* [Qemu-devel] [PATCH v2 for-2.6] nbd: Don't kill server on client that doesn't request TLS
@ 2016-04-14 22:02 Eric Blake
2016-04-14 22:38 ` Max Reitz
0 siblings, 1 reply; 2+ messages in thread
From: Eric Blake @ 2016-04-14 22:02 UTC (permalink / raw)
To: qemu-devel; +Cc: mreitz, pbonzini, alex, qemu-block
Upstream NBD documents (as of commit 4feebc95) that servers MAY
choose to operate in a conditional mode, where it is up to the
client whether to use TLS. For qemu's case, we want to always be
in FORCEDTLS mode, because of the risk of man-in-the-middle
attacks, and since we never export more than one device; likewise,
the qemu client will ALWAYS send NBD_OPT_STARTTLS as its first
option. But now that SELECTIVETLS servers exist, it is feasible
to encounter a (non-qemu) client that is programmed to talk to
such a server, and does not do NBD_OPT_STARTTLS first, but rather
wants to probe if it can use a non-encrypted export.
The NBD protocol documents that we should let such a client
continue trying, on the grounds that maybe the client will get the
hint to send NBD_OPT_STARTTLS, rather than immediately dropping
the connection.
Note that NBD_OPT_EXPORT_NAME is a special case: since it is the
only option request that can't have an error return, we have to
(continue to) drop the connection on that one; rather, what we are
fixing here is that all other replies prior to TLS initiation tell
the client NBD_REP_ERR_TLS_REQD, but keep the connection alive.
Signed-off-by: Eric Blake <eblake@redhat.com>
---
In v2: tweak commit message, continue to drop connection on
NBD_OPT_EXPORT_NAME
nbd/server.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/nbd/server.c b/nbd/server.c
index 2a4dd10..a13a691 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -449,11 +449,19 @@ static int nbd_negotiate_options(NBDClient *client)
client->ioc = QIO_CHANNEL(tioc);
break;
+ case NBD_OPT_EXPORT_NAME:
+ /* No way to return an error to client, so drop connection */
+ TRACE("Option 0x%x not permitted before TLS", clientflags);
+ return -EINVAL;
+
default:
TRACE("Option 0x%x not permitted before TLS", clientflags);
+ if (nbd_negotiate_drop_sync(client->ioc, length) != length) {
+ return -EIO;
+ }
nbd_negotiate_send_rep(client->ioc, NBD_REP_ERR_TLS_REQD,
clientflags);
- return -EINVAL;
+ break;
}
} else if (fixedNewstyle) {
switch (clientflags) {
@@ -471,6 +479,9 @@ static int nbd_negotiate_options(NBDClient *client)
return nbd_negotiate_handle_export_name(client, length);
case NBD_OPT_STARTTLS:
+ if (nbd_negotiate_drop_sync(client->ioc, length) != length) {
+ return -EIO;
+ }
if (client->tlscreds) {
TRACE("TLS already enabled");
nbd_negotiate_send_rep(client->ioc, NBD_REP_ERR_INVALID,
@@ -480,7 +491,7 @@ static int nbd_negotiate_options(NBDClient *client)
nbd_negotiate_send_rep(client->ioc, NBD_REP_ERR_POLICY,
clientflags);
}
- return -EINVAL;
+ break;
default:
TRACE("Unsupported option 0x%x", clientflags);
if (nbd_negotiate_drop_sync(client->ioc, length) != length) {
--
2.5.5
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [Qemu-devel] [PATCH v2 for-2.6] nbd: Don't kill server on client that doesn't request TLS
2016-04-14 22:02 [Qemu-devel] [PATCH v2 for-2.6] nbd: Don't kill server on client that doesn't request TLS Eric Blake
@ 2016-04-14 22:38 ` Max Reitz
0 siblings, 0 replies; 2+ messages in thread
From: Max Reitz @ 2016-04-14 22:38 UTC (permalink / raw)
To: Eric Blake, qemu-devel; +Cc: pbonzini, alex, qemu-block
[-- Attachment #1.1: Type: text/plain, Size: 1616 bytes --]
On 15.04.2016 00:02, Eric Blake wrote:
> Upstream NBD documents (as of commit 4feebc95) that servers MAY
> choose to operate in a conditional mode, where it is up to the
> client whether to use TLS. For qemu's case, we want to always be
> in FORCEDTLS mode, because of the risk of man-in-the-middle
> attacks, and since we never export more than one device; likewise,
> the qemu client will ALWAYS send NBD_OPT_STARTTLS as its first
> option. But now that SELECTIVETLS servers exist, it is feasible
> to encounter a (non-qemu) client that is programmed to talk to
> such a server, and does not do NBD_OPT_STARTTLS first, but rather
> wants to probe if it can use a non-encrypted export.
>
> The NBD protocol documents that we should let such a client
> continue trying, on the grounds that maybe the client will get the
> hint to send NBD_OPT_STARTTLS, rather than immediately dropping
> the connection.
>
> Note that NBD_OPT_EXPORT_NAME is a special case: since it is the
> only option request that can't have an error return, we have to
> (continue to) drop the connection on that one; rather, what we are
> fixing here is that all other replies prior to TLS initiation tell
> the client NBD_REP_ERR_TLS_REQD, but keep the connection alive.
>
> Signed-off-by: Eric Blake <eblake@redhat.com>
> ---
>
> In v2: tweak commit message, continue to drop connection on
> NBD_OPT_EXPORT_NAME
>
> nbd/server.c | 15 +++++++++++++--
> 1 file changed, 13 insertions(+), 2 deletions(-)
Thanks Eric, applied to my block branch:
https://github.com/XanClic/qemu/commits/block
Max
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 473 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2016-04-14 22:38 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-04-14 22:02 [Qemu-devel] [PATCH v2 for-2.6] nbd: Don't kill server on client that doesn't request TLS Eric Blake
2016-04-14 22:38 ` Max Reitz
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).