search for: libnbd_tls_requir

...re connecting: - nbd_set_tls (nbd, 1); // to allow TLS, but fall back to unencrypted - nbd_set_tls (nbd, 2); // to require TLS, and fail otherwise + // to allow TLS, but fall back to unencrypted + nbd_set_tls (nbd, LIBNBD_TLS_ALLOW); + // to require TLS, and fail otherwise + nbd_set_tls (nbd, LIBNBD_TLS_REQUIRE); It may also be necessary to verify that the server’s identity is correct. For some servers it may be necessary to verify to the server diff --git a/interop/interop.c b/interop/interop.c index a3973db..662d871 100644 --- a/interop/interop.c +++ b/interop/interop.c @@ -77,7 +77,7 @@ main (int...

This neutral refactoring adds -DTLS_MODE. We can in future change the requested TLS mode, but not in this commit. It also checks that nbd_get_tls_negotiated returns true after connecting, when the requested mode was set to LIBNBD_TLS_REQUIRE. --- interop/Makefile.am | 4 ++++ interop/interop.c | 26 ++++++++++++++++++++------ 2 files changed, 24 insertions(+), 6 deletions(-) diff --git a/interop/Makefile.am b/interop/Makefile.am index 9cb8071..8a5b787 100644 --- a/interop/Makefile.am +++ b/interop/Makefile.am @@ -100,6 +100,7 @@...

I was a little surprised to find that LIBNBD_TLS_ALLOW worked out of the box, so I had to examine the logs whereupon I saw the magic message ... libnbd: debug: nbd1: nbd_connect_command: server refused TLS (policy), continuing with unencrypted connection I don't believe this path has ever been tested before. It's possible the tests could be improved if they actually checked for this

...8,13 +88,13 @@ return 0; } - /* Server refused to upgrade to TLS. If h->tls is not require (2) + /* Server refused to upgrade to TLS. If h->tls is not 'require' (2) * then we can continue unencrypted. */ - if (h->tls == 2) { + if (h->tls == LIBNBD_TLS_REQUIRE) { SET_NEXT_STATE (%.DEAD); set_error (ENOTSUP, "handshake: server refused TLS, " - "but handle TLS setting is require (2)"); + "but handle TLS setting is 'require' (2)"); return 0; } diff --git a/gene...

...019-09-14 Fixed: 2019-09-16 Published: 2019-09-16 There is no CVE number assigned for this issue yet, but the bug is being categorized and processed by Red Hat's security team which may result in a CVE being published later. Description ----------- Libnbd includes the method nbd_set_tls(h, LIBNBD_TLS_REQUIRE) which is documented to let a client refuse to connect to a server that is not using TLS encryption. However, if the server uses the oldstyle protocol, a flaw in libnbd meant that the client would proceed with an unencrypted connection without warning. An attacker, perhaps acting as a man-in-the-...

This largish series adds several new features to the generator. Enum maps to enumerated types (like enum in C). The only current use for this is replacing the nbd_set_tls (nbd, 0/1/2) parameter with LIBNBD_TLS_DISABLE, LIBNBD_TLS_ALLOW, LIBNBD_TLS_REQUIRE (and natural equivalents in other programming languages). Flags maps to any uint32_t bitmask. It is basically a non-optional, generalized variation on OFlags with some nice features. Two commits also add checking so that we check that the Enum, Flags or OFlags parameters don't contain value...

...ck_LDADD = $(top_builddir)/lib/libnbd.la + endif HAVE_NBDKIT check-valgrind: diff --git a/interop/interop.c b/interop/interop.c index 2772721..3d916f2 100644 --- a/interop/interop.c +++ b/interop/interop.c @@ -147,12 +147,30 @@ main (int argc, char *argv[]) #endif #if TLS - if (TLS_MODE == LIBNBD_TLS_REQUIRE && - nbd_get_tls_negotiated (nbd) != 1) { - fprintf (stderr, - "%s: TLS required, but not negotiated on the connection\n", - argv[0]); - goto out; + if (TLS_MODE == LIBNBD_TLS_REQUIRE) { + if (nbd_get_tls_negotiated (nbd) != 1) { + fpri...

Previous discussion: https://www.redhat.com/archives/libguestfs/2019-August/msg00102.html Last night I experimentally added support for URIs that contain the query parameter tls-psk-file, as part of rewriting the tests to cover more of the URI code. So you can now have a URI like: nbds://alice@localhost/?tls-psk-file=keys.psk However there's an obvious security problem here because now

...The per-connection handle */ @@ -160,11 +160,12 @@ nbdplug_config (const char *key, const char *value) if (strcasecmp (value, "require") == 0 || strcasecmp (value, "required") == 0 || strcasecmp (value, "force") == 0) - tls = 2; + tls = LIBNBD_TLS_REQUIRE; else { - tls = nbdkit_parse_bool (value); - if (tls == -1) + r = nbdkit_parse_bool (value); + if (r == -1) exit (EXIT_FAILURE); + tls = r ? LIBNBD_TLS_ALLOW : LIBNBD_TLS_DISABLE; } } else if (strcmp (key, "tls-certificates") == 0) { @@ -...

...+ +=over 4 + +=item C<LIBNBD_TLS_DISABLE> + +TLS URIs are not permitted, ie. a URI such as C<nbds://...> +will be rejected. + +=item C<LIBNBD_TLS_ALLOW> + +This is the default. TLS may be used or not, depending on +whether the URI uses C<nbds> or C<nbd>. + +=item C<LIBNBD_TLS_REQUIRE> + +TLS URIs are required. All URIs must use C<nbs>. + +=back"; + see_also = ["L<nbd_connect_uri(3)>"; "L<nbd_set_uri_allow_transports(3)>"]; + }; + + "set_uri_allow_local_file", { + default_call with + args = [ Bool "allow&q...

Now that we have implemented systemd socket activation, we can use this to run qemu-nbd in tests. The first patch leaves some dead code around (the -DSERVE_OVER_TCP=1 path). It's possible we might want to use this to test against a putative future NBD server that only supports TCP, but on the other hand maybe we should just remove it. Tests & valgrind still pass for me. Rich.

...ecurity issues found in libnbd. + +For how to report new security issues, see the C<SECURITY> file in the +top level source directory, also available online here: +L<https://github.com/libguestfs/libnbd/blob/master/SECURITY> + +=head2 CVE-2019-14842 +protocol downgrade attack when using LIBNBD_TLS_REQUIRE + +See the full announcement and links to mitigation, tests and fixes +here: +https://www.redhat.com/archives/libguestfs/2019-September/msg00128.html + +=head1 SEE ALSO + +L<libnbd(1)>. + +=head1 AUTHORS + +Eric Blake + +Richard W.M. Jones + +=head1 COPYRIGHT + +Copyright (C) 2019 Red Hat In...

Previously nbd_set_tls had an integer argument which was 0 for disable, 1 for allow and 2 for require. This commit adds a proper enumerated type to describe this, defining LIBNBD_TLS_DISABLE = 0, LIBNBD_TLS_ALLOW = 1 and LIBNBD_TLS_REQUIRE = 2. (Note the C API doesn't change). In C the enumerated type is still defined and passed as an int (not as an enum). While we could define an enum type for this, there are ABI stability problems inherent in enums in C. In OCaml this is implemented as a variant type. There is no equivale...

...apper code this adds checks for all Enum parameters. Since only nbd_set_tls uses an Enum parameter, the only extra code generated by this change is: int nbd_set_tls (struct nbd_handle *h, int tls) { // ... switch (tls) { case LIBNBD_TLS_DISABLE: case LIBNBD_TLS_ALLOW: case LIBNBD_TLS_REQUIRE: break; default: set_error (EINVAL, "%s: invalid value for parameter: %d", "tls", tls); ret = -1; goto out; } This doesn't change the C API, but previously this parameter was not checked. So programs using this API which pr...

...gt; @@ -160,11 +160,12 @@ nbdplug_config (const char *key, const char *value) > if (strcasecmp (value, "require") == 0 || > strcasecmp (value, "required") == 0 || > strcasecmp (value, "force") == 0) > - tls = 2; > + tls = LIBNBD_TLS_REQUIRE; > else { > - tls = nbdkit_parse_bool (value); > - if (tls == -1) > + r = nbdkit_parse_bool (value); > + if (r == -1) > exit (EXIT_FAILURE); > + tls = r ? LIBNBD_TLS_ALLOW : LIBNBD_TLS_DISABLE; Our feedback was the LIBNBD_TLS_ALLOW was r...

...to arbitrary code execution. Test if libnbd is vulnerable ---------------------------- (There is no simple test for this vulnerability) Workarounds ----------- It is highly recommended to apply the fix or upgrade to a fixed version. If you cannot do this, then you could use: nbd_set_tls (h, LIBNBD_TLS_REQUIRE) to only connect to trusted servers over TLS. Fixes ----- This affects all versions of libnbd. A fix is available for 1.0, and the current development branch. * development branch (1.1) https://github.com/libguestfs/libnbd/commit/f75f602a6361c0c5f42debfeea6980f698ce7f09 or use libnbd >...

On 9/17/19 5:35 PM, Richard W.M. Jones wrote: > This neutral refactoring adds -DTLS_MODE. We can in future change the > requested TLS mode, but not in this commit. > > It also checks that nbd_get_tls_negotiated returns true after > connecting, when the requested mode was set to LIBNBD_TLS_REQUIRE. > --- > interop/Makefile.am | 4 ++++ > interop/interop.c | 26 ++++++++++++++++++++------ > 2 files changed, 24 insertions(+), 6 deletions(-) > +#if CERTS || PSK > +#define TLS 1 > +#ifndef TLS_MODE > +#error "TLS_MODE must be defined when using CERTS || PSK&quo...

...t; + > +TLS URIs are not permitted, ie. a URI such as C<nbds://...> > +will be rejected. > + > +=item C<LIBNBD_TLS_ALLOW> > + > +This is the default. TLS may be used or not, depending on > +whether the URI uses C<nbds> or C<nbd>. > + > +=item C<LIBNBD_TLS_REQUIRE> > + > +TLS URIs are required. All URIs must use C<nbs>. C<nbds> > +=item Connect to Unix domain socket in the local filesystem > + > +Default: allowed > + > +To prevent this you must disable the C<+unix> transport Is the + in C<+unix> intention...

...ecurity issues found in libnbd. + +For how to report new security issues, see the C<SECURITY> file in the +top level source directory, also available online here: +L<https://github.com/libguestfs/libnbd/blob/master/SECURITY> + +=head2 CVE-2019-14842 +protocol downgrade attack when using LIBNBD_TLS_REQUIRE + +See the full announcement and links to mitigation, tests and fixes +here: +https://www.redhat.com/archives/libguestfs/2019-September/msg00128.html + +=head1 SEE ALSO + +L<libnbd(1)>. + +=head1 AUTHORS + +Eric Blake + +Richard W.M. Jones + +=head1 COPYRIGHT + +Copyright (C) 2019 Red Hat In...

...E.CHECK_GFLAGS: uint32_t cflags; - h->gflags = be16toh (h->gflags); - if ((h->gflags & NBD_FLAG_FIXED_NEWSTYLE) == 0 && + h->gflags &= be16toh (h->sbuf.gflags); + if ((h->gflags & LIBNBD_HANDSHAKE_FLAG_FIXED_NEWSTYLE) == 0 && h->tls == LIBNBD_TLS_REQUIRE) { SET_NEXT_STATE (%.DEAD); - set_error (ENOTSUP, "handshake: server is not fixed newstyle, " + set_error (ENOTSUP, "handshake: server is not using fixed newstyle, " "but handle TLS setting is 'require' (2)"); return 0; } -...