libvirt/441d3eb6-qemu-tls-client-verify-server-cert.patch

commit 441d3eb6d1be940a67ce45a286602a967601b157
Author: Daniel P. Berrange <berrange@redhat.com>
Date:   Thu Oct 5 17:54:28 2017 +0100

    qemu: ensure TLS clients always verify the server certificate
    
    The default_tls_x509_verify (and related) parameters in qemu.conf
    control whether the QEMU TLS servers request & verify certificates
    from clients. This works as a simple access control system for
    servers by requiring the CA to issue certs to permitted clients.
    This use of client certificates is disabled by default, since it
    requires extra work to issue client certificates.
    
    Unfortunately the code was using this configuration parameter when
    setting up both TLS clients and servers in QEMU. The result was that
    TLS clients for character devices and disk devices had verification
    turned off, meaning they would ignore errors while validating the
    server certificate.
    
    This allows for trivial MITM attacks between client and server,
    as any certificate returned by the attacker will be accepted by
    the client.
    
    This is assigned CVE-2017-1000256  / LSN-2017-0002
    
    Reviewed-by: Eric Blake <eblake@redhat.com>
    Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

Index: libvirt-3.8.0/src/qemu/qemu_command.c
===================================================================
--- libvirt-3.8.0.orig/src/qemu/qemu_command.c
+++ libvirt-3.8.0/src/qemu/qemu_command.c
@@ -721,7 +721,7 @@ qemuBuildTLSx509BackendProps(const char
     if (virJSONValueObjectCreate(propsret,
                                  "s:dir", path,
                                  "s:endpoint", (isListen ? "server": "client"),
-                                 "b:verify-peer", verifypeer,
+                                 "b:verify-peer", (isListen ? verifypeer : true),
                                  NULL) < 0)
         goto cleanup;
 
Index: libvirt-3.8.0/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
===================================================================
--- libvirt-3.8.0.orig/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
+++ libvirt-3.8.0/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
@@ -26,7 +26,7 @@ server,nowait \
 localport=1111 \
 -device isa-serial,chardev=charserial0,id=serial0 \
 -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\
-endpoint=client,verify-peer=no \
+endpoint=client,verify-peer=yes \
 -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\
 tls-creds=objcharserial1_tls0 \
 -device isa-serial,chardev=charserial1,id=serial1 \
Index: libvirt-3.8.0/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
===================================================================
--- libvirt-3.8.0.orig/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
+++ libvirt-3.8.0/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
@@ -31,7 +31,7 @@ localport=1111 \
 data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
 keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
 -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\
-endpoint=client,verify-peer=no,passwordid=charserial1-secret0 \
+endpoint=client,verify-peer=yes,passwordid=charserial1-secret0 \
 -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\
 tls-creds=objcharserial1_tls0 \
 -device isa-serial,chardev=charserial1,id=serial1 \
Accepting request 534320 from home:jfehlig:branches:Virtualization Fix for CVE-2017-1000256. - qemu: ensure TLS clients always verify the server certificate CVE-2017-1000256 bsc#1062563 OBS-URL: https://build.opensuse.org/request/show/534320 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=631 2017-10-17 01:27:53 +02:00			`commit 441d3eb6d1be940a67ce45a286602a967601b157`
			`Author: Daniel P. Berrange <berrange@redhat.com>`
			`Date: Thu Oct 5 17:54:28 2017 +0100`

			`qemu: ensure TLS clients always verify the server certificate`

			`The default_tls_x509_verify (and related) parameters in qemu.conf`
			`control whether the QEMU TLS servers request & verify certificates`
			`from clients. This works as a simple access control system for`
			`servers by requiring the CA to issue certs to permitted clients.`
			`This use of client certificates is disabled by default, since it`
			`requires extra work to issue client certificates.`

			`Unfortunately the code was using this configuration parameter when`
			`setting up both TLS clients and servers in QEMU. The result was that`
			`TLS clients for character devices and disk devices had verification`
			`turned off, meaning they would ignore errors while validating the`
			`server certificate.`

			`This allows for trivial MITM attacks between client and server,`
			`as any certificate returned by the attacker will be accepted by`
			`the client.`

			`This is assigned CVE-2017-1000256 / LSN-2017-0002`

			`Reviewed-by: Eric Blake <eblake@redhat.com>`
			`Signed-off-by: Daniel P. Berrange <berrange@redhat.com>`

			`Index: libvirt-3.8.0/src/qemu/qemu_command.c`
			`===================================================================`
			`--- libvirt-3.8.0.orig/src/qemu/qemu_command.c`
			`+++ libvirt-3.8.0/src/qemu/qemu_command.c`
			`@@ -721,7 +721,7 @@ qemuBuildTLSx509BackendProps(const char`
			`if (virJSONValueObjectCreate(propsret,`
			`"s:dir", path,`
			`"s:endpoint", (isListen ? "server": "client"),`
			`- "b:verify-peer", verifypeer,`
			`+ "b:verify-peer", (isListen ? verifypeer : true),`
			`NULL) < 0)`
			`goto cleanup;`

			`Index: libvirt-3.8.0/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args`
			`===================================================================`
			`--- libvirt-3.8.0.orig/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args`
			`+++ libvirt-3.8.0/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args`
			`@@ -26,7 +26,7 @@ server,nowait \`
			`localport=1111 \`
			`-device isa-serial,chardev=charserial0,id=serial0 \`
			`-object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\`
			`-endpoint=client,verify-peer=no \`
			`+endpoint=client,verify-peer=yes \`
			`-chardev socket,id=charserial1,host=127.0.0.1,port=5555,\`
			`tls-creds=objcharserial1_tls0 \`
			`-device isa-serial,chardev=charserial1,id=serial1 \`
			`Index: libvirt-3.8.0/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args`
			`===================================================================`
			`--- libvirt-3.8.0.orig/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args`
			`+++ libvirt-3.8.0/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args`
			`@@ -31,7 +31,7 @@ localport=1111 \`
			`data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\`
			`keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \`
			`-object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\`
			`-endpoint=client,verify-peer=no,passwordid=charserial1-secret0 \`
			`+endpoint=client,verify-peer=yes,passwordid=charserial1-secret0 \`
			`-chardev socket,id=charserial1,host=127.0.0.1,port=5555,\`
			`tls-creds=objcharserial1_tls0 \`
			`-device isa-serial,chardev=charserial1,id=serial1 \`