From patchwork Fri Apr 15 17:02:22 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kevin Wolf X-Patchwork-Id: 611074 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 3qmkdl3FtFz9t6X for ; Sat, 16 Apr 2016 03:13:31 +1000 (AEST) Received: from localhost ([::1]:38084 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ar7J5-0001K7-Oi for incoming@patchwork.ozlabs.org; Fri, 15 Apr 2016 13:13:23 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:46284) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ar79C-0004cH-KR for qemu-devel@nongnu.org; Fri, 15 Apr 2016 13:03:11 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ar79B-000477-KA for qemu-devel@nongnu.org; Fri, 15 Apr 2016 13:03:10 -0400 Received: from mx1.redhat.com ([209.132.183.28]:46267) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ar795-00042T-0C; Fri, 15 Apr 2016 13:03:03 -0400 Received: from int-mx11.intmail.prod.int.phx2.redhat.com (int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 93B037F08B; Fri, 15 Apr 2016 17:03:02 +0000 (UTC) Received: from noname.redhat.com (ovpn-116-83.ams2.redhat.com [10.36.116.83]) by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id u3FH2RWo018652; Fri, 15 Apr 2016 13:03:01 -0400 From: Kevin Wolf To: qemu-block@nongnu.org Date: Fri, 15 Apr 2016 19:02:22 +0200 Message-Id: <1460739742-5315-20-git-send-email-kwolf@redhat.com> In-Reply-To: <1460739742-5315-1-git-send-email-kwolf@redhat.com> References: <1460739742-5315-1-git-send-email-kwolf@redhat.com> X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PULL 19/19] nbd: Don't kill server on client that doesn't request TLS X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: kwolf@redhat.com, qemu-devel@nongnu.org Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: "Qemu-devel" From: Eric Blake Upstream NBD documents (as of commit 4feebc95) that servers MAY choose to operate in a conditional mode, where it is up to the client whether to use TLS. For qemu's case, we want to always be in FORCEDTLS mode, because of the risk of man-in-the-middle attacks, and since we never export more than one device; likewise, the qemu client will ALWAYS send NBD_OPT_STARTTLS as its first option. But now that SELECTIVETLS servers exist, it is feasible to encounter a (non-qemu) client that is programmed to talk to such a server, and does not do NBD_OPT_STARTTLS first, but rather wants to probe if it can use a non-encrypted export. The NBD protocol documents that we should let such a client continue trying, on the grounds that maybe the client will get the hint to send NBD_OPT_STARTTLS, rather than immediately dropping the connection. Note that NBD_OPT_EXPORT_NAME is a special case: since it is the only option request that can't have an error return, we have to (continue to) drop the connection on that one; rather, what we are fixing here is that all other replies prior to TLS initiation tell the client NBD_REP_ERR_TLS_REQD, but keep the connection alive. Signed-off-by: Eric Blake Message-id: 1460671343-18485-1-git-send-email-eblake@redhat.com Signed-off-by: Max Reitz --- nbd/server.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/nbd/server.c b/nbd/server.c index 2a4dd10..a13a691 100644 --- a/nbd/server.c +++ b/nbd/server.c @@ -449,11 +449,19 @@ static int nbd_negotiate_options(NBDClient *client) client->ioc = QIO_CHANNEL(tioc); break; + case NBD_OPT_EXPORT_NAME: + /* No way to return an error to client, so drop connection */ + TRACE("Option 0x%x not permitted before TLS", clientflags); + return -EINVAL; + default: TRACE("Option 0x%x not permitted before TLS", clientflags); + if (nbd_negotiate_drop_sync(client->ioc, length) != length) { + return -EIO; + } nbd_negotiate_send_rep(client->ioc, NBD_REP_ERR_TLS_REQD, clientflags); - return -EINVAL; + break; } } else if (fixedNewstyle) { switch (clientflags) { @@ -471,6 +479,9 @@ static int nbd_negotiate_options(NBDClient *client) return nbd_negotiate_handle_export_name(client, length); case NBD_OPT_STARTTLS: + if (nbd_negotiate_drop_sync(client->ioc, length) != length) { + return -EIO; + } if (client->tlscreds) { TRACE("TLS already enabled"); nbd_negotiate_send_rep(client->ioc, NBD_REP_ERR_INVALID, @@ -480,7 +491,7 @@ static int nbd_negotiate_options(NBDClient *client) nbd_negotiate_send_rep(client->ioc, NBD_REP_ERR_POLICY, clientflags); } - return -EINVAL; + break; default: TRACE("Unsupported option 0x%x", clientflags); if (nbd_negotiate_drop_sync(client->ioc, length) != length) {