search for: 1aff185

..., "handshake: server is not fixed newstyle, " - "but handle TLS setting is require (2)"); + "but handle TLS setting is 'require' (2)"); return 0; } diff --git a/generator/states-oldstyle.c b/generator/states-oldstyle.c index 1aff185..babefc0 100644 --- a/generator/states-oldstyle.c +++ b/generator/states-oldstyle.c @@ -46,13 +46,13 @@ gflags = be16toh (h->sbuf.old_handshake.gflags); eflags = be16toh (h->sbuf.old_handshake.eflags); - /* Server is unable to upgrade to TLS. If h->tls is not require (2) + /* Ser...

We discovered a possible Downgrade Attack in libnbd. Lifecycle --------- Reported: 2019-09-14 Fixed: 2019-09-16 Published: 2019-09-16 There is no CVE number assigned for this issue yet, but the bug is being categorized and processed by Red Hat's security team which may result in a CVE being published later. Description ----------- Libnbd includes the method nbd_set_tls(h,

...>gflags & NBD_FLAG_FIXED_NEWSTYLE) == 0) + h->protocol = "newstyle"; + else + h->protocol = "newstyle-fixed"; + + SET_NEXT_STATE (%.READY); + return 0; + } /* END STATE MACHINE */ diff --git a/generator/states-oldstyle.c b/generator/states-oldstyle.c index 1aff185..cb4f0da 100644 --- a/generator/states-oldstyle.c +++ b/generator/states-oldstyle.c @@ -64,6 +64,8 @@ return 0; } + h->protocol = "oldstyle"; + SET_NEXT_STATE (%.READY); return 0; diff --git a/lib/handle.c b/lib/handle.c index bc4206c..85d10cd 100644 --- a/lib/handle...

When LIBNBD_TLS_ALLOW is used we don't have a way to find out if TLS was really negotiated. This adds a flag and a way to read it back. Unfortunately there is no test yet, because LIBNBD_TLS_ALLOW is not tested -- it really should be but requires quite a complicated set of tests because ideally we'd like to find out whether it falls back correctly for all supported servers. --- TODO