aboutsummaryrefslogtreecommitdiff
path: root/nbd/server.c
diff options
context:
space:
mode:
authorEric Blake <eblake@redhat.com>2016-04-14 16:02:23 -0600
committerMax Reitz <mreitz@redhat.com>2016-04-15 17:56:56 +0200
commitd1129a8ad96af6bc47404490769a637bcd860493 (patch)
treecb982c9869a1919426e1b74366f5788c744bea31 /nbd/server.c
parent23994a5f524aa575c7a4b2e5250f17b127d2cf2f (diff)
downloadqemu-d1129a8ad96af6bc47404490769a637bcd860493.zip
qemu-d1129a8ad96af6bc47404490769a637bcd860493.tar.gz
qemu-d1129a8ad96af6bc47404490769a637bcd860493.tar.bz2
nbd: Don't kill server on client that doesn't request TLS
Upstream NBD documents (as of commit 4feebc95) that servers MAY choose to operate in a conditional mode, where it is up to the client whether to use TLS. For qemu's case, we want to always be in FORCEDTLS mode, because of the risk of man-in-the-middle attacks, and since we never export more than one device; likewise, the qemu client will ALWAYS send NBD_OPT_STARTTLS as its first option. But now that SELECTIVETLS servers exist, it is feasible to encounter a (non-qemu) client that is programmed to talk to such a server, and does not do NBD_OPT_STARTTLS first, but rather wants to probe if it can use a non-encrypted export. The NBD protocol documents that we should let such a client continue trying, on the grounds that maybe the client will get the hint to send NBD_OPT_STARTTLS, rather than immediately dropping the connection. Note that NBD_OPT_EXPORT_NAME is a special case: since it is the only option request that can't have an error return, we have to (continue to) drop the connection on that one; rather, what we are fixing here is that all other replies prior to TLS initiation tell the client NBD_REP_ERR_TLS_REQD, but keep the connection alive. Signed-off-by: Eric Blake <eblake@redhat.com> Message-id: 1460671343-18485-1-git-send-email-eblake@redhat.com Signed-off-by: Max Reitz <mreitz@redhat.com>
Diffstat (limited to 'nbd/server.c')
-rw-r--r--nbd/server.c15
1 files changed, 13 insertions, 2 deletions
diff --git a/nbd/server.c b/nbd/server.c
index 2a4dd10..a13a691 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -449,11 +449,19 @@ static int nbd_negotiate_options(NBDClient *client)
client->ioc = QIO_CHANNEL(tioc);
break;
+ case NBD_OPT_EXPORT_NAME:
+ /* No way to return an error to client, so drop connection */
+ TRACE("Option 0x%x not permitted before TLS", clientflags);
+ return -EINVAL;
+
default:
TRACE("Option 0x%x not permitted before TLS", clientflags);
+ if (nbd_negotiate_drop_sync(client->ioc, length) != length) {
+ return -EIO;
+ }
nbd_negotiate_send_rep(client->ioc, NBD_REP_ERR_TLS_REQD,
clientflags);
- return -EINVAL;
+ break;
}
} else if (fixedNewstyle) {
switch (clientflags) {
@@ -471,6 +479,9 @@ static int nbd_negotiate_options(NBDClient *client)
return nbd_negotiate_handle_export_name(client, length);
case NBD_OPT_STARTTLS:
+ if (nbd_negotiate_drop_sync(client->ioc, length) != length) {
+ return -EIO;
+ }
if (client->tlscreds) {
TRACE("TLS already enabled");
nbd_negotiate_send_rep(client->ioc, NBD_REP_ERR_INVALID,
@@ -480,7 +491,7 @@ static int nbd_negotiate_options(NBDClient *client)
nbd_negotiate_send_rep(client->ioc, NBD_REP_ERR_POLICY,
clientflags);
}
- return -EINVAL;
+ break;
default:
TRACE("Unsupported option 0x%x", clientflags);
if (nbd_negotiate_drop_sync(client->ioc, length) != length) {