Displaying 20 results from an estimated 6000 matches similar to: "[LIBNBD SECURITY PATCH 0/1] NBD Protocol Downgrade Attack in libnbd"
2019 Sep 16
1
[libnbd PATCH] states: Avoid magic number for h->tls
When we moved to an enum instead of raw int for nbd_set_tls(), we
should have also updated our code to prefer the enum values. While at
it, improve the grammar of error messages (confusing since 632196ec,
and copy-and-pasted into more locations since then).
Fixes: 4488cf2a
Thanks: Rich Jones
---
Rich noticed this while reviewing the patch for today's CVE fix. It's
not a show-stopper if
2019 Sep 16
1
[libnbd PATCH] api: Add set_handshake_flags for integration
Similar to the recent --mask-handshake command line added to nbdkit to
test client fallbacks to crippled servers, it can be worth testing
server fallbacks to crippled clients. And just as we have exposed
whether the client will request structured replies, we can also expose
whether the client will understand various handshake flags from the
NBD protocol.
Of course, we default to supporting all
2019 Sep 17
3
[PATCH libnbd 1/2] api: Add new API to read whether TLS was negotiated.
When LIBNBD_TLS_ALLOW is used we don't have a way to find out if TLS
was really negotiated. This adds a flag and a way to read it back.
Unfortunately there is no test yet, because LIBNBD_TLS_ALLOW is not
tested -- it really should be but requires quite a complicated set of
tests because ideally we'd like to find out whether it falls back
correctly for all supported servers.
---
TODO
2020 Aug 11
3
Re: [libnbd PATCH] API: Add nbd_set_opt_mode to expose NEGOTIATING state
On 8/11/20 12:12 PM, Richard W.M. Jones wrote:
> I think this needs extra documentation in docs/libnbd.pod because it's
> definitely not clear just from the rather thin manual page for
> set_opt_mode how it works. docs/libnbd.pod is a good place for a
> broader description of how it works.
Yes, good idea.
State-wise, the existing flow was:
Created
- Progress only by command
2019 Sep 17
0
[PATCH libnbd 2/2] api: New API for reading NBD protocol.
This commit adds a new API which can be used from the connected to
state to read back which NBD protocol (eg. oldstyle, newstyle-fixed)
we are using.
It was helpful to add a new state in newstyle negotiation
(%NEWSTYLE.FINISHED) so we can route all successful option
negotiations through a single path before moving to the %READY state,
allowing us to set h->protocol in one place.
---
2019 Sep 24
11
[PATCH nbdkit 0/4] common/protocol: Unify public <nbd-protocol.h>
We should have only one NBD protocol file. Let's make nbdkit's
version the canonical one, and use it in libnbd.
Rich.
2016 Jan 11
1
[PATCH] Add support for newstyle NBD protocol (RHBZ#1297100).
Experimental and only very lightly tested so far.
Rich.
2020 Aug 11
3
[libnbd PATCH] API: Add nbd_set_opt_mode to expose NEGOTIATING state
This is the bare minimum needed to allow the user to take control over
the rest of option negotiating. This patch adds several new API:
nbd_set_opt_mode() - called during Created to enable the new mode
nbd_get_opt_mode() - query whether opt mode is enabled
nbd_opt_go() - used in Negotiating state to attempt to use export
nbd_opt_abort() - used in Negotiating state to skip Connected state
2020 Aug 14
18
[libnbd PATCH v2 00/13] Adding nbd_set_opt_mode to improve nbdinfo
Well, I'm not quite done (I still want to get nbdinfo to work on a
single nbd connection for all cases when reading the heads of the
file is not required), but I'm happy with patches 1-11, and 12-13
show where I'm headed for getting NBD_OPT_INFO to work. Posting
now to see if some of the earlier patches are ready to commit while
I continue working on the latter half.
Eric Blake (13):
2019 Sep 25
3
[nbdkit PATCH 0/2] more protocol.h tweaks
More nbd-protocol.h improvements
Eric Blake (2):
common/protocol: Switch nbdmagic to uint64_t
common/protocol: Declare additional constants
common/protocol/nbd-protocol.h | 16 ++++++++++------
server/protocol-handshake-newstyle.c | 2 +-
server/protocol-handshake-oldstyle.c | 2 +-
plugins/nbd/nbd-standalone.c | 2 +-
tests/test-layers.c | 2 +-
5 files
2019 Sep 17
1
Re: [PATCH libnbd 2/2] api: New API for reading NBD protocol.
On 9/17/19 5:02 AM, Richard W.M. Jones wrote:
> This commit adds a new API which can be used from the connected to
> state to read back which NBD protocol (eg. oldstyle, newstyle-fixed)
> we are using.
Somewhat of an overlap with my get_handshake_flags (as newstyle-fixed
corresponds to whether handshake_flags includes the FIXED_NEWSTYLE
flag), but I don't see the redundancy as an
2019 Sep 24
0
[PATCH nbdkit 3/4] common/protocol: Update nbd-protocol.h so it matches libnbd’s copy.
Diff against libnbd’s copy of this file, and change this one until it
matches.
---
common/protocol/nbd-protocol.h | 76 +++++++++++++++++-----------
server/protocol-handshake-newstyle.c | 26 +++++-----
server/protocol-handshake-oldstyle.c | 4 +-
server/protocol.c | 25 ++++-----
tests/test-layers.c | 14 ++---
5 files changed, 81 insertions(+), 64
2019 May 23
5
[PATCH libnbd 0/3] Prevent some misuse of multi-conn.
Per recent discussion here:
https://www.redhat.com/archives/libguestfs/2019-May/thread.html#00175
2017 Nov 15
1
[nbdkit PATCH] connections: Extract common export flag computation code
No need to duplicate maintenance of export flag computation between
old and new style handshakes.
Signed-off-by: Eric Blake <eblake@redhat.com>
---
src/connections.c | 120 +++++++++++++++++++++---------------------------------
1 file changed, 47 insertions(+), 73 deletions(-)
diff --git a/src/connections.c b/src/connections.c
index 8dc1925..f9edea7 100644
--- a/src/connections.c
+++
2020 Aug 14
0
[libnbd PATCH v2 06/13] api: Add nbd_opt_abort and nbd_aio_opt_abort
It is finally time to introduce our first negotiating option command.
With this change, we can now enter NEWSTYLE.START more than once; as
such, it needs to know whether it is the first entry (proceed with
gflags/cflags, TLS, and structured reply) or a later entry (all
nbd_opt_* will cause an IssueCommand event to kick the state machine
out of NEGOTIATING, at which point we want to jump to the
2019 Sep 12
3
[nbdkit PATCH 0/2] Make client fallback testing easier
This is similar to the recent --no-sr option - it's a change that is
unlikely to ever be used except by someone testing whether a client is
compliant to the protocol, but in that niche case, it can be quite
handy (it's a lot nicer to be able to purposefully cripple a server
from the command line than from a one-off compile, when testing if a
client's fallback for a spec-compliant but
2019 May 23
0
[PATCH libnbd 1/3] states: Factor out common code for setting export size and eflags.
Simple refactoring.
---
generator/states-newstyle-opt-export-name.c | 12 +++++------
generator/states-newstyle-opt-go.c | 13 ++++++------
generator/states-oldstyle.c | 10 +++-------
lib/flags.c | 22 +++++++++++++++++++++
lib/internal.h | 5 +++++
5 files changed, 42 insertions(+), 20 deletions(-)
diff
2016 Sep 26
1
[PATCH] nbdkit: flags are 32 bits for oldstyle connections
# HG changeset patch
# User Carl-Daniel Hailfinger <Carl-Daniel.Hailfinger@inf.h-brs.de>
# Date 1474903734 -7200
# Mon Sep 26 17:28:54 2016 +0200
# Node ID dbd1ea0a401cedcfa426097a289d852971b14f1e
# Parent d7d5078d08c711032837dcac79a4450226ec2ce5
nbdkit: Fix flags in old-style connection
diff -r d7d5078d08c7 -r dbd1ea0a401c src/connections.c
--- a/src/connections.c Sun Sep 25 05:04:02
2019 Oct 20
2
[PATCH libnbd] api: Allow NBD URIs to be restricted.
Previous discussion:
https://www.redhat.com/archives/libguestfs/2019-August/msg00102.html
Last night I experimentally added support for URIs that contain the
query parameter tls-psk-file, as part of rewriting the tests to cover
more of the URI code. So you can now have a URI like:
nbds://alice@localhost/?tls-psk-file=keys.psk
However there's an obvious security problem here because now
2020 Aug 11
0
Re: [libnbd PATCH] API: Add nbd_set_opt_mode to expose NEGOTIATING state
I think this needs extra documentation in docs/libnbd.pod because it's
definitely not clear just from the rather thin manual page for
set_opt_mode how it works. docs/libnbd.pod is a good place for a
broader description of how it works.
IIUC let me try to explain: we get through as far as the end of group
OPT_STRUCTURED_REPLY before we check the opt flag, and then the
remainder of opt