From patchwork Tue Jan 19 13:09:22 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: =?utf-8?q?Daniel_P=2E_Berrang=C3=A9?= X-Patchwork-Id: 8061851 Return-Path: X-Original-To: patchwork-qemu-devel@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork1.web.kernel.org (Postfix) with ESMTP id 90CD99F818 for ; Tue, 19 Jan 2016 13:18:15 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id CC7F420386 for ; Tue, 19 Jan 2016 13:18:13 +0000 (UTC) Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id A88A820138 for ; Tue, 19 Jan 2016 13:18:09 +0000 (UTC) Received: from localhost ([::1]:36957 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aLWAj-0002Xt-1F for patchwork-qemu-devel@patchwork.kernel.org; Tue, 19 Jan 2016 08:18:09 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:39881) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aLW2i-0007b3-GD for qemu-devel@nongnu.org; Tue, 19 Jan 2016 08:09:53 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1aLW2h-0005zH-8B for qemu-devel@nongnu.org; Tue, 19 Jan 2016 08:09:52 -0500 Received: from mx1.redhat.com ([209.132.183.28]:57215) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aLW2a-0005xO-AS; Tue, 19 Jan 2016 08:09:44 -0500 Received: from int-mx13.intmail.prod.int.phx2.redhat.com (int-mx13.intmail.prod.int.phx2.redhat.com [10.5.11.26]) by mx1.redhat.com (Postfix) with ESMTPS id 113ACC0BF2A4; Tue, 19 Jan 2016 13:09:44 +0000 (UTC) Received: from t530wlan.home.berrange.com.com (vpn1-6-80.ams2.redhat.com [10.36.6.80]) by int-mx13.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id u0JD9Qb6012785; Tue, 19 Jan 2016 08:09:43 -0500 From: "Daniel P. Berrange" To: qemu-devel@nongnu.org Date: Tue, 19 Jan 2016 13:09:22 +0000 Message-Id: <1453208963-16834-13-git-send-email-berrange@redhat.com> In-Reply-To: <1453208963-16834-1-git-send-email-berrange@redhat.com> References: <1453208963-16834-1-git-send-email-berrange@redhat.com> X-Scanned-By: MIMEDefang 2.68 on 10.5.11.26 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x X-Received-From: 209.132.183.28 Cc: Paolo Bonzini , qemu-block@nongnu.org Subject: [Qemu-devel] [PATCH v3 12/13] nbd: enable use of TLS with qemu-nbd server X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org Sender: qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP This modifies the qemu-nbd program so that it is possible to request the use of TLS with the server. It simply adds a new command line option --tls-creds which is used to provide the ID of a QCryptoTLSCreds object previously created via the --object command line option. For example qemu-nbd --object tls-creds-x509,id=tls0,endpoint=server,\ dir=/home/berrange/security/qemutls \ --tls-creds tls0 \ --exportname default Note that it is mandatory to supply the --exportname argument when requesting TLS, since it requires use of the new style NBD protocol where the client requests a volume name explicitly. TLS is only supported when using an IPv4/IPv6 socket listener. It is not possible to use with UNIX sockets, which includes when connecting the NBD server to a host device. Signed-off-by: Daniel P. Berrange --- qemu-nbd.c | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++- qemu-nbd.texi | 4 ++++ 2 files changed, 64 insertions(+), 1 deletion(-) diff --git a/qemu-nbd.c b/qemu-nbd.c index b5d8a53..6d92c61 100644 --- a/qemu-nbd.c +++ b/qemu-nbd.c @@ -45,6 +45,7 @@ #define QEMU_NBD_OPT_DETECT_ZEROES 259 #define QEMU_NBD_OPT_OBJECT 260 #define QEMU_NBD_OPT_IMAGE_OPTS 261 +#define QEMU_NBD_OPT_TLSCREDS 262 static NBDExport *exp; static bool newproto; @@ -57,6 +58,7 @@ static int shared = 1; static int nb_fds; static QIOChannelSocket *server_ioc; static int server_watch = -1; +static QCryptoTLSCreds *tlscreds; static void usage(const char *name) { @@ -345,7 +347,7 @@ static gboolean nbd_accept(QIOChannel *ioc, GIOCondition cond, gpointer opaque) nb_fds++; nbd_update_server_watch(); nbd_client_new(newproto ? NULL : exp, cioc, - NULL, NULL, nbd_client_closed); + tlscreds, NULL, nbd_client_closed); object_unref(OBJECT(cioc)); return TRUE; @@ -434,6 +436,37 @@ static int object_create(void *opaque, QemuOpts *opts, Error **errp) return 0; } + +static QCryptoTLSCreds *nbd_get_tls_creds(const char *id, Error **errp) +{ + Object *obj; + QCryptoTLSCreds *creds; + + obj = object_resolve_path_component( + object_get_objects_root(), id); + if (!obj) { + error_setg(errp, "No TLS credentials with id '%s'", + id); + return NULL; + } + creds = (QCryptoTLSCreds *) + object_dynamic_cast(obj, TYPE_QCRYPTO_TLS_CREDS); + if (!creds) { + error_setg(errp, "Object with id '%s' is not TLS credentials", + id); + return NULL; + } + + if (creds->endpoint != QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) { + error_setg(errp, + "Expecting TLS credentials with a server endpoint"); + return NULL; + } + object_ref(obj); + return creds; +} + + int main(int argc, char **argv) { BlockBackend *blk; @@ -475,6 +508,7 @@ int main(int argc, char **argv) { "object", required_argument, NULL, QEMU_NBD_OPT_OBJECT }, { "image-opts", no_argument, NULL, QEMU_NBD_OPT_IMAGE_OPTS }, { "exportname", required_argument, NULL, 'x' }, + { "tls-creds", required_argument, NULL, QEMU_NBD_OPT_TLSCREDS }, { NULL, 0, NULL, 0 } }; int ch; @@ -494,6 +528,7 @@ int main(int argc, char **argv) QemuOpts *opts; bool imageOpts = false; const char *exportname = NULL; + const char *tlscredsid = NULL; /* The client thread uses SIGTERM to interrupt the server. A signal * handler ensures that "qemu-nbd -v -c" exits with a nice status code. @@ -669,6 +704,9 @@ int main(int argc, char **argv) case QEMU_NBD_OPT_IMAGE_OPTS: imageOpts = true; break; + case QEMU_NBD_OPT_TLSCREDS: + tlscredsid = optarg; + break; case '?': error_report("Try `%s --help' for more information.", argv[0]); exit(EXIT_FAILURE); @@ -687,6 +725,27 @@ int main(int argc, char **argv) exit(1); } + if (tlscredsid) { + if (!exportname) { + error_report("Export name is required when using TLS"); + exit(EXIT_FAILURE); + } + if (sockpath) { + error_report("TLS is only supported with IPv4/IPv6"); + exit(EXIT_FAILURE); + } + if (device) { + error_report("TLS is not supported with a host device"); + exit(EXIT_FAILURE); + } + tlscreds = nbd_get_tls_creds(tlscredsid, &local_err); + if (local_err) { + error_report("Failed to get TLS creds %s", + error_get_pretty(local_err)); + exit(EXIT_FAILURE); + } + } + if (disconnect) { int nbdfd = open(argv[optind], O_RDWR); if (nbdfd < 0) { diff --git a/qemu-nbd.texi b/qemu-nbd.texi index 22d6b5a..34e59a1 100644 --- a/qemu-nbd.texi +++ b/qemu-nbd.texi @@ -66,6 +66,10 @@ Export QEMU disk image using NBD protocol. @item -x NAME, --exportname=NAME set the NDB volume export name. This switches the server to use the new style NBD protocol negotiation +@item --tls-creds=ID + enable mandatory TLS encryption for the server by setting the ID + of the TLS credentials object previously created with the --object + option. @item -v, --verbose display extra debugging information @item -h, --help