review.tizen.org Git - platform/upstream/nbd.git/commit

author	Eric Blake <eblake@redhat.com>
	Thu, 12 Aug 2021 14:52:13 +0000 (09:52 -0500)
committer	Eric Blake <eblake@redhat.com>
	Mon, 16 Aug 2021 18:21:10 +0000 (13:21 -0500)
commit	77e55378096aa0486cdde08665084128de050b37
tree	a961b59a6c5d88ede05d1dc28f227d964f6faf5a	tree \| snapshot
parent	b7cb250ce59429a15b8bb15e831dba8e9739d198	commit \| diff

spec: Clarify STARTTLS vs. STRUCTURED_REPLY

Consider a SELECTIVETLS server and a MitM attacker, under the
following NBD_OPT_ handshake scenario:

client:                  mitm:                    server:
> _STARTTLS
                          > _STRUCTURED_REPLY
                                                   < _REP_ACK
                          > _STARTTLS
                                                   < _REP_ACK
                          < _REP_ACK
> _GO
                          > _GO
                                                   < _REP_ACK
                          < _REP_ACK
> NBD_CMD_READ

In this scenario, the client is NOT expecting structured replies from
the server, but if the server feels obligated to send them based on
the plaintext negotiation, it may confuse the client.  The MitM
attacker was thus able to corrupt the connection, even without having
any encryption keys.  The only sane approach is to forbid ALL stateful
negotiations from having any effect post-encryption (the MitM's
injected packet is effectively ignored, and the client proceeds
without structured replies).

Unfortunately, nbdkit 1.26.0 is buggy in this regards - a CVE will be
opened against that product.  nbd-server does not yet understand
NBD_OPT_STRUCTURED_REPLY, and qemu as server does not use SELECTIVETLS
mode, so they are immune.