
Re: [Nbd] [PATCHv2 0/6] Introduce TLS on nbdserver



On Mon, Apr 11, 2016 at 06:15:33PM +0100, Alex Bligh wrote:
> This is an RFC patch to introduce TLS support on nbdserver.
> 
> This is *NOT* production ready by any means, and is submitted for comment.
> 
> I have added crypto-gnutls.[ch] from:
>  github.com/abligh/tlsproxy
> which is my attempt at an MIT licenced GnuTLS proxy. The proxy element
> is standalone, and is incorporated here. Whilst it's not GPL licensed,
> MIT is compatible. Also it uses GNU format indentation (sorry about that).
> However, it (together with buffer.[ch]) is almost entirely self-contained.
> 
> The same approach (believe it or not) could be taken for nbdclient (which
> is my plan). As the proxy runs as an independent process, nbdclient can
> launch it, then call the DOIT ioctl() on one end of the created socketpair().
> The proxy process then drops into the background and closes after
> either the kernel closes the socket or the other end closes the socket.
> 
> I have tested this to a minimal extent against qemu-img (i.e. qemu
> acting as a client). The problem (see nbdgeneral ad nauseam) we have
> with NBD_CMD_DISC means that we see false reports of 'magic number mismatch'.
> This appears to be because read() returns 0 in negotiate(), and nbdserver
> does not check for this. It then reverses (again) the *previous* magic
> number, using ntohll(), and this causes the 'magic number mismatch' issue.
> This isn't really a problem but causes confusing errors.
> 
> The first two patches are preparatory work, and the third patch actually
> adds NBD_OPT_STARTTLS. The comment in that patch shows what is left to
> figure out.
> 
> Changes from v1:
> 
> * Added support for TLS to nbd-tester-client. Weirdly it passed first
>   time.

Cute :-)

> * In doing so, folded the two patches to nbd-tester-client.c into this
>   series. Note the FIXED_NEWSTYLE patch earlier missed host/network
>   ordering.

Now he tells me ;-)

I've already merged it, but will add the necessary fix.

> * Per Wouter, use AM_CONDITIONAL rather than #ifdef'ing out files
> 
> * Per Wouter, do the test for GnuTLS later.
> 
> Alex Bligh (6):
>   Make nbd-tester-client use FIXED_NEWSTYLE negotiation
>   Fix whitespacing and indentation in nbd-tester-client.c

These two were merged (modulo the above)

>   Add GnuTLS infrastructure
>   Add options for TLS support for server
>   Add TLS support to server
>   Add TLS testing to nbd-tester-client.c

These weren't, for obvious reasons.

-- 
< ron> I mean, the main *practical* problem with C++, is there's like a dozen
       people in the world who think they really understand all of its rules,
       and pretty much all of them are just lying to themselves too.
 -- #debian-devel, OFTC, 2016-02-12
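The EOF handling discussed in the quoted cover letter (read() returning 0 in negotiate() and the *previous* magic then being ntohll()'d again), as an added C example that is not code from nbd-server or this patch series: a read helper that reports a closed peer distinctly so the magic comparison is never reached with a stale value. The IHAVEOPT option magic is the NBD protocol constant; the pipe-fed wire bytes are constructed for the demo.

```c
#include <errno.h>
#include <stdint.h>
#include <unistd.h>

/* NBD option-header magic "IHAVEOPT" (protocol constant). */
#define NBD_OPT_MAGIC 0x49484156454F5054ULL

typedef enum { READ_OK = 0, READ_EOF = 1, READ_ERR = -1 } read_status;

/* Read exactly len bytes. A short read is retried; a 0 return from read()
 * (peer closed, e.g. after NBD_CMD_DISC) is reported as READ_EOF instead
 * of being silently ignored, which is the defect described above. */
static read_status read_all(int fd, void *buf, size_t len) {
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, (char *)buf + got, len - got);
        if (n == 0) return READ_EOF;
        if (n < 0) { if (errno == EINTR) continue; return READ_ERR; }
        got += (size_t)n;
    }
    return READ_OK;
}

/* Read one big-endian 64-bit magic; *magic is left untouched unless all
 * 8 bytes arrived, so a stale value can never be byte-swapped twice. */
read_status read_opt_magic(int fd, uint64_t *magic) {
    unsigned char raw[8];
    read_status st = read_all(fd, raw, sizeof raw);
    if (st != READ_OK) return st;
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v = (v << 8) | raw[i];  /* portable ntohll */
    *magic = v;
    return READ_OK;
}

/* Constructed demo: a pipe carries one option header, then the writer
 * closes, as a client does on disconnect. Returns the number of valid
 * headers seen before EOF (expected 1), or -1 on setup failure. */
int demo_disconnect_after_one_option(void) {
    int p[2];
    const unsigned char wire[8] = {0x49,0x48,0x41,0x56,0x45,0x4f,0x50,0x54};
    if (pipe(p) != 0) return -1;
    if (write(p[1], wire, sizeof wire) != (ssize_t)sizeof wire) return -1;
    close(p[1]);
    uint64_t magic = 0; int seen = 0;
    while (read_opt_magic(p[0], &magic) == READ_OK && magic == NBD_OPT_MAGIC) seen++;
    close(p[0]);
    return seen;
}
```

The second iteration of the loop hits EOF and stops cleanly; without the `n == 0` check the loop would compare the stale, already-converted value and report a spurious "magic number mismatch".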