From: "Daniel P. Berrangé" <berrange@redhat.com>
To: Eric Blake <eblake@redhat.com>
Cc: Kevin Wolf <kwolf@redhat.com>,
"open list:Network Block Dev..." <qemu-block@nongnu.org>,
qemu-devel@nongnu.org, Markus Armbruster <armbru@redhat.com>,
rjones@redhat.com, Max Reitz <mreitz@redhat.com>
Subject: Re: [Qemu-devel] [PATCH v2 RFC] qemu-nbd: Permit TLS with Unix sockets
Date: Fri, 5 Jul 2019 11:31:36 +0100 [thread overview]
Message-ID: <20190705103136.GF32473@redhat.com> (raw)
In-Reply-To: <20190703224707.12437-1-eblake@redhat.com>
On Wed, Jul 03, 2019 at 05:47:07PM -0500, Eric Blake wrote:
> Although you generally won't use encryption with a Unix socket (after
> all, everything is local, so why waste the CPU power), there are
> situations in testsuites where Unix sockets are much nicer than TCP
> sockets. Since nbdkit allows encryption over both types of sockets,
> it makes sense for qemu-nbd to do likewise.
>
> The restriction has been present since its introduction in commits
> 145614a1 and 75822a12 (v2.6), where the former documented the
> limitation but did not provide any additional explanation why it was
> added; but looking closer, it seems the most likely reason is that
> x509 verification requires a hostname. But we can do the same as
> migration did, and add a tls-hostname parameter to supply that
> information.
Yes, the x509 cert validation is precisely the reason.
The client must validate the hostname it is connecting to, against
the x509 certificate received from the server. If it doesn't use
IP, then it had no hostnmae to validate the cert against.
Since that time though, we added support for PSK credentials with
TLS which requires no hostname validation, so the restriction no
longer makes sense.
Adding ability to set a tls-hostname parameter further enables its
use with x509 credentials.
> RFC: The test is racy - it sometimes passes, and sometimes fails with:
>
> == check TLS with authorization over Unix ==
> qemu-img: Could not open 'driver=nbd,path=SOCKET,tls-creds=tls0,tls-hostname=localhost': Failed to read option reply: Cannot read from TLS channel: Input/output error
> -qemu-img: Could not open 'driver=nbd,path=SOCKET,tls-creds=tls0,tls-hostname=localhost': Failed to read option reply: Cannot read from TLS channel: Input/output error
> +qemu-img: Could not open 'driver=nbd,path=SOCKET,tls-creds=tls0,tls-hostname=localhost': Failed to read option reply: Cannot read from TLS channel: Software caused connection abort
It is a bit complex to debug this because unfortunately gnutls API
doesn't allow us to propagate the root cause error accurately.
We return ECONNABORTED when GNUTLS reports GNUTLS_E_PREMATURE_TERMINATION.
It reports this when it tries to read a packet header and gets EOF from
the socket.
We return EIO in other cases where there's no GNUTLS error code we
want to handle explicitly. With some debugging I find that GNUTLS
is returned GNUTLS_E_PULL_ERROR which is a generic code it returns
whenever the read() callback fails for a reason which isn't EAGAIN.
With more debugging I find the original recvfrom() is returning
ECONNRESET, so this is basically just another name for EOF.
I'm curious why we see EOF sometimes and ECONNRESET at other times.
I disabled the qio_channel_shutdown call on the server and that just
changed to a different race. Now we sometimes get ECONNRESET, and
sometimes get EIO when trying to send the first NBD option header
instead.
> I suspect that there is a bug in the qio TLS channel code when it
> comes to handling a failed TLS handshake, which results in the racy
> output. I'll need help solving that first. It might also be nice if
> we had a bit more visibility into the gnutls error message when TLS
> handshake fails.
I'm not sure there is a bug - it feels like there's just a few different
shutdown scenarios we can hit based on timing, due to the fact there is
no synchronization with the client when we drop the connection if
authz fails.
> @@ -1624,12 +1629,25 @@ static int nbd_open(BlockDriverState *bs, QDict *options, int flags,
> goto error;
> }
>
> - /* TODO SOCKET_ADDRESS_KIND_FD where fd has AF_INET or AF_INET6 */
> - if (s->saddr->type != SOCKET_ADDRESS_TYPE_INET) {
> - error_setg(errp, "TLS only supported over IP sockets");
> + switch (s->saddr->type) {
> + case SOCKET_ADDRESS_TYPE_INET:
> + hostname = s->saddr->u.inet.host;
> + if (qemu_opt_get(opts, "tls-hostname")) {
> + error_setg(errp, "tls-hostname not required with inet socket");
> + goto error;
> + }
We don't need to forbid this. Consider if you have setup an SSH tunnel
from localhost:someport, over to your remote server. NBD will get told
to connect to localhost, but will need to validate the cert against
the real remote hostname.
> + break;
> + case SOCKET_ADDRESS_TYPE_UNIX:
> + hostname = qemu_opt_get(opts, "tls-hostname");
> + break;
> + default:
> + /* TODO SOCKET_ADDRESS_KIND_FD where fd has AF_INET or AF_INET6 */
> + error_setg(errp, "TLS only supported over IP or Unix sockets");
> goto error;
> }
I don't think we need any of this switch, instead just something like thus:
hostname = qemu_opt_get(opts, "tls-hostname");
if (!hostname) {
if (s->saddr->type == SOCKET_ADDRESS_TYPE_INET) {
hostname = s->sadddr->u.inet.host;
} else {
error_setg(errp, "tls-hostname is required for non-IP sockets");
goto error;
}
}
> - hostname = s->saddr->u.inet.host;
> + } else if (qemu_opt_get(opts, "tls-hostname")) {
> + error_setg(errp, "tls-hostname not supported without tls-creds");
> + goto error;
> }
>
> /* NBD handshake */
> @@ -1752,6 +1770,7 @@ static const char *const nbd_strong_runtime_opts[] = {
> "port",
> "export",
> "tls-creds",
> + "tls-hostname",
> "server.",
>
> NULL
> diff --git a/qemu-nbd.c b/qemu-nbd.c
> index a8cb39e51043..40ea1e299dc7 100644
> --- a/qemu-nbd.c
> +++ b/qemu-nbd.c
> @@ -62,6 +62,7 @@
> #define QEMU_NBD_OPT_FORK 263
> #define QEMU_NBD_OPT_TLSAUTHZ 264
> #define QEMU_NBD_OPT_PID_FILE 265
> +#define QEMU_NBD_OPT_TLSHOST 266
>
> #define MBR_SIZE 512
>
> @@ -76,6 +77,7 @@ static int nb_fds;
> static QIONetListener *server;
> static QCryptoTLSCreds *tlscreds;
> static const char *tlsauthz;
> +static const char *tlshost;
>
> static void usage(const char *name)
> {
> @@ -640,6 +642,7 @@ int main(int argc, char **argv)
> { "description", required_argument, NULL, 'D' },
> { "tls-creds", required_argument, NULL, QEMU_NBD_OPT_TLSCREDS },
> { "tls-authz", required_argument, NULL, QEMU_NBD_OPT_TLSAUTHZ },
> + { "tls-hostname", required_argument, NULL, QEMU_NBD_OPT_TLSHOST },
> { "image-opts", no_argument, NULL, QEMU_NBD_OPT_IMAGE_OPTS },
> { "trace", required_argument, NULL, 'T' },
> { "fork", no_argument, NULL, QEMU_NBD_OPT_FORK },
> @@ -864,6 +867,9 @@ int main(int argc, char **argv)
> case QEMU_NBD_OPT_TLSAUTHZ:
> tlsauthz = optarg;
> break;
> + case QEMU_NBD_OPT_TLSHOST:
> + tlshost = optarg;
> + break;
> case QEMU_NBD_OPT_FORK:
> fork_process = true;
> break;
> @@ -931,18 +937,22 @@ int main(int argc, char **argv)
> }
>
> if (tlscredsid) {
> - if (sockpath) {
> - error_report("TLS is only supported with IPv4/IPv6");
> - exit(EXIT_FAILURE);
> - }
> if (device) {
> error_report("TLS is not supported with a host device");
> exit(EXIT_FAILURE);
> }
> if (tlsauthz && list) {
> - error_report("TLS authorization is incompatible with export list");
> + error_report("TLS authorization is incompatible with --list");
> exit(EXIT_FAILURE);
> }
> + if (tlshost) {
> + if (!list) {
> + error_report("TLS hostname is only for use with --list");
> + exit(EXIT_FAILURE);
> + }
> + } else {
> + tlshost = bindto;
I was a bit confused by the "bindto" name being used as the hostname
to connect to for the --list client. Perhas we should rename it to
something neutral - just hostname perhaps.
> + }
> tlscreds = nbd_get_tls_creds(tlscredsid, list, &local_err);
> if (local_err) {
> error_report("Failed to get TLS creds %s",
> @@ -954,11 +964,15 @@ int main(int argc, char **argv)
> error_report("--tls-authz is not permitted without --tls-creds");
> exit(EXIT_FAILURE);
> }
> + if (tlshost) {
> + error_report("--tls-hostname is not permitted without --tls-creds");
> + exit(EXIT_FAILURE);
> + }
> }
>
> if (list) {
> saddr = nbd_build_socket_address(sockpath, bindto, port);
> - return qemu_nbd_client_list(saddr, tlscreds, bindto);
> + return qemu_nbd_client_list(saddr, tlscreds, tlshost);
> }
>
> #if !HAVE_NBD_DEVICE
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
next prev parent reply other threads:[~2019-07-05 10:33 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-03 22:47 [Qemu-devel] [PATCH v2 RFC] qemu-nbd: Permit TLS with Unix sockets Eric Blake
2019-07-04 3:09 ` no-reply
2019-07-05 9:31 ` Max Reitz
2019-07-05 10:34 ` Daniel P. Berrangé
2019-07-05 21:07 ` Eric Blake
2019-07-05 10:31 ` Daniel P. Berrangé [this message]
2019-07-05 10:37 ` Daniel P. Berrangé
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190705103136.GF32473@redhat.com \
--to=berrange@redhat.com \
--cc=armbru@redhat.com \
--cc=eblake@redhat.com \
--cc=kwolf@redhat.com \
--cc=mreitz@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=rjones@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).