Re: [PATCH] Revert "SUNRPC: Fail faster on bad verifier"

[Russell Cattelan <cattelan@xxxxxxxxxxx>]

On 9/6/23 1:05 PM, Chuck Lever III wrote:
> > On Sep 6, 2023, at 12:18 PM, Trond Myklebust <trondmy@xxxxxxxxxx> wrote:
> >
> > On Wed, 2023-09-06 at 15:20 +0000, Chuck Lever III wrote:
> > > > On Sep 6, 2023, at 10:33 AM, Trond Myklebust <trondmy@xxxxxxxxxx>
> > > > wrote:
> > > >
> > > > On Wed, 2023-09-06 at 13:40 +0000, Chuck Lever III wrote:
> > > > > > On Sep 5, 2023, at 9:03 PM, trondmy@xxxxxxxxxx wrote:
> > > > > >
> > > > > > From: Trond Myklebust <trond.myklebust@xxxxxxxxxxxxxxx>
> > > > > >
> > > > > > This reverts commit 0701214cd6e66585a999b132eb72ae0489beb724.
> > > > > >
> > > > > > The premise of this commit was incorrect. There are exactly 2
> > > > > > cases
> > > > > > where rpcauth_checkverf() will return an error:
> > > > > >
> > > > > > 1) If there was an XDR decode problem (i.e. garbage data).
> > > > > > 2) If gss_validate() had a problem verifying the RPCSEC_GSS
> > > > > > MIC.
> > > > >
> > > > > There's also the AUTH_TLS probe:
> > > > >
> > > > > https://www.rfc-editor.org/rfc/rfc9289.html#section-4.1-7
> > > > >
> > > > > That was the purpose of 0701214cd6e6.
> > > > >
> > > > > Reverting this commit is likely to cause problems when our
> > > > > TLS-capable client interacts with a server that knows
> > > > > nothing of AUTH_TLS.
> > > >
> > > > The patch completely broke the semantics of the header validation
> > > > code.
> > >
> > > If that were truly the case, it's amazing that the client
> > > has hobbled along for the past 14 months with no-one
> > > noticing the breakage until now.
> > >
> > > Seriously, though, treating a bad verifier as garbage args
> > > is not intuitive. If it's that critical there needs to be
> > > a comment in the code explaining why.
> >
> > It is necessary because of the peculiarities of RPCSEC_GSS and the
> > session semantics it implements.
> > See https://datatracker.ietf.org/doc/html/rfc2203#section-5.3.3.1 and
> > in particular, the paragraph discussing retransmissions by the client.
>
> Retrying is fine.
>
> But the counter in the client is called "garbage_retries".
> That's not what is going on the EACCES case, though the
> behavior is close enough -- it's code re-use (good) without
> appropriate documentation (bad).
>
> The decoder treats EIO and EACCES exactly the same way.
> Again, code reuse (good) without appropriate documentation
> (bad).
>
> I tried to address that in my RFC patch by adding a small
> explanatory comment and by adding an API contract for
> rpcauth_checkverf().
So this has come out of discussion that Trond and I are having as what 
should happen when rpcauth_checkverf fails.

The problem we are running into and fairly easy to repo with iptables 
drop <server ip> ; sleep 60 ;iptables accept <server ip>

Our systems are currently running either ubuntu 18.04 4.15 based or 
ubutunu 22.04 5.15 based both exhibit problem and neither has the change.

The problem happens before xdr_inline_decode and the switch statement
so I don't think the change has any affect on the problem we trying to 
sort out where the gss checksum does not match due to the re-trans due 
to the RPC timeout.

--Russell

> > > > There is no discussion about whether or not it needs to be
> > > > reverted.
> > >
> > > The patch description is wrong, though, to exclude AUTH_TLS.
> > >
> > > The reverting patch description claims to be an exhaustive
> > > list of all the cases, but it doesn't mention the AUTH_TLS
> > > case at all.
> > >
> > >
> > > > If the TLS code needs special treatment, then a separate patch is
> > > > needed to fix tls_validate() to return something that can be caught
> > > > by
> > > > rpc_decode_header and interpreted differently to the EIO and EACCES
> > > > error codes currently being returned by RPCSEC_GSS, AUTH_SYS and
> > > > others.
> > >
> > > That could have been brought up when 0701214cd6e6 was first
> > > posted for review. Interesting that the decoder currently
> > > does not distinguish between EIO and EACCES.
> > >
> > > Thanks for the suggestion, I'll have a look.
> >
> > Now that I look at it, I think your approach to satisfying RFC9289 is
> > not correct.
>
> I'm not following what aspect of the implementation is problematic.
> I'm going to assume you mean the implementation of opportunism.
>
>
> > Since this is a transport level issue, why should we not just mark the
> > xprt for disconnection, and then retry? It is entirely possible that
> > some load balancer/floating IP has just moved the connection to some
> > node that was not expecting to do TLS.
>
> Depending on the security policy chosen by the client's administrator,
> that could either be a security problem or a "don't care" situation.
>
> If the administrator wants the client to _require_ TLS, then
> connecting to a load balancer where TLS suddenly becomes unavailable
> after a reconnect is a hard error. This prevents STRIPTLS attacks.
> That's good security.
>
> If the administrator wants to allow operation to continue even if TLS
> is not available, then the client can recover by not using TLS. That's
> rather terrible security, but can be desirable to improve backward
> compatibility.
>
>
> > The only case where that should
> > not be assumed is the case where the error happens right at the very
> > beginning of the mount, when disconnecting should normally suffice to
> > trigger the RPC_TASK_SOFTCONN code anyway.
>
> If TLS goes away after a reconnect, that's a problem. Whether
> further operation should stop depends on the administrator's
> chosen security policy.
>
> The security policies are NFS-level settings (eg, mount options).
> RPC just indicates to NFS whether the traffic is protected or not.
>
> When NFS asks RPC to ensure the communication channel is protected,
> that means every reconnect is protected. Communication with that
> security policy cannot happen without protection.
>
> Trust me, the security community will have it no other way.
>
> If you need opportunism in this case, then I can add back the
> "xprtsec=auto" mount option, which you asked me to remove a while
> back.
>
>
> > > > > > In the second case, there are again 2 subcases:
> > > > > >
> > > > > > a) The GSS context expires, in which case gss_validate() will
> > > > > > force
> > > > > > a
> > > > > >    new context negotiation on retry by invalidating the cred.
> > > > > > b) The sequence number check failed because an RPC call timed
> > > > > > out,
> > > > > > and
> > > > > >    the client retransmitted the request using a new sequence
> > > > > > number,
> > > > > >    as required by RFC2203.
> > > > > >
> > > > > > In neither subcase is this a fatal error.
> > > > > >
> > > > > > Reported-by: Russell Cattelan <cattelan@xxxxxxxxxxx>
> > > > > > Fixes: 0701214cd6e6 ("SUNRPC: Fail faster on bad verifier")
> > > > > > Cc: stable@xxxxxxxxxxxxxxx
> > > > > > Signed-off-by: Trond Myklebust
> > > > > > <trond.myklebust@xxxxxxxxxxxxxxx>
> > > > > > ---
> > > > > > net/sunrpc/clnt.c | 2 +-
> > > > > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > > > > >
> > > > > > diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c
> > > > > > index 12c46e129db8..5a7de7e55548 100644
> > > > > > --- a/net/sunrpc/clnt.c
> > > > > > +++ b/net/sunrpc/clnt.c
> > > > > > @@ -2724,7 +2724,7 @@ rpc_decode_header(struct rpc_task *task,
> > > > > > struct xdr_stream *xdr)
> > > > > >
> > > > > > out_verifier:
> > > > > > trace_rpc_bad_verifier(task);
> > > > > > - goto out_err;
> > > > > > + goto out_garbage;
> > > > > >
> > > > > > out_msg_denied:
> > > > > > error = -EACCES;
> > > > > > --
> > > > > > 2.41.0
> > > > >
> > > > > --
> > > > > Chuck Lever
> > > >
> > > > --
> > > > Trond Myklebust
> > > > Linux NFS client maintainer, Hammerspace
> > > > trond.myklebust@xxxxxxxxxxxxxxx
> > >
> > >
> > > --
> > > Chuck Lever
>
>
> --
> Chuck Lever