diff --git a/SOURCES/0004-build-Move-to-minimum-gnutls-3.5.18.patch b/SOURCES/0004-build-Move-to-minimum-gnutls-3.5.18.patch
new file mode 100644
index 0000000..f425d68
--- /dev/null
+++ b/SOURCES/0004-build-Move-to-minimum-gnutls-3.5.18.patch
@@ -0,0 +1,91 @@ +From 596626369b90016f6852610c217da22668158521 Mon Sep 17 00:00:00 2001 +From: "Richard W.M. Jones" +Date: Tue, 25 Jun 2024 10:55:54 +0100 +Subject: [PATCH] build: Move to minimum gnutls >= 3.5.18 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This version matches current qemu. + +RHEL 7 gnutls is too old (lacks gnutls_session_set_verify_cert), which +means TLS will be disabled on this platform. RHEL 8 has gnutls 3.6.14. + +I also unconditionally enabled the gnutls/socket.h header. This +header was added in 2016 (gnutls 3.5.3), so it's not present in RHEL 7. + +On RHEL 7 the configure-time test now prints: + + checking for GNUTLS... no + configure: WARNING: gnutls not found or < 3.5.18, TLS support will be disabled. + ... + Optional library features: + TLS support ............................ no + +Reviewed-by: Daniel P. Berrangé +(cherry picked from commit 5ff09cdbbd19226dd2d5015d76134f88dee9321e) +(cherry picked from commit 177fd0847723640829eff8d1ab102f8d28a7328e) +--- + configure.ac | 5 ++--- + lib/crypto.c | 6 ------ + 2 files changed, 2 insertions(+), 9 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 91fe004b..c0d6a472 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -178,13 +178,13 @@ AC_ARG_WITH([gnutls], + [], + [with_gnutls=check]) + AS_IF([test "$with_gnutls" != "no"],[ +- PKG_CHECK_MODULES([GNUTLS], [gnutls >= 3.3.0], [ ++ PKG_CHECK_MODULES([GNUTLS], [gnutls >= 3.5.18], [ + printf "gnutls version is "; $PKG_CONFIG --modversion gnutls + AC_SUBST([GNUTLS_CFLAGS]) + AC_SUBST([GNUTLS_LIBS]) + AC_DEFINE([HAVE_GNUTLS],[1],[gnutls found at compile time.]) + ], [ +- AC_MSG_WARN([gnutls not found or < 3.3.0, TLS support will be disabled.]) ++ AC_MSG_WARN([gnutls not found or < 3.5.18, TLS support will be disabled.]) + ]) + ]) + AM_CONDITIONAL([HAVE_GNUTLS], [test "x$GNUTLS_LIBS" != "x"]) +@@ -210,7 +210,6 @@ AS_IF([test "$GNUTLS_LIBS" != ""],[ + old_LIBS="$LIBS" + 
LIBS="$GNUTLS_LIBS $LIBS" + AC_CHECK_FUNCS([\ +- gnutls_session_set_verify_cert \ + gnutls_transport_is_ktls_enabled \ + ]) + LIBS="$old_LIBS" +diff --git a/lib/crypto.c b/lib/crypto.c +index 22a1cfa5..d131f1d0 100644 +--- a/lib/crypto.c ++++ b/lib/crypto.c +@@ -28,10 +28,8 @@ + + #ifdef HAVE_GNUTLS + #include +-#ifdef HAVE_GNUTLS_SOCKET_H + #include + #endif +-#endif + + #include "internal.h" + #include "nbdkit-string.h" +@@ -532,12 +530,8 @@ set_up_certificate_credentials (struct nbd_handle *h, + return NULL; + + found_certificates: +-#ifdef HAVE_GNUTLS_SESSION_SET_VERIFY_CERT + if (h->hostname && h->tls_verify_peer) + gnutls_session_set_verify_cert (session, h->hostname, 0); +-#else +- debug (h, "ignoring nbd_set_tls_verify_peer, this requires GnuTLS >= 3.4.6"); +-#endif + + err = gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, ret); + if (err < 0) { +-- +2.43.0 + diff --git a/SOURCES/0005-lib-crypto.c-Check-server-certificate-even-when-usin.patch b/SOURCES/0005-lib-crypto.c-Check-server-certificate-even-when-usin.patch new file mode 100644 index 0000000..cf361d0 --- /dev/null +++ b/SOURCES/0005-lib-crypto.c-Check-server-certificate-even-when-usin.patch 
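Review bot: An explicit `--with-gnutls` that finds no gnutls >= 3.5.18 still only warns, in the PKG_CHECK_MODULES failure branch of configure.ac, so a build that asked for TLS can silently ship with TLS support disabled. Consider making the explicitly requested case fatal while keeping the warning for the default `check` value: `AS_IF([test "$with_gnutls" = "yes"], [AC_MSG_ERROR([gnutls >= 3.5.18 requested but not found])],` / `[AC_MSG_WARN([gnutls not found or < 3.5.18, TLS support will be disabled.])])`. The AC_ARG_WITH that defines with_gnutls begins outside the hunk, so the full set of accepted values is not visible here.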
@@ -0,0 +1,57 @@ +From d8ec4c8ecc5244ed192f58bc3a976c4b2f9cc6d7 Mon Sep 17 00:00:00 2001 +From: "Richard W.M. Jones" +Date: Mon, 24 Jun 2024 10:48:12 +0100 +Subject: [PATCH] lib/crypto.c: Check server certificate even when using system + CA +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The previous code checked the server certificate only when a custom +certificate directory was set (ie. nbd_set_tls_certificates / +?tls-certificates=DIR). In the fallback case where we use the system +CA, we never called gnutls_session_set_verify_cert and so the server +certificate was never checked. + +Move the call to gnutls_session_set_verify_cert later so it is called +on both paths. + +If the server certificate does not match the hostname you will see: + +nbdinfo: nbd_connect_uri: gnutls_handshake: Error in the certificate verification. (15/1) + +Reported-by: Jon Szymaniak +Reviewed-by: Daniel P. Berrangé +(cherry picked from commit 87ef41b69929d5d293390ec36b1c10aba2c9a57a) +(cherry picked from commit 7a6739aeca8250515a449bacd23d09bf40587dec) +--- + lib/crypto.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/lib/crypto.c b/lib/crypto.c +index d131f1d0..c542ce6b 100644 +--- a/lib/crypto.c ++++ b/lib/crypto.c +@@ -530,9 +530,6 @@ set_up_certificate_credentials (struct nbd_handle *h, + return NULL; + + found_certificates: +- if (h->hostname && h->tls_verify_peer) +- gnutls_session_set_verify_cert (session, h->hostname, 0); +- + err = gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, ret); + if (err < 0) { + set_error (0, "gnutls_credentials_set: %s", gnutls_strerror (err)); +@@ -647,6 +644,9 @@ nbd_internal_crypto_create_session (struct nbd_handle *h, + gnutls_deinit (session); + return NULL; + } ++ ++ if (h->hostname && h->tls_verify_peer) ++ gnutls_session_set_verify_cert (session, h->hostname, 0); + } + + /* Wrap the underlying socket with GnuTLS. */ +-- +2.43.0 + 
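Review bot: The relocated `gnutls_session_set_verify_cert` call in nbd_internal_crypto_create_session carries no comment saying why it now sits after the credentials are attached rather than under the found_certificates label in set_up_certificate_credentials; the rationale lives only in the commit message. A short comment such as `/* Set here, after the credentials are attached, so the check runs both for a custom certificate directory and for the system CA fallback. */` would stop a future refactor from moving it back into the certificate-directory-only path. nbd_internal_crypto_create_session starts outside the hunk, so it is not visible whether the closing brace after the new call belongs to a certificate-only branch or also covers the PSK case.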
diff --git a/SOURCES/0006-lib-crypto.c-Allow-CA-verification-even-if-h-hostnam.patch b/SOURCES/0006-lib-crypto.c-Allow-CA-verification-even-if-h-hostnam.patch
new file mode 100644
index 0000000..edbd49b
--- /dev/null
+++ b/SOURCES/0006-lib-crypto.c-Allow-CA-verification-even-if-h-hostnam.patch
@@ -0,0 +1,76 @@ +From af09b72a486fd870ab72170a0cba4b1d6d37894f Mon Sep 17 00:00:00 2001 +From: "Richard W.M. Jones" +Date: Mon, 24 Jun 2024 10:31:10 +0100 +Subject: [PATCH] lib/crypto.c: Allow CA verification even if h->hostname is + not set +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Calling gnutls_session_set_verify_cert with the hostname parameter set +to NULL is permitted: +https://www.gnutls.org/manual/html_node/Core-TLS-API.html#gnutls_005fsession_005fset_005fverify_005fcert + +It means that the server's hostname in the certificate will not be +verified but we can at least check that the certificate was signed by +the CA. This allows the CA to be checked even for connections over +Unix domain sockets. + +Example: + + $ rm -f /tmp/sock + $ nbdkit -U /tmp/sock -f --tls=require --tls-certificates=$HOME/d/nbdkit/tests/pki memory 1G & + +Before this change: + + $ nbdinfo 'nbds+unix://?socket=/tmp/sock' + protocol: newstyle-fixed with TLS, using structured packets + export="": + export-size: 1073741824 (1G) + content: data + uri: nbds+unix:///?socket=/tmp/sock + [etc] + +(works because it never called gnutls_session_set_verify_cert). + +After this change: + + $ nbdinfo 'nbds+unix://?socket=/tmp/sock' + nbdinfo: nbd_connect_uri: gnutls_handshake: Error in the certificate verification. (15/1) + +(fails because system CA does not know about nbdkit's certificate +which is signed by the CA from the nbdkit/tests/pki directory) + + $ nbdinfo 'nbds+unix://?socket=/tmp/sock&tls-certificates=/home/rjones/d/nbdkit/tests/pki' + protocol: newstyle-fixed with TLS, using structured packets + export="": + export-size: 1073741824 (1G) + content: data + uri: nbds+unix:///?socket=/tmp/sock&tls-certificates=/home/rjones/d/nbdkit/tests/pki + [etc] + +(works because we supplied the correct CA) + +Reviewed-by: Daniel P. 
Berrangé +(cherry picked from commit 6ed47a27d14f6f11946bb096d94e5bf21d97083d) +(cherry picked from commit 3a427e6d7a83f89299ab6fdaeeffbd9074610ecc) +--- + lib/crypto.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/crypto.c b/lib/crypto.c +index c542ce6b..437e24ec 100644 +--- a/lib/crypto.c ++++ b/lib/crypto.c +@@ -645,7 +645,7 @@ nbd_internal_crypto_create_session (struct nbd_handle *h, + return NULL; + } + +- if (h->hostname && h->tls_verify_peer) ++ if (h->tls_verify_peer) + gnutls_session_set_verify_cert (session, h->hostname, 0); + } + +-- +2.43.0 + diff --git a/SOURCES/0007-interop-Pass-DCERTS-and-DPSK-as-strings.patch b/SOURCES/0007-interop-Pass-DCERTS-and-DPSK-as-strings.patch new file mode 100644 index 0000000..ae71bcc --- /dev/null +++ b/SOURCES/0007-interop-Pass-DCERTS-and-DPSK-as-strings.patch 
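Review bot: With the `h->hostname` test dropped from the condition, a NULL hostname now means the certificate is checked against the CA only and the name check is silently skipped, which is invisible to a user who assumes tls_verify_peer gives full verification. The file uses a `debug (h, ...)` helper (see the line removed in 0004), so the reduced check can be made visible next to the call: `if (h->hostname == NULL)` / `debug (h, "tls-verify-peer: no hostname, verifying server certificate against CA only");`. nbd_internal_crypto_create_session starts outside the hunk.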
@@ -0,0 +1,145 @@ +From 764fc45a258c08177d01b6b6b6a0e431ee29089a Mon Sep 17 00:00:00 2001 +From: "Richard W.M. Jones" +Date: Mon, 24 Jun 2024 11:49:07 +0100 +Subject: [PATCH] interop: Pass -DCERTS and -DPSK as strings +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Rather than implicitly defining the certificates dir or PSK file in +interop.c, pass the actual paths from the Makefile. + +This also allows -DCERTS=NULL which is interpreted as not calling +nbd_set_tls_certificates at all. This makes the test added in a +subsequent commit possible. + +No real change here, just refactoring the tests. + +Reviewed-by: Daniel P. Berrangé +(cherry picked from commit 69ab18442994c68f749e2b84b91d41031ebbb088) +(cherry picked from commit 33d7f3aa8e3cf8c826a534107529e1d409c0c004) +--- + interop/Makefile.am | 18 +++++++++--------- + interop/interop.c | 11 ++++++----- + 2 files changed, 15 insertions(+), 14 deletions(-) + +diff --git a/interop/Makefile.am b/interop/Makefile.am +index ac12d84a..4cdc55e9 100644 +--- a/interop/Makefile.am ++++ b/interop/Makefile.am +@@ -100,7 +100,7 @@ interop_nbd_server_tls_CPPFLAGS = \ + -DSERVER=\"$(NBD_SERVER)\" \ + -DSERVER_PARAMS='"-d", "-C", "nbd-server-tls.conf", "0", TMPFILE' \ + -DEXPORT_NAME='""' \ +- -DCERTS=1 \ ++ -DCERTS='"../tests/pki"' \ + -DTLS_MODE=LIBNBD_TLS_REQUIRE \ + $(NULL) + interop_nbd_server_tls_LDADD = \ +@@ -186,7 +186,7 @@ interop_qemu_nbd_tls_certs_CPPFLAGS = \ + -DSERVER=\"$(QEMU_NBD)\" \ + -DSERVER_PARAMS='"--object", "tls-creds-x509,id=tls0,endpoint=server,dir=$(abs_top_builddir)/tests/pki", "--tls-creds", "tls0", "-f", "raw", "-x", "/", TMPFILE' \ + -DEXPORT_NAME='"/"' \ +- -DCERTS=1 \ ++ -DCERTS='"../tests/pki"' \ + -DTLS_MODE=LIBNBD_TLS_REQUIRE \ + $(NULL) + interop_qemu_nbd_tls_certs_LDADD = \ +@@ -208,7 +208,7 @@ interop_qemu_nbd_tls_psk_CPPFLAGS = \ + -DSERVER=\"$(QEMU_NBD)\" \ + -DSERVER_PARAMS='"--object", 
"tls-creds-psk,id=tls0,endpoint=server,dir=$(abs_top_builddir)/tests", "--tls-creds", "tls0", "-f", "raw", "-x", "/", TMPFILE' \ + -DEXPORT_NAME='"/"' \ +- -DPSK=1 \ ++ -DPSK='"../tests/keys.psk"' \ + -DTLS_MODE=LIBNBD_TLS_REQUIRE \ + $(NULL) + interop_qemu_nbd_tls_psk_LDADD = \ +@@ -323,7 +323,7 @@ interop_nbdkit_tls_certs_CPPFLAGS = \ + -DNEEDS_TMPFILE=1 \ + -DSERVER=\"$(NBDKIT)\" \ + -DSERVER_PARAMS='"--tls=require", "--tls-certificates=../tests/pki", "-s", "--exit-with-parent", "file", TMPFILE' \ +- -DCERTS=1 \ ++ -DCERTS='"../tests/pki"' \ + -DTLS_MODE=LIBNBD_TLS_REQUIRE \ + $(NULL) + interop_nbdkit_tls_certs_LDADD = \ +@@ -342,7 +342,7 @@ interop_nbdkit_tls_certs_allow_enabled_CPPFLAGS = \ + -DNEEDS_TMPFILE=1 \ + -DSERVER=\"$(NBDKIT)\" \ + -DSERVER_PARAMS='"--tls=require", "--tls-certificates=../tests/pki", "-s", "--exit-with-parent", "file", TMPFILE' \ +- -DCERTS=1 \ ++ -DCERTS='"../tests/pki"' \ + -DTLS_MODE=LIBNBD_TLS_ALLOW \ + $(NULL) + interop_nbdkit_tls_certs_allow_enabled_LDADD = \ +@@ -361,7 +361,7 @@ interop_nbdkit_tls_certs_allow_fallback_CPPFLAGS = \ + -DNEEDS_TMPFILE=1 \ + -DSERVER=\"$(NBDKIT)\" \ + -DSERVER_PARAMS='"--tls=off", "-s", "--exit-with-parent", "file", TMPFILE' \ +- -DCERTS=1 \ ++ -DCERTS='"../tests/pki"' \ + -DTLS_MODE=LIBNBD_TLS_ALLOW \ + -DTLS_FALLBACK=1 \ + $(NULL) +@@ -381,7 +381,7 @@ interop_nbdkit_tls_psk_CPPFLAGS = \ + -DNEEDS_TMPFILE=1 \ + -DSERVER=\"$(NBDKIT)\" \ + -DSERVER_PARAMS='"--tls=require", "--tls-psk=../tests/keys.psk", "-s", "--exit-with-parent", "file", TMPFILE' \ +- -DPSK=1 \ ++ -DPSK='"../tests/keys.psk"' \ + -DTLS_MODE=LIBNBD_TLS_REQUIRE \ + $(NULL) + interop_nbdkit_tls_psk_LDADD = \ +@@ -400,7 +400,7 @@ interop_nbdkit_tls_psk_allow_enabled_CPPFLAGS = \ + -DNEEDS_TMPFILE=1 \ + -DSERVER=\"$(NBDKIT)\" \ + -DSERVER_PARAMS='"--tls=require", "--tls-psk=../tests/keys.psk", "-s", "--exit-with-parent", "file", TMPFILE' \ +- -DPSK=1 \ ++ -DPSK='"../tests/keys.psk"' \ + -DTLS_MODE=LIBNBD_TLS_ALLOW \ + $(NULL) + 
interop_nbdkit_tls_psk_allow_enabled_LDADD = \ +@@ -419,7 +419,7 @@ interop_nbdkit_tls_psk_allow_fallback_CPPFLAGS = \ + -DNEEDS_TMPFILE=1 \ + -DSERVER=\"$(NBDKIT)\" \ + -DSERVER_PARAMS='"--tls=off", "-s", "--exit-with-parent", "file", TMPFILE' \ +- -DPSK=1 \ ++ -DPSK='"../tests/keys.psk"' \ + -DTLS_MODE=LIBNBD_TLS_ALLOW \ + -DTLS_FALLBACK=1 \ + $(NULL) +diff --git a/interop/interop.c b/interop/interop.c +index 20e101d4..d4d6671e 100644 +--- a/interop/interop.c ++++ b/interop/interop.c +@@ -41,7 +41,7 @@ + + #define SIZE (1024*1024) + +-#if CERTS || PSK ++#if defined(CERTS) || defined(PSK) + #define TLS 1 + #ifndef TLS_MODE + #error "TLS_MODE must be defined when using CERTS || PSK" +@@ -149,13 +149,14 @@ main (int argc, char *argv[]) + } + #endif + +-#if CERTS +- if (nbd_set_tls_certificates (nbd, "../tests/pki") == -1) { ++#if defined(CERTS) ++ const char *certs = CERTS; ++ if (certs && nbd_set_tls_certificates (nbd, certs) == -1) { + fprintf (stderr, "%s\n", nbd_get_error ()); + exit (EXIT_FAILURE); + } +-#elif PSK +- if (nbd_set_tls_psk_file (nbd, "../tests/keys.psk") == -1) { ++#elif defined(PSK) ++ if (nbd_set_tls_psk_file (nbd, PSK) == -1) { + fprintf (stderr, "%s\n", nbd_get_error ()); + exit (EXIT_FAILURE); + } +-- +2.43.0 + diff --git a/SOURCES/0008-interop-Add-DEXPECT_FAIL-1-where-we-expect-the-test-.patch b/SOURCES/0008-interop-Add-DEXPECT_FAIL-1-where-we-expect-the-test-.patch new file mode 100644 index 0000000..3d40ef9 --- /dev/null +++ b/SOURCES/0008-interop-Add-DEXPECT_FAIL-1-where-we-expect-the-test-.patch 
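Review bot: The CERTS branch in interop.c gains a NULL guard (`certs && ...`) so that `-DCERTS=NULL` means "do not call nbd_set_tls_certificates", but the PSK branch passes the macro straight through, so a future `-DPSK=NULL` would hand a NULL path to nbd_set_tls_psk_file instead of skipping the call. Mirroring the guard keeps the two branches consistent: `const char *psk = PSK;` / `if (psk && nbd_set_tls_psk_file (nbd, psk) == -1) {`. main starts and ends outside the hunk.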
@@ -0,0 +1,53 @@ +From fcb7d28e4dd2ab438c6070e7e5b1aae54cc75f28 Mon Sep 17 00:00:00 2001 +From: "Richard W.M. Jones" +Date: Mon, 24 Jun 2024 13:54:48 +0100 +Subject: [PATCH] interop: Add -DEXPECT_FAIL=1 where we expect the test to fail +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reviewed-by: Daniel P. Berrangé +(cherry picked from commit c7a8df4f78f2c1901f5c532f262dadd6cce84750) +(cherry picked from commit 175ee89f4a64c52cdb1412a2a72fc8c52fecaf93) +--- + interop/interop.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/interop/interop.c b/interop/interop.c +index d4d6671e..469327ee 100644 +--- a/interop/interop.c ++++ b/interop/interop.c +@@ -78,6 +78,7 @@ main (int argc, char *argv[]) + int64_t actual_size; + char buf[512]; + size_t i; ++ int r; + + /* Check requirements or skip the test. */ + #ifdef REQUIRES +@@ -174,10 +175,21 @@ main (int argc, char *argv[]) + #else + #define NBD_CONNECT nbd_connect_command + #endif +- if (NBD_CONNECT (nbd, args) == -1) { ++ r = NBD_CONNECT (nbd, args); ++#if EXPECT_FAIL ++ if (r != -1) { ++ fprintf (stderr, "%s: expected connection to fail but it did not\n", ++ argv[0]); ++ exit (EXIT_FAILURE); ++ } ++ exit (EXIT_SUCCESS); ++ /*NOTREACHED*/ ++#else ++ if (r == -1) { + fprintf (stderr, "%s\n", nbd_get_error ()); + exit (EXIT_FAILURE); + } ++#endif + + #if TLS + if (TLS_MODE == LIBNBD_TLS_REQUIRE) { +-- +2.43.0 + diff --git a/SOURCES/0009-interop-Test-interop-with-a-bad-system-CA.patch b/SOURCES/0009-interop-Test-interop-with-a-bad-system-CA.patch new file mode 100644 index 0000000..c4e62cb --- /dev/null +++ b/SOURCES/0009-interop-Test-interop-with-a-bad-system-CA.patch 
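Review bot: Under EXPECT_FAIL the test exits successfully on any `r == -1`, so the negative test passes whether the TLS handshake was rejected or the server merely failed to start, and the certificate check it is meant to guard could regress unnoticed. Matching the failure reason against the message the later commit documents (`gnutls_handshake: Error in the certificate verification.`) makes the test fail on unrelated errors; one way is an optional expected-substring define alongside EXPECT_FAIL, sketched below with the constructed name EXPECT_FAIL_MSG to be passed from Makefile.am (strstr needs <string.h> if interop.c does not already include it). Separately, `#if EXPECT_FAIL` differs from the `#if defined(CERTS)` form introduced in 0007 and trips -Wundef when the macro is absent; `#ifdef EXPECT_FAIL` matches the rest of the file. main starts and ends outside the hunk.
```c
  r = NBD_CONNECT (nbd, args);
#ifdef EXPECT_FAIL
  if (r != -1) {
    fprintf (stderr, "%s: expected connection to fail but it did not\n",
             argv[0]);
    exit (EXIT_FAILURE);
  }
#ifdef EXPECT_FAIL_MSG
  /* Fail the test if the connection failed for a reason other than
   * the one under test, e.g. the server did not start. */
  if (strstr (nbd_get_error (), EXPECT_FAIL_MSG) == NULL) {
    fprintf (stderr, "%s: connection failed for an unexpected reason: %s\n",
             argv[0], nbd_get_error ());
    exit (EXIT_FAILURE);
  }
#endif
  exit (EXIT_SUCCESS);
  /*NOTREACHED*/
#else
  /* … unchanged: non-EXPECT_FAIL error handling … */
#endif
```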
@@ -0,0 +1,84 @@ +From c20ac23a9a3673cca863974ec53f9129392fd447 Mon Sep 17 00:00:00 2001 +From: "Richard W.M. Jones" +Date: Mon, 24 Jun 2024 11:39:01 +0100 +Subject: [PATCH] interop: Test interop with a bad system CA +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This is expected to fail now. + +Reviewed-by: Daniel P. Berrangé +(cherry picked from commit 1c7db8f3337632f0395dac9b13cf03b100cf1a4a) +(cherry picked from commit cb3519eeefa788b8fef466bf9394eefa9d6a6c18) +--- + .gitignore | 1 + + interop/Makefile.am | 26 ++++++++++++++++++++++++++ + 2 files changed, 27 insertions(+) + +diff --git a/.gitignore b/.gitignore +index 0b1cf764..597043e1 100644 +--- a/.gitignore ++++ b/.gitignore +@@ -113,6 +113,7 @@ Makefile.in + /interop/interop-nbdkit-tls-certs + /interop/interop-nbdkit-tls-certs-allow-enabled + /interop/interop-nbdkit-tls-certs-allow-fallback ++/interop/interop-nbdkit-tls-certs-bad-CA + /interop/interop-nbdkit-tls-psk + /interop/interop-nbdkit-tls-psk-allow-enabled + /interop/interop-nbdkit-tls-psk-allow-fallback +diff --git a/interop/Makefile.am b/interop/Makefile.am +index 4cdc55e9..bc974b99 100644 +--- a/interop/Makefile.am ++++ b/interop/Makefile.am +@@ -281,6 +281,7 @@ check_PROGRAMS += \ + interop-nbdkit-tls-certs \ + interop-nbdkit-tls-certs-allow-enabled \ + interop-nbdkit-tls-certs-allow-fallback \ ++ interop-nbdkit-tls-certs-bad-CA \ + interop-nbdkit-tls-psk \ + interop-nbdkit-tls-psk-allow-enabled \ + interop-nbdkit-tls-psk-allow-fallback \ +@@ -292,6 +293,7 @@ TESTS += \ + interop-nbdkit-tls-certs \ + interop-nbdkit-tls-certs-allow-enabled \ + interop-nbdkit-tls-certs-allow-fallback \ ++ interop-nbdkit-tls-certs-bad-CA \ + interop-nbdkit-tls-psk \ + interop-nbdkit-tls-psk-allow-enabled \ + interop-nbdkit-tls-psk-allow-fallback \ +@@ -370,6 +372,30 @@ interop_nbdkit_tls_certs_allow_fallback_LDADD = \ + $(GNUTLS_LIBS) \ + $(NULL) + ++# In this test, nbdkit offers a server certificate signed by our CA 
in ++# the tests/pki directory, but we deliberately tell libnbd to test ++# against the system CA (-DCERTS=NULL). This is expected to fail the ++# connection with the error: ++# libnbd: debug: nbd1: nbd_connect_command: handle dead: nbd_connect_command: gnutls_handshake: Error in the certificate verification. (15/1) ++interop_nbdkit_tls_certs_bad_CA_SOURCES = \ ++ interop.c \ ++ requires.c \ ++ ../tests/requires.h \ ++ $(NULL) ++interop_nbdkit_tls_certs_bad_CA_CPPFLAGS = \ ++ $(AM_CPPFLAGS) \ ++ -DREQUIRES=' requires ("test -d ../tests/pki"); ' \ ++ -DSERVER=\"$(NBDKIT)\" \ ++ -DSERVER_PARAMS='"--tls=require", "--tls-certificates=../tests/pki", "-s", "--exit-with-parent", "null"' \ ++ -DCERTS=NULL \ ++ -DTLS_MODE=LIBNBD_TLS_REQUIRE \ ++ -DEXPECT_FAIL=1 \ ++ $(NULL) ++interop_nbdkit_tls_certs_bad_CA_LDADD = \ ++ $(top_builddir)/lib/libnbd.la \ ++ $(GNUTLS_LIBS) \ ++ $(NULL) ++ + interop_nbdkit_tls_psk_SOURCES = \ + interop.c \ + requires.c \ +-- +2.43.0 + diff --git a/SOURCES/0010-lib-uri.c-Allow-tls-verify-peer-to-be-overridden-in-.patch b/SOURCES/0010-lib-uri.c-Allow-tls-verify-peer-to-be-overridden-in-.patch new file mode 100644 index 0000000..2a12ed1 --- /dev/null +++ b/SOURCES/0010-lib-uri.c-Allow-tls-verify-peer-to-be-overridden-in-.patch 
@@ -0,0 +1,89 @@ +From a2541de206b3560fdfadf5dfada2cac1b69c09a1 Mon Sep 17 00:00:00 2001 +From: "Richard W.M. Jones" +Date: Tue, 25 Jun 2024 11:12:56 +0100 +Subject: [PATCH] lib/uri.c: Allow tls-verify-peer to be overridden in URIs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Older versions of libnbd didn't always check the server certificate. +Since some clients might be depending on this, allow +?tls-verify-peer=false in URIs to skip this check. + +Reviewed-by: Daniel P. Berrangé +(cherry picked from commit 75641c6b30155abce272f60cf3518a65654aa401) +(cherry picked from commit b12466821fc534fb68d5b8e695832ee03496e0af) +--- + generator/API.ml | 5 +++++ + lib/uri.c | 32 ++++++++++++++++++++++++++++++++ + 2 files changed, 37 insertions(+) + +diff --git a/generator/API.ml b/generator/API.ml +index c4547615..f2752f25 100644 +--- a/generator/API.ml ++++ b/generator/API.ml +@@ -1994,6 +1994,11 @@ Note this is not allowed by default - see next section. + Set the PSK file. See L. Note + this is not allowed by default - see next section. + ++=item B ++ ++Do not verify the server certificate. See L. ++The default is C. 
++ + =back + + =head2 Disable URI features +diff --git a/lib/uri.c b/lib/uri.c +index 0c8e87cf..969e88be 100644 +--- a/lib/uri.c ++++ b/lib/uri.c +@@ -150,6 +150,31 @@ parse_uri_queries (const char *query_raw, uri_query_list *list) + return -1; + } + ++/* Similar to nbdkit_parse_bool */ ++int ++parse_bool (const char *param, const char *value) ++{ ++ if (!strcmp (value, "1") || ++ !strcasecmp (value, "true") || ++ !strcasecmp (value, "t") || ++ !strcasecmp (value, "yes") || ++ !strcasecmp (value, "y") || ++ !strcasecmp (value, "on")) ++ return 1; ++ ++ if (!strcmp (value, "0") || ++ !strcasecmp (value, "false") || ++ !strcasecmp (value, "f") || ++ !strcasecmp (value, "no") || ++ !strcasecmp (value, "n") || ++ !strcasecmp (value, "off")) ++ return 0; ++ ++ set_error (EINVAL, "could not parse %s parameter, expecting %s=true|false", ++ param, param); ++ return -1; ++} ++ + int + nbd_unlocked_aio_connect_uri (struct nbd_handle *h, const char *raw_uri) + { +@@ -298,6 +323,13 @@ nbd_unlocked_aio_connect_uri (struct nbd_handle *h, const char *raw_uri) + if (nbd_unlocked_set_tls_psk_file (h, queries.ptr[i].value) == -1) + goto cleanup; + } ++ else if (strcasecmp (queries.ptr[i].name, "tls-verify-peer") == 0) { ++ int v = parse_bool ("tls-verify-peer", queries.ptr[i].value); ++ if (v == -1) ++ goto cleanup; ++ if (nbd_unlocked_set_tls_verify_peer (h, v) == -1) ++ goto cleanup; ++ } + } + + /* Username. */ +-- +2.43.0 + diff --git a/SOURCES/0011-docs-security-Add-link-to-TLS-server-certificate-che.patch b/SOURCES/0011-docs-security-Add-link-to-TLS-server-certificate-che.patch new file mode 100644 index 0000000..6bf487d --- /dev/null +++ b/SOURCES/0011-docs-security-Add-link-to-TLS-server-certificate-che.patch 
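Review bot: The new `tls-verify-peer` branch in nbd_unlocked_aio_connect_uri lets the URI itself switch certificate verification off, while the neighbouring tls-certificates and tls-psk-file parameters are documented in API.ml as "not allowed by default"; the new API.ml entry says nothing about gating, so as written a URI taken from an untrusted source could silently disable the check this series just fixed. If the allow-check for the other TLS parameters sits above the hunk, extend it to this branch and say so in the API.ml entry; if there is none, document that explicitly so callers know they must validate URIs before passing them in. Separately, `parse_bool` is defined without `static`, which exports a generic name from the shared library unless a linker version script hides it; `static int` / `parse_bool (const char *param, const char *value)` avoids that. nbd_unlocked_aio_connect_uri starts outside the hunk.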
@@ -0,0 +1,31 @@ +From dfa2a23c7638e325694101fe81b5330ceede68f9 Mon Sep 17 00:00:00 2001 +From: "Richard W.M. Jones" +Date: Tue, 25 Jun 2024 17:53:47 +0100 +Subject: [PATCH] docs: security: Add link to TLS server certificate checking + announcement + +(cherry picked from commit 9c723aa660c6ee7d224afbfc16eb7450d21fb9cf) +(cherry picked from commit 820f45a58fda50dc7d5e126c55403e33824cffe4) +--- + docs/libnbd-security.pod | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/docs/libnbd-security.pod b/docs/libnbd-security.pod +index 216efa43..c9960d8c 100644 +--- a/docs/libnbd-security.pod ++++ b/docs/libnbd-security.pod +@@ -45,6 +45,11 @@ negative size result from nbd_get_size(3) + See the full announcement here: + L + ++=head2 multiple flaws in TLS server certificate checking ++ ++See the full announcement here: ++L ++ + =head1 SEE ALSO + + L. +-- +2.43.0 + diff --git a/SOURCES/0012-docs-libnbd-security.pod-Assign-CVE-2024-7383.patch b/SOURCES/0012-docs-libnbd-security.pod-Assign-CVE-2024-7383.patch new file mode 100644 index 0000000..7d1e858 --- /dev/null +++ b/SOURCES/0012-docs-libnbd-security.pod-Assign-CVE-2024-7383.patch 
@@ -0,0 +1,32 @@ +From 8334404ee0883dcfa90697b6fdae541ed4751b79 Mon Sep 17 00:00:00 2001 +From: "Richard W.M. Jones" +Date: Thu, 1 Aug 2024 15:17:29 +0100 +Subject: [PATCH] docs/libnbd-security.pod: Assign CVE-2024-7383 + +CVE-2024-7383 was assigned to the (already published & fixed) flaws +found in libnbd certificate checking. + +Reported-by: Jon Szymaniak +Thanks: Mauro Matteo Cascella +(cherry picked from commit 81a22ac6697ccdeb13509aba3072609251d1378b) +--- + docs/libnbd-security.pod | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/docs/libnbd-security.pod b/docs/libnbd-security.pod +index c9960d8c..ece0cf5a 100644 +--- a/docs/libnbd-security.pod ++++ b/docs/libnbd-security.pod +@@ -45,7 +45,8 @@ negative size result from nbd_get_size(3) + See the full announcement here: + L + +-=head2 multiple flaws in TLS server certificate checking ++=head2 CVE-2024-7383 ++multiple flaws in TLS server certificate checking + + See the full announcement here: + L +-- +2.43.0 + diff --git a/SOURCES/1000-Update-doc-template-for-tls-verify-peer.patch b/SOURCES/1000-Update-doc-template-for-tls-verify-peer.patch new file mode 100644 index 0000000..6673f7e --- /dev/null +++ b/SOURCES/1000-Update-doc-template-for-tls-verify-peer.patch 
@@ -0,0 +1,39 @@ +From 9acc05f757ff7518104c8f232b49230f0503ffa1 Mon Sep 17 00:00:00 2001 +From: Alex Burmashev +Date: Thu, 19 Sep 2024 09:16:31 +0000 +Subject: [PATCH] Update doc template for tls-verify-peer + +Without this change, docs on i686 are not generated correctly. + +Signed-off-by: Alex Burmashev +--- + docs/nbd_connect_uri.pod | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/docs/nbd_connect_uri.pod b/docs/nbd_connect_uri.pod +index 5d7ecdb..9e49e24 100644 +--- a/docs/nbd_connect_uri.pod ++++ b/docs/nbd_connect_uri.pod +@@ -119,6 +119,11 @@ Note this is not allowed by default - see next section. + Set the PSK file. See L. Note + this is not allowed by default - see next section. + ++=item B ++ ++Do not verify the server certificate. See L. ++The default is C. ++ + =back + + =head2 Disable URI features +@@ -227,6 +232,7 @@ L, + L, + L, + L, ++L, + L, + L, + L, +-- +2.43.5 + diff --git a/SOURCES/copy-patches.sh b/SOURCES/copy-patches.sh old mode 100755 new mode 100644 diff --git a/SPECS/libnbd.spec b/SPECS/libnbd.spec index b523ea2..b52c1ce 100644 --- a/SPECS/libnbd.spec +++ b/SPECS/libnbd.spec @@ -9,7 +9,7 @@ Name: libnbd Version: 1.18.1 -Release: 3%{?dist} +Release: 4.0.1%{?dist} Summary: NBD client library in userspace License: LGPL-2.0-or-later AND BSD-3-Clause 
@@ -32,6 +32,18 @@ Source3: copy-patches.sh Patch0001: 0001-generator-Fix-assertion-in-ext-mode-BLOCK_STATUS-CVE.patch Patch0002: 0002-docs-Fix-incorrect-xref-in-libnbd-release-notes-for-.patch Patch0003: 0003-tests-Check-behavior-of-nbd_set_strict_mode-STRICT_A.patch +Patch0004: 0004-build-Move-to-minimum-gnutls-3.5.18.patch +Patch0005: 0005-lib-crypto.c-Check-server-certificate-even-when-usin.patch +Patch0006: 0006-lib-crypto.c-Allow-CA-verification-even-if-h-hostnam.patch +Patch0007: 0007-interop-Pass-DCERTS-and-DPSK-as-strings.patch +Patch0008: 0008-interop-Add-DEXPECT_FAIL-1-where-we-expect-the-test-.patch +Patch0009: 0009-interop-Test-interop-with-a-bad-system-CA.patch +Patch0010: 0010-lib-uri.c-Allow-tls-verify-peer-to-be-overridden-in-.patch +Patch0011: 0011-docs-security-Add-link-to-TLS-server-certificate-che.patch +Patch0012: 0012-docs-libnbd-security.pod-Assign-CVE-2024-7383.patch + +# Oracle patches +Patch1000: 1000-Update-doc-template-for-tls-verify-peer.patch %if 0%{patches_touch_autotools} BuildRequires: autoconf, automake, libtool @@ -383,6 +395,13 @@ make %{?_smp_mflags} check || { %changelog +* Thu Sep 19 2024 Alex Burmashev - 1.18.1-4.0.1 +- Add new content to nbd_connect_uri.pod + +* Tue Aug 27 2024 Richard W.M. Jones - 1.18.1-4 +- Fix CVE-2024-7383 NBD server improper certificate validation + resolves: RHEL-52730 + * Mon Nov 13 2023 Eric Blake - 1.18.1-3 - Backport unit test of recent libnbd API addition resolves: RHEL-16292