Security Enhancements
This patch enhances libStorage security:

* If discovered in '$LIBSTORAGE_PATHS_TLS' the following files
  are automatically loaded:

  * `libstorage.crt`
  * `libstorage.key`
  * `cacerts`

* If `$LIBSTORAGE_PATHS_ETC/known_hosts` exists it is automatically
  loaded unless the property `libstorage.tls.knownHosts` is explicitly
  defined. This is the system's `known_hosts` file.

* If `$HOME/.libstorage/known_hosts` exists it is automatically used
  when TLS security is set to verify peer certificates. This is the
  user's `known_hosts` file.

* The above `known_hosts` files are line-delimited with each line
  following the format: 'HOST ALGORITHM FINGERPRINT'

* The property `libstorage.tls.verifyPeers` is introduced. It's a
  boolean flag that indicates TLS connections should be verified
  against a known list of peer certificate fingerprints in the
  system's and user's `known_hosts` files.

  Enabling this property also sets `libstorage.tls.insecure` to `true`.
  The connection will be encrypted, but the certificate verification is
  disabled and deferred to the peer verification.

* The property `libstorage.tls` can now be set to a simple string value
  of `verifyPeers` to indicate TLS connections should be verified
  against the system's and user's `known_hosts` files.
akutz committed Apr 14, 2017
1 parent b8f2b1b commit 206776f
Showing 9 changed files with 434 additions and 92 deletions.
6 changes: 6 additions & 0 deletions api/types/types_config.go
Expand Up @@ -99,6 +99,12 @@ const (
// ConfigTLSServerName is a config key.
ConfigTLSServerName = ConfigTLS + ".serverName"

// ConfigTLSKnownHosts is a config key.
ConfigTLSKnownHosts = ConfigTLS + ".knownHosts"

// ConfigTLSVerifyPeers is a config key.
ConfigTLSVerifyPeers = ConfigTLS + ".verifyPeers"

// ConfigTLSClientCertRequired is a config key.
ConfigTLSClientCertRequired = ConfigTLS + ".clientCertRequired"

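Review bot: The doc comments on the two new keys, `ConfigTLSKnownHosts` and `ConfigTLSVerifyPeers`, say only `is a config key`, which hides the one thing a caller of the verifyPeers key must know: per the commit description, enabling it also sets `libstorage.tls.insecure` to true, so standard chain validation is replaced by fingerprint matching against known_hosts. Suggest `// ConfigTLSVerifyPeers is a config key. Enabling it implies libstorage.tls.insecure=true; the certificate chain is not validated and the peer is accepted only if its fingerprint appears in a known_hosts file.` and, for the other key, `// ConfigTLSKnownHosts is a config key naming the system known_hosts file; when unset, $LIBSTORAGE_PATHS_ETC/known_hosts is used if it exists.` The const block starts and ends outside the hunk.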
36 changes: 36 additions & 0 deletions api/types/types_paths.go
Expand Up @@ -109,6 +109,22 @@ const (
// LSX is the path to the libStorage executor.
LSX

// DefaultTLSCertFile is the default path to the TLS cert file,
// libstorage.crt.
DefaultTLSCertFile

// DefaultTLSKeyFile is the default path to the TLS key file,
// libstorage.key.
DefaultTLSKeyFile

// DefaultTLSTrustedRootsFile is the default path to the TLS trusted roots
// file, cacerts.
DefaultTLSTrustedRootsFile

// DefaultTLSKnownHosts is the default path to the TLS known hosts file,
// known_hosts file.
DefaultTLSKnownHosts

maxFileKey
)

Expand Down Expand Up @@ -167,6 +183,10 @@ func (k fileKey) parent() fileKey {
return Etc
case LSX:
return Lib
case DefaultTLSCertFile,
DefaultTLSKeyFile,
DefaultTLSTrustedRootsFile:
return TLS
default:
return Home
}
Expand Down Expand Up @@ -195,6 +215,14 @@ func (k fileKey) key() string {
return "tls"
case LSX:
return "lsx"
case DefaultTLSCertFile:
return "crt"
case DefaultTLSKeyFile:
return "key"
case DefaultTLSTrustedRootsFile:
return "tca"
case DefaultTLSKnownHosts:
return "hst"
}
return ""
}
Expand Down Expand Up @@ -239,6 +267,14 @@ func (k fileKey) defaultVal() string {
default:
return fmt.Sprintf("lsx-%s", runtime.GOOS)
}
case DefaultTLSCertFile:
return "libstorage.crt"
case DefaultTLSKeyFile:
return "libstorage.key"
case DefaultTLSTrustedRootsFile:
return "cacerts"
case DefaultTLSKnownHosts:
return "known_hosts"
}
return ""
}
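Review bot: In the `parent()` hunk the new case lists `DefaultTLSCertFile`, `DefaultTLSKeyFile` and `DefaultTLSTrustedRootsFile` but not `DefaultTLSKnownHosts`, so the known_hosts key silently falls through to `default: return Home`, even though `key()` and `defaultVal()` both handle it explicitly. If the Home parent is intentional for the user file (the description places the system file under $LIBSTORAGE_PATHS_ETC and the user file under $HOME/.libstorage), make it explicit with `case DefaultTLSKnownHosts: return Home // user known_hosts; the system file is resolved separately under Etc` so the next key added does not inherit the fallback by accident; if it is meant to be the system file it should return `Etc`. The body of `parent()` begins before the hunk. Less important: the abbreviations `tca` and `hst` returned by `key()` are not self-describing next to `crt` and `key`, and a short comment on each would help.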
5 changes: 5 additions & 0 deletions api/types/types_paths_test.go
Expand Up @@ -25,6 +25,11 @@ func TestPaths(t *testing.T) {
t.Logf("%5[1]s %[2]s", Home.key(), Home)
t.Logf("%5[1]s %[2]s", Etc.key(), Etc)
t.Logf("%5[1]s %[2]s", TLS.key(), TLS)
t.Logf("%5[1]s %[2]s", DefaultTLSCertFile.key(), DefaultTLSCertFile)
t.Logf("%5[1]s %[2]s", DefaultTLSKeyFile.key(), DefaultTLSKeyFile)
t.Logf("%5[1]s %[2]s",
DefaultTLSTrustedRootsFile.key(), DefaultTLSTrustedRootsFile)
t.Logf("%5[1]s %[2]s", DefaultTLSKnownHosts.key(), DefaultTLSKnownHosts)
t.Logf("%5[1]s %[2]s", Lib.key(), Lib)
t.Logf("%5[1]s %[2]s", Log.key(), Log)
t.Logf("%5[1]s %[2]s", Run.key(), Run)
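Review bot: The five new `t.Logf` lines in `TestPaths` only print the new keys; nothing asserts their values, so a regression in `key()`, `defaultVal()` or `parent()` for the TLS entries would still pass. Suggest at least one assertion alongside the logs, e.g. `if got := DefaultTLSKnownHosts.key(); got != "hst" { t.Fatalf("DefaultTLSKnownHosts.key() = %q", got) }`, and the same for `defaultVal()` returning `"known_hosts"`. The rest of `TestPaths` is outside the hunk.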
10 changes: 10 additions & 0 deletions api/types/types_tls.go
Expand Up @@ -7,6 +7,16 @@ import "crypto/tls"
type TLSConfig struct {
tls.Config

// VerifyPeers is a flag that indicates whether peer certificates
// should be validated against a PeerFingerprint or known hosts files.
VerifyPeers bool

// SysKnownHosts is the path to the system's known_hosts file.
SysKnownHosts string

// UsrKnownHosts is the path to the user's known_hosts file.
UsrKnownHosts string

// PeerFingerprint is the expected SHA256 fingerprint of a peer certificate.
PeerFingerprint []byte
}
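Review bot: The doc comment on the new `VerifyPeers` field of `TLSConfig` should state the fail-closed contract, because per the commit description enabling it also sets `libstorage.tls.insecure`, which turns off chain validation in the embedded `tls.Config`; if no `PeerFingerprint` matches and neither known_hosts file lists the host, the connection has to be rejected, otherwise the flag degrades to encrypted-but-unauthenticated. Suggest `// VerifyPeers is a flag that indicates whether peer certificates should be validated against a PeerFingerprint or known hosts files. When set, chain validation is skipped and a connection whose certificate matches no known fingerprint is rejected.` Also, the `PeerFingerprint` comment (a context line) says SHA256, while the known_hosts format in the description carries a `HOST ALGORITHM FINGERPRINT` triple and the struct records no algorithm, so it is unclear how an entry with another algorithm is matched — either document that only sha256 entries are honoured or add a field for the algorithm. `TLSConfig` is shown in full here, but the code that consumes these fields is in files not shown on this page.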
