From 16daadc708be65c2681f54d33ac4004ccaf6e82d Mon Sep 17 00:00:00 2001 From: "Daniel P. Berrange" Date: Thu, 5 Oct 2017 17:54:28 +0100 Subject: [PATCH] qemu: ensure TLS clients always verify the server certificate The default_tls_x509_verify (and related) parameters in qemu.conf control whether the QEMU TLS servers request & verify certificates from clients. This works as a simple access control system for servers by requiring the CA to issue certs to permitted clients. This use of client certificates is disabled by default, since it requires extra work to issue client certificates. Unfortunately the code was using this configuration parameter when setting up both TLS clients and servers in QEMU. The result was that TLS clients for character devices and disk devices had verification turned off, meaning they would ignore errors while validating the server certificate. This allows for trivial MITM attacks between client and server, as any certificate returned by the attacker will be accepted by the client. This is assigned CVE-2017-1000256 / LSN-2017-0002 Reviewed-by: Eric Blake Signed-off-by: Daniel P. Berrange (cherry picked from commit 441d3eb6d1be940a67ce45a286602a967601b157) --- src/qemu/qemu_command.c | 2 +- .../qemuxml2argv-serial-tcp-tlsx509-chardev.args | 2 +- .../qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index d459f8e3e3..f2c18f1102 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c @@ -729,7 +729,7 @@ qemuBuildTLSx509BackendProps(const char *tlspath, if (virJSONValueObjectCreate(propsret, "s:dir", path, "s:endpoint", (isListen ? "server": "client"), - "b:verify-peer", verifypeer, + "b:verify-peer", (isListen ? verifypeer : true), NULL) < 0) goto cleanup; diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args index b456cce304..003d11de72 100644 --- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args +++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args @@ -26,7 +26,7 @@ server,nowait \ localport=1111 \ -device isa-serial,chardev=charserial0,id=serial0 \ -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\ -endpoint=client,verify-peer=no \ +endpoint=client,verify-peer=yes \ -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\ tls-creds=objcharserial1_tls0 \ -device isa-serial,chardev=charserial1,id=serial1 \ diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args index 7f9fedb6c2..a020ff0060 100644 --- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args +++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args @@ -31,7 +31,7 @@ localport=1111 \ data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\ keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \ -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\ -endpoint=client,verify-peer=no,passwordid=charserial1-secret0 \ +endpoint=client,verify-peer=yes,passwordid=charserial1-secret0 \ -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\ tls-creds=objcharserial1_tls0 \ -device isa-serial,chardev=charserial1,id=serial1 \