
[Qemu-commits] [qemu/qemu] d41997: crypto: mandate a hostname when check


From: Peter Maydell
Subject: [Qemu-commits] [qemu/qemu] d41997: crypto: mandate a hostname when checking x509 cred...
Date: Wed, 09 Mar 2022 07:50:41 -0800

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: d41997e465c533f3a29e0d0bb52cfcad696e2b2d
      
https://github.com/qemu/qemu/commit/d41997e465c533f3a29e0d0bb52cfcad696e2b2d
  Author: Daniel P. Berrangé <berrange@redhat.com>
  Date:   2022-03-07 (Mon, 07 Mar 2022)

  Changed paths:
    M crypto/tlssession.c

  Log Message:
  -----------
  crypto: mandate a hostname when checking x509 creds on a client

Currently the TLS session object assumes that the caller will always
provide a hostname when using x509 creds on a client endpoint. This
relies on the caller to detect and report an error if the user has
configured QEMU with x509 credentials on a UNIX socket. The migration
code has such a check, but it is too broad, reporting an error when
the user has configured QEMU with PSK credentials on a UNIX socket,
where hostnames are irrelevant.

Putting the check into the TLS session object credentials validation
code ensures we report errors in only the scenario that matters.

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20220304193610.3293146-2-berrange@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>


  Commit: 046f98d0753872b1e3189689da16c68e1f6c78c2
      
https://github.com/qemu/qemu/commit/046f98d0753872b1e3189689da16c68e1f6c78c2
  Author: Daniel P. Berrangé <berrange@redhat.com>
  Date:   2022-03-07 (Mon, 07 Mar 2022)

  Changed paths:
    M block/nbd.c
    M include/block/nbd.h
    M nbd/client-connection.c

  Log Message:
  -----------
  block: pass desired TLS hostname through from block driver client

In

  commit a71d597b989fd701b923f09b3c20ac4fcaa55e81
  Author: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
  Date:   Thu Jun 10 13:08:00 2021 +0300

    block/nbd: reuse nbd_co_do_establish_connection() in nbd_open()

the use of the 'hostname' field from the BDRVNBDState struct was
lost, and 'nbd_connect' just hardcoded it to match the IP socket
address. This was a harmless bug at the time since we block use
with anything other than IP sockets.

Shortly though, we want to allow the caller to override the hostname
used in the TLS certificate checks. This is to allow for TLS
when doing port forwarding or tunneling. Thus we need to reinstate
the passing along of the 'hostname'.

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20220304193610.3293146-3-berrange@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>


  Commit: a0cd6d297283bedffafce939dce38f3d06f3e2cd
      
https://github.com/qemu/qemu/commit/a0cd6d297283bedffafce939dce38f3d06f3e2cd
  Author: Daniel P. Berrangé <berrange@redhat.com>
  Date:   2022-03-07 (Mon, 07 Mar 2022)

  Changed paths:
    M block/nbd.c
    M qapi/block-core.json

  Log Message:
  -----------
  block/nbd: support override of hostname for TLS certificate validation

When connecting to an NBD server with TLS and x509 credentials,
the client must validate the hostname it uses for the connection,
against that published in the server's certificate. If the client
is tunnelling its connection over some other channel, however, the
hostname it uses may not match the info reported in the server's
certificate. In such a case, the user needs to explicitly set an
override for the hostname to use for certificate validation.

This is achieved by adding a 'tls-hostname' property to the NBD
block driver.

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20220304193610.3293146-4-berrange@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>


  Commit: 003b2b252112572cd8c92bffe5e532a53b28d1e4
      
https://github.com/qemu/qemu/commit/003b2b252112572cd8c92bffe5e532a53b28d1e4
  Author: Daniel P. Berrangé <berrange@redhat.com>
  Date:   2022-03-07 (Mon, 07 Mar 2022)

  Changed paths:
    M docs/tools/qemu-nbd.rst
    M qemu-nbd.c

  Log Message:
  -----------
  qemu-nbd: add --tls-hostname option for TLS certificate validation

When using the --list option, qemu-nbd acts as an NBD client rather
than a server. As such when using TLS, it has a need to validate
the server certificate. This adds a --tls-hostname option which can
be used to override the default hostname used for certificate
validation.

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20220304193610.3293146-5-berrange@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>


  Commit: e8ae8b1a75e8f6420c37be31797bd13aa7e95778
      
https://github.com/qemu/qemu/commit/e8ae8b1a75e8f6420c37be31797bd13aa7e95778
  Author: Daniel P. Berrangé <berrange@redhat.com>
  Date:   2022-03-07 (Mon, 07 Mar 2022)

  Changed paths:
    M block/nbd.c
    M blockdev-nbd.c
    M qemu-nbd.c

  Log Message:
  -----------
  block/nbd: don't restrict TLS usage to IP sockets

The TLS usage for NBD was restricted to IP sockets because validating
x509 certificates requires knowledge of the hostname that the client
is connecting to.

TLS does not have to use x509 certificates though, as PSK (pre-shared
keys) provide an alternative credential option. These have no
requirement for a hostname and can thus be trivially used for UNIX
sockets.

Furthermore, with the ability to override the default hostname for
TLS validation in the previous patch, it is now also valid to want
to use x509 certificates with FD passing and UNIX sockets.

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20220304193610.3293146-6-berrange@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>


  Commit: cf168e398b83f8ed963b1e6b0bc546c6387be598
      
https://github.com/qemu/qemu/commit/cf168e398b83f8ed963b1e6b0bc546c6387be598
  Author: Daniel P. Berrangé <berrange@redhat.com>
  Date:   2022-03-07 (Mon, 07 Mar 2022)

  Changed paths:
    M tests/qemu-iotests/testrunner.py

  Log Message:
  -----------
  tests/qemu-iotests: add QEMU_IOTESTS_REGEN=1 to update reference file

When developing an I/O test it is typical to add some logic to the
test script, run it to view the output diff, and then apply the
output diff to the reference file. This can be drastically simplified
by letting the test runner update the reference file in place.

By setting 'QEMU_IOTESTS_REGEN=1', the test runner will report the
failure and show the diff, but at the same time update the reference
file. So next time the I/O test is run it will succeed.

Continuing to display the diff when updating the reference gives the
developer a chance to review what was changed.

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20220304193610.3293146-7-berrange@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>


  Commit: 7470bf87d30f3105777003a1e3a56c223ce47d2e
      
https://github.com/qemu/qemu/commit/7470bf87d30f3105777003a1e3a56c223ce47d2e
  Author: Daniel P. Berrangé <berrange@redhat.com>
  Date:   2022-03-07 (Mon, 07 Mar 2022)

  Changed paths:
    M tests/qemu-iotests/common.filter

  Log Message:
  -----------
  tests/qemu-iotests: expand _filter_nbd rules

Some tests will want to use 'localhost' instead of '127.0.0.1', and
some will use the image options syntax rather than the classic URI
syntax.

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20220304193610.3293146-8-berrange@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>


  Commit: 9960fda9fa207a2f993a8ddcf43fc5d059db607e
      
https://github.com/qemu/qemu/commit/9960fda9fa207a2f993a8ddcf43fc5d059db607e
  Author: Daniel P. Berrangé <berrange@redhat.com>
  Date:   2022-03-07 (Mon, 07 Mar 2022)

  Changed paths:
    M tests/qemu-iotests/241
    M tests/qemu-iotests/241.out
    M tests/qemu-iotests/common.filter

  Log Message:
  -----------
  tests/qemu-iotests: introduce filter for qemu-nbd export list

Introduce a filter for the output of qemu-nbd export list so it can be
reused in multiple tests.

The filter is a bit more permissive than what test 241 currently uses,
as it allows printing of the export count, along with any possible
error messages that might be emitted.

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20220304193610.3293146-9-berrange@redhat.com>
Tested-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>


  Commit: ebc0141ba7e5d594ef9ea0efbf841e2e90edea7c
      
https://github.com/qemu/qemu/commit/ebc0141ba7e5d594ef9ea0efbf841e2e90edea7c
  Author: Daniel P. Berrangé <berrange@redhat.com>
  Date:   2022-03-07 (Mon, 07 Mar 2022)

  Changed paths:
    M tests/qemu-iotests/233
    M tests/qemu-iotests/233.out

  Log Message:
  -----------
  tests/qemu-iotests: convert NBD TLS test to use standard filters

Using standard filters is more future proof than rolling our own.

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20220304193610.3293146-10-berrange@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>


  Commit: 3da93d4bc6749d56349cd16340f07ca9825996ed
      
https://github.com/qemu/qemu/commit/3da93d4bc6749d56349cd16340f07ca9825996ed
  Author: Daniel P. Berrangé <berrange@redhat.com>
  Date:   2022-03-07 (Mon, 07 Mar 2022)

  Changed paths:
    M tests/qemu-iotests/233
    M tests/qemu-iotests/233.out
    M tests/qemu-iotests/common.tls

  Log Message:
  -----------
  tests/qemu-iotests: validate NBD TLS with hostname mismatch

This validates that connections to an NBD server where the certificate
hostname does not match will fail. It further validates that using the
new 'tls-hostname' override option can solve the failure.

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20220304193610.3293146-11-berrange@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>


  Commit: f0620835c513afa36660eedbc8995ce4dbc72f98
      
https://github.com/qemu/qemu/commit/f0620835c513afa36660eedbc8995ce4dbc72f98
  Author: Daniel P. Berrangé <berrange@redhat.com>
  Date:   2022-03-07 (Mon, 07 Mar 2022)

  Changed paths:
    M tests/qemu-iotests/233
    M tests/qemu-iotests/233.out

  Log Message:
  -----------
  tests/qemu-iotests: validate NBD TLS with UNIX sockets

This validates that connections to an NBD server running on a UNIX
socket can use TLS, and require a TLS hostname override to pass
certificate validation.

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20220304193610.3293146-12-berrange@redhat.com>
[eblake: squash in rebase fix]
Tested-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>


  Commit: 10cc95c38f95e62c5ff5e1cffbf8bfef748e9d6f
      
https://github.com/qemu/qemu/commit/10cc95c38f95e62c5ff5e1cffbf8bfef748e9d6f
  Author: Daniel P. Berrangé <berrange@redhat.com>
  Date:   2022-03-07 (Mon, 07 Mar 2022)

  Changed paths:
    M tests/qemu-iotests/233
    M tests/qemu-iotests/233.out
    M tests/qemu-iotests/common.tls

  Log Message:
  -----------
  tests/qemu-iotests: validate NBD TLS with UNIX sockets and PSK

This validates that connections to an NBD server running on a UNIX
socket can use TLS with pre-shared keys (PSK).

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20220304193610.3293146-13-berrange@redhat.com>
[eblake: squash in rebase fix]
Tested-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>


  Commit: 314b9026212f1841a380ae8dbd1166288dff9712
      
https://github.com/qemu/qemu/commit/314b9026212f1841a380ae8dbd1166288dff9712
  Author: Eric Blake <eblake@redhat.com>
  Date:   2022-03-07 (Mon, 07 Mar 2022)

  Changed paths:
    M nbd/server.c

  Log Message:
  -----------
  nbd/server: Minor cleanups

Spelling fixes, grammar improvements and consistent spacing, noticed
while preparing other patches in this file.

Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <20211203231539.3900865-2-eblake@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>


  Commit: 087f2fb3763fd85082fb09ba03ec66ff1d3f5cd7
      
https://github.com/qemu/qemu/commit/087f2fb3763fd85082fb09ba03ec66ff1d3f5cd7
  Author: Eric Blake <eblake@redhat.com>
  Date:   2022-03-07 (Mon, 07 Mar 2022)

  Changed paths:
    M qemu-io-cmds.c

  Log Message:
  -----------
  qemu-io: Utilize 64-bit status during map

The block layer has supported 64-bit block status from drivers since
commit 86a3d5c688 ("block: Add .bdrv_co_block_status() callback",
v2.12) and friends, with individual driver callbacks responsible for
capping things where necessary.  Artificially capping things below 2G
in the qemu-io 'map' command, added in commit d6a644bbfe ("block: Make
bdrv_is_allocated() byte-based", v2.10) is thus no longer necessary.

One way to test this is with qemu-nbd as server on a raw file larger
than 4G (the entire file should show as allocated), plus 'qemu-io -f
raw -c map nbd://localhost --trace=nbd_\*' as client.  Prior to this
patch, the NBD_CMD_BLOCK_STATUS requests are fragmented at 0x7ffffe00
distances; with this patch, the fragmenting changes to 0x7fffffff
(since the NBD protocol is currently still limited to 32-bit
transactions - see block/nbd.c:nbd_client_co_block_status).  Then in
later patches, once I add an NBD extension for a 64-bit block status,
the same map command completes with just one NBD_CMD_BLOCK_STATUS.

Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <20211203231539.3900865-3-eblake@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>


  Commit: 395aecd037dc35d110b8e1e8cc7d20c1082894b5
      
https://github.com/qemu/qemu/commit/395aecd037dc35d110b8e1e8cc7d20c1082894b5
  Author: Eric Blake <eblake@redhat.com>
  Date:   2022-03-07 (Mon, 07 Mar 2022)

  Changed paths:
    M qemu-io-cmds.c

  Log Message:
  -----------
  qemu-io: Allow larger write zeroes under no fallback

When writing zeroes can fall back to a slow write, permitting an
overly large request can become an amplification denial of service
attack in triggering a large amount of work from a small request.  But
the whole point of the no fallback flag is to quickly determine if
writing an entire device to zero can be done quickly (such as when it
is already known that the device started with zero contents); in those
cases, artificially capping things at 2G in qemu-io itself doesn't
help us.

Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <20211203231539.3900865-4-eblake@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>


  Commit: fdee2c96923dfd38aa7a264abb7de6d403f81c4d
      
https://github.com/qemu/qemu/commit/fdee2c96923dfd38aa7a264abb7de6d403f81c4d
  Author: Peter Maydell <peter.maydell@linaro.org>
  Date:   2022-03-09 (Wed, 09 Mar 2022)

  Changed paths:
    M block/nbd.c
    M blockdev-nbd.c
    M crypto/tlssession.c
    M docs/tools/qemu-nbd.rst
    M include/block/nbd.h
    M nbd/client-connection.c
    M nbd/server.c
    M qapi/block-core.json
    M qemu-io-cmds.c
    M qemu-nbd.c
    M tests/qemu-iotests/233
    M tests/qemu-iotests/233.out
    M tests/qemu-iotests/241
    M tests/qemu-iotests/241.out
    M tests/qemu-iotests/common.filter
    M tests/qemu-iotests/common.tls
    M tests/qemu-iotests/testrunner.py

  Log Message:
  -----------
  Merge remote-tracking branch 'remotes/ericb/tags/pull-nbd-2022-03-07' into staging

nbd patches for 2022-03-07

- Dan Berrange: Allow qemu-nbd to support TLS over Unix sockets
- Eric Blake: Minor cleanups related to 64-bit block operations

# gpg: Signature made Tue 08 Mar 2022 01:41:35 GMT
# gpg:                using RSA key 71C2CC22B1C4602927D2F3AAA7A16B4A2527436A
# gpg: Good signature from "Eric Blake <eblake@redhat.com>" [full]
# gpg:                 aka "Eric Blake (Free Software Programmer) <ebb9@byu.net>" [full]
# gpg:                 aka "[jpeg image of size 6874]" [full]
# Primary key fingerprint: 71C2 CC22 B1C4 6029 27D2  F3AA A7A1 6B4A 2527 436A

* remotes/ericb/tags/pull-nbd-2022-03-07:
  qemu-io: Allow larger write zeroes under no fallback
  qemu-io: Utilize 64-bit status during map
  nbd/server: Minor cleanups
  tests/qemu-iotests: validate NBD TLS with UNIX sockets and PSK
  tests/qemu-iotests: validate NBD TLS with UNIX sockets
  tests/qemu-iotests: validate NBD TLS with hostname mismatch
  tests/qemu-iotests: convert NBD TLS test to use standard filters
  tests/qemu-iotests: introduce filter for qemu-nbd export list
  tests/qemu-iotests: expand _filter_nbd rules
  tests/qemu-iotests: add QEMU_IOTESTS_REGEN=1 to update reference file
  block/nbd: don't restrict TLS usage to IP sockets
  qemu-nbd: add --tls-hostname option for TLS certificate validation
  block/nbd: support override of hostname for TLS certificate validation
  block: pass desired TLS hostname through from block driver client
  crypto: mandate a hostname when checking x509 creds on a client

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>


Compare: https://github.com/qemu/qemu/compare/f14ad81eed53...fdee2c96923d


