From nobody Thu Nov 6 03:12:39 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1539091434340154.00065482822072; Tue, 9 Oct 2018 06:23:54 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 761AF30820CE; Tue, 9 Oct 2018 13:23:51 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id EEFDF75556; Tue, 9 Oct 2018 13:23:50 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 1EBEE4BB74; Tue, 9 Oct 2018 13:23:49 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id w99DNmqk002616 for ; Tue, 9 Oct 2018 09:23:48 -0400 Received: by smtp.corp.redhat.com (Postfix) id 7357B6A96D; Tue, 9 Oct 2018 13:23:48 +0000 (UTC) Received: from localhost.localdomain.com (unknown [10.42.22.189]) by smtp.corp.redhat.com (Postfix) with ESMTP id DDD586A943; Tue, 9 Oct 2018 13:23:45 +0000 (UTC) From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: qemu-devel@nongnu.org Date: Tue, 9 Oct 2018 14:23:25 +0100 Message-Id: <20181009132330.7549-2-berrange@redhat.com> In-Reply-To: <20181009132330.7549-1-berrange@redhat.com> References: <20181009132330.7549-1-berrange@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-loop: libvir-list@redhat.com Cc: Kevin Wolf , qemu-block@nongnu.org, Juan Quintela , libvir-list@redhat.com, Max Reitz , Gerd Hoffmann , =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= , Paolo Bonzini , "Dr. David Alan Gilbert" Subject: [libvirt] [PATCH v3 1/6] qemu-nbd: add support for authorization of TLS clients X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.47]); Tue, 09 Oct 2018 13:23:53 +0000 (UTC) X-ZohoMail: RDMRC_0 RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" From: "Daniel P. Berrange" Currently any client which can complete the TLS handshake is able to use the NBD server. The server admin can turn on the 'verify-peer' option for the x509 creds to require the client to provide a x509 certificate. This means the client will have to acquire a certificate from the CA before they are permitted to use the NBD server. This is still a fairly low bar to cross. This adds a '--tls-authz OBJECT-ID' option to the qemu-nbd command which takes the ID of a previously added 'QAuthZ' object instance. This will be used to validate the client's x509 distinguished name. Clients failing the authorization check will not be permitted to use the NBD server. For example to setup authorization that only allows connection from a client whose x509 certificate distinguished name is CN=3Dlaptop.example.com,O=3DExample Org,L=3DLondon,ST=3DLondon,C=3DGB use: qemu-nbd --object tls-creds-x509,id=3Dtls0,dir=3D/home/berrange/qemutls,\ endpoint=3Dserver,verify-peer=3Dyes \ --object authz-simple,id=3Dauth0,identity=3DCN=3Dlaptop.example.= com,,\ O=3DExample Org,,L=3DLondon,,ST=3DLondon,,C=3DGB \ --tls-creds tls0 \ --tls-authz authz0 ....other qemu-nbd args... Signed-off-by: Daniel P. Berrange Reviewed-by: Juan Quintela --- include/block/nbd.h | 2 +- nbd/server.c | 10 +++++----- qemu-nbd.c | 13 ++++++++++++- qemu-nbd.texi | 4 ++++ 4 files changed, 22 insertions(+), 7 deletions(-) diff --git a/include/block/nbd.h b/include/block/nbd.h index 6a5bfe5d55..d7aa6b24d0 100644 --- a/include/block/nbd.h +++ b/include/block/nbd.h @@ -312,7 +312,7 @@ void nbd_export_close_all(void); =20 void nbd_client_new(QIOChannelSocket *sioc, QCryptoTLSCreds *tlscreds, - const char *tlsaclname, + const char *tlsauthz, void (*close_fn)(NBDClient *, bool)); void nbd_client_get(NBDClient *client); void nbd_client_put(NBDClient *client); diff --git a/nbd/server.c b/nbd/server.c index a1eda0114f..138a35f838 100644 --- a/nbd/server.c +++ b/nbd/server.c @@ -111,7 +111,7 @@ struct NBDClient { =20 NBDExport *exp; QCryptoTLSCreds *tlscreds; - char *tlsaclname; + char *tlsauthz; QIOChannelSocket *sioc; /* The underlying data channel */ QIOChannel *ioc; /* The current I/O channel which may differ (eg TLS) = */ =20 @@ -687,7 +687,7 @@ static QIOChannel *nbd_negotiate_handle_starttls(NBDCli= ent *client, =20 tioc =3D qio_channel_tls_new_server(ioc, client->tlscreds, - client->tlsaclname, + client->tlsauthz, errp); if (!tioc) { return NULL; @@ -1353,7 +1353,7 @@ void nbd_client_put(NBDClient *client) if (client->tlscreds) { object_unref(OBJECT(client->tlscreds)); } - g_free(client->tlsaclname); + g_free(client->tlsauthz); if (client->exp) { QTAILQ_REMOVE(&client->exp->clients, client, next); nbd_export_put(client->exp); @@ -2403,7 +2403,7 @@ static coroutine_fn void nbd_co_client_start(void *op= aque) */ void nbd_client_new(QIOChannelSocket *sioc, QCryptoTLSCreds *tlscreds, - const char *tlsaclname, + const char *tlsauthz, void (*close_fn)(NBDClient *, bool)) { NBDClient *client; @@ -2415,7 +2415,7 @@ void nbd_client_new(QIOChannelSocket *sioc, if (tlscreds) { object_ref(OBJECT(client->tlscreds)); } - client->tlsaclname =3D g_strdup(tlsaclname); + client->tlsauthz =3D g_strdup(tlsauthz); client->sioc =3D sioc; object_ref(OBJECT(client->sioc)); client->ioc =3D QIO_CHANNEL(sioc); diff --git a/qemu-nbd.c b/qemu-nbd.c index e76fe3082a..61fe0fb5b9 100644 --- a/qemu-nbd.c +++ b/qemu-nbd.c @@ -52,6 +52,7 @@ #define QEMU_NBD_OPT_TLSCREDS 261 #define QEMU_NBD_OPT_IMAGE_OPTS 262 #define QEMU_NBD_OPT_FORK 263 +#define QEMU_NBD_OPT_TLSAUTHZ 264 =20 #define MBR_SIZE 512 =20 @@ -65,6 +66,7 @@ static int shared =3D 1; static int nb_fds; static QIONetListener *server; static QCryptoTLSCreds *tlscreds; +static const char *tlsauthz; =20 static void usage(const char *name) { @@ -354,7 +356,7 @@ static void nbd_accept(QIONetListener *listener, QIOCha= nnelSocket *cioc, =20 nb_fds++; nbd_update_server_watch(); - nbd_client_new(cioc, tlscreds, NULL, nbd_client_closed); + nbd_client_new(cioc, tlscreds, tlsauthz, nbd_client_closed); } =20 static void nbd_update_server_watch(void) @@ -532,6 +534,7 @@ int main(int argc, char **argv) { "image-opts", no_argument, NULL, QEMU_NBD_OPT_IMAGE_OPTS }, { "trace", required_argument, NULL, 'T' }, { "fork", no_argument, NULL, QEMU_NBD_OPT_FORK }, + { "tls-authz", no_argument, NULL, QEMU_NBD_OPT_TLSAUTHZ }, { NULL, 0, NULL, 0 } }; int ch; @@ -754,6 +757,9 @@ int main(int argc, char **argv) g_free(trace_file); trace_file =3D trace_opt_parse(optarg); break; + case QEMU_NBD_OPT_TLSAUTHZ: + tlsauthz =3D optarg; + break; case QEMU_NBD_OPT_FORK: fork_process =3D true; break; @@ -813,6 +819,11 @@ int main(int argc, char **argv) error_get_pretty(local_err)); exit(EXIT_FAILURE); } + } else { + if (tlsauthz) { + error_report("--tls-authz is not permitted without --tls-creds= "); + exit(EXIT_FAILURE); + } } =20 if (disconnect) { diff --git a/qemu-nbd.texi b/qemu-nbd.texi index 9a84e81eed..7f9503cf05 100644 --- a/qemu-nbd.texi +++ b/qemu-nbd.texi @@ -91,6 +91,10 @@ of the TLS credentials object previously created with th= e --object option. @item --fork Fork off the server process and exit the parent once the server is running. +@item --tls-authz=3DID +Specify the ID of a qauthz object previously created with the +--object option. This will be used to authorize connecting users +against their x509 distinguished name. @item -v, --verbose Display extra debugging information @item -h, --help --=20 2.17.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list