Creating a new ticket to track fixes to GSS/SK, since LU-3289 (the main feature implementation tracker) has been closed now that the SSK feature has already landed for 2.9.0.
Several fixes are needed for skpi:
1. The original SK patches failed to account for out-of-order handling of RPCs and bulk pages during encryption. As a result, clients would be out of sync with the IV used for decryption. This patch moves the encryption to a format similar to RFC3686 to handle these RPCs and bulk pages.
2. A header was added to the SK mode RPCs to allow versioning and to send the unencrypted IV used for an RPC. The versioning will allow for future protocol changes.
3. Several changes to fix or improve security of the implementation, based on a security review from Matthew Wood at Intel:
- Derive a unique key for integrity modes instead of using the shared secret key (ska, ski, and skpi modes). This helps prevent
- Use PBKDF2 instead of HMAC to derive keys for integrity and
- Have the server side pass a random value (like the client) and incorporate this value into the key binding information.
4. Store the generated prime in the client key file to avoid generating a new prime for every connection, which takes too long.
5. Increase the default key size to 2048 bits, after #4 is done.
Since #1 and #2 are network protocol changes, this is a blocker for the 2.9.0 release.
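The following is an added illustration of items #1 to #3, not code from Lustre or from the patches this ticket tracks. It models the out-of-order problem (a local IV counter on each side that silently desynchronises when RPCs are processed in a different order), and the fixed design: an RFC3686-style counter block (nonce || explicit per-RPC IV || block counter), the IV carried in the clear in a versioned header, and PBKDF2 deriving separate encryption and integrity keys with both the client and server random values bound into the salt. The header layout, the version constant, the salt label and the use of HMAC-SHA256 in place of the AES block function are assumptions made so the example runs with the Python standard library only.

```python
import hashlib
import hmac
import os
import struct

# Assumed header layout for this demo (not Lustre's actual wire format):
# version (2 bytes) | payload length (2 bytes) | explicit per-RPC IV (8 bytes)
SK_HDR_VERSION = 1
HDR_LEN = 12
TAG_LEN = 32


def derive_keys(shared_secret, client_random, server_random, iterations=10000):
    """PBKDF2-HMAC-SHA256 over the shared secret, with both peers' random
    values bound into the salt. One call yields separate encryption and
    integrity keys plus the 4-byte per-session nonce used by RFC3686."""
    salt = b"sk-demo-kdf" + client_random + server_random  # label is a demo value
    okm = hashlib.pbkdf2_hmac("sha256", shared_secret, salt, iterations, dklen=68)
    return {"enc": okm[:32], "int": okm[32:64], "nonce": okm[64:68]}


def counter_block(nonce, iv, i):
    """RFC3686 counter block: 4-byte nonce || 8-byte IV || 4-byte big-endian counter (starts at 1)."""
    return nonce + iv + struct.pack(">I", i)


def keystream(key, nonce, iv, length):
    """Counter-mode keystream. HMAC-SHA256 stands in for the AES block
    function so the example needs only the standard library; the
    counter-block layout is the part being demonstrated."""
    out = b""
    i = 1
    while len(out) < length:
        out += hmac.new(key, counter_block(nonce, iv, i), hashlib.sha256).digest()[:16]
        i += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def seal_rpc(keys, plaintext, iv=None):
    """Encrypt one RPC; the IV travels in the clear in the header and the
    integrity tag (computed with the separate integrity key) covers header and ciphertext."""
    iv = iv if iv is not None else os.urandom(8)
    header = struct.pack(">HH", SK_HDR_VERSION, len(plaintext)) + iv
    ct = xor(plaintext, keystream(keys["enc"], keys["nonce"], iv, len(plaintext)))
    tag = hmac.new(keys["int"], header + ct, hashlib.sha256).digest()
    return header + ct + tag


def open_rpc(keys, msg):
    """Decrypt one RPC using only the message itself plus the session keys,
    so RPCs and bulk pages may be processed in any order."""
    header = msg[:HDR_LEN]
    version, length = struct.unpack(">HH", header[:4])
    if version != SK_HDR_VERSION:
        raise ValueError("unsupported SK header version %d" % version)
    iv = header[4:HDR_LEN]
    ct = msg[HDR_LEN:HDR_LEN + length]
    tag = msg[HDR_LEN + length:HDR_LEN + length + TAG_LEN]
    expected = hmac.new(keys["int"], header + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return xor(ct, keystream(keys["enc"], keys["nonce"], iv, length))


class StatefulPeer:
    """Models the pre-fix behaviour the ticket describes: the IV is a local
    running counter that is never transmitted, so both sides must process
    RPCs in exactly the same order or decryption silently yields garbage."""

    def __init__(self, keys):
        self.keys = keys
        self.count = 0

    def process(self, data):
        iv = struct.pack(">Q", self.count)
        self.count += 1
        return xor(data, keystream(self.keys["enc"], self.keys["nonce"], iv, len(data)))


def demo_out_of_order(order=(2, 0, 1)):
    """Seal three RPCs, then open them in `order`. Returns (explicit_iv_ok, stateful_ok)."""
    keys = derive_keys(b"shared-secret-demo", b"C" * 32, b"S" * 32)  # constructed inputs
    msgs = [b"RPC 0 payload", b"RPC 1 bulk page", b"RPC 2 payload"]

    sealed = [seal_rpc(keys, m) for m in msgs]
    explicit_ok = all(open_rpc(keys, sealed[i]) == msgs[i] for i in order)

    sender, receiver = StatefulPeer(keys), StatefulPeer(keys)
    cts = [sender.process(m) for m in msgs]  # sender encrypts 0, 1, 2 in order
    stateful_ok = all(receiver.process(cts[i]) == msgs[i] for i in order)
    return explicit_ok, stateful_ok


if __name__ == "__main__":
    print(demo_out_of_order())  # expect (True, False)
```

With the default out-of-order sequence the explicit-IV receiver recovers every RPC while the stateful receiver fails on the first one, which is the desynchronisation described in item #1; reordering to (0, 1, 2) makes both succeed. The tag is verified before any plaintext is released, and a version mismatch is rejected up front, which is what the versioned header in item #2 is for.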