search for: old_handshake

...t;but handle TLS setting is 'require' (2)"); return 0; } diff --git a/generator/states-oldstyle.c b/generator/states-oldstyle.c index 1aff185..babefc0 100644 --- a/generator/states-oldstyle.c +++ b/generator/states-oldstyle.c @@ -46,13 +46,13 @@ gflags = be16toh (h->sbuf.old_handshake.gflags); eflags = be16toh (h->sbuf.old_handshake.eflags); - /* Server is unable to upgrade to TLS. If h->tls is not require (2) + /* Server is unable to upgrade to TLS. If h->tls is not 'require' (2) * then we can continue unencrypted. */ - if (h->tls == 2) { +...

...2971b14f1e # Parent d7d5078d08c711032837dcac79a4450226ec2ce5 nbdkit: Fix flags in old-style connection diff -r d7d5078d08c7 -r dbd1ea0a401c src/connections.c --- a/src/connections.c Sun Sep 25 05:04:02 2016 +0200 +++ b/src/connections.c Mon Sep 26 17:28:54 2016 +0200 @@ -155,7 +155,7 @@ struct old_handshake handshake; int64_t r; uint64_t exportsize; - uint16_t gflags, eflags; + uint32_t flags; int fl; r = plugin_get_size (conn); @@ -169,14 +169,13 @@ exportsize = (uint64_t) r; conn->exportsize = exportsize; - gflags = 0; - eflags = NBD_FLAG_HAS_FLAGS; + flags = NBD_FLAG_H...

Experimental and only very lightly tested so far. Rich.

...n->is_rotational = 1; + } + + fl = plugin_can_trim (conn); + if (fl == -1) + return -1; + if (fl) { + eflags |= NBD_FLAG_SEND_TRIM; + conn->can_trim = 1; + } + + *flags = eflags; + return 0; +} + +static int _negotiate_handshake_oldstyle (struct connection *conn) { struct old_handshake handshake; int64_t r; uint64_t exportsize; uint16_t gflags, eflags; - int fl; /* In --tls=require / FORCEDTLS mode, old style handshakes are * rejected because they cannot support TLS. @@ -265,43 +309,8 @@ _negotiate_handshake_oldstyle (struct connection *conn) conn->exports...

We discovered a possible Downgrade Attack in libnbd. Lifecycle --------- Reported: 2019-09-14 Fixed: 2019-09-16 Published: 2019-09-16 There is no CVE number assigned for this issue yet, but the bug is being categorized and processed by Red Hat's security team which may result in a CVE being published later. Description ----------- Libnbd includes the method nbd_set_tls(h,

Accepting only Unix sockets can be a bit limiting; let's be more flexible. Eric Blake (2): nbd: Refactor Unix socket connection nbd: Support TCP socket plugins/nbd/nbdkit-nbd-plugin.pod | 36 ++++-- plugins/nbd/nbd.c | 175 ++++++++++++++++++++++-------- TODO | 3 - 3 files changed, 161 insertions(+), 53 deletions(-) -- 2.20.1

...ic void * nbd_open (int readonly) @@ -492,6 +644,7 @@ nbd_open (int readonly) } version = be64toh (old.version); if (version == OLD_VERSION) { + nbdkit_debug ("trying oldstyle connection"); if (read_full (h->fd, (char *) &old + offsetof (struct old_handshake, exportsize), sizeof old - offsetof (struct old_handshake, exportsize))) { @@ -508,6 +661,7 @@ nbd_open (int readonly) struct new_handshake_finish finish; size_t expect; + nbdkit_debug ("trying newstyle connection"); if (read_full (h->fd, &gfl...

...&trans); + assert (err < 0 || cookie == trans.cookie); + if (err > 0) + errno = err; + return err ? -1 : 0; +} + +/* Create the per-connection handle. */ +static void * +nbd_open (int readonly) +{ + struct handle *h; + struct sockaddr_un sock = { .sun_family = AF_UNIX }; + struct old_handshake old; + uint64_t version; + + h = calloc (1, sizeof *h); + if (h == NULL) { + nbdkit_error ("malloc: %m"); + return NULL; + } + h->fd = socket (AF_UNIX, SOCK_STREAM, 0); + if (h->fd < 0) { + nbdkit_error ("socket: %m"); + return NULL; + } + strncpy (s...

...tocol.h b/common/protocol/nbd-protocol.h index 60d35d0..724ffb6 100644 --- a/common/protocol/nbd-protocol.h +++ b/common/protocol/nbd-protocol.h @@ -40,37 +40,46 @@ * these structures. */ +#define NBD_MAX_STRING 4096 /* Maximum length of a string field */ + /* Old-style handshake. */ -struct old_handshake { +struct nbd_old_handshake { char nbdmagic[8]; /* "NBDMAGIC" */ - uint64_t version; /* OLD_VERSION */ + uint64_t version; /* NBD_OLD_VERSION */ uint64_t exportsize; uint16_t gflags; /* global flags */ uint16_t eflags; /* p...

I got annoyed by qemu-nbd's default of only allowing a single connection; combine that with nbdkit's nbd plugin, and even 'qemu-nbd --list' of nbdkit counts as the single connection and immediately hangs up. If we introduce a shared mode, then 'qemu-nbd --list' can connect as many times as it wants without killing the original qemu-nbd wrapped by nbdkit. But this in turn

...if (errno == EINTR || errno == EAGAIN) + continue; + return -1; + } + buf += r; + len -= r; + } + return 0; +} + +/* Create the per-connection handle. */ +static void * +nbd_open (int readonly) +{ + struct handle *h; + struct sockaddr_un sock = { .sun_family = AF_UNIX }; + struct old_handshake old; + uint64_t version; + + h = calloc (1, sizeof *h); + if (h == NULL) { + nbdkit_error ("malloc: %m"); + return NULL; + } + h->fd = socket (AF_UNIX, SOCK_STREAM, 0); + if (h->fd < 0) { + nbdkit_error ("socket: %m"); + return NULL; + } + strncpy (s...

...gs == 0 from server"); return -1; } } diff --git a/generator/states-oldstyle.c b/generator/states-oldstyle.c index 95b7df9..29cb341 100644 --- a/generator/states-oldstyle.c +++ b/generator/states-oldstyle.c @@ -47,14 +47,10 @@ eflags = be16toh (conn->sbuf.old_handshake.eflags); conn->gflags = gflags; - conn->h->exportsize = exportsize; - conn->h->eflags = eflags; - debug (conn->h, "exportsize: %" PRIu64 " eflags: 0x%" PRIx16 - " gflags: 0x%" PRIx16, - exportsize, eflags, gflags); - if (eflag...

...sizeof (int)) == -1) { - nbdkit_error ("cannot set TCP_NODELAY option: %m"); - close (fd); - return -1; - } - return fd; -} - /* Create the shared or per-connection handle. */ static struct handle * nbdplug_open_handle (int readonly) { struct handle *h; - struct old_handshake old; - uint64_t version; + int r; h = calloc (1, sizeof *h); if (h == NULL) { nbdkit_error ("malloc: %m"); return NULL; } + if (pipe (h->fds)) { + nbdkit_error ("pipe: %m"); + free (h); + return NULL; + } retry: + h->fd = -1; + h->n...

...sizeof (int)) == -1) { - nbdkit_error ("cannot set TCP_NODELAY option: %m"); - close (fd); - return -1; - } - return fd; -} - /* Create the shared or per-connection handle. */ static struct handle * nbdplug_open_handle (int readonly) { struct handle *h; - struct old_handshake old; - uint64_t version; + int r; h = calloc (1, sizeof *h); if (h == NULL) { nbdkit_error ("malloc: %m"); return NULL; } + if (pipe (h->fds)) { + nbdkit_error ("pipe: %m"); + free (h); + return NULL; + } retry: + h->fd = -1; + h->n...

I'm still working on the interleaving (and Rich reminded me on IRC that we still don't have THREAD_MODEL_PARALLEL working anywhere yet, anyways). Since nbdkit doesn't really have a parallel plugin yet, my testing on that front will have to use qemu-nbd as the original server, as well as qemu-io as the driver (qemu-io's aio_read and aio_write commands can be used to trigger

This isn't quite finished because not all of the tests or examples have been updated, but it demonstrates an idea: Should we forget about the concept of having multiple connections managed under a single handle? In this patch there is a single ‘struct nbd_handle *’ which manages a single state machine and connection (and therefore no nbd_connection). To connect to a multi-conn server you must

...buf, size_t len) @@ -960,9 +979,9 @@ nbd_connect_tcp (void) return fd; } -/* Create the per-connection handle. */ -static void * -nbd_open (int readonly) +/* Create the shared or per-connection handle. */ +static struct handle * +nbd_open_handle (int readonly) { struct handle *h; struct old_handshake old; @@ -1091,12 +1110,19 @@ nbd_open (int readonly) return NULL; } +/* Create the per-connection handle. */ +static void * +nbd_open (int readonly) +{ + if (shared) + return shared_handle; + return nbd_open_handle (readonly); +} + /* Free up the per-connection handle. */ static void -n...

Patch 1 played with an early draft of Rich's Fedora 30 libnbd package: https://bugzilla.redhat.com/show_bug.cgi?id=1713767#c17 Note that comment 21 provides a newer package 0.1.1-1 with a different API; and that libnbd has more unreleased API changes in the pipeline (whether that will be called 0.2 or 0.1.2); so we'll have to tweak things based on what is actually available in distros.

libnbd-0.1.2-1 is now available in Fedora 29/30 updates-testing, although it was not compiled against libxml2 so it lacks uri support (I ended up testing patch 4 with a self-built libnbd). Diffs since v1 - rebase to master, bump from libnbd 0.1 to 0.1.2, add URI support, better timing results Still not done - patch 5 needs associated tests Eric Blake (5): nbd: Check for libnbd nbd:

libnbd-0.1.4-1 is now available in Fedora 29/30 updates testing. Diffs since v2 - rebase to master, bump from libnbd 0.1.2 to 0.1.3+, add tests to TLS usage which flushed out the need to turn relative pathnames into absolute, doc tweaks Now that the testsuite covers TLS and libnbd has been fixed to provide the things I found lacking when developing v2, I'm leaning towards pushing this on