diff options
| author | Chuck Lever <chuck.lever@oracle.com> | 2019-02-11 11:24:43 -0500 |
|---|---|---|
| committer | Anna Schumaker <Anna.Schumaker@Netapp.com> | 2019-02-13 13:33:12 -0500 |
| commit | fe9a270519c72bccb3af524db7ea6c7b67700d50 (patch) | |
| tree | c3a0026af4b4f69ed5880fd508c3e776870f92ab | |
| parent | 067fb11b12af1448f7bbcacca41e470cb775e9fa (diff) | |
SUNRPC: Add build option to disable support for insecure enctypes
Enable distributions to enforce the rejection of ancient and
insecure Kerberos enctypes in the kernel's RPCSEC_GSS
implementation. These are the single-DES encryption types that
were deprecated in 2012 by RFC 6649.
Enctypes that were deprecated more recently (by RFC 8429) remain
fully supported for now because they are still likely to be widely
used.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Acked-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
| -rw-r--r-- | include/linux/sunrpc/gss_krb5_enctypes.h | 42 | ||||
| -rw-r--r-- | net/sunrpc/Kconfig | 16 | ||||
| -rw-r--r-- | net/sunrpc/auth_gss/gss_krb5_mech.c | 2 |
3 files changed, 59 insertions, 1 deletions
diff --git a/include/linux/sunrpc/gss_krb5_enctypes.h b/include/linux/sunrpc/gss_krb5_enctypes.h index ec6234eee89c..981c89cef19d 100644 --- a/include/linux/sunrpc/gss_krb5_enctypes.h +++ b/include/linux/sunrpc/gss_krb5_enctypes.h | |||
| @@ -1,4 +1,44 @@ | |||
| 1 | /* SPDX-License-Identifier: GPL-2.0 */ | ||
| 1 | /* | 2 | /* |
| 2 | * Dumb way to share this static piece of information with nfsd | 3 | * Define the string that exports the set of kernel-supported |
| 4 | * Kerberos enctypes. This list is sent via upcall to gssd, and | ||
| 5 | * is also exposed via the nfsd /proc API. The consumers generally | ||
| 6 | * treat this as an ordered list, where the first item in the list | ||
| 7 | * is the most preferred. | ||
| 8 | */ | ||
| 9 | |||
| 10 | #ifndef _LINUX_SUNRPC_GSS_KRB5_ENCTYPES_H | ||
| 11 | #define _LINUX_SUNRPC_GSS_KRB5_ENCTYPES_H | ||
| 12 | |||
| 13 | #ifdef CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES | ||
| 14 | |||
| 15 | /* | ||
| 16 | * NB: This list includes encryption types that were deprecated | ||
| 17 | * by RFC 8429 (DES3_CBC_SHA1 and ARCFOUR_HMAC). | ||
| 18 | * | ||
| 19 | * ENCTYPE_AES256_CTS_HMAC_SHA1_96 | ||
| 20 | * ENCTYPE_AES128_CTS_HMAC_SHA1_96 | ||
| 21 | * ENCTYPE_DES3_CBC_SHA1 | ||
| 22 | * ENCTYPE_ARCFOUR_HMAC | ||
| 23 | */ | ||
| 24 | #define KRB5_SUPPORTED_ENCTYPES "18,17,16,23" | ||
| 25 | |||
| 26 | #else /* CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES */ | ||
| 27 | |||
| 28 | /* | ||
| 29 | * NB: This list includes encryption types that were deprecated | ||
| 30 | * by RFC 8429 and RFC 6649. | ||
| 31 | * | ||
| 32 | * ENCTYPE_AES256_CTS_HMAC_SHA1_96 | ||
| 33 | * ENCTYPE_AES128_CTS_HMAC_SHA1_96 | ||
| 34 | * ENCTYPE_DES3_CBC_SHA1 | ||
| 35 | * ENCTYPE_ARCFOUR_HMAC | ||
| 36 | * ENCTYPE_DES_CBC_MD5 | ||
| 37 | * ENCTYPE_DES_CBC_CRC | ||
| 38 | * ENCTYPE_DES_CBC_MD4 | ||
| 3 | */ | 39 | */ |
| 4 | #define KRB5_SUPPORTED_ENCTYPES "18,17,16,23,3,1,2" | 40 | #define KRB5_SUPPORTED_ENCTYPES "18,17,16,23,3,1,2" |
| 41 | |||
| 42 | #endif /* CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES */ | ||
| 43 | |||
| 44 | #endif /* _LINUX_SUNRPC_GSS_KRB5_ENCTYPES_H */ | ||
diff --git a/net/sunrpc/Kconfig b/net/sunrpc/Kconfig index ac09ca803296..83f5617bae07 100644 --- a/net/sunrpc/Kconfig +++ b/net/sunrpc/Kconfig | |||
| @@ -34,6 +34,22 @@ config RPCSEC_GSS_KRB5 | |||
| 34 | 34 | ||
| 35 | If unsure, say Y. | 35 | If unsure, say Y. |
| 36 | 36 | ||
| 37 | config CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES | ||
| 38 | bool "Secure RPC: Disable insecure Kerberos encryption types" | ||
| 39 | depends on RPCSEC_GSS_KRB5 | ||
| 40 | default n | ||
| 41 | help | ||
| 42 | Choose Y here to disable the use of deprecated encryption types | ||
| 43 | with the Kerberos version 5 GSS-API mechanism (RFC 1964). The | ||
| 44 | deprecated encryption types include DES-CBC-MD5, DES-CBC-CRC, | ||
| 45 | and DES-CBC-MD4. These types were deprecated by RFC 6649 because | ||
| 46 | they were found to be insecure. | ||
| 47 | |||
| 48 | N is the default because many sites have deployed KDCs and | ||
| 49 | keytabs that contain only these deprecated encryption types. | ||
| 50 | Choosing Y prevents the use of known-insecure encryption types | ||
| 51 | but might result in compatibility problems. | ||
| 52 | |||
| 37 | config SUNRPC_DEBUG | 53 | config SUNRPC_DEBUG |
| 38 | bool "RPC: Enable dprintk debugging" | 54 | bool "RPC: Enable dprintk debugging" |
| 39 | depends on SUNRPC && SYSCTL | 55 | depends on SUNRPC && SYSCTL |
diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c index eab71fc7af3e..be31a58d54e0 100644 --- a/net/sunrpc/auth_gss/gss_krb5_mech.c +++ b/net/sunrpc/auth_gss/gss_krb5_mech.c | |||
| @@ -53,6 +53,7 @@ | |||
| 53 | static struct gss_api_mech gss_kerberos_mech; /* forward declaration */ | 53 | static struct gss_api_mech gss_kerberos_mech; /* forward declaration */ |
| 54 | 54 | ||
| 55 | static const struct gss_krb5_enctype supported_gss_krb5_enctypes[] = { | 55 | static const struct gss_krb5_enctype supported_gss_krb5_enctypes[] = { |
| 56 | #ifndef CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES | ||
| 56 | /* | 57 | /* |
| 57 | * DES (All DES enctypes are mapped to the same gss functionality) | 58 | * DES (All DES enctypes are mapped to the same gss functionality) |
| 58 | */ | 59 | */ |
| @@ -74,6 +75,7 @@ static const struct gss_krb5_enctype supported_gss_krb5_enctypes[] = { | |||
| 74 | .cksumlength = 8, | 75 | .cksumlength = 8, |
| 75 | .keyed_cksum = 0, | 76 | .keyed_cksum = 0, |
| 76 | }, | 77 | }, |
| 78 | #endif /* CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES */ | ||
| 77 | /* | 79 | /* |
| 78 | * RC4-HMAC | 80 | * RC4-HMAC |
| 79 | */ | 81 | */ |