From patchwork Thu Jan 21 16:37:26 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: =?utf-8?q?Daniel_P=2E_Berrang=C3=A9?= X-Patchwork-Id: 8083101 Return-Path: X-Original-To: patchwork-qemu-devel@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork1.web.kernel.org (Postfix) with ESMTP id 29A219F440 for ; Thu, 21 Jan 2016 16:44:37 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 6BF8E203F7 for ; Thu, 21 Jan 2016 16:44:36 +0000 (UTC) Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 7FF8C20390 for ; Thu, 21 Jan 2016 16:44:35 +0000 (UTC) Received: from localhost ([::1]:48717 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aMILa-0000Yb-Vo for patchwork-qemu-devel@patchwork.kernel.org; Thu, 21 Jan 2016 11:44:34 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:41688) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aMIFE-000597-Rd for qemu-devel@nongnu.org; Thu, 21 Jan 2016 11:38:01 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1aMIFA-0004I4-Jm for qemu-devel@nongnu.org; Thu, 21 Jan 2016 11:38:00 -0500 Received: from mx1.redhat.com ([209.132.183.28]:54475) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aMIF7-0004HG-QJ; Thu, 21 Jan 2016 11:37:53 -0500 Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22]) by mx1.redhat.com (Postfix) with ESMTPS id 697979135C; Thu, 21 Jan 2016 16:37:53 +0000 (UTC) Received: from t530wlan.home.berrange.com.com (vpn1-6-170.ams2.redhat.com [10.36.6.170]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id u0LGbXnA001020; Thu, 21 Jan 2016 11:37:52 -0500 From: "Daniel P. Berrange" To: qemu-devel@nongnu.org Date: Thu, 21 Jan 2016 16:37:26 +0000 Message-Id: <1453394247-2267-14-git-send-email-berrange@redhat.com> In-Reply-To: <1453394247-2267-1-git-send-email-berrange@redhat.com> References: <1453394247-2267-1-git-send-email-berrange@redhat.com> X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x X-Received-From: 209.132.183.28 Cc: Paolo Bonzini , qemu-block@nongnu.org Subject: [Qemu-devel] [PATCH v4 13/14] nbd: enable use of TLS with qemu-nbd server X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org Sender: qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP This modifies the qemu-nbd program so that it is possible to request the use of TLS with the server. It simply adds a new command line option --tls-creds which is used to provide the ID of a QCryptoTLSCreds object previously created via the --object command line option. For example qemu-nbd --object tls-creds-x509,id=tls0,endpoint=server,\ dir=/home/berrange/security/qemutls \ --tls-creds tls0 \ --exportname default TLS requires the new style NBD protocol, so if no export name is set (via --export-name), then we use the default NBD protocol export name "" TLS is only supported when using an IPv4/IPv6 socket listener. It is not possible to use with UNIX sockets, which includes when connecting the NBD server to a host device. Signed-off-by: Daniel P. Berrange --- qemu-nbd.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++- qemu-nbd.texi | 4 ++++ 2 files changed, 65 insertions(+), 1 deletion(-) diff --git a/qemu-nbd.c b/qemu-nbd.c index 19fac3d..20e4fa6 100644 --- a/qemu-nbd.c +++ b/qemu-nbd.c @@ -45,6 +45,7 @@ #define QEMU_NBD_OPT_DETECT_ZEROES 259 #define QEMU_NBD_OPT_OBJECT 260 #define QEMU_NBD_OPT_IMAGE_OPTS 261 +#define QEMU_NBD_OPT_TLSCREDS 262 static NBDExport *exp; static bool newproto; @@ -57,6 +58,7 @@ static int shared = 1; static int nb_fds; static QIOChannelSocket *server_ioc; static int server_watch = -1; +static QCryptoTLSCreds *tlscreds; static void usage(const char *name) { @@ -345,7 +347,7 @@ static gboolean nbd_accept(QIOChannel *ioc, GIOCondition cond, gpointer opaque) nb_fds++; nbd_update_server_watch(); nbd_client_new(newproto ? NULL : exp, cioc, - NULL, NULL, nbd_client_closed); + tlscreds, NULL, nbd_client_closed); object_unref(OBJECT(cioc)); return TRUE; @@ -434,6 +436,37 @@ static int object_create(void *opaque, QemuOpts *opts, Error **errp) return 0; } + +static QCryptoTLSCreds *nbd_get_tls_creds(const char *id, Error **errp) +{ + Object *obj; + QCryptoTLSCreds *creds; + + obj = object_resolve_path_component( + object_get_objects_root(), id); + if (!obj) { + error_setg(errp, "No TLS credentials with id '%s'", + id); + return NULL; + } + creds = (QCryptoTLSCreds *) + object_dynamic_cast(obj, TYPE_QCRYPTO_TLS_CREDS); + if (!creds) { + error_setg(errp, "Object with id '%s' is not TLS credentials", + id); + return NULL; + } + + if (creds->endpoint != QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) { + error_setg(errp, + "Expecting TLS credentials with a server endpoint"); + return NULL; + } + object_ref(obj); + return creds; +} + + int main(int argc, char **argv) { BlockBackend *blk; @@ -475,6 +508,7 @@ int main(int argc, char **argv) { "object", required_argument, NULL, QEMU_NBD_OPT_OBJECT }, { "image-opts", no_argument, NULL, QEMU_NBD_OPT_IMAGE_OPTS }, { "export-name", required_argument, NULL, 'x' }, + { "tls-creds", required_argument, NULL, QEMU_NBD_OPT_TLSCREDS }, { NULL, 0, NULL, 0 } }; int ch; @@ -494,6 +528,7 @@ int main(int argc, char **argv) QemuOpts *opts; bool imageOpts = false; const char *export_name = NULL; + const char *tlscredsid = NULL; /* The client thread uses SIGTERM to interrupt the server. A signal * handler ensures that "qemu-nbd -v -c" exits with a nice status code. @@ -669,6 +704,9 @@ int main(int argc, char **argv) case QEMU_NBD_OPT_IMAGE_OPTS: imageOpts = true; break; + case QEMU_NBD_OPT_TLSCREDS: + tlscredsid = optarg; + break; case '?': error_report("Try `%s --help' for more information.", argv[0]); exit(EXIT_FAILURE); @@ -688,6 +726,28 @@ int main(int argc, char **argv) exit(1); } + if (tlscredsid) { + if (sockpath) { + error_report("TLS is only supported with IPv4/IPv6"); + exit(EXIT_FAILURE); + } + if (device) { + error_report("TLS is not supported with a host device"); + exit(EXIT_FAILURE); + } + if (!export_name) { + /* Set the default NBD protocol export name, since + * we *must* use new style protocol for TLS */ + export_name = ""; + } + tlscreds = nbd_get_tls_creds(tlscredsid, &local_err); + if (local_err) { + error_report("Failed to get TLS creds %s", + error_get_pretty(local_err)); + exit(EXIT_FAILURE); + } + } + if (disconnect) { int nbdfd = open(argv[optind], O_RDWR); if (nbdfd < 0) { diff --git a/qemu-nbd.texi b/qemu-nbd.texi index 5fbe486..edeaf9f 100644 --- a/qemu-nbd.texi +++ b/qemu-nbd.texi @@ -66,6 +66,10 @@ Export QEMU disk image using NBD protocol. @item -x NAME, --export-name=NAME set the NDB volume export name. This switches the server to use the new style NBD protocol negotiation +@item --tls-creds=ID + enable mandatory TLS encryption for the server by setting the ID + of the TLS credentials object previously created with the --object + option. @item -v, --verbose display extra debugging information @item -h, --help