Security Enhancements

This patch enhances libStorage security: * If discovered in '$LIBSTORAGE_PATHS_TLS' the following files are automatically loaded: * `libstorage.crt` * `libstorage.key` * `cacerts` * If `$LIBSTORAGE_PATHS_ETC/known_hosts` exists it is automatically loaded unless the property `libstorage.tls.knownHosts` is explicitly defined. This is the system's `known_hosts` file. * If `$HOME/.libstorage/known_hosts` exists it is automatically used when TLS security is set to verify peer certificates. This is the user's `known_hosts` file. * The above `known_hosts` files are line-delimited with each line following the format: 'HOST ALGORITHM FINGERPRINT' * The property `libstorage.tls.verifyPeers` is introduced. It's a boolean flag that indicates TLS connections should be verified against a known list of peer certificate fingerprints in the system's and user's `known_hosts` files. Enabling this property also sets `libstorage.tls.insecure` to `true`. The connection will be encrypted, but the certificate verification is disabled and deferred to the peer verification. * The property `libstorage.tls` can now be set to a simple string value of `verifyPeers` to indicate TLS connections should be verified against the system's and user's `known_hosts` files.
thecodeteam · Apr 14, 2017 · 2edd739 · 2edd739
1 parent b8f2b1b
commit 2edd739
Show file tree

Hide file tree

Showing 10 changed files with 435 additions and 93 deletions.
diff --git a/.docs/user-guide/config.md b/.docs/user-guide/config.md
@@ -367,7 +367,7 @@ expects. The following configuration achieves just that:
 libstorage:
   host: tcp://127.0.0.1:7979
   client:
-    tls: "sha256:15:92:77:BE:6C:90:D3:FB:59:29:9C:51:A7:DB:5C:16:55:BD:B9:9E:E7:7E:C1:9B:30:C3:74:99:21:5F:08:99"
+    tls: "libstorage sha256 15:92:77:BE:6C:90:D3:FB:59:29:9C:51:A7:DB:5C:16:55:BD:B9:9E:E7:7E:C1:9B:30:C3:74:99:21:5F:08:99"
   server:
     tls:
       certFile: /etc/libstorage/libstorage-server.crt

diff --git a/api/types/types_config.go b/api/types/types_config.go
@@ -99,6 +99,12 @@ const (
 	// ConfigTLSServerName is a config key.
 	ConfigTLSServerName = ConfigTLS + ".serverName"
 
+	// ConfigTLSKnownHosts is a config key.
+	ConfigTLSKnownHosts = ConfigTLS + ".knownHosts"
+
+	// ConfigTLSVerifyPeers is a config key.
+	ConfigTLSVerifyPeers = ConfigTLS + ".verifyPeers"
+
 	// ConfigTLSClientCertRequired is a config key.
 	ConfigTLSClientCertRequired = ConfigTLS + ".clientCertRequired"
 

diff --git a/api/types/types_paths.go b/api/types/types_paths.go
@@ -109,6 +109,22 @@ const (
 	// LSX is the path to the libStorage executor.
 	LSX
 
+	// DefaultTLSCertFile is the default path to the TLS cert file,
+	// libstorage.crt.
+	DefaultTLSCertFile
+
+	// DefaultTLSKeyFile is the default path to the TLS key file,
+	// libstorage.key.
+	DefaultTLSKeyFile
+
+	// DefaultTLSTrustedRootsFile is the default path to the TLS trusted roots
+	// file, cacerts.
+	DefaultTLSTrustedRootsFile
+
+	// DefaultTLSKnownHosts is the default path to the TLS known hosts file,
+	// known_hosts file.
+	DefaultTLSKnownHosts
+
 	maxFileKey
 )
 
@@ -167,6 +183,10 @@ func (k fileKey) parent() fileKey {
 		return Etc
 	case LSX:
 		return Lib
+	case DefaultTLSCertFile,
+		DefaultTLSKeyFile,
+		DefaultTLSTrustedRootsFile:
+		return TLS
 	default:
 		return Home
 	}
@@ -195,6 +215,14 @@ func (k fileKey) key() string {
 		return "tls"
 	case LSX:
 		return "lsx"
+	case DefaultTLSCertFile:
+		return "crt"
+	case DefaultTLSKeyFile:
+		return "key"
+	case DefaultTLSTrustedRootsFile:
+		return "tca"
+	case DefaultTLSKnownHosts:
+		return "hst"
 	}
 	return ""
 }
@@ -239,6 +267,14 @@ func (k fileKey) defaultVal() string {
 		default:
 			return fmt.Sprintf("lsx-%s", runtime.GOOS)
 		}
+	case DefaultTLSCertFile:
+		return "libstorage.crt"
+	case DefaultTLSKeyFile:
+		return "libstorage.key"
+	case DefaultTLSTrustedRootsFile:
+		return "cacerts"
+	case DefaultTLSKnownHosts:
+		return "known_hosts"
 	}
 	return ""
 }

diff --git a/api/types/types_paths_test.go b/api/types/types_paths_test.go
@@ -25,6 +25,11 @@ func TestPaths(t *testing.T) {
 	t.Logf("%5[1]s  %[2]s", Home.key(), Home)
 	t.Logf("%5[1]s  %[2]s", Etc.key(), Etc)
 	t.Logf("%5[1]s  %[2]s", TLS.key(), TLS)
+	t.Logf("%5[1]s  %[2]s", DefaultTLSCertFile.key(), DefaultTLSCertFile)
+	t.Logf("%5[1]s  %[2]s", DefaultTLSKeyFile.key(), DefaultTLSKeyFile)
+	t.Logf("%5[1]s  %[2]s",
+		DefaultTLSTrustedRootsFile.key(), DefaultTLSTrustedRootsFile)
+	t.Logf("%5[1]s  %[2]s", DefaultTLSKnownHosts.key(), DefaultTLSKnownHosts)
 	t.Logf("%5[1]s  %[2]s", Lib.key(), Lib)
 	t.Logf("%5[1]s  %[2]s", Log.key(), Log)
 	t.Logf("%5[1]s  %[2]s", Run.key(), Run)

diff --git a/api/types/types_tls.go b/api/types/types_tls.go
@@ -7,6 +7,16 @@ import "crypto/tls"
 type TLSConfig struct {
 	tls.Config
 
+	// VerifyPeers is a flag that indicates whether peer certificates
+	// should be validated against a PeerFingerprint or known hosts files.
+	VerifyPeers bool
+
+	// SysKnownHosts is the path to the system's known_hosts file.
+	SysKnownHosts string
+
+	// UsrKnownHosts is the path to the user's known_hosts file.
+	UsrKnownHosts string
+
 	// PeerFingerprint is the expected SHA256 fingerprint of a peer certificate.
 	PeerFingerprint []byte
 }