From patchwork Fri Apr 8 22:05:41 2016
X-Patchwork-Submitter: Eric Blake
X-Patchwork-Id: 8786501
From: Eric Blake
To: qemu-devel@nongnu.org
Cc: Paolo Bonzini, alex@alex.org.uk
Date: Fri, 8 Apr 2016 16:05:41 -0600
Message-Id: <1460153158-21612-2-git-send-email-eblake@redhat.com>
In-Reply-To: <1460153158-21612-1-git-send-email-eblake@redhat.com>
References: <1460153158-21612-1-git-send-email-eblake@redhat.com>
Subject: [Qemu-devel] [PATCH 01/18] nbd: Don't kill server on client that doesn't request TLS

Upstream NBD is documenting that servers MAY choose to operate in a conditional mode, where it is up to the client whether to use TLS. For qemu's case, we want to always be in FORCEDTLS mode, because of the risk of man-in-the-middle attacks, and since we never export more than one device; likewise, the qemu client will ALWAYS send NBD_OPT_STARTTLS as its first option. But now that SELECTIVETLS servers exist, it is feasible to encounter a (non-qemu) client that does not do NBD_OPT_STARTTLS first, but rather wants to take advantage of the conditional modes it might find elsewhere. Since we require TLS, we are within our rights to drop connections on any client that doesn't negotiate it right away, or which attempts to negotiate it incorrectly, without violating the intent of the NBD Protocol.
However, it's better to allow the client to continue trying, on the grounds that maybe the client will get the hint to send NBD_OPT_STARTTLS. Signed-off-by: Eric Blake Reviewed-by: Alex Bligh --- nbd/server.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/nbd/server.c b/nbd/server.c index 2a4dd10..e7e4881 100644 --- a/nbd/server.c +++ b/nbd/server.c @@ -451,9 +451,12 @@ static int nbd_negotiate_options(NBDClient *client) default: TRACE("Option 0x%x not permitted before TLS", clientflags); + if (nbd_negotiate_drop_sync(client->ioc, length) != length) { + return -EIO; + } nbd_negotiate_send_rep(client->ioc, NBD_REP_ERR_TLS_REQD, clientflags); - return -EINVAL; + break; } } else if (fixedNewstyle) { switch (clientflags) { @@ -471,6 +474,9 @@ static int nbd_negotiate_options(NBDClient *client) return nbd_negotiate_handle_export_name(client, length); case NBD_OPT_STARTTLS: + if (nbd_negotiate_drop_sync(client->ioc, length) != length) { + return -EIO; + } if (client->tlscreds) { TRACE("TLS already enabled"); nbd_negotiate_send_rep(client->ioc, NBD_REP_ERR_INVALID, @@ -480,7 +486,7 @@ static int nbd_negotiate_options(NBDClient *client) nbd_negotiate_send_rep(client->ioc, NBD_REP_ERR_POLICY, clientflags); } - return -EINVAL; + break; default: TRACE("Unsupported option 0x%x", clientflags); if (nbd_negotiate_drop_sync(client->ioc, length) != length) {
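Review bot: in the first hunk (pre-TLS default: branch), replacing return -EINVAL with break removes the only bound on how many non-STARTTLS options a client may send before the connection is closed, so a client that never negotiates TLS can keep the negotiation loop, and the server's read of each option payload through nbd_negotiate_drop_sync, going indefinitely. That is fine if misbehaving or idle clients are already limited elsewhere (a negotiation timeout or per-client resource limit), but the commit message should say so, or the loop should count NBD_REP_ERR_TLS_REQD replies and drop the client after a small number of them. Draining the payload with nbd_negotiate_drop_sync before calling nbd_negotiate_send_rep is the right order, since the stream then stays in sync for the next option header.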
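Review bot: in the second hunk (NBD_OPT_STARTTLS case), the new nbd_negotiate_drop_sync call silently discards whatever payload the client attached to the option instead of treating a non-zero length as a malformed request. NBD_OPT_STARTTLS carries no option data, so a client that sends some is not following the protocol; consider replying NBD_REP_ERR_INVALID when length != 0 (after draining it) rather than proceeding to the TLS handshake as if the request were well-formed. If tolerating the extra bytes is deliberate, a one-line comment saying so would help the next reader.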
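Review bot: in the third hunk, changing the final return -EINVAL to break means both the NBD_REP_ERR_INVALID ("TLS already enabled") and NBD_REP_ERR_POLICY paths now continue to the next loop iteration, but the result of neither nbd_negotiate_send_rep call is checked. If the reply cannot be written because the client has gone away, the failure is only noticed on the next option-header read; that is a delay rather than a correctness problem, but checking the send result here, as the new nbd_negotiate_drop_sync checks do, would keep error handling uniform across the case. The diffstat (8 insertions, 2 deletions) matches the three hunks, and the visible default: branch below already follows the same drop-then-reply pattern, so the new cases are consistent with it.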