Displaying 20 results from an estimated 27 matches for "libnbd_tls_requir".
Did you mean:
libnbd_tls_require
2019 Aug 10
0
[PATCH libnbd 4/9] api: Change nbd_set_tls (, 2) -> nbd_set_tls (, LIBNBD_TLS_REQUIRE).
...re connecting:
- nbd_set_tls (nbd, 1); // to allow TLS, but fall back to unencrypted
- nbd_set_tls (nbd, 2); // to require TLS, and fail otherwise
+ // to allow TLS, but fall back to unencrypted
+ nbd_set_tls (nbd, LIBNBD_TLS_ALLOW);
+ // to require TLS, and fail otherwise
+ nbd_set_tls (nbd, LIBNBD_TLS_REQUIRE);
It may also be necessary to verify that the server’s identity is
correct. For some servers it may be necessary to verify to the server
diff --git a/interop/interop.c b/interop/interop.c
index a3973db..662d871 100644
--- a/interop/interop.c
+++ b/interop/interop.c
@@ -77,7 +77,7 @@ main (int...
2019 Sep 17
0
[PATCH libnbd 4/5] interop: Add -DTLS_MODE to the test.
This neutral refactoring adds -DTLS_MODE. We can in future change the
requested TLS mode, but not in this commit.
It also checks that nbd_get_tls_negotiated returns true after
connecting, when the requested mode was set to LIBNBD_TLS_REQUIRE.
---
interop/Makefile.am | 4 ++++
interop/interop.c | 26 ++++++++++++++++++++------
2 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/interop/Makefile.am b/interop/Makefile.am
index 9cb8071..8a5b787 100644
--- a/interop/Makefile.am
+++ b/interop/Makefile.am
@@ -100,6 +100,7 @@...
2019 Sep 17
7
[PATCH libnbd 0/5] interop: Check that LIBNBD_TLS_ALLOW works against nbdkit.
I was a little surprised to find that LIBNBD_TLS_ALLOW worked out of
the box, so I had to examine the logs whereupon I saw the magic
message ...
libnbd: debug: nbd1: nbd_connect_command: server refused TLS (policy), continuing with unencrypted connection
I don't believe this path has ever been tested before.
It's possible the tests could be improved if they actually checked for
this
2019 Sep 16
1
[libnbd PATCH] states: Avoid magic number for h->tls
...8,13 +88,13 @@
return 0;
}
- /* Server refused to upgrade to TLS. If h->tls is not require (2)
+ /* Server refused to upgrade to TLS. If h->tls is not 'require' (2)
* then we can continue unencrypted.
*/
- if (h->tls == 2) {
+ if (h->tls == LIBNBD_TLS_REQUIRE) {
SET_NEXT_STATE (%.DEAD);
set_error (ENOTSUP, "handshake: server refused TLS, "
- "but handle TLS setting is require (2)");
+ "but handle TLS setting is 'require' (2)");
return 0;
}
diff --git a/gene...
2019 Sep 16
2
[LIBNBD SECURITY PATCH 0/1] NBD Protocol Downgrade Attack in libnbd
...019-09-14 Fixed: 2019-09-16 Published: 2019-09-16
There is no CVE number assigned for this issue yet, but the bug is
being categorized and processed by Red Hat's security team which may
result in a CVE being published later.
Description
-----------
Libnbd includes the method nbd_set_tls(h, LIBNBD_TLS_REQUIRE) which is
documented to let a client refuse to connect to a server that is not
using TLS encryption. However, if the server uses the oldstyle
protocol, a flaw in libnbd meant that the client would proceed with an
unencrypted connection without warning.
An attacker, perhaps acting as a man-in-the-...
2019 Aug 10
17
[PATCH libnbd 0/9] Add Enum and Flags types.
This largish series adds several new features to the generator.
Enum maps to enumerated types (like enum in C). The only current use
for this is replacing the nbd_set_tls (nbd, 0/1/2) parameter with
LIBNBD_TLS_DISABLE, LIBNBD_TLS_ALLOW, LIBNBD_TLS_REQUIRE (and natural
equivalents in other programming languages).
Flags maps to any uint32_t bitmask. It is basically a non-optional,
generalized variation on OFlags with some nice features.
Two commits also add checking so that we check that the Enum, Flags or
OFlags parameters don't contain value...
2019 Sep 17
0
[PATCH libnbd 5/5] interop: Add tests of nbdkit + LIBNBD_TLS_ALLOW.
...ck_LDADD = $(top_builddir)/lib/libnbd.la
+
endif HAVE_NBDKIT
check-valgrind:
diff --git a/interop/interop.c b/interop/interop.c
index 2772721..3d916f2 100644
--- a/interop/interop.c
+++ b/interop/interop.c
@@ -147,12 +147,30 @@ main (int argc, char *argv[])
#endif
#if TLS
- if (TLS_MODE == LIBNBD_TLS_REQUIRE &&
- nbd_get_tls_negotiated (nbd) != 1) {
- fprintf (stderr,
- "%s: TLS required, but not negotiated on the connection\n",
- argv[0]);
- goto out;
+ if (TLS_MODE == LIBNBD_TLS_REQUIRE) {
+ if (nbd_get_tls_negotiated (nbd) != 1) {
+ fpri...
2019 Oct 20
2
[PATCH libnbd] api: Allow NBD URIs to be restricted.
Previous discussion:
https://www.redhat.com/archives/libguestfs/2019-August/msg00102.html
Last night I experimentally added support for URIs that contain the
query parameter tls-psk-file, as part of rewriting the tests to cover
more of the URI code. So you can now have a URI like:
nbds://alice@localhost/?tls-psk-file=keys.psk
However there's an obvious security problem here because now
2019 Aug 15
3
[nbdkit PATCH] nbd: Another libnbd version bump
...The per-connection handle */
@@ -160,11 +160,12 @@ nbdplug_config (const char *key, const char *value)
if (strcasecmp (value, "require") == 0 ||
strcasecmp (value, "required") == 0 ||
strcasecmp (value, "force") == 0)
- tls = 2;
+ tls = LIBNBD_TLS_REQUIRE;
else {
- tls = nbdkit_parse_bool (value);
- if (tls == -1)
+ r = nbdkit_parse_bool (value);
+ if (r == -1)
exit (EXIT_FAILURE);
+ tls = r ? LIBNBD_TLS_ALLOW : LIBNBD_TLS_DISABLE;
}
}
else if (strcmp (key, "tls-certificates") == 0) {
@@ -...
2019 Oct 20
0
[PATCH libnbd] api: Allow NBD URIs to be restricted.
...+
+=over 4
+
+=item C<LIBNBD_TLS_DISABLE>
+
+TLS URIs are not permitted, ie. a URI such as C<nbds://...>
+will be rejected.
+
+=item C<LIBNBD_TLS_ALLOW>
+
+This is the default. TLS may be used or not, depending on
+whether the URI uses C<nbds> or C<nbd>.
+
+=item C<LIBNBD_TLS_REQUIRE>
+
+TLS URIs are required. All URIs must use C<nbs>.
+
+=back";
+ see_also = ["L<nbd_connect_uri(3)>"; "L<nbd_set_uri_allow_transports(3)>"];
+ };
+
+ "set_uri_allow_local_file", {
+ default_call with
+ args = [ Bool "allow&q...
2019 Oct 01
3
[PATCH libnbd 0/2] Change qemu-nbd interop tests to use socket activation.
Now that we have implemented systemd socket activation, we can use
this to run qemu-nbd in tests.
The first patch leaves some dead code around (the -DSERVE_OVER_TCP=1
path). It's possible we might want to use this to test against a
putative future NBD server that only supports TCP, but on the other
hand maybe we should just remove it.
Tests & valgrind still pass for me.
Rich.
2019 Oct 01
1
[libnbd PATCH] docs: Add libnbd-security(1) man page
...ecurity issues found in libnbd.
+
+For how to report new security issues, see the C<SECURITY> file in the
+top level source directory, also available online here:
+L<https://github.com/libguestfs/libnbd/blob/master/SECURITY>
+
+=head2 CVE-2019-14842
+protocol downgrade attack when using LIBNBD_TLS_REQUIRE
+
+See the full announcement and links to mitigation, tests and fixes
+here:
+https://www.redhat.com/archives/libguestfs/2019-September/msg00128.html
+
+=head1 SEE ALSO
+
+L<libnbd(1)>.
+
+=head1 AUTHORS
+
+Eric Blake
+
+Richard W.M. Jones
+
+=head1 COPYRIGHT
+
+Copyright (C) 2019 Red Hat In...
2019 Aug 10
0
[PATCH libnbd 3/9] generator: Add Enum type for enumerated types / unions.
Previously nbd_set_tls had an integer argument which was 0 for
disable, 1 for allow and 2 for require. This commit adds a proper
enumerated type to describe this, defining LIBNBD_TLS_DISABLE = 0,
LIBNBD_TLS_ALLOW = 1 and LIBNBD_TLS_REQUIRE = 2. (Note the C API
doesn't change).
In C the enumerated type is still defined and passed as an int (not as
an enum). While we could define an enum type for this, there are ABI
stability problems inherent in enums in C.
In OCaml this is implemented as a variant type.
There is no equivale...
2019 Aug 10
0
[PATCH libnbd 5/9] generator: On entry to API functions, check Enum parameters.
...apper code this adds checks for all Enum
parameters. Since only nbd_set_tls uses an Enum parameter, the only
extra code generated by this change is:
int
nbd_set_tls (struct nbd_handle *h, int tls) {
// ...
switch (tls) {
case LIBNBD_TLS_DISABLE:
case LIBNBD_TLS_ALLOW:
case LIBNBD_TLS_REQUIRE:
break;
default:
set_error (EINVAL, "%s: invalid value for parameter: %d",
"tls", tls);
ret = -1;
goto out;
}
This doesn't change the C API, but previously this parameter was not
checked. So programs using this API which pr...
2019 Aug 15
0
Re: [nbdkit PATCH] nbd: Another libnbd version bump
...gt; @@ -160,11 +160,12 @@ nbdplug_config (const char *key, const char *value)
> if (strcasecmp (value, "require") == 0 ||
> strcasecmp (value, "required") == 0 ||
> strcasecmp (value, "force") == 0)
> - tls = 2;
> + tls = LIBNBD_TLS_REQUIRE;
> else {
> - tls = nbdkit_parse_bool (value);
> - if (tls == -1)
> + r = nbdkit_parse_bool (value);
> + if (r == -1)
> exit (EXIT_FAILURE);
> + tls = r ? LIBNBD_TLS_ALLOW : LIBNBD_TLS_DISABLE;
Our feedback was the LIBNBD_TLS_ALLOW was r...
2019 Oct 09
0
LIBNBD SECURITY: Remote code execution vulnerability
...to arbitrary
code execution.
Test if libnbd is vulnerable
----------------------------
(There is no simple test for this vulnerability)
Workarounds
-----------
It is highly recommended to apply the fix or upgrade to a fixed
version. If you cannot do this, then you could use:
nbd_set_tls (h, LIBNBD_TLS_REQUIRE)
to only connect to trusted servers over TLS.
Fixes
-----
This affects all versions of libnbd. A fix is available for 1.0, and
the current development branch.
* development branch (1.1)
https://github.com/libguestfs/libnbd/commit/f75f602a6361c0c5f42debfeea6980f698ce7f09
or use libnbd >...
2019 Sep 18
1
Re: [PATCH libnbd 4/5] interop: Add -DTLS_MODE to the test.
On 9/17/19 5:35 PM, Richard W.M. Jones wrote:
> This neutral refactoring adds -DTLS_MODE. We can in future change the
> requested TLS mode, but not in this commit.
>
> It also checks that nbd_get_tls_negotiated returns true after
> connecting, when the requested mode was set to LIBNBD_TLS_REQUIRE.
> ---
> interop/Makefile.am | 4 ++++
> interop/interop.c | 26 ++++++++++++++++++++------
> 2 files changed, 24 insertions(+), 6 deletions(-)
> +#if CERTS || PSK
> +#define TLS 1
> +#ifndef TLS_MODE
> +#error "TLS_MODE must be defined when using CERTS || PSK&quo...
2019 Nov 04
1
Re: [PATCH libnbd] api: Allow NBD URIs to be restricted.
...t; +
> +TLS URIs are not permitted, ie. a URI such as C<nbds://...>
> +will be rejected.
> +
> +=item C<LIBNBD_TLS_ALLOW>
> +
> +This is the default. TLS may be used or not, depending on
> +whether the URI uses C<nbds> or C<nbd>.
> +
> +=item C<LIBNBD_TLS_REQUIRE>
> +
> +TLS URIs are required. All URIs must use C<nbs>.
C<nbds>
> +=item Connect to Unix domain socket in the local filesystem
> +
> +Default: allowed
> +
> +To prevent this you must disable the C<+unix> transport
Is the + in C<+unix> intention...
2019 Oct 01
0
[libnbd PATCH] docs: Add libnbd-security(1) man page
...ecurity issues found in libnbd.
+
+For how to report new security issues, see the C<SECURITY> file in the
+top level source directory, also available online here:
+L<https://github.com/libguestfs/libnbd/blob/master/SECURITY>
+
+=head2 CVE-2019-14842
+protocol downgrade attack when using LIBNBD_TLS_REQUIRE
+
+See the full announcement and links to mitigation, tests and fixes
+here:
+https://www.redhat.com/archives/libguestfs/2019-September/msg00128.html
+
+=head1 SEE ALSO
+
+L<libnbd(1)>.
+
+=head1 AUTHORS
+
+Eric Blake
+
+Richard W.M. Jones
+
+=head1 COPYRIGHT
+
+Copyright (C) 2019 Red Hat In...
2019 Sep 16
1
[libnbd PATCH] api: Add set_handshake_flags for integration
...E.CHECK_GFLAGS:
uint32_t cflags;
- h->gflags = be16toh (h->gflags);
- if ((h->gflags & NBD_FLAG_FIXED_NEWSTYLE) == 0 &&
+ h->gflags &= be16toh (h->sbuf.gflags);
+ if ((h->gflags & LIBNBD_HANDSHAKE_FLAG_FIXED_NEWSTYLE) == 0 &&
h->tls == LIBNBD_TLS_REQUIRE) {
SET_NEXT_STATE (%.DEAD);
- set_error (ENOTSUP, "handshake: server is not fixed newstyle, "
+ set_error (ENOTSUP, "handshake: server is not using fixed newstyle, "
"but handle TLS setting is 'require' (2)");
return 0;
}
-...