Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" From: "Daniel P. Berrange" Currently any client which can complete the TLS handshake is able to use the NBD server. The server admin can turn on the 'verify-peer' option for the x509 creds to require the client to provide a x509 certificate. This means the client will have to acquire a certificate from the CA before they are permitted to use the NBD server. This is still a fairly low bar to cross. This adds a '--tls-authz OBJECT-ID' option to the qemu-nbd command which takes the ID of a previously added 'QAuthZ' object instance. This will be used to validate the client's x509 distinguished name. Clients failing the authorization check will not be permitted to use the NBD server. For example to setup authorization that only allows connection from a client whose x509 certificate distinguished name is CN=3Dlaptop.example.com,O=3DExample Org,L=3DLondon,ST=3DLondon,C=3DGB use: qemu-nbd --object tls-creds-x509,id=3Dtls0,dir=3D/home/berrange/qemutls,\ endpoint=3Dserver,verify-peer=3Dyes \ --object authz-simple,id=3Dauth0,identity=3DCN=3Dlaptop.example.= com,,\ O=3DExample Org,,L=3DLondon,,ST=3DLondon,,C=3DGB \ --tls-creds tls0 \ --tls-authz authz0 ....other qemu-nbd args... Signed-off-by: Daniel P. Berrange Reviewed-by: Eric Blake --- include/block/nbd.h | 2 +- nbd/server.c | 10 +++++----- qemu-nbd.c | 13 ++++++++++++- qemu-nbd.texi | 4 ++++ 4 files changed, 22 insertions(+), 7 deletions(-) diff --git a/include/block/nbd.h b/include/block/nbd.h index fcdcd54502..80ea9d240c 100644 --- a/include/block/nbd.h +++ b/include/block/nbd.h @@ -307,7 +307,7 @@ void nbd_export_close_all(void); void nbd_client_new(NBDExport *exp, QIOChannelSocket *sioc, QCryptoTLSCreds *tlscreds, - const char *tlsaclname, + const char *tlsauthz, void (*close_fn)(NBDClient *, bool)); void nbd_client_get(NBDClient *client); void nbd_client_put(NBDClient *client); diff --git a/nbd/server.c b/nbd/server.c index 9e1f227178..4f10f08dc0 100644 --- a/nbd/server.c +++ b/nbd/server.c @@ -100,7 +100,7 @@ struct NBDClient { =20 NBDExport *exp; QCryptoTLSCreds *tlscreds; - char *tlsaclname; + char *tlsauthz; QIOChannelSocket *sioc; /* The underlying data channel */ QIOChannel *ioc; /* The current I/O channel which may differ (eg TLS) = */ =20 @@ -677,7 +677,7 @@ static QIOChannel *nbd_negotiate_handle_starttls(NBDCli= ent *client, =20 tioc =3D qio_channel_tls_new_server(ioc, client->tlscreds, - client->tlsaclname, + client->tlsauthz, errp); if (!tioc) { return NULL; @@ -1250,7 +1250,7 @@ void nbd_client_put(NBDClient *client) if (client->tlscreds) { object_unref(OBJECT(client->tlscreds)); } - g_free(client->tlsaclname); + g_free(client->tlsauthz); if (client->exp) { QTAILQ_REMOVE(&client->exp->clients, client, next); nbd_export_put(client->exp); @@ -2140,7 +2140,7 @@ static coroutine_fn void nbd_co_client_start(void *op= aque) void nbd_client_new(NBDExport *exp, QIOChannelSocket *sioc, QCryptoTLSCreds *tlscreds, - const char *tlsaclname, + const char *tlsauthz, void (*close_fn)(NBDClient *, bool)) { NBDClient *client; @@ -2153,7 +2153,7 @@ void nbd_client_new(NBDExport *exp, if (tlscreds) { object_ref(OBJECT(client->tlscreds)); } - client->tlsaclname =3D g_strdup(tlsaclname); + client->tlsauthz =3D g_strdup(tlsauthz); client->sioc =3D sioc; object_ref(OBJECT(client->sioc)); client->ioc =3D QIO_CHANNEL(sioc); diff --git a/qemu-nbd.c b/qemu-nbd.c index 51b9d38c72..c0c9c805c0 100644 --- a/qemu-nbd.c +++ b/qemu-nbd.c @@ -52,6 +52,7 @@ #define QEMU_NBD_OPT_TLSCREDS 261 #define QEMU_NBD_OPT_IMAGE_OPTS 262 #define QEMU_NBD_OPT_FORK 263 +#define QEMU_NBD_OPT_TLSAUTHZ 264 =20 #define MBR_SIZE 512 =20 @@ -66,6 +67,7 @@ static int shared =3D 1; static int nb_fds; static QIONetListener *server; static QCryptoTLSCreds *tlscreds; +static const char *tlsauthz; =20 static void usage(const char *name) { @@ -355,7 +357,7 @@ static void nbd_accept(QIONetListener *listener, QIOCha= nnelSocket *cioc, nb_fds++; nbd_update_server_watch(); nbd_client_new(newproto ? NULL : exp, cioc, - tlscreds, NULL, nbd_client_closed); + tlscreds, tlsauthz, nbd_client_closed); } =20 static void nbd_update_server_watch(void) @@ -533,6 +535,7 @@ int main(int argc, char **argv) { "image-opts", no_argument, NULL, QEMU_NBD_OPT_IMAGE_OPTS }, { "trace", required_argument, NULL, 'T' }, { "fork", no_argument, NULL, QEMU_NBD_OPT_FORK }, + { "tls-authz", no_argument, NULL, QEMU_NBD_OPT_TLSAUTHZ }, { NULL, 0, NULL, 0 } }; int ch; @@ -755,6 +758,9 @@ int main(int argc, char **argv) g_free(trace_file); trace_file =3D trace_opt_parse(optarg); break; + case QEMU_NBD_OPT_TLSAUTHZ: + tlsauthz =3D optarg; + break; case QEMU_NBD_OPT_FORK: fork_process =3D true; break; @@ -819,6 +825,11 @@ int main(int argc, char **argv) error_get_pretty(local_err)); exit(EXIT_FAILURE); } + } else { + if (tlsauthz) { + error_report("--tls-authz is not permitted without --tls-creds= "); + exit(EXIT_FAILURE); + } } =20 if (disconnect) { diff --git a/qemu-nbd.texi b/qemu-nbd.texi index 9a84e81eed..7f9503cf05 100644 --- a/qemu-nbd.texi +++ b/qemu-nbd.texi @@ -91,6 +91,10 @@ of the TLS credentials object previously created with th= e --object option. @item --fork Fork off the server process and exit the parent once the server is running. +@item --tls-authz=3DID +Specify the ID of a qauthz object previously created with the +--object option. This will be used to authorize connecting users +against their x509 distinguished name. @item -v, --verbose Display extra debugging information @item -h, --help --=20 2.17.0