linux-cifs.vger.kernel.org archive mirror
From: ronnie sahlberg <ronniesahlberg@gmail.com>
To: Tom Talpey <tom@talpey.com>
Cc: Ronnie Sahlberg <lsahlber@redhat.com>,
	linux-cifs <linux-cifs@vger.kernel.org>,
	Steve French <smfrench@gmail.com>
Subject: Re: Disable key exchange if ARC4 is not available
Date: Thu, 19 Aug 2021 02:29:13 +1000
Message-ID: <CAN05THR_Y+uoER=iNiwoiZ0yPcJ2T-LvRqOew59G53SafUMg3g@mail.gmail.com>
In-Reply-To: <815daf08-7569-59ce-0318-dfe2b16e1d96@talpey.com>

On Wed, Aug 18, 2021 at 11:18 PM Tom Talpey <tom@talpey.com> wrote:
>
> On 8/18/2021 12:10 AM, Ronnie Sahlberg wrote:
> > Steve,
> >
> > We depend on ARC4 for generating the encrypted session key in key exchange.
> > This patch disables the key exchange/encrypted session key for ntlmssp
> > IF the kernel does not have any ARC4 support.
> >
> > This allows to build the cifs module even if ARC4 has been removed
> > though with a weaker type of NTLMSSP support.
>
> It's a good goal but it seems wrong to downgrade the security
> so silently. Wouldn't it be a better approach to select ARC4,
> and thereby force the build to succeed or fail? Alternatively,
> change the #ifndef ARC4 to a positive option named (for example)
> DOWNGRADED_NTLMSSP or something equally foreboding?

Good point.
Maybe we should drop this patch and instead copy ARC4 into fs/cifs
so we have a private version of the code in cifs.ko.
And do the same for md4 and md5.
>
> Tom.

Thread overview: 8+ messages
2021-08-18  4:10 Disable key exchange if ARC4 is not available Ronnie Sahlberg
2021-08-18  4:10 ` [PATCH] cifs: disable ntlmssp " Ronnie Sahlberg
2021-08-18 13:18 ` Disable " Tom Talpey
2021-08-18 16:27   ` ronnie sahlberg
2021-08-18 16:29   ` ronnie sahlberg [this message]
2021-08-18 16:51     ` Steve French
2021-08-18 18:33       ` Tom Talpey
2021-08-18 21:04         ` ronnie sahlberg
