From patchwork Thu Jan 21 16:37:25 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: =?utf-8?q?Daniel_P=2E_Berrang=C3=A9?= X-Patchwork-Id: 8083091 Return-Path: X-Original-To: patchwork-qemu-devel@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork1.web.kernel.org (Postfix) with ESMTP id 37A099F440 for ; Thu, 21 Jan 2016 16:43:15 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 6C197204FF for ; Thu, 21 Jan 2016 16:43:14 +0000 (UTC) Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 80BEC2043C for ; Thu, 21 Jan 2016 16:43:13 +0000 (UTC) Received: from localhost ([::1]:48701 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aMIKG-0006Sv-SR for patchwork-qemu-devel@patchwork.kernel.org; Thu, 21 Jan 2016 11:43:12 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:41747) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aMIFI-0005GR-NO for qemu-devel@nongnu.org; Thu, 21 Jan 2016 11:38:05 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1aMIFE-0004JZ-BT for qemu-devel@nongnu.org; Thu, 21 Jan 2016 11:38:04 -0500 Received: from mx1.redhat.com ([209.132.183.28]:54440) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aMIF6-0004FT-9G; Thu, 21 Jan 2016 11:37:52 -0500 Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22]) by mx1.redhat.com (Postfix) with ESMTPS id E4C731839; Thu, 21 Jan 2016 16:37:51 +0000 (UTC) Received: from t530wlan.home.berrange.com.com (vpn1-6-170.ams2.redhat.com [10.36.6.170]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id u0LGbXn9001020; Thu, 21 Jan 2016 11:37:50 -0500 From: "Daniel P. Berrange" To: qemu-devel@nongnu.org Date: Thu, 21 Jan 2016 16:37:25 +0000 Message-Id: <1453394247-2267-13-git-send-email-berrange@redhat.com> In-Reply-To: <1453394247-2267-1-git-send-email-berrange@redhat.com> References: <1453394247-2267-1-git-send-email-berrange@redhat.com> X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x X-Received-From: 209.132.183.28 Cc: Paolo Bonzini , qemu-block@nongnu.org Subject: [Qemu-devel] [PATCH v4 12/14] nbd: enable use of TLS with NBD block driver X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org Sender: qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP This modifies the NBD driver so that it is possible to request use of TLS. This is done by providing the 'tls-creds' parameter with the ID of a previously created QCryptoTLSCreds object. For example $QEMU -object tls-creds-x509,id=tls0,endpoint=client,\ dir=/home/berrange/security/qemutls \ -drive driver=nbd,host=localhost,port=9000,tls-creds=tls0 The client will drop the connection if the NBD server does not provide TLS. Signed-off-by: Daniel P. Berrange --- block/nbd-client.c | 10 ++++--- block/nbd-client.h | 2 ++ block/nbd.c | 78 +++++++++++++++++++++++++++++++++++++++++++++++------- 3 files changed, 78 insertions(+), 12 deletions(-) diff --git a/block/nbd-client.c b/block/nbd-client.c index 1c79e4b..6a9b4c7 100644 --- a/block/nbd-client.c +++ b/block/nbd-client.c @@ -394,8 +394,12 @@ void nbd_client_close(BlockDriverState *bs) nbd_teardown_connection(bs); } -int nbd_client_init(BlockDriverState *bs, QIOChannelSocket *sioc, - const char *export, Error **errp) +int nbd_client_init(BlockDriverState *bs, + QIOChannelSocket *sioc, + const char *export, + QCryptoTLSCreds *tlscreds, + const char *hostname, + Error **errp) { NbdClientSession *client = nbd_get_client_session(bs); int ret; @@ -406,7 +410,7 @@ int nbd_client_init(BlockDriverState *bs, QIOChannelSocket *sioc, ret = nbd_receive_negotiate(QIO_CHANNEL(sioc), export, &client->nbdflags, - NULL, NULL, + tlscreds, hostname, &client->ioc, &client->size, errp); if (ret < 0) { diff --git a/block/nbd-client.h b/block/nbd-client.h index e8b3283..53f116d 100644 --- a/block/nbd-client.h +++ b/block/nbd-client.h @@ -39,6 +39,8 @@ NbdClientSession *nbd_get_client_session(BlockDriverState *bs); int nbd_client_init(BlockDriverState *bs, QIOChannelSocket *sock, const char *export_name, + QCryptoTLSCreds *tlscreds, + const char *hostname, Error **errp); void nbd_client_close(BlockDriverState *bs); diff --git a/block/nbd.c b/block/nbd.c index d7116e2..db57b49 100644 --- a/block/nbd.c +++ b/block/nbd.c @@ -258,36 +258,92 @@ static QIOChannelSocket *nbd_establish_connection(SocketAddress *saddr, return sioc; } + +static QCryptoTLSCreds *nbd_get_tls_creds(const char *id, Error **errp) +{ + Object *obj; + QCryptoTLSCreds *creds; + + obj = object_resolve_path_component( + object_get_objects_root(), id); + if (!obj) { + error_setg(errp, "No TLS credentials with id '%s'", + id); + return NULL; + } + creds = (QCryptoTLSCreds *) + object_dynamic_cast(obj, TYPE_QCRYPTO_TLS_CREDS); + if (!creds) { + error_setg(errp, "Object with id '%s' is not TLS credentials", + id); + return NULL; + } + + if (creds->endpoint != QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT) { + error_setg(errp, + "Expecting TLS credentials with a client endpoint"); + return NULL; + } + object_ref(obj); + return creds; +} + + static int nbd_open(BlockDriverState *bs, QDict *options, int flags, Error **errp) { BDRVNBDState *s = bs->opaque; char *export = NULL; - int result; - QIOChannelSocket *sioc; + QIOChannelSocket *sioc = NULL; SocketAddress *saddr; + const char *tlscredsid; + QCryptoTLSCreds *tlscreds = NULL; + const char *hostname = NULL; + int ret = -EINVAL; /* Pop the config into our state object. Exit if invalid. */ saddr = nbd_config(s, options, &export, errp); if (!saddr) { - return -EINVAL; + goto error; + } + + tlscredsid = g_strdup(qdict_get_try_str(options, "tls-creds")); + if (tlscredsid) { + qdict_del(options, "tls-creds"); + tlscreds = nbd_get_tls_creds(tlscredsid, errp); + if (!tlscreds) { + goto error; + } + + if (saddr->type != SOCKET_ADDRESS_KIND_INET) { + error_setg(errp, "TLS only supported over IP sockets"); + goto error; + } + hostname = saddr->u.inet->host; } /* establish TCP connection, return error if it fails * TODO: Configurable retry-until-timeout behaviour. */ sioc = nbd_establish_connection(saddr, errp); - qapi_free_SocketAddress(saddr); if (!sioc) { - g_free(export); - return -ECONNREFUSED; + ret = -ECONNREFUSED; + goto error; } /* NBD handshake */ - result = nbd_client_init(bs, sioc, export, errp); - object_unref(OBJECT(sioc)); + ret = nbd_client_init(bs, sioc, export, + tlscreds, hostname, errp); + error: + if (sioc) { + object_unref(OBJECT(sioc)); + } + if (tlscreds) { + object_unref(OBJECT(tlscreds)); + } + qapi_free_SocketAddress(saddr); g_free(export); - return result; + return ret; } static int nbd_co_readv(BlockDriverState *bs, int64_t sector_num, @@ -349,6 +405,7 @@ static void nbd_refresh_filename(BlockDriverState *bs, QDict *options) const char *host = qdict_get_try_str(options, "host"); const char *port = qdict_get_try_str(options, "port"); const char *export = qdict_get_try_str(options, "export"); + const char *tlscreds = qdict_get_try_str(options, "tls-creds"); qdict_put_obj(opts, "driver", QOBJECT(qstring_from_str("nbd"))); @@ -383,6 +440,9 @@ static void nbd_refresh_filename(BlockDriverState *bs, QDict *options) if (export) { qdict_put_obj(opts, "export", QOBJECT(qstring_from_str(export))); } + if (tlscreds) { + qdict_put_obj(opts, "tls-creds", QOBJECT(qstring_from_str(tlscreds))); + } bs->full_open_options = opts; }