P.S., the bug you point to seems to be a general encryption one. But it does not seem to be affecting normal DH (if I turn off sigver in dCache I can use the 4.10 client).

________________________________________________
Albert L. Rossi
Application Developer & Systems Analyst III
Scientific Computing Division, Data Movement Development
FCC 229A
Mail Station 369 (FCC 2W)
Fermi National Accelerator Laboratory
Batavia, IL 60510
(630) 840-3023

________________________________
From: Albert Rossi
Sent: Monday, August 19, 2019 11:54:52 AM
To: Michal Kamil Simon; xrootd-dev
Subject: Re: signed hash 4.9.1 4.10.0

Hi Michal,

OK, I see that now there are extra 32 bytes included in the signature.

With 4.9.1, dCache sees something like this:

    19 Aug 2019 11:46:20 [xrootd-net-0] [door:Xrootd0-fndcatemp1@xrootd0-fndcatemp1Domain:AAWQexRQ3DA] compareHashes
    received a36c3fc283cd0ba703bf87a8606c8557fad83d0783f8c117781ad4ec8084238b
    generated a36c3fc283cd0ba703bf87a8606c8557fad83d0783f8c117781ad4ec8084238b

With 4.10.0, instead, there is the 32-byte: 10101010101010101010101010101010

    19 Aug 2019 11:46:31 [xrootd-net-1] [door:Xrootd0-fndcatemp1@xrootd0-fndcatemp1Domain:AAWQexT+7rA] compareHashes, different lengths:
    received de7a8af3e690059f5550ede93ec3ede4723afd2a4fe2ce3656e3820e0d5d9c3e10101010101010101010101010101010
    generated de7a8af3e690059f5550ede93ec3ede4723afd2a4fe2ce3656e3820e0d5d9c3e

Why is that now there?

The specification (http://xrootd.org/doc/dev49/XRdv400.htm#_Toc532936621), 4.26.1 Signing a request, still states that the hash + data sequence should be (for SHA-2 / SHA256):

  1. an unsigned 64-bit sequence number,
  2. the request header, and
  3. the request payload,

  in that exact order.

How is this extra 32 bytes to be handled?

Thanks, Al

________________________________
From: Michal Kamil Simon
Sent: Friday, August 16, 2019 11:17:58 AM
To: Albert Rossi; xrootd-dev
Subject: RE: signed hash 4.9.1 4.10.0

Hi Albert,

There was a bug in calculating the size of signature that has been fixed right before releasing 4.10.0:

https://github.com/xrootd/xrootd/commit/8bfbae668752f7931c5b88a86105906198817402

Cheers,
Michal

________________________________
From: Albert Rossi
Sent: 16 August 2019 16:33
To: xrootd-dev
Subject: signed hash 4.9.1 4.10.0

Hello,

I am testing the 4.10 client against the current implementation of dCache, and have found the following (xrdcp491 and xrdcp410 are small bash wrappers that point to different xrootd installations and ensure the LD_LIBRARY_PATH is correct):

    [arossi@otfrid ~]$ xrdcp491 /etc/fstab root://fndcatemp1.fnal.gov:1094//pnfs/fs/usr/test/arossi/volatile/fstabwith491-test
    [574B/574B][100%][==================================================][574B/s]
    [arossi@otfrid ~]$ xrdcp410 /etc/fstab root://fndcatemp1.fnal.gov:1094//pnfs/fs/usr/test/arossi/volatile/fstabwith410-test
    [0B/0B][100%][==================================================][0B/s]
    Run: [ERROR] Server responded with an error: [4003] signed hash verification: received hash length does not match generated hash.

Has the signed hash implementation in the client changed between 4.9 and 4.10?

Thanks, Al
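
The comparison discussed in this thread, as an added diagnostic example (not dCache or XRootD code; the function names `signing_digest` and `classify` are hypothetical). It hashes the fields in the order quoted from the specification and then classifies a received/generated mismatch, using the values from the 4.10.0 log line above, whose 32 trailing hex characters decode to 16 bytes of value 0x10. Assumptions: the sequence number is serialized big-endian, and the signature is encrypted with a 16-byte block cipher, in which case a full block of 0x10 bytes matches the pattern PKCS#7 padding produces on block-aligned input.

```python
import hashlib
import hmac
import struct

BLOCK = 16  # assumption: cipher block size in bytes


def signing_digest(seqno: int, header: bytes, payload: bytes) -> bytes:
    """SHA-256 over seqno || header || payload, the order quoted from the spec.

    Assumption: the unsigned 64-bit sequence number is big-endian.
    """
    h = hashlib.sha256()
    h.update(struct.pack(">Q", seqno))
    h.update(header)
    h.update(payload)
    return h.digest()


def classify(received: bytes, generated: bytes) -> str:
    """Explain a compareHashes result; a mismatch is never reported as a match."""
    if len(received) == len(generated):
        same = hmac.compare_digest(received, generated)  # constant-time compare
        return "match" if same else "digest-differs"
    prefix, extra = received[:len(generated)], received[len(generated):]
    if not hmac.compare_digest(prefix, generated):
        return "digest-differs"
    # One whole block of bytes whose value equals the block size is what
    # PKCS#7 padding appends to input that is already block-aligned.
    if extra == bytes([BLOCK]) * BLOCK:
        return "digest-ok-plus-full-pad-block"
    return "digest-ok-plus-unknown-trailer"


# Values copied from the 4.10.0 log line in the thread.
RECEIVED = bytes.fromhex(
    "de7a8af3e690059f5550ede93ec3ede4723afd2a4fe2ce3656e3820e0d5d9c3e"
    "10101010101010101010101010101010")
GENERATED = bytes.fromhex(
    "de7a8af3e690059f5550ede93ec3ede4723afd2a4fe2ce3656e3820e0d5d9c3e")

if __name__ == "__main__":
    print(classify(RECEIVED, GENERATED))
    # Constructed request (placeholder header and payload), to show the hashing order.
    print(signing_digest(1, b"\x00" * 24, b"/constructed/path").hex())
```
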