| 1 |
commit 441d3eb6d1be940a67ce45a286602a967601b157 |
| 2 |
Author: Daniel P. Berrange <berrange@redhat.com> |
| 3 |
Date: Thu Oct 5 17:54:28 2017 +0100 |
| 4 |
|
| 5 |
qemu: ensure TLS clients always verify the server certificate |
| 6 |
|
| 7 |
The default_tls_x509_verify (and related) parameters in qemu.conf |
| 8 |
control whether the QEMU TLS servers request & verify certificates |
| 9 |
from clients. This works as a simple access control system for |
| 10 |
servers by requiring the CA to issue certs to permitted clients. |
| 11 |
This use of client certificates is disabled by default, since it |
| 12 |
requires extra work to issue client certificates. |
| 13 |
|
| 14 |
Unfortunately the code was using this configuration parameter when |
| 15 |
setting up both TLS clients and servers in QEMU. The result was that |
| 16 |
TLS clients for character devices and disk devices had verification |
| 17 |
turned off, meaning they would ignore errors while validating the |
| 18 |
server certificate. |
| 19 |
|
| 20 |
This allows for trivial MITM attacks between client and server, |
| 21 |
as any certificate returned by the attacker will be accepted by |
| 22 |
the client. |
| 23 |
|
| 24 |
This is assigned CVE-2017-1000256 / LSN-2017-0002 |
| 25 |
|
| 26 |
Reviewed-by: Eric Blake <eblake@redhat.com> |
| 27 |
Signed-off-by: Daniel P. Berrange <berrange@redhat.com> |
| 28 |
|
| 29 |
Index: libvirt-3.3.0/src/qemu/qemu_command.c |
| 30 |
=================================================================== |
| 31 |
--- libvirt-3.3.0.orig/src/qemu/qemu_command.c |
| 32 |
+++ libvirt-3.3.0/src/qemu/qemu_command.c |
| 33 |
@@ -728,7 +728,7 @@ qemuBuildTLSx509BackendProps(const char |
| 34 |
if (virJSONValueObjectCreate(propsret, |
| 35 |
"s:dir", path, |
| 36 |
"s:endpoint", (isListen ? "server": "client"), |
| 37 |
- "b:verify-peer", verifypeer, |
| 38 |
+ "b:verify-peer", (isListen ? verifypeer : true), |
| 39 |
NULL) < 0) |
| 40 |
goto cleanup; |
| 41 |
|
| 42 |
Index: libvirt-3.3.0/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args |
| 43 |
=================================================================== |
| 44 |
--- libvirt-3.3.0.orig/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args |
| 45 |
+++ libvirt-3.3.0/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args |
| 46 |
@@ -26,7 +26,7 @@ server,nowait \ |
| 47 |
localport=1111 \ |
| 48 |
-device isa-serial,chardev=charserial0,id=serial0 \ |
| 49 |
-object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\ |
| 50 |
-endpoint=client,verify-peer=no \ |
| 51 |
+endpoint=client,verify-peer=yes \ |
| 52 |
-chardev socket,id=charserial1,host=127.0.0.1,port=5555,\ |
| 53 |
tls-creds=objcharserial1_tls0 \ |
| 54 |
-device isa-serial,chardev=charserial1,id=serial1 \ |
| 55 |
Index: libvirt-3.3.0/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args |
| 56 |
=================================================================== |
| 57 |
--- libvirt-3.3.0.orig/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args |
| 58 |
+++ libvirt-3.3.0/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args |
| 59 |
@@ -31,7 +31,7 @@ localport=1111 \ |
| 60 |
data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\ |
| 61 |
keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \ |
| 62 |
-object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\ |
| 63 |
-endpoint=client,verify-peer=no,passwordid=charserial1-secret0 \ |
| 64 |
+endpoint=client,verify-peer=yes,passwordid=charserial1-secret0 \ |
| 65 |
-chardev socket,id=charserial1,host=127.0.0.1,port=5555,\ |
| 66 |
tls-creds=objcharserial1_tls0 \ |
| 67 |
-device isa-serial,chardev=charserial1,id=serial1 \ |
Parent Directory
| 
Revision Log