rpms/libnbd
7
0
Fork 0
Code Issues Pull Requests Releases Activity
771d9ffc13
libnbd/0011-lib-Allow-tls-certificates-DIR-query-parameter-in-UR.patch
Richard W.M. Jones 771d9ffc13 Fix CVE-2024-7383 NBD server improper certificate validation 
resolves: RHEL-52728
2024-08-27 19:56:54 +01:00

195 lines
7.2 KiB
Diff
Raw Blame History

From ee3f88640062372d04406da321270a775377eb6c Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Fri, 3 Sep 2021 08:42:31 +0100
Subject: [PATCH] lib: Allow tls-certificates=<DIR> query parameter in URIs
For nbd_connect_uri, this allows a non-default path to a certificates
directory to be specified. For example:
nbds+unix://user@/?socket=/tmp/sock&tls-certificates=tests/pki
nbd_get_uri is also extended to produce the tls-certificates query
field if nbd_set_tls_certificates was called.
The main work here is extending the test suite so it actually tests
TLS URIs properly. Firstly we need to add --tls-verify-peer to the
nbdkit command line so it checks TLS client credentials at all
(previously it enabled TLS but didn't verify the client). Then we
need to add tests which use TLS certificates (previously only PSK was
being tested). And finally I loosened the rules for comparing URIs
since the order that query strings are returned by nbd_get_uri is not
necessarily the same as the query strings in nbd_connect_uri.
(cherry picked from commit 847e0b9830f6a9f07b4c242e1a500cd2b90cca5a)
(cherry picked from commit 5e85582ec79460c95552f06c6d6c41d15dae092f)
---
.gitignore | 5 +++--
generator/API.ml | 10 ++++++++++
lib/uri.c | 14 ++++++++++++--
tests/Makefile.am | 47 +++++++++++++++++++++++++++++------------------
4 files changed, 54 insertions(+), 22 deletions(-)
diff --git a/.gitignore b/.gitignore
index 4935b81b..c974e27b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -167,9 +167,10 @@ Makefile.in
/tests/connect-unix
/tests/connect-uri-nbd
/tests/connect-uri-nbd-unix
-/tests/connect-uri-nbds
+/tests/connect-uri-nbds-certs
/tests/connect-uri-nbds-psk
-/tests/connect-uri-nbds-unix
+/tests/connect-uri-nbds-unix-certs
+/tests/connect-uri-nbds-unix-psk
/tests/debug
/tests/debug-environment
/tests/errors
diff --git a/generator/API.ml b/generator/API.ml
index a46c6407..4b2a62e8 100644
--- a/generator/API.ml
+++ b/generator/API.ml
@@ -1231,6 +1231,11 @@ Connect over the Unix domain socket F</tmp/nbd.sock> to
an NBD server running locally. The export name is set to C<foo>
(note without any leading C</> character).
+=item C<nbds+unix://alice@/?socket=/tmp/nbd.sock&tls-certificates=certs>
+
+Connect over a Unix domain socket, enabling TLS and setting the
+path to a directory containing certificates and keys.
+
=item C<nbd+vsock:///>
In this scenario libnbd is running in a virtual machine. Connect
@@ -1291,6 +1296,11 @@ Specifies the Unix domain socket to connect on.
Must be present for the C<+unix> transport and must not
be present for the other transports.
+=item B<tls-certificates=>F<DIR>
+
+Set the certificates directory. See L<nbd_set_tls_certificates(3)>.
+Note this is not allowed by default - see next section.
+
=item B<tls-psk-file=>F<PSKFILE>
Set the PSK file. See L<nbd_set_tls_psk_file(3)>. Note
diff --git a/lib/uri.c b/lib/uri.c
index 9f5a2901..c8d9041e 100644
--- a/lib/uri.c
+++ b/lib/uri.c
@@ -249,9 +249,19 @@ nbd_unlocked_aio_connect_uri (struct nbd_handle *h, const char *raw_uri)
if (tls && nbd_unlocked_set_tls (h, LIBNBD_TLS_REQUIRE) == -1)
goto cleanup;
- /* Look for some tls-* parameters. XXX More to come. */
+ /* Look for some tls-* parameters. */
for (i = 0; i < queries.size; i++) {
- if (strcmp (queries.ptr[i].name, "tls-psk-file") == 0) {
+ if (strcmp (queries.ptr[i].name, "tls-certificates") == 0) {
+ if (! h->uri_allow_local_file) {
+ set_error (EPERM,
+ "local file access (tls-certificates) is not allowed, "
+ "call nbd_set_uri_allow_local_file to enable this");
+ goto cleanup;
+ }
+ if (nbd_unlocked_set_tls_certificates (h, queries.ptr[i].value) == -1)
+ goto cleanup;
+ }
+ else if (strcmp (queries.ptr[i].name, "tls-psk-file") == 0) {
if (! h->uri_allow_local_file) {
set_error (EPERM,
"local file access (tls-psk-file) is not allowed, "
diff --git a/tests/Makefile.am b/tests/Makefile.am
index ed5585a5..3c33b747 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -539,33 +539,32 @@ if HAVE_GNUTLS
if HAVE_CERTTOOL
check_PROGRAMS += \
- connect-uri-nbds \
- connect-uri-nbds-unix \
+ connect-uri-nbds-certs \
+ connect-uri-nbds-unix-certs \
$(NULL)
TESTS += \
- connect-uri-nbds \
- connect-uri-nbds-unix \
+ connect-uri-nbds-certs \
+ connect-uri-nbds-unix-certs \
$(NULL)
RANDOM2 := $(shell bash -c "echo $$(( 32768 + (RANDOM & 16383) ))")
-connect_uri_nbds_SOURCES = connect-uri.c
-connect_uri_nbds_CPPFLAGS = \
+connect_uri_nbds_certs_SOURCES = connect-uri.c
+connect_uri_nbds_certs_CPPFLAGS = \
$(AM_CPPFLAGS) \
- -DSERVER_PARAMS='"-p", "$(RANDOM2)", "--tls=require", "--tls-certificates=pki"' \
- -DPIDFILE='"connect-uri-nbds.pid"' \
- -DURI='"nbds://localhost:$(RANDOM2)/"' \
+ -DSERVER_PARAMS='"-p", "$(RANDOM2)", "--tls=require", "--tls-verify-peer", "--tls-certificates=pki"' \
+ -DPIDFILE='"connect-uri-nbds-certs.pid"' \
+ -DURI='"nbds://localhost:$(RANDOM2)/?tls-certificates=pki"' \
$(NULL)
-connect_uri_nbds_LDADD = $(top_builddir)/lib/libnbd.la
+connect_uri_nbds_certs_LDADD = $(top_builddir)/lib/libnbd.la
-connect_uri_nbds_unix_SOURCES = connect-uri.c
-connect_uri_nbds_unix_CPPFLAGS = \
+connect_uri_nbds_unix_certs_SOURCES = connect-uri.c
+connect_uri_nbds_unix_certs_CPPFLAGS = \
$(AM_CPPFLAGS) \
-DNEEDS_UNIX_SOCKET=1 \
- -DSERVER_PARAMS='"-U", UNIX_SOCKET, "--tls=require", "--tls-certificates=pki"' \
- -DPIDFILE='"connect-uri-nbds-unix.pid"' \
- -DURI='"nbds+unix:///?socket="' # UNIX_SOCKET appended
-connect_uri_nbds_unix_CFLAGS = $(WARNINGS_CFLAGS)
-connect_uri_nbds_unix_LDADD = $(top_builddir)/lib/libnbd.la
+ -DSERVER_PARAMS='"-U", UNIX_SOCKET, "--tls=require", "--tls-verify-peer", "--tls-certificates=pki"' \
+ -DPIDFILE='"connect-uri-nbds-unix-certs.pid"' \
+ -DURI='"nbds+unix://alice@/?tls-certificates=pki&socket="' # UNIX_SOCKET appended
+connect_uri_nbds_unix_certs_LDADD = $(top_builddir)/lib/libnbd.la
endif HAVE_CERTTOOL
@@ -573,21 +572,33 @@ if HAVE_PSKTOOL
check_PROGRAMS += \
connect-uri-nbds-psk \
+ connect-uri-nbds-unix-psk \
$(NULL)
TESTS += \
connect-uri-nbds-psk \
+ connect-uri-nbds-unix-psk \
$(NULL)
RANDOM3 := $(shell bash -c "echo $$(( 32768 + (RANDOM & 16383) ))")
connect_uri_nbds_psk_SOURCES = connect-uri.c
connect_uri_nbds_psk_CPPFLAGS = \
$(AM_CPPFLAGS) \
- -DSERVER_PARAMS='"-p", "$(RANDOM3)", "--tls=require", "--tls-psk=keys.psk"' \
+ -DSERVER_PARAMS='"-p", "$(RANDOM3)", "--tls=require", "--tls-verify-peer", "--tls-psk=keys.psk"' \
-DPIDFILE='"connect-uri-nbds-psk.pid"' \
-DURI='"nbds://alice@localhost:$(RANDOM3)/?tls-psk-file=keys.psk"' \
$(NULL)
connect_uri_nbds_psk_LDADD = $(top_builddir)/lib/libnbd.la
+connect_uri_nbds_unix_psk_SOURCES = connect-uri.c
+connect_uri_nbds_unix_psk_CPPFLAGS = \
+ $(AM_CPPFLAGS) \
+ -DNEEDS_UNIX_SOCKET=1 \
+ -DSERVER_PARAMS='"-U", UNIX_SOCKET, "--tls=require", "--tls-verify-peer", "--tls-psk=keys.psk"' \
+ -DPIDFILE='"connect-uri-nbds-unix-psk.pid"' \
+ -DURI='"nbds+unix://alice@/?tls-psk-file=keys.psk&socket="' # UNIX_SOCKET appended \
+ $(NULL)
+connect_uri_nbds_unix_psk_LDADD = $(top_builddir)/lib/libnbd.la
+
endif HAVE_PSKTOOL
endif HAVE_GNUTLS
--
2.43.0
Reference in New Issue View Git Blame Copy Permalink