https://jira.whamcloud.com This file is an XML representation of an issue en-us 9.4.14 940014 05-12-2023 https://jira.whamcloud.com/browse/LU-11414 Lustre <p>Feature 'read on open for DoM files' breaks GSS integrity check.</p> <p>Indeed, when ski or krb5i flavors are selected, GSS integrity mechanism signs requests on client side before they are sent, and then checks signature on server side upon receiving.<br/> So it is not possible to alter the request content once signature is calculated.</p> <p>However, with the patch implementing 'read on open for DoM files' (<a href="https://review.whamcloud.com/23011" class="external-link" target="_blank" rel="nofollow noopener">https://review.whamcloud.com/23011</a>), the value of request-&gt;rq_reqmsg-&gt;lm_repsize is changed after the request has been wrapped. And this field is included in request-&gt;rq_reqbuf on which the signature is calculated.<br/> So the signature calculated on the received request on server side does not match the signature calculated on client side.</p> <p>Consequence is that it is not possible to use Kerberos or Shared Key with integrity protection flavors (and possible full encryption flavors as well).</p> LU-11414

'read on open' breaks GSS integrity check

Bug Critical Resolved Fixed Mikhail Pershin Sebastien Buisson DoM2 gss Fri, 21 Sep 2018 17:21:22 +0000 Sat, 6 Oct 2018 13:33:06 +0000 Sat, 6 Oct 2018 13:33:06 +0000 Lustre 2.12.0 Lustre 2.12.0 0 6 <p>Hi Mike,</p> <p>Can you please take a look at this?</p> <p>Thanks.</p> <p>Joe</p> <p>Sebastien, what is the simple way to check that problem? </p> <p>Hi Mike,</p> <p>You can try to run sanity-gss test_1 with SHARED_KEYS=true. Even the fact that preparation before test_1 succeeds would be a good sign.<br/> But it may fail for an unrelated reason. I can test a patch for you if you want.</p> <p>Thanks,<br/> Sebastien.</p> <p>Mike Pershin (mpershin@whamcloud.com) uploaded a new patch: <a href="https://review.whamcloud.com/33223" class="external-link" target="_blank" rel="nofollow noopener">https://review.whamcloud.com/33223</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-11414" title="&#39;read on open&#39; breaks GSS integrity check" class="issue-link" data-issue-key="LU-11414"><del>LU-11414</del></a> ptlrpc: don't change buffer when signature is ready<br/> Project: fs/lustre-release<br/> Branch: master<br/> Current Patch Set: 1<br/> Commit: 7b6683cc5608d7698bf2869601fb13e66b80ca4a</p> <p>Sebastien, I think this patch should restore GSS functionality. I would appreciate help with testing it, thanks.</p> <p>Mike, just tested patch at <a href="https://review.whamcloud.com/33223" class="external-link" target="_blank" rel="nofollow noopener">https://review.whamcloud.com/33223</a> , it fixes GSS regression, thanks.</p> <p>Oleg Drokin (green@whamcloud.com) merged in patch <a href="https://review.whamcloud.com/33223/" class="external-link" target="_blank" rel="nofollow noopener">https://review.whamcloud.com/33223/</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-11414" title="&#39;read on open&#39; breaks GSS integrity check" class="issue-link" data-issue-key="LU-11414"><del>LU-11414</del></a> ptlrpc: don't change buffer when signature is ready<br/> Project: fs/lustre-release<br/> Branch: master<br/> Current Patch Set: <br/> Commit: cf503e047c7fe58c3f75c912b3ce8da93f79bf0e</p> <p>Landed for 2.12</p> Development Rank 1|i002v3: Rank (Obsolete) 9223372036854775807 Severity