mirror of
https://gitlab.com/qemu-project/qemu
synced 2024-11-05 20:35:44 +00:00
d2f1d29b95
The QEMU instance that runs as the server for the migration data transport (ie the target QEMU) needs to be able to configure access control so it can prevent unauthorized clients initiating an incoming migration. This adds a new 'tls-authz' migration parameter that is used to provide the QOM ID of a QAuthZ subclass instance that provides the access control check. This is checked against the x509 certificate obtained during the TLS handshake. For example, when starting a QEMU for incoming migration, it is possible to give an example identity of the source QEMU that is intended to be connecting later: $QEMU \ -monitor stdio \ -incoming defer \ ...other args... (qemu) object_add tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\ endpoint=server,verify-peer=yes \ (qemu) object_add authz-simple,id=auth0,identity=CN=laptop.example.com,,\ O=Example Org,,L=London,,ST=London,,C=GB \ (qemu) migrate_incoming tcp:localhost:9000 Reviewed-by: Juan Quintela <quintela@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
165 lines
4.9 KiB
C
165 lines
4.9 KiB
C
/*
|
|
* QEMU migration TLS support
|
|
*
|
|
* Copyright (c) 2015 Red Hat, Inc.
|
|
*
|
|
* This library is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
* License as published by the Free Software Foundation; either
|
|
* version 2 of the License, or (at your option) any later version.
|
|
*
|
|
* This library is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
* Lesser General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
* License along with this library; if not, see <http://www.gnu.org/licenses/>.
|
|
*
|
|
*/
|
|
|
|
#include "qemu/osdep.h"
|
|
#include "channel.h"
|
|
#include "migration.h"
|
|
#include "tls.h"
|
|
#include "io/channel-tls.h"
|
|
#include "crypto/tlscreds.h"
|
|
#include "qemu/error-report.h"
|
|
#include "qapi/error.h"
|
|
#include "trace.h"
|
|
|
|
static QCryptoTLSCreds *
|
|
migration_tls_get_creds(MigrationState *s,
|
|
QCryptoTLSCredsEndpoint endpoint,
|
|
Error **errp)
|
|
{
|
|
Object *creds;
|
|
QCryptoTLSCreds *ret;
|
|
|
|
creds = object_resolve_path_component(
|
|
object_get_objects_root(), s->parameters.tls_creds);
|
|
if (!creds) {
|
|
error_setg(errp, "No TLS credentials with id '%s'",
|
|
s->parameters.tls_creds);
|
|
return NULL;
|
|
}
|
|
ret = (QCryptoTLSCreds *)object_dynamic_cast(
|
|
creds, TYPE_QCRYPTO_TLS_CREDS);
|
|
if (!ret) {
|
|
error_setg(errp, "Object with id '%s' is not TLS credentials",
|
|
s->parameters.tls_creds);
|
|
return NULL;
|
|
}
|
|
if (ret->endpoint != endpoint) {
|
|
error_setg(errp,
|
|
"Expected TLS credentials for a %s endpoint",
|
|
endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT ?
|
|
"client" : "server");
|
|
return NULL;
|
|
}
|
|
|
|
object_ref(OBJECT(ret));
|
|
return ret;
|
|
}
|
|
|
|
|
|
static void migration_tls_incoming_handshake(QIOTask *task,
|
|
gpointer opaque)
|
|
{
|
|
QIOChannel *ioc = QIO_CHANNEL(qio_task_get_source(task));
|
|
Error *err = NULL;
|
|
|
|
if (qio_task_propagate_error(task, &err)) {
|
|
trace_migration_tls_incoming_handshake_error(error_get_pretty(err));
|
|
error_report_err(err);
|
|
} else {
|
|
trace_migration_tls_incoming_handshake_complete();
|
|
migration_channel_process_incoming(ioc);
|
|
}
|
|
object_unref(OBJECT(ioc));
|
|
}
|
|
|
|
void migration_tls_channel_process_incoming(MigrationState *s,
|
|
QIOChannel *ioc,
|
|
Error **errp)
|
|
{
|
|
QCryptoTLSCreds *creds;
|
|
QIOChannelTLS *tioc;
|
|
|
|
creds = migration_tls_get_creds(
|
|
s, QCRYPTO_TLS_CREDS_ENDPOINT_SERVER, errp);
|
|
if (!creds) {
|
|
return;
|
|
}
|
|
|
|
tioc = qio_channel_tls_new_server(
|
|
ioc, creds,
|
|
s->parameters.tls_authz,
|
|
errp);
|
|
if (!tioc) {
|
|
return;
|
|
}
|
|
|
|
trace_migration_tls_incoming_handshake_start();
|
|
qio_channel_set_name(QIO_CHANNEL(tioc), "migration-tls-incoming");
|
|
qio_channel_tls_handshake(tioc,
|
|
migration_tls_incoming_handshake,
|
|
NULL,
|
|
NULL,
|
|
NULL);
|
|
}
|
|
|
|
|
|
static void migration_tls_outgoing_handshake(QIOTask *task,
|
|
gpointer opaque)
|
|
{
|
|
MigrationState *s = opaque;
|
|
QIOChannel *ioc = QIO_CHANNEL(qio_task_get_source(task));
|
|
Error *err = NULL;
|
|
|
|
if (qio_task_propagate_error(task, &err)) {
|
|
trace_migration_tls_outgoing_handshake_error(error_get_pretty(err));
|
|
} else {
|
|
trace_migration_tls_outgoing_handshake_complete();
|
|
}
|
|
migration_channel_connect(s, ioc, NULL, err);
|
|
object_unref(OBJECT(ioc));
|
|
}
|
|
|
|
|
|
void migration_tls_channel_connect(MigrationState *s,
|
|
QIOChannel *ioc,
|
|
const char *hostname,
|
|
Error **errp)
|
|
{
|
|
QCryptoTLSCreds *creds;
|
|
QIOChannelTLS *tioc;
|
|
|
|
creds = migration_tls_get_creds(
|
|
s, QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT, errp);
|
|
if (!creds) {
|
|
return;
|
|
}
|
|
|
|
if (s->parameters.tls_hostname && *s->parameters.tls_hostname) {
|
|
hostname = s->parameters.tls_hostname;
|
|
}
|
|
if (!hostname) {
|
|
error_setg(errp, "No hostname available for TLS");
|
|
return;
|
|
}
|
|
|
|
tioc = qio_channel_tls_new_client(
|
|
ioc, creds, hostname, errp);
|
|
if (!tioc) {
|
|
return;
|
|
}
|
|
|
|
trace_migration_tls_outgoing_handshake_start(hostname);
|
|
qio_channel_set_name(QIO_CHANNEL(tioc), "migration-tls-outgoing");
|
|
qio_channel_tls_handshake(tioc,
|
|
migration_tls_outgoing_handshake,
|
|
s,
|
|
NULL,
|
|
NULL);
|
|
}
|