https://jira.whamcloud.com This file is an XML representation of an issue en-us 9.4.14 940014 05-12-2023 https://jira.whamcloud.com/browse/LU-8590 Lustre <p>Create a new ticket for tracking fixes to GSS/SK, since <a href="https://jira.whamcloud.com/browse/LU-3289" title="IU Shared Secret Key authentication and encryption" class="issue-link" data-issue-key="LU-3289"><del>LU-3289</del></a> (the main feature implementation tracker) has been closed since the SSK feature is landed for 2.9.0 already.</p> <p>Several fixes are needed for skpi:</p> <p>1. The original SK patches failed to account for out of order<br/> handling of RPCs and bulk pages during encryption. As a result<br/> clients would be out of sync with the IV used for decryption.<br/> This patches moves the encryption to a format similar to RFC3686<br/> to handle these RPCs and bulk pages.</p> <p>2. A header was added to the SK mode RPCs to allow versioning and<br/> send the unencrypted IV used for an RPC. The versioning will allow<br/> for future protocol changes.</p> <p>3. Several changes to fix or improve security of the implementation<br/> based on a security review from Matthew Wood at Intel:</p> <ul class="alternate" type="square"> <li>Derive a unique key for integrity modes instead of using the<br/> shared secret key (ska, ski, and skpi modes). This helps prevent<br/> replays.</li> <li>Use PBKDF2 instead of HMAC to derive keys for integrity and<br/> encryption.</li> <li>Have the server side pass a random value (like the client) and<br/> incorporate this value into the key binding information.</li> </ul> <p>4. Store generated prime into the client key file to avoid generating<br/> a new prime for every connection, which takes too long.</p> <p>5. Increase the default key size to 2048 bits, after #4 is done.</p> <p>Since #1 and #2 are network protocol changes, this is a blocker for the 2.9.0 release.</p> LU-8590

Fix issues with SK privacy and integrity mode

Bug Blocker Resolved Fixed Jeremy Filizetti Andreas Dilger Wed, 7 Sep 2016 19:40:40 +0000 Fri, 7 Jul 2017 21:32:15 +0000 Wed, 26 Oct 2016 23:26:00 +0000 Lustre 2.9.0 Lustre 2.9.0 Lustre 2.10.0 0 4 <p>Items #1-3 are addressed by patch<br/> <a href="http://review.whamcloud.com/21922" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/21922</a></p> <p>Andreas Dilger (andreas.dilger@intel.com) uploaded a new patch: <a href="http://review.whamcloud.com/22987" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/22987</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-8590" title="Fix issues with SK privacy and integrity mode" class="issue-link" data-issue-key="LU-8590"><del>LU-8590</del></a> ssk: increase default keylen to 2048 bits<br/> Project: fs/lustre-release<br/> Branch: master<br/> Current Patch Set: 1<br/> Commit: 5bb5749cc3ad301b6d21174cd1b97583b7c08e50</p> <p>Oleg Drokin (oleg.drokin@intel.com) merged in patch <a href="http://review.whamcloud.com/23322/" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/23322/</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-8590" title="Fix issues with SK privacy and integrity mode" class="issue-link" data-issue-key="LU-8590"><del>LU-8590</del></a> gss: Move DH parameter generation out of upcall<br/> Project: fs/lustre-release<br/> Branch: master<br/> Current Patch Set: <br/> Commit: 2de43286f95281648881033062abf9503bd60541</p> <p>Landed for 2.9</p> <p>Andreas Dilger (andreas.dilger@intel.com) uploaded a new patch: <a href="http://review.whamcloud.com/23691" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/23691</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-8590" title="Fix issues with SK privacy and integrity mode" class="issue-link" data-issue-key="LU-8590"><del>LU-8590</del></a> gss: fix minor issues in lgss_sk usage<br/> Project: fs/lustre-release<br/> Branch: master<br/> Current Patch Set: 1<br/> Commit: a4a607f40012a6c7365b26f59a1b97a1a095bfd6</p> <p>Andreas Dilger (andreas.dilger@intel.com) uploaded a new patch: <a href="http://review.whamcloud.com/23722" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/23722</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-8590" title="Fix issues with SK privacy and integrity mode" class="issue-link" data-issue-key="LU-8590"><del>LU-8590</del></a> utils: remove duplicate code in lgss_sk<br/> Project: fs/lustre-release<br/> Branch: master<br/> Current Patch Set: 1<br/> Commit: 265b5ee8af385086a6ba9b729c02573b26b7647b</p> <p>Oleg Drokin (oleg.drokin@intel.com) merged in patch <a href="http://review.whamcloud.com/23691/" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/23691/</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-8590" title="Fix issues with SK privacy and integrity mode" class="issue-link" data-issue-key="LU-8590"><del>LU-8590</del></a> utils: fix minor issues in lgss_sk usage<br/> Project: fs/lustre-release<br/> Branch: master<br/> Current Patch Set: <br/> Commit: 075f98e585a27b846ebd26f1d70a77eefb0f8c5f</p> <p>Oleg Drokin (oleg.drokin@intel.com) merged in patch <a href="https://review.whamcloud.com/23722/" class="external-link" target="_blank" rel="nofollow noopener">https://review.whamcloud.com/23722/</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-8590" title="Fix issues with SK privacy and integrity mode" class="issue-link" data-issue-key="LU-8590"><del>LU-8590</del></a> utils: remove duplicate code in lgss_sk<br/> Project: fs/lustre-release<br/> Branch: master<br/> Current Patch Set: <br/> Commit: a598df837b946711407ec93eed08f144dae6d35a</p> Related LU-3289 Development Rank 1|hzynof: Rank (Obsolete) 9223372036854775807 Severity