Re: Disable key exchange if ARC4 is not available

From: ronnie sahlberg <ronniesahlberg@gmail.com>
To: Tom Talpey <tom@talpey.com>
Cc: Steve French <smfrench@gmail.com>,
	Ronnie Sahlberg <lsahlber@redhat.com>,
	linux-cifs <linux-cifs@vger.kernel.org>
Subject: Re: Disable key exchange if ARC4 is not available
Date: Thu, 19 Aug 2021 07:04:39 +1000	[thread overview]
Message-ID: <CAN05THS56vy_8HH7yNv1fMCBoTxBfhM5V0MZo1G3UtHZOm+uNw@mail.gmail.com> (raw)
In-Reply-To: <da151f08-bd19-9bbe-8e4b-9d7a698a9c4d@talpey.com>

On Thu, Aug 19, 2021 at 4:33 AM Tom Talpey <tom@talpey.com> wrote:
>
> On 8/18/2021 12:51 PM, Steve French wrote:
> > On Wed, Aug 18, 2021 at 11:29 AM ronnie sahlberg
> > <ronniesahlberg@gmail.com> wrote:
> >>
> >> On Wed, Aug 18, 2021 at 11:18 PM Tom Talpey <tom@talpey.com> wrote:
> >>>
> >>> On 8/18/2021 12:10 AM, Ronnie Sahlberg wrote:
> >>>> Steve,
> >>>>
> >>>> We depend on ARC4 for generating the encrypted session key in key exchange.
> >>>> This patch disables the key exchange/encrypted session key for ntlmssp
> >>>> IF the kernel does not have any ARC4 support.
> >>>>
> >>>> This allows to build the cifs module even if ARC4 has been removed
> >>>> though with a weaker type of NTLMSSP support.
> >>>
> >>> It's a good goal but it seems wrong to downgrade the security
> >>> so silently. Wouldn't it be a better approach to select ARC4,
> >>> and thereby force the build to succeed or fail? Alternatively,
> >>> change the #ifndef ARC4 to a positive option named (for example)
> >>> DOWNGRADED_NTLMSSP or something equally foreboding?
> >>
> >> Good point.
> >> Maybe we should drop this patch and instead copy ARC4 into fs/cifs
> >> so we have a private version of the code in cifs.ko.
> >> And do the same for md4 and md5.
>
> Copying such code makes me uneasy. It's going to confuse everyone
> who tries to turn off one and misses the other. To say nothing of
> the risk of testing and addressing bugs.
>
> BTW, are we sure that servers even work if the client selects
> something other than ARC4, or whatever?
>

Removing ARC4 does work, at least against windows servers.
But it comes at the cost that we can not do key exchange, which
weakens the authentication.

Thinking about it, removing ARC4 because people want to make the
kernel "more secure"
would come at a cost of making cifs "less secure" :-(

The same situation, removal, exist for MD4 which is a core part of
NTLMSSP and can not be
disabled without full removal of NTLMSSP in its entirety.
For that case it was suggested that we "fork the md4 code and move it
into fs/cifs".

I don't think it is viable to remove NTLMSSP from the cifs module as
this would in reality
break cifs for most users so the only viable option might be that we
have to create a private fork of this.
And if we are already going to fork md4 and copy it into fs/cifs we
can just as well do the same for ARC4.

There are other modules depending on md4 too that can not disable it
without breaking all the users that need it
so I guess they will have to do the same.

I imagine that the kernel will then end up with no single common md4
hash in its cryptographic library
but several identical private copies of the md4 code in different modules.
lol

-- ronnie

> T
>
> > Yes ... and allow a build option where ARC4/MD4 are removed from the
> > build and NTLMSSP disabled,
> > forcing kerberos in the short term, and then we need to get working
> > ASAP on adding some choices in the future,
> > perhaps something similar to
> >
> > https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj852232(v=ws.11)
> >
> > where Windows allows plugging in additional auth mechanisms to SPNEGO
> > (and pick at least one new mechanism beyond
> > KRB5 to support in the kernel client ...)
> >