Merge pull request #515 from akutz/bugfix/verify-peers

TLS Verify Peers Fix
thecodeteam · Apr 24, 2017 · ded0789 · ded0789
2 parents 8570256 + f788278
commit ded0789
Show file tree

Hide file tree

Showing 7 changed files with 183 additions and 46 deletions.
diff --git a/.tls/cacerts b/.tls/cacerts
@@ -0,0 +1,37 @@
+-----BEGIN CERTIFICATE-----
+MIIGiTCCBHGgAwIBAgIJANAQ2YHcXD/EMA0GCSqGSIb3DQEBBQUAMIGJMQswCQYD
+VQQGEwJVUzEOMAwGA1UECBMFVGV4YXMxDzANBgNVBAcTBkF1c3RpbjEMMAoGA1UE
+ChMDRU1DMRIwEAYDVQQLFAlFTUN7Y29kZX0xFjAUBgNVBAMTDWxpYnN0b3JhZ2Ut
+Y2ExHzAdBgkqhkiG9w0BCQEWEHNha3V0ekBnbWFpbC5jb20wHhcNMTYwMzE2MTAy
+ODU4WhcNMjYwMzE0MTAyODU4WjCBiTELMAkGA1UEBhMCVVMxDjAMBgNVBAgTBVRl
+eGFzMQ8wDQYDVQQHEwZBdXN0aW4xDDAKBgNVBAoTA0VNQzESMBAGA1UECxQJRU1D
+e2NvZGV9MRYwFAYDVQQDEw1saWJzdG9yYWdlLWNhMR8wHQYJKoZIhvcNAQkBFhBz
+YWt1dHpAZ21haWwuY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA
+oQxXtfcdtaEv9CI0mMK0p14Mg+QIKrvndpPHwEZrx1NVIohQDWHFuVCaTcxpagAN
+C8FYB3nV8ZXXFMWioTGQ57Py7ip3EB8GPIjPFr2cGt8obo3fHNlXMdZWp+N6Z2S9
+JFdKbGyUWoexKNebWh9WsEhLWlzMJg7zP7FwuJFjvc9XtdAIib7eZRNN2rwmU4Hc
+478RoeGY5VlJcuyuB/UTQDLAy/rj8RvsMrMp8OkaavcbvVodK5W/l/rTkXhObl+V
+wTBPiAWB6R0vJ9DptBwmtRH2MC64W6OThPGj04UHVMwUvYFFNG1qMYsiJMTN2Kxb
+D9JvldwvC3ZAouI9PjwugCfqxsHL87yuFchEQKgts58Mx7uXo68pqQuxijgTdSH2
+cjux6fnhb2Cz6jl3VNd6cYxstIUR5Q4YdXJNm/V5Mr1/clSwJ+1QsuCyIHHzygrc
+2ST8gzpQzhjHPHI9yMRzIbwAhQKCh2Bs+UiisULN4XZi1hRT3I4tFfLm9OKpO71+
+YXK7BdBuf7cAYm5uRqz8CikkM8XFirgG8SWThNkCpqbYBvj22Czcz4OgQgvVacaF
+I+BCJaOfTHD+yyNAlWVRiMLNpdDiwRw2CSBdJCNwd6n8TjbzapeeoxBCb/DGSWCP
+FSgkO1oENNJVxxN/Pq9A7ZnwK3dm4YCM7KVAOpzV2JMCAwEAAaOB8TCB7jAdBgNV
+HQ4EFgQUDt3bDhWHZ8ACc2lzcjDjvRgmJxkwgb4GA1UdIwSBtjCBs4AUDt3bDhWH
+Z8ACc2lzcjDjvRgmJxmhgY+kgYwwgYkxCzAJBgNVBAYTAlVTMQ4wDAYDVQQIEwVU
+ZXhhczEPMA0GA1UEBxMGQXVzdGluMQwwCgYDVQQKEwNFTUMxEjAQBgNVBAsUCUVN
+Q3tjb2RlfTEWMBQGA1UEAxMNbGlic3RvcmFnZS1jYTEfMB0GCSqGSIb3DQEJARYQ
+c2FrdXR6QGdtYWlsLmNvbYIJANAQ2YHcXD/EMAwGA1UdEwQFMAMBAf8wDQYJKoZI
+hvcNAQEFBQADggIBAEUGVPw4ROG9MROGQhlZAIszWOKfBSvQcw43nodd5G1ljJNP
+PKZr7hM+BbRgO2kWDf42MganAaHDnJ70vvpmF8XiRIwUoZwshO44efCUN5GlU9q1
+5qjINvMZWNstN9Ls/B4GrmxvgqM3sPc/ykeYqY9S9tNvtophGbgWc9r2HOCaEmN8
+pT2Nz40LDHW/FnJxb23bR7lnS7cuvngCjSYsBSYyeYigDKUhgkKrH8HT+QzsoJTG
+gK/11G2yiCmWdoGdTh06P+aG2n0WmnpvfT0EIZk1yPnj0ewAv5hfT8d030A/6jKH
+BNPxmEYe0TpaZi5zPACjqWumiqQaoR9e0RLdVttYSWTvAhGPlvLWJvfZyYqyxlpZ
+CXKmbbL4xQM2FKU/lGkWu1/uAlBcB+CgTXWPkJ3Suqbaw0MPKZNnXo2xK+Cap3G2
+1tcb6vPgLMCg3qRkfb2GTvEC2/glc0nnqCrlb98FH1LIXgGAgUTEHi+LGs1sJzfo
+ud4IoENw2VKT7FeIUts5FNaaLgdoKDmnH+TiXlNypXuCM8/LHGBKq+sgFygAhHK+
+kW7bmO5Y2MRR3JUlGNZOupkiJiRyFpBueOTIlZ3IXQ1f6nhcPGZozW6Xi1B3++qc
+5+9W+wetsqzDL2P3l22QsspfHQ4PB02UOJ4xVuxyKAIyQFMqHcNqJa717USp
+-----END CERTIFICATE-----
diff --git a/.tls/libstorage.crt b/.tls/libstorage.crt
@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIF8jCCA9qgAwIBAgICA+gwDQYJKoZIhvcNAQEFBQAwgYkxCzAJBgNVBAYTAlVT
+MQ4wDAYDVQQIEwVUZXhhczEPMA0GA1UEBxMGQXVzdGluMQwwCgYDVQQKEwNFTUMx
+EjAQBgNVBAsUCUVNQ3tjb2RlfTEWMBQGA1UEAxMNbGlic3RvcmFnZS1jYTEfMB0G
+CSqGSIb3DQEJARYQc2FrdXR6QGdtYWlsLmNvbTAeFw0xNjAzMTYxMTAxMTZaFw0y
+NjAzMTQxMTAxMTZaMIGNMQswCQYDVQQGEwJVUzEOMAwGA1UECBMFVGV4YXMxDzAN
+BgNVBAcTBkF1c3RpbjEMMAoGA1UEChMDRU1DMRIwEAYDVQQLFAlFTUN7Y29kZX0x
+GjAYBgNVBAMTEWxpYnN0b3JhZ2Utc2VydmVyMR8wHQYJKoZIhvcNAQkBFhBzYWt1
+dHpAZ21haWwuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqHYs
+sa1RYfdLhuMczur9DAHjN+sX7KHs9HoBAThZN0gtDgGNjX/ffvtB+SO+KQV43VIg
+b1xy4dCSCpWpKLGie6GeaJ54g8JFZV02251p5X4VFb0jTS7dXvVfaed+eOk/TRMU
+ASlZOVLNd556usMIQL7BCeF+yK+JPIaYBFrYXwg6vtUmsAyN4Dxo2aPvmA2bly7P
+M0PIwAlCOof64mgi5OH/jUpCHC8XGYA0FVyFq6aURhzkwefc7yzDaS3LXbgVH/Oo
+KQJXLQ8m77+aHAB+OYG84beZl2KkGE4B/aO0+MVWm6X4h27gAfcAncBo28lWQPDb
+R4yV2M94xl5N4m7IeQIDAQABo4IBXDCCAVgwCQYDVR0TBAIwADARBglghkgBhvhC
+AQEEBAMCBkAwMwYJYIZIAYb4QgENBCYWJE9wZW5TU0wgR2VuZXJhdGVkIFNlcnZl
+ciBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUR1oERbiB0eVemnCPH5XY2Wbyy6wwgb4G
+A1UdIwSBtjCBs4AUDt3bDhWHZ8ACc2lzcjDjvRgmJxmhgY+kgYwwgYkxCzAJBgNV
+BAYTAlVTMQ4wDAYDVQQIEwVUZXhhczEPMA0GA1UEBxMGQXVzdGluMQwwCgYDVQQK
+EwNFTUMxEjAQBgNVBAsUCUVNQ3tjb2RlfTEWMBQGA1UEAxMNbGlic3RvcmFnZS1j
+YTEfMB0GCSqGSIb3DQEJARYQc2FrdXR6QGdtYWlsLmNvbYIJANAQ2YHcXD/EMA4G
+A1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQUF
+AAOCAgEATzR15dlZIHwDDh/+YL5fhrLKZX7TPJKACdvSHjszs7Sf0EsBcVLirBeQ
+sUnBndIU+N1crbxHX0ISlAm4y6RBE+kH8AimHRsIECFszO0yQvrqnmSEVg3rJCDW
+QRqRU3OAfKrkfp/LpQvnkIo9TEzCaQJMyVr/00xkM8bP9HI0CoJaXEN14MUKSIUJ
+IH+YkeoG3m6sVxqshzeTGl6tq4TuFsQJYJcDwJ5uHtvluVuDysBayufL+X7IPqGO
+p5aOY+Q+f5MHgr/ayjfiD58riMbH9G4fFDNUALUqKgJlpm6oriVryJD2xT3Itrkk
+U8n6F8OJpMguqXFldbJsFb9QrpQYx5xVcQDcCGAnxanoQKPBtXT0U+jVVYT40JPg
+tI0fjy3k4Y3s8IpY8p23GWVAnnL4LkDPJa2dvFTCbEPxOw8uDqtUO3SLOMOwhWA/
+TOAio381/g+Zwmfxbsfn9FhW7GmLyYu9+srdF1P1MpV2KTH4u7dd9p2OwtdYbFsA
+ssVVg84raQozNarj0grTcYyXfcGMZ/BO1mXQtUCxA/D+PRnEloUesrGWNyu4LDbF
+6f7GWMiPj2dls3IfY+szcTw6oRB+Y7zUxgoQVXlg8Hs0i1r1bFo5vRjEOARmoQr+
+E7ptnZvwPbN/nluLOOdlkBaZ6l8q0P9Ogf01KsA/UFq9Y5XMRN4=
+-----END CERTIFICATE-----
diff --git a/.tls/libstorage.key b/.tls/libstorage.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAqHYssa1RYfdLhuMczur9DAHjN+sX7KHs9HoBAThZN0gtDgGN
+jX/ffvtB+SO+KQV43VIgb1xy4dCSCpWpKLGie6GeaJ54g8JFZV02251p5X4VFb0j
+TS7dXvVfaed+eOk/TRMUASlZOVLNd556usMIQL7BCeF+yK+JPIaYBFrYXwg6vtUm
+sAyN4Dxo2aPvmA2bly7PM0PIwAlCOof64mgi5OH/jUpCHC8XGYA0FVyFq6aURhzk
+wefc7yzDaS3LXbgVH/OoKQJXLQ8m77+aHAB+OYG84beZl2KkGE4B/aO0+MVWm6X4
+h27gAfcAncBo28lWQPDbR4yV2M94xl5N4m7IeQIDAQABAoIBAQCRyEKBN+V3i9P2
+VM/3WG/HVlLVb0Ly6mXuYy4/ag36wyEKP9nJm+FDOBgti/rh8PRZQtsCw9Q/Col3
+U3Bh4OclagV1r73G9/Wp9HKmtqCPkv6YI2dLQcUciecZ9NUDuYWoI1xqbOfjrX5V
+h/XZbTHVJb5T2Koo7Y8rq6YeDqe0BDmFm/rJHgHNakD2FpNFKUBYHoUfGPU0zuip
+1p6ZKSX/pWRxinrSPJH54Zl3WeoN15pKbtXdwh94fkrygcwYcehapYN9ujcHZcUJ
+tXgOZJ0XalBk4WytwM+QkwVe0baIXERDnqCQS7av9MSeHibnLVmMxpI+fR84Evz7
+z6LFq/EhAoGBANZuK6LOZhMv85eBUoDsYbV0eebbklE7J9neclnSBS2bHuSk/nIR
++trtHFv9l4k5K+Oop63nbsHX5aEbLrlp7BZuTBQID2BZ6q55XWSJKK08sUMlulLw
+NwPRjtbROvVofj3Q6Amdlf66zpJ0fR3nds2iMgfE+sI+8qYsh0l6NbW9AoGBAMke
+ppIBQw1tpnzvF7rUdN42SLIBmF5L7IOhEZweJ6+LjyQVnH33H0M7Jv2wbCx8Jkeh
+lBZ8eeUMSsry0lyqOHyg7UETqVuDV7ErCSR8FL861nPn8kFNoq2apeZ0drw2xeE6
+BeSEsvDhIPPnQep8oZ0O8Rjf39Pib44ToWq0JvNtAoGAJKeyl+MWeeMxjc2Sj+1Y
+io89o2QXcAFfv5OSEp6fOfuRXV6DDHbcXf44YdVIyTFXulQDTewI9+PzIgYmh5V+
+wRrbsHTsQ/k679ZZS61SocKFPsg9QJ5FmUaCV2Bu5rKVGfYTJEmm8WN3mnuFQ85k
+daRrTv6yKvBdxGBKRBo7AjUCgYANvGYr+qIVvLNuPPYl8HS66II2hh1d81mH8+w7
++WNEfgecs00o3UPpV5TmJrJ8p04F/mca0g2RMzG4grUTVxzchjEuDKW4dlP66bGK
+KF9SYDZdXC4Tf7XonXNPNg0V9be2FjxoyxddlEKn5dd+qFxxWZ/lzwR+eCyeS4Du
+xLcUUQKBgChMF5AuwW/So3bNq3tjdbbjw14fFlFFZrPYYhm3IjypqVzNRk9v9Gun
+fpp58Sk+xfLGhFhh5b/E5fBz/0hzMpr2eKmfju0WTzO/pspygacdQeAcRHVEePuK
+iH6U+wS/TIS4FWir+hW874b1Q6qochoi/8F6ks/xE1b40paJoHy4
+-----END RSA PRIVATE KEY-----
diff --git a/api/tests/tests.go b/api/tests/tests.go
@@ -47,9 +47,23 @@ var (
 
 	printConfigOnFail, _ = strconv.ParseBool(os.Getenv(
 		"LIBSTORAGE_TEST_PRINT_CONFIG_ON_FAIL"))
+
+	tlsPath = path.Join(
+		os.Getenv("GOPATH"),
+		"/src/github.com/codedellemc/libstorage/.tls")
+	serverCrt    = path.Join(tlsPath, "libstorage-server.crt")
+	serverKey    = path.Join(tlsPath, "libstorage-server.key")
+	clientCrt    = path.Join(tlsPath, "libstorage-client.crt")
+	clientKey    = path.Join(tlsPath, "libstorage-client.key")
+	trustedCerts = path.Join(tlsPath, "libstorage-ca.crt")
+	knownHosts   = path.Join(tlsPath, "known_hosts")
 )
 
 func init() {
+	if tcpTLSTest || tcpTLSPeersTest || sockTLSTest {
+		os.Setenv("LIBSTORAGE_HOME_ETC_TLS", tlsPath)
+	}
+
 	goof.IncludeFieldsInFormat = true
 	if runtime.GOOS == "windows" {
 		lsxbin = "lsx-windows.exe"
@@ -64,18 +78,6 @@ func init() {
 	}
 }
 
-var (
-	tlsPath = path.Join(
-		os.Getenv("GOPATH"),
-		"/src/github.com/codedellemc/libstorage/.tls")
-	serverCrt    = path.Join(tlsPath, "libstorage-server.crt")
-	serverKey    = path.Join(tlsPath, "libstorage-server.key")
-	clientCrt    = path.Join(tlsPath, "libstorage-client.crt")
-	clientKey    = path.Join(tlsPath, "libstorage-client.key")
-	trustedCerts = path.Join(tlsPath, "libstorage-ca.crt")
-	knownHosts   = path.Join(tlsPath, "known_hosts")
-)
-
 var (
 	debugConfig = []byte(`
 libstorage:
@@ -484,19 +486,19 @@ func initTestConfigs(ctx types.Context, config map[string]interface{}) {
 			}
 		}
 		return map[string]interface{}{
-			"serverName":       "libstorage-server",
-			"certFile":         clientCrt,
-			"keyFile":          clientKey,
-			"trustedCertsFile": trustedCerts,
+			"serverName": "libstorage-server",
+			"certFile":   clientCrt,
+			"keyFile":    clientKey,
+			//"trustedCertsFile": trustedCerts,
 		}
 	}
 
 	serverTLSConfig := func(clientCertRequired bool) map[string]interface{} {
 		return map[string]interface{}{
-			"serverName":         "libstorage-server",
-			"certFile":           serverCrt,
-			"keyFile":            serverKey,
-			"trustedCertsFile":   trustedCerts,
+			"serverName": "libstorage-server",
+			//"certFile":           serverCrt,
+			//"keyFile":            serverKey,
+			//"trustedCertsFile":   trustedCerts,
 			"clientCertRequired": clientCertRequired,
 		}
 	}
@@ -505,6 +507,7 @@ func initTestConfigs(ctx types.Context, config map[string]interface{}) {
 
 		"tcp": map[string]interface{}{
 			"libstorage": map[string]interface{}{
+				"tls":  false,
 				"host": tcpHost,
 				"server": map[string]interface{}{
 					"endpoints": map[string]interface{}{
@@ -552,6 +555,7 @@ func initTestConfigs(ctx types.Context, config map[string]interface{}) {
 
 		"unix": map[string]interface{}{
 			"libstorage": map[string]interface{}{
+				"tls":  false,
 				"host": unixHost,
 				"server": map[string]interface{}{
 					"endpoints": map[string]interface{}{

diff --git a/api/utils/utils_tls.go b/api/utils/utils_tls.go
@@ -59,6 +59,10 @@ func ParseTLSConfig(
 
 	ctx.Debug("parsing tls config")
 
+	// disabled is a flag that indicates whether or not TLS was
+	// explicitly disabled
+	var disabled bool
+
 	pathConfig := context.MustPathConfig(ctx)
 
 	f := func(k string, v interface{}) {
@@ -75,7 +79,8 @@ func ParseTLSConfig(
 	// locations and thus there is no reason not to use them if they are
 	// placed in their known locations
 	defer func() {
-		if tlsConfig == nil {
+		if tlsConfig == nil && disabled {
+			ctx.Info("tls not configured & explicitly disabled")
 			return
 		}
 
@@ -86,10 +91,18 @@ func ParseTLSConfig(
 			}
 		}()
 
+		newTLS := func() {
+			if tlsConfig != nil {
+				return
+			}
+			tlsConfig = &types.TLSConfig{Config: tls.Config{}}
+		}
+
 		// always check for the user's known_hosts file
 		func() {
 			khFile := path.Join(gotil.HomeDir(), ".libstorage", "known_hosts")
 			if gotil.FileExists(khFile) {
+				newTLS()
 				tlsConfig.UsrKnownHosts = khFile
 				tlsConfig.VerifyPeers = true
 			}
@@ -116,8 +129,8 @@ func ParseTLSConfig(
 				return nil
 			}
 
+			newTLS()
 			f(types.ConfigTLSKnownHosts, khFile)
-
 			tlsConfig.SysKnownHosts = khFile
 			tlsConfig.VerifyPeers = true
 
@@ -148,6 +161,7 @@ func ParseTLSConfig(
 				return nil
 			}
 
+			newTLS()
 			f(types.ConfigTLSTrustedCertsFile, caCerts)
 
 			buf, err := func() ([]byte, error) {
@@ -198,6 +212,7 @@ func ParseTLSConfig(
 				return nil
 			}
 
+			newTLS()
 			f(types.ConfigTLSKeyFile, keyFile)
 
 			crtFile := getString(config, types.ConfigTLSCertFile, roots...)
@@ -234,6 +249,7 @@ func ParseTLSConfig(
 	if ok := getBool(config, types.ConfigTLSDisabled, roots...); ok {
 		f(types.ConfigTLSDisabled, true)
 		ctx.WithField(types.ConfigTLSDisabled, false).Info("tls disabled")
+		disabled = true
 		return nil, nil
 	}
 
@@ -245,6 +261,14 @@ func ParseTLSConfig(
 	}
 
 	if v := getString(config, types.ConfigTLS, roots...); v != "" {
+		// check to see if TLS is disabled
+		if strings.EqualFold(v, "false") {
+			f(types.ConfigTLS, "false")
+			ctx.WithField(types.ConfigTLS, "false").Info("tls disabled")
+			disabled = true
+			return nil, nil
+		}
+
 		// check to see if TLS is enabled with insecure
 		if strings.EqualFold(v, "insecure") {
 			f(types.ConfigTLS, "insecure")
@@ -282,6 +306,7 @@ func ParseTLSConfig(
 
 	// tls is enabled; figure out its configuration
 	tlsConfig = &types.TLSConfig{Config: tls.Config{}}
+	ctx.Info("tls config created")
 
 	if getBool(config, types.ConfigTLSInsecure, roots...) {
 		tlsConfig.InsecureSkipVerify = true

diff --git a/drivers/storage/libstorage/libstorage_driver.go b/drivers/storage/libstorage/libstorage_driver.go
@@ -104,26 +104,36 @@ func (d *driver) Init(ctx types.Context, config gofig.Config) error {
 				return conn, nil
 			}
 
-			if err := verifyKnownHost(
+			peerCerts := conn.ConnectionState().PeerCertificates
+
+			if ok, err := verifyKnownHost(
 				d.ctx,
-				conn.ConnectionState().PeerCertificates,
-				tlsConfig.KnownHost); err != nil {
+				peerCerts,
+				tlsConfig.KnownHost); ok {
+
+				return conn, nil
+
+			} else if err != nil {
 
 				d.ctx.WithError(err).Error("error matching peer fingerprint")
 				return nil, err
 			}
 
-			if err := verifyKnownHostFiles(
+			if ok, err := verifyKnownHostFiles(
 				d.ctx,
-				conn.ConnectionState().PeerCertificates,
+				peerCerts,
 				tlsConfig.UsrKnownHosts,
-				tlsConfig.SysKnownHosts); err != nil {
+				tlsConfig.SysKnownHosts); ok {
 
-				d.ctx.WithError(err).Error("error matching known host")
+				return conn, nil
+
+			} else if err != nil {
+
+				d.ctx.WithError(err).Error("error matching peer fingerprint")
 				return nil, err
 			}
 
-			return conn, nil
+			return nil, newErrKnownHost(peerCerts)
 		},
 		DisableKeepAlives: disableKeepAlive,
 	}