linux-cifs.vger.kernel.org archive mirror
From: Tom Talpey <tom@talpey.com>
To: Ronnie Sahlberg <lsahlber@redhat.com>,
	linux-cifs <linux-cifs@vger.kernel.org>
Cc: Steve French <smfrench@gmail.com>
Subject: Re: Disable key exchange if ARC4 is not available
Date: Wed, 18 Aug 2021 09:18:02 -0400
Message-ID: <815daf08-7569-59ce-0318-dfe2b16e1d96@talpey.com>
In-Reply-To: <20210818041021.1210797-1-lsahlber@redhat.com>

On 8/18/2021 12:10 AM, Ronnie Sahlberg wrote:
> Steve,
> 
> We depend on ARC4 for generating the encrypted session key in key exchange.
> This patch disables the key exchange/encrypted session key for ntlmssp
> IF the kernel does not have any ARC4 support.
> 
> This allows to build the cifs module even if ARC4 has been removed
> though with a weaker type of NTLMSSP support.

It's a good goal but it seems wrong to downgrade the security
so silently. Wouldn't it be a better approach to select ARC4,
and thereby force the build to succeed or fail? Alternatively,
change the #ifndef ARC4 to a positive option named (for example)
DOWNGRADED_NTLMSSP or something equally foreboding?

Tom.
