3 files changed, 59 insertions, 1 deletions
diff --git a/include/linux/sunrpc/gss_krb5_enctypes.h b/include/linux/sunrpc/gss_krb5_enctypes.h
index ec6234eee89c..981c89cef19d 100644
--- a/include/linux/sunrpc/gss_krb5_enctypes.h
+++ b/include/linux/sunrpc/gss_krb5_enctypes.h
@@ -1,4 +1,44 @@
+/* SPDX-License-Identifier: GPL-2.0 */
 /*
- * Dumb way to share this static piece of information with nfsd
+ * Define the string that exports the set of kernel-supported
+ * Kerberos enctypes. This list is sent via upcall to gssd, and
+ * is also exposed via the nfsd /proc API. The consumers generally
+ * treat this as an ordered list, where the first item in the list
+ * is the most preferred.
+ */
+#ifndef _LINUX_SUNRPC_GSS_KRB5_ENCTYPES_H
+#define _LINUX_SUNRPC_GSS_KRB5_ENCTYPES_H
+#ifdef CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES
+/*
+ * NB: This list includes encryption types that were deprecated
+ * by RFC 8429 (DES3_CBC_SHA1 and ARCFOUR_HMAC).
+ *
+ * ENCTYPE_AES256_CTS_HMAC_SHA1_96
+ * ENCTYPE_AES128_CTS_HMAC_SHA1_96
+ * ENCTYPE_DES3_CBC_SHA1
+ * ENCTYPE_ARCFOUR_HMAC
+ */
+#define KRB5_SUPPORTED_ENCTYPES "18,17,16,23"
+#else   /* CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES */
+/*
+ * NB: This list includes encryption types that were deprecated
+ * by RFC 8429 and RFC 6649.
+ *
+ * ENCTYPE_AES256_CTS_HMAC_SHA1_96
+ * ENCTYPE_AES128_CTS_HMAC_SHA1_96
+ * ENCTYPE_DES3_CBC_SHA1
+ * ENCTYPE_ARCFOUR_HMAC
+ * ENCTYPE_DES_CBC_MD5
+ * ENCTYPE_DES_CBC_CRC
+ * ENCTYPE_DES_CBC_MD4
 */
 #define KRB5_SUPPORTED_ENCTYPES "18,17,16,23,3,1,2"
+#endif  /* CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES */
+#endif  /* _LINUX_SUNRPC_GSS_KRB5_ENCTYPES_H */
diff --git a/net/sunrpc/Kconfig b/net/sunrpc/Kconfig
index ac09ca803296..83f5617bae07 100644
--- a/net/sunrpc/Kconfig
+++ b/net/sunrpc/Kconfig
@@ -34,6 +34,22 @@ config RPCSEC_GSS_KRB5
          If unsure, say Y.
+config CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES
+        bool "Secure RPC: Disable insecure Kerberos encryption types"
+        depends on RPCSEC_GSS_KRB5
+        default n
+        help
+          Choose Y here to disable the use of deprecated encryption types
+          with the Kerberos version 5 GSS-API mechanism (RFC 1964). The
+          deprecated encryption types include DES-CBC-MD5, DES-CBC-CRC,
+          and DES-CBC-MD4. These types were deprecated by RFC 6649 because
+          they were found to be insecure.
+          N is the default because many sites have deployed KDCs and
+          keytabs that contain only these deprecated encryption types.
+          Choosing Y prevents the use of known-insecure encryption types
+          but might result in compatibility problems.
 config SUNRPC_DEBUG
        bool "RPC: Enable dprintk debugging"
        depends on SUNRPC && SYSCTL
diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c
index eab71fc7af3e..be31a58d54e0 100644
--- a/net/sunrpc/auth_gss/gss_krb5_mech.c
+++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
@@ -53,6 +53,7 @@
 static struct gss_api_mech gss_kerberos_mech;   /* forward declaration */
 static const struct gss_krb5_enctype supported_gss_krb5_enctypes[] = {
+#ifndef CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES
        /*
         * DES (All DES enctypes are mapped to the same gss functionality)
         */
@@ -74,6 +75,7 @@ static const struct gss_krb5_enctype supported_gss_krb5_enctypes[] = {
          .cksumlength = 8,
          .keyed_cksum = 0,
        },
+#endif  /* CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES */
        /*
         * RC4-HMAC
         */

diff --git a/include/linux/sunrpc/gss_krb5_enctypes.h b/include/linux/sunrpc/gss_krb5_enctypes.h index ec6234eee89c..981c89cef19d 100644 --- a/include/linux/sunrpc/gss_krb5_enctypes.h +++ b/include/linux/sunrpc/gss_krb5_enctypes.h
@@ -1,4 +1,44 @@
		1	/* SPDX-License-Identifier: GPL-2.0 */
1	/*	2	/*
2	* Dumb way to share this static piece of information with nfsd	3	* Define the string that exports the set of kernel-supported
		4	* Kerberos enctypes. This list is sent via upcall to gssd, and
		5	* is also exposed via the nfsd /proc API. The consumers generally
		6	* treat this as an ordered list, where the first item in the list
		7	* is the most preferred.
		8	*/
		9
		10	#ifndef _LINUX_SUNRPC_GSS_KRB5_ENCTYPES_H
		11	#define _LINUX_SUNRPC_GSS_KRB5_ENCTYPES_H
		12
		13	#ifdef CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES
		14
		15	/*
		16	* NB: This list includes encryption types that were deprecated
		17	* by RFC 8429 (DES3_CBC_SHA1 and ARCFOUR_HMAC).
		18	*
		19	* ENCTYPE_AES256_CTS_HMAC_SHA1_96
		20	* ENCTYPE_AES128_CTS_HMAC_SHA1_96
		21	* ENCTYPE_DES3_CBC_SHA1
		22	* ENCTYPE_ARCFOUR_HMAC
		23	*/
		24	#define KRB5_SUPPORTED_ENCTYPES "18,17,16,23"
		25
		26	#else /* CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES */
		27
		28	/*
		29	* NB: This list includes encryption types that were deprecated
		30	* by RFC 8429 and RFC 6649.
		31	*
		32	* ENCTYPE_AES256_CTS_HMAC_SHA1_96
		33	* ENCTYPE_AES128_CTS_HMAC_SHA1_96
		34	* ENCTYPE_DES3_CBC_SHA1
		35	* ENCTYPE_ARCFOUR_HMAC
		36	* ENCTYPE_DES_CBC_MD5
		37	* ENCTYPE_DES_CBC_CRC
		38	* ENCTYPE_DES_CBC_MD4
3	*/	39	*/
4	#define KRB5_SUPPORTED_ENCTYPES "18,17,16,23,3,1,2"	40	#define KRB5_SUPPORTED_ENCTYPES "18,17,16,23,3,1,2"
		41
		42	#endif /* CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES */
		43
		44	#endif /* _LINUX_SUNRPC_GSS_KRB5_ENCTYPES_H */


diff --git a/net/sunrpc/Kconfig b/net/sunrpc/Kconfig index ac09ca803296..83f5617bae07 100644 --- a/net/sunrpc/Kconfig +++ b/net/sunrpc/Kconfig
@@ -34,6 +34,22 @@ config RPCSEC_GSS_KRB5
34		34
35	If unsure, say Y.	35	If unsure, say Y.
36		36
		37	config CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES
		38	bool "Secure RPC: Disable insecure Kerberos encryption types"
		39	depends on RPCSEC_GSS_KRB5
		40	default n
		41	help
		42	Choose Y here to disable the use of deprecated encryption types
		43	with the Kerberos version 5 GSS-API mechanism (RFC 1964). The
		44	deprecated encryption types include DES-CBC-MD5, DES-CBC-CRC,
		45	and DES-CBC-MD4. These types were deprecated by RFC 6649 because
		46	they were found to be insecure.
		47
		48	N is the default because many sites have deployed KDCs and
		49	keytabs that contain only these deprecated encryption types.
		50	Choosing Y prevents the use of known-insecure encryption types
		51	but might result in compatibility problems.
		52
37	config SUNRPC_DEBUG	53	config SUNRPC_DEBUG
38	bool "RPC: Enable dprintk debugging"	54	bool "RPC: Enable dprintk debugging"
39	depends on SUNRPC && SYSCTL	55	depends on SUNRPC && SYSCTL


diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c index eab71fc7af3e..be31a58d54e0 100644 --- a/net/sunrpc/auth_gss/gss_krb5_mech.c +++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
@@ -53,6 +53,7 @@
53	static struct gss_api_mech gss_kerberos_mech; /* forward declaration */	53	static struct gss_api_mech gss_kerberos_mech; /* forward declaration */
54		54
55	static const struct gss_krb5_enctype supported_gss_krb5_enctypes[] = {	55	static const struct gss_krb5_enctype supported_gss_krb5_enctypes[] = {
		56	#ifndef CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES
56	/*	57	/*
57	* DES (All DES enctypes are mapped to the same gss functionality)	58	* DES (All DES enctypes are mapped to the same gss functionality)
58	*/	59	*/
@@ -74,6 +75,7 @@ static const struct gss_krb5_enctype supported_gss_krb5_enctypes[] = {
74	.cksumlength = 8,	75	.cksumlength = 8,
75	.keyed_cksum = 0,	76	.keyed_cksum = 0,
76	},	77	},
		78	#endif /* CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES */
77	/*	79	/*
78	* RC4-HMAC	80	* RC4-HMAC
79	*/	81	*/