Re: [Nbd] [PATCHv2 0/6] Introduce TLS on nbdserver
On Mon, Apr 11, 2016 at 06:15:33PM +0100, Alex Bligh wrote:
> This is an RFC patch to introduce TLS support on nbdserver.
>
> This is *NOT* production ready by any means, and is submitted for comment.
>
> I have added crypto-gnutls.[ch] from:
> github.com/abligh/tlsproxy
> which is my attempt at an MIT licenced GnuTLS proxy. The proxy element
> is standalone, and is incorporated here. Whilst it's not GPL licensed,
> MIT is compatible. Also it uses GNU format indentation (sorry about that).
> However, it (together with buffer.[ch]) is almost entirely self-contained.
>
> The same approach (believe it or not) could be taken for nbdclient (which
> is my plan). As the proxy runs as an independent process, nbdclient can
> launch it, then call the DOIT ioctl() on one end of the created socketpair().
> The proxy process then drops into the background and closes after
> either the kernel closes the socket or the other end closes the socket.
>
> I have tested this to a minimal extent against qemu-img (i.e. qemu
> acting as a client). The problem (see nbdgeneral ad nauseam) we have
> with NBD_CMD_DISC means that we see false reports of 'magic number mismatch'.
> This appears to be because read() returns 0 in negotiate(), and nbdserver
> does not check for this. It then reverses (again) the *previous* magic
> number, using ntohll(), and this causes the 'magic number mismatch' issue.
> This isn't really a problem but causes confusing errors.
>
> The first two patches are preparatory work, and the third patch actually
> adds NBD_OPT_STARTTLS. The comment in that patch shows what is left to
> figure out.
>
> Changes from v1:
>
> * Added support for TLS to nbd-tester-client. Weirdly it passed first
> time.
Cute :-)
> * In doing so, folded the two patches to nbd-tester-client.c into this
> series. Note the FIXED_NEWSTYLE patch earlier missed host/network ordering.
Now he tells me ;-)
I've already merged it, but will add the necessary fix.
> * Per Wouter, use AM_CONDITIONAL rather than #ifdef'ing out files
>
> * Per Wouter, do the test for GnuTLS later.
>
> Alex Bligh (6):
> Make nbd-tester-client use FIXED_NEWSTYLE negotiation
> Fix whitespacing and indentation in nbd-tester-client.c
These two were merged (modulo the above)
> Add GnuTLS infrastructure
> Add options for TLS support for server
> Add TLS support to server
> Add TLS testing to nbd-tester-client.c
These weren't, for obvious reasons.
--
< ron> I mean, the main *practical* problem with C++, is there's like a dozen
people in the world who think they really understand all of its rules,
and pretty much all of them are just lying to themselves too.
-- #debian-devel, OFTC, 2016-02-12
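The "magic number mismatch" confusion Alex describes above comes from negotiate() not checking for a read() that returns 0 at client disconnect, then byte-swapping the stale previous magic a second time. The following is an added example, not code from nbd or from the patch series, showing the defect beside a hardened reader: read_exact, read_opt_magic, read_opt_magic_unchecked, ntohll_portable and simulate are hypothetical helper names, the magic bytes are constructed from the NBD_OPTS_MAGIC constant, and the pipe stands in for a client socket that closes after one option.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Result codes for read_exact: a clean EOF is distinct from an error. */
enum read_status { READ_OK = 0, READ_EOF = 1, READ_ERROR = -1 };

/* Read exactly len bytes from fd, looping over short reads.
 * A 0 return from read() is reported as READ_EOF instead of being
 * ignored, so the caller never reuses stale bytes left in buf. */
static enum read_status read_exact(int fd, void *buf, size_t len) {
    unsigned char *p = buf;
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, p + got, len - got);
        if (n == 0) return READ_EOF;
        if (n < 0) { if (errno == EINTR) continue; return READ_ERROR; }
        got += (size_t)n;
    }
    return READ_OK;
}

/* Hypothetical portable stand-in for ntohll(): big-endian wire to host. */
static uint64_t ntohll_portable(uint64_t v) {
    unsigned char b[8];
    memcpy(b, &v, 8);
    uint64_t r = 0;
    for (int i = 0; i < 8; i++) r = (r << 8) | b[i];
    return r;
}

#define NBD_OPTS_MAGIC 0x49484156454F5054ULL /* "IHAVEOPT", per the NBD protocol */

enum negotiate_status { NEG_OK, NEG_CLIENT_CLOSED, NEG_MAGIC_MISMATCH, NEG_IO_ERROR };
typedef enum negotiate_status (*magic_reader)(int fd, uint64_t *magic);

/* Defective pattern: the read() result is ignored, so on EOF *magic keeps
 * the previous (already host-order) value and is byte-swapped again,
 * producing a spurious mismatch rather than a clean disconnect report. */
static enum negotiate_status read_opt_magic_unchecked(int fd, uint64_t *magic) {
    (void)read(fd, magic, sizeof *magic);
    *magic = ntohll_portable(*magic);
    return *magic == NBD_OPTS_MAGIC ? NEG_OK : NEG_MAGIC_MISMATCH;
}

/* Hardened reader: EOF and I/O errors are classified before any swap. */
static enum negotiate_status read_opt_magic(int fd, uint64_t *magic) {
    uint64_t wire;
    enum read_status st = read_exact(fd, &wire, sizeof wire);
    if (st == READ_EOF) return NEG_CLIENT_CLOSED;
    if (st == READ_ERROR) return NEG_IO_ERROR;
    *magic = ntohll_portable(wire);
    return *magic == NBD_OPTS_MAGIC ? NEG_OK : NEG_MAGIC_MISMATCH;
}

/* Constructed wire bytes: one valid option magic in network order. */
static const unsigned char good_magic[8] = {0x49,0x48,0x41,0x56,0x45,0x4F,0x50,0x54};
static const unsigned char bad_magic[8]  = {0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77};

/* Feed bytes through a pipe, close the writer (the "client disconnect"),
 * then call the reader `reads` times and return the last status. */
static enum negotiate_status simulate(magic_reader fn, const unsigned char *bytes,
                                      size_t n, int reads) {
    int fds[2];
    if (pipe(fds) != 0) return NEG_IO_ERROR;
    if (n > 0 && write(fds[1], bytes, n) != (ssize_t)n) {
        close(fds[0]); close(fds[1]);
        return NEG_IO_ERROR;
    }
    close(fds[1]);
    uint64_t magic = 0;
    enum negotiate_status r = NEG_IO_ERROR;
    for (int i = 0; i < reads; i++) r = fn(fds[0], &magic);
    close(fds[0]);
    return r;
}

int main(void) {
    printf("checked, after disconnect:   %d (1 = client closed)\n",
           simulate(read_opt_magic, good_magic, 8, 2));
    printf("unchecked, after disconnect: %d (2 = false mismatch)\n",
           simulate(read_opt_magic_unchecked, good_magic, 8, 2));
    return 0;
}
```

The second call in each run models the client sending NBD_CMD_DISC-style teardown after one option: the checked reader reports NEG_CLIENT_CLOSED, while the unchecked one never does and instead re-swaps the stale value.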