From: "J. Bruce Fields" <bfields@fieldses.org>
To: Volodymyr Khomenko <volodymyr@vastdata.com>
Cc: linux-nfs@vger.kernel.org
Subject: Re: GSSAPI fix for pynfs nfs4.1 client code
Date: Fri, 1 Oct 2021 10:13:06 -0400 [thread overview]
Message-ID: <20211001141306.GD959@fieldses.org> (raw)
In-Reply-To: <CANkgweuuo7VctNLNSGyVE2Unjv_RMdG7+zPYr6_QwSZAQTbPRQ@mail.gmail.com>
On Fri, Oct 01, 2021 at 09:49:50AM +0300, Volodymyr Khomenko wrote:
> > So, I can verify that --security=krb5 works after this patch but not
> > before, good. But why is that? As you say, the server is supposed to
> > ignore the sequence number on context creation requests. And 0 is valid
> > sequence number as far as I know.
>
> By design of RPCGSS we have a 'last seen seq_number' counter on the
> server side per each GSS context
> and we must not accept any packet that was already seen before (we
> also have a bitmask of several last requests for this).
> This 'last seen counter' is unsigned int32 (the same as seq_num) so we
> can't just init it to -1 so next seq_num=0 will be valid.
> The most obvious implementation is to init it last_seen_seq_num to 0
> so the very 1st packet after NFS4 NULL must be 1 to differ from last
> seen seq_number.
Note in theory gssapi mechanisms can require multiple round trips (in
the GSS_PROC_CONTINUE_INIT case), so this wouldn't actually avoid
duplicate sequence numbers.
In any case, the rfc is unambiguous here: "In a creation request, the
seq_num and service fields are undefined and both must be ignored by the
server."
> A better implementation (theoretically) can set this counter to
> 'undefined' state by additional flag, but this is more
> resource-consuming
> (you need to process is_inited flag + last_seen_seq_num instead of
> just one counter).
> If the last seen seq_number is undefined during GSS initialization,
> then strictly speaking we can send ANY seq_num for the very 1st
> request after NFS4 NULL.
Right, again, from RFC 2203, " The seq_num field can start at any value
below MAXSEQ."
It can be implemented without the need for an is_inited flag.
The initial sequence number of 0 really did find an actual bug in the
server, so pynfs is definitely doing its job in this case!
--b.
next prev parent reply other threads:[~2021-10-01 14:13 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-30 15:22 GSSAPI fix for pynfs nfs4.1 client code Volodymyr Khomenko
2021-09-30 21:11 ` J. Bruce Fields
2021-09-30 21:25 ` J. Bruce Fields
2021-10-01 6:27 ` Volodymyr Khomenko
2021-10-01 6:12 ` Volodymyr Khomenko
2021-10-01 6:49 ` Volodymyr Khomenko
2021-10-01 14:13 ` J. Bruce Fields [this message]
2021-10-01 14:38 ` Volodymyr Khomenko
2021-10-01 15:48 ` J. Bruce Fields
2021-10-02 6:12 ` Volodymyr Khomenko
2021-10-02 20:38 ` J. Bruce Fields
2021-10-01 20:55 ` J. Bruce Fields
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211001141306.GD959@fieldses.org \
--to=bfields@fieldses.org \
--cc=linux-nfs@vger.kernel.org \
--cc=volodymyr@vastdata.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.