Libguestfs - Aug 2021 - [PATCH] spec: Clarify STARTTLS vs. STRUCTURED_REPLY

Consider a SELECTIVETLS server and a MitM attacker, under the
following NBD_OPT_ handshake scenario:

 client:                  mitm:                    server:
 > _STARTTLS
                          > _STRUCTURED_REPLY
                                                   < _REP_ACK
                          > _STARTTLS
                                                   < _REP_ACK
                          < _REP_ACK
 > _GO
                          > _GO
                                                   < _REP_ACK
                          < _REP_ACK
 > NBD_CMD_READ

In this scenario, the client is NOT expecting structured replies from
the server, but if the server feels obligated to send them based on
the plaintext negotiation, it may confuse the client.  The MitM
attacker was thus able to corrupt the connection, even without having
any encryption keys.  The only sane approach is to forbid ALL stateful
negotiations from having any effect post-encryption (the MitM's
injected packet is effectively ignored, and the client proceeds
without structured replies).

Unfortunately, nbdkit 1.26.0 is buggy in this regards - a CVE will be
opened against that product.  nbd-server does not yet understand
NBD_OPT_STRUCTURED_REPLY, and qemu as server does not use SELECTIVETLS
mode, so they are immune.
---
 doc/proto.md | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/doc/proto.md b/doc/proto.md
index de4a7d7..9dd59da 100644
--- a/doc/proto.md
+++ b/doc/proto.md
@@ -1166,12 +1166,11 @@ of the newstyle negotiation.
     the client included data).

     When this command succeeds, the server MUST NOT preserve any
-    per-export state (such as metadata contexts from
-    `NBD_OPT_SET_META_CONTEXT`) issued before this command.  The
-    server MAY preserve global state such as a client request for
-    `NBD_OPT_STRUCTURED_REPLY`; however, a client SHOULD defer
-    stateful option requests until after it determines whether
-    encryption is available.
+    negotiation state (such as a request for
+    `NBD_OPT_STRUCTURED_REPLY`, or metadata contexts from
+    `NBD_OPT_SET_META_CONTEXT`) issued before this command.  A client
+    SHOULD defer all stateful option requests until after it
+    determines whether encryption is available.

     See the section on TLS above for further details.

@@ -1317,6 +1316,10 @@ of the newstyle negotiation.
     client MUST NOT make use of those extensions without first
     enabling the `NBD_OPT_STRUCTURED_REPLY` extension.

+    If the client requests `NBD_OPT_STARTTLS` after this option, it
+    MUST renegotiate structured replies and any other dependent
+    extensions that it desires to use.
+
 * `NBD_OPT_LIST_META_CONTEXT` (9)

     Return a list of `NBD_REP_META_CONTEXT` replies, one per context,
-- 
2.31.1