Linux-NFS Archive on lore.kernel.org
 help / color / Atom feed
From: Chuck Lever <chuck.lever@oracle.com>
To: anna.schumaker@netapp.com
Cc: linux-rdma@vger.kernel.org, linux-nfs@vger.kernel.org
Subject: [PATCH v1 12/23] SUNRPC: Add build option to disable support for insecure enctypes
Date: Mon, 11 Feb 2019 11:24:43 -0500
Message-ID: <20190211162442.2817.45497.stgit@manet.1015granger.net> (raw)
In-Reply-To: <20190211161920.2817.20881.stgit@manet.1015granger.net>

Enable distributions to enforce the rejection of ancient and
insecure Kerberos enctypes in the kernel's RPCSEC_GSS
implementation. These are the single-DES encryption types that
were deprecated in 2012 by RFC 6649.

Enctypes that were deprecated more recently (by RFC 8429) remain
fully supported for now because they are still likely to be widely
used.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Acked-by: Simo Sorce <simo@redhat.com>
---
 include/linux/sunrpc/gss_krb5_enctypes.h |   42 +++++++++++++++++++++++++++++-
 net/sunrpc/Kconfig                       |   16 +++++++++++
 net/sunrpc/auth_gss/gss_krb5_mech.c      |    2 +
 3 files changed, 59 insertions(+), 1 deletion(-)

diff --git a/include/linux/sunrpc/gss_krb5_enctypes.h b/include/linux/sunrpc/gss_krb5_enctypes.h
index ec6234e..981c89c 100644
--- a/include/linux/sunrpc/gss_krb5_enctypes.h
+++ b/include/linux/sunrpc/gss_krb5_enctypes.h
@@ -1,4 +1,44 @@
+/* SPDX-License-Identifier: GPL-2.0 */
 /*
- * Dumb way to share this static piece of information with nfsd
+ * Define the string that exports the set of kernel-supported
+ * Kerberos enctypes. This list is sent via upcall to gssd, and
+ * is also exposed via the nfsd /proc API. The consumers generally
+ * treat this as an ordered list, where the first item in the list
+ * is the most preferred.
+ */
+
+#ifndef _LINUX_SUNRPC_GSS_KRB5_ENCTYPES_H
+#define _LINUX_SUNRPC_GSS_KRB5_ENCTYPES_H
+
+#ifdef CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES
+
+/*
+ * NB: This list includes encryption types that were deprecated
+ * by RFC 8429 (DES3_CBC_SHA1 and ARCFOUR_HMAC).
+ *
+ * ENCTYPE_AES256_CTS_HMAC_SHA1_96
+ * ENCTYPE_AES128_CTS_HMAC_SHA1_96
+ * ENCTYPE_DES3_CBC_SHA1
+ * ENCTYPE_ARCFOUR_HMAC
+ */
+#define KRB5_SUPPORTED_ENCTYPES "18,17,16,23"
+
+#else	/* CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES */
+
+/*
+ * NB: This list includes encryption types that were deprecated
+ * by RFC 8429 and RFC 6649.
+ *
+ * ENCTYPE_AES256_CTS_HMAC_SHA1_96
+ * ENCTYPE_AES128_CTS_HMAC_SHA1_96
+ * ENCTYPE_DES3_CBC_SHA1
+ * ENCTYPE_ARCFOUR_HMAC
+ * ENCTYPE_DES_CBC_MD5
+ * ENCTYPE_DES_CBC_CRC
+ * ENCTYPE_DES_CBC_MD4
  */
 #define KRB5_SUPPORTED_ENCTYPES "18,17,16,23,3,1,2"
+
+#endif	/* CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES */
+
+#endif	/* _LINUX_SUNRPC_GSS_KRB5_ENCTYPES_H */
diff --git a/net/sunrpc/Kconfig b/net/sunrpc/Kconfig
index ac09ca8..83f5617 100644
--- a/net/sunrpc/Kconfig
+++ b/net/sunrpc/Kconfig
@@ -34,6 +34,22 @@ config RPCSEC_GSS_KRB5
 
 	  If unsure, say Y.
 
+config CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES
+	bool "Secure RPC: Disable insecure Kerberos encryption types"
+	depends on RPCSEC_GSS_KRB5
+	default n
+	help
+	  Choose Y here to disable the use of deprecated encryption types
+	  with the Kerberos version 5 GSS-API mechanism (RFC 1964). The
+	  deprecated encryption types include DES-CBC-MD5, DES-CBC-CRC,
+	  and DES-CBC-MD4. These types were deprecated by RFC 6649 because
+	  they were found to be insecure.
+
+	  N is the default because many sites have deployed KDCs and
+	  keytabs that contain only these deprecated encryption types.
+	  Choosing Y prevents the use of known-insecure encryption types
+	  but might result in compatibility problems.
+
 config SUNRPC_DEBUG
 	bool "RPC: Enable dprintk debugging"
 	depends on SUNRPC && SYSCTL
diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c
index eab71fc..be31a58 100644
--- a/net/sunrpc/auth_gss/gss_krb5_mech.c
+++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
@@ -53,6 +53,7 @@
 static struct gss_api_mech gss_kerberos_mech;	/* forward declaration */
 
 static const struct gss_krb5_enctype supported_gss_krb5_enctypes[] = {
+#ifndef CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES
 	/*
 	 * DES (All DES enctypes are mapped to the same gss functionality)
 	 */
@@ -74,6 +75,7 @@
 	  .cksumlength = 8,
 	  .keyed_cksum = 0,
 	},
+#endif	/* CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES */
 	/*
 	 * RC4-HMAC
 	 */


  parent reply index

Thread overview: 37+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-02-11 16:23 [PATCH v1 00/23] NFS client patches for v5.1 (complete) Chuck Lever
2019-02-11 16:23 ` [PATCH v1 01/23] xprtrdma: Fix sparse warnings Chuck Lever
2019-02-11 16:23 ` [PATCH v1 02/23] xprtrdma: Check inline size before providing a Write chunk Chuck Lever
2019-02-11 16:23 ` [PATCH v1 03/23] xprtrdma: Reduce the doorbell rate (Receive) Chuck Lever
2019-02-11 16:24 ` [PATCH v1 04/23] SUNRPC: Display symbolic flag names in RPC trace events Chuck Lever
2019-02-11 16:24 ` [PATCH v1 05/23] SUNRPC: Add xdr_stream::rqst field Chuck Lever
2019-02-11 16:24 ` [PATCH v1 06/23] SUNRPC: Add XDR overflow trace event Chuck Lever
2019-02-11 16:24 ` [PATCH v1 07/23] SUNRPC: Add trace event that reports reply page vector alignment Chuck Lever
2019-02-11 16:24 ` [PATCH v1 08/23] NFS: Remove print_overflow_msg() Chuck Lever
2019-02-11 16:24 ` [PATCH v1 09/23] NFS: Add trace events to report non-zero NFS status codes Chuck Lever
2019-02-11 16:24 ` [PATCH v1 10/23] SUNRPC: Remove some dprintk() call sites from auth functions Chuck Lever
2019-02-11 16:24 ` [PATCH v1 11/23] SUNRPC: Remove rpc_xprt::tsh_size Chuck Lever
2019-02-11 16:24 ` Chuck Lever [this message]
2019-02-11 16:24 ` [PATCH v1 13/23] SUNRPC: Use struct xdr_stream when constructing RPC Call header Chuck Lever
2019-02-11 16:24 ` [PATCH v1 14/23] SUNRPC: Clean up rpc_verify_header() Chuck Lever
2019-02-11 16:24 ` [PATCH v1 15/23] SUNRPC: Use struct xdr_stream when decoding RPC Reply header Chuck Lever
2019-02-11 16:25 ` [PATCH v1 16/23] SUNRPC: Introduce trace points in rpc_auth_gss.ko Chuck Lever
2019-02-11 16:25 ` [PATCH v1 17/23] SUNRPC: Remove xdr_buf_trim() Chuck Lever
2019-02-11 16:25 ` [PATCH v1 18/23] SUNRPC: Add SPDX IDs to some net/sunrpc/auth_gss/ files Chuck Lever
2019-02-11 16:25 ` [PATCH v1 19/23] SUNRPC: Introduce rpc_prepare_reply_pages() Chuck Lever
2019-02-11 16:25 ` [PATCH v1 20/23] NFS: Account for XDR pad of buf->pages Chuck Lever
2019-04-05 17:36   ` Olga Kornievskaia
2019-04-05 17:51     ` Chuck Lever
2019-04-05 19:17       ` Olga Kornievskaia
2019-04-05 19:23         ` Chuck Lever
2019-04-05 19:27           ` Olga Kornievskaia
2019-04-05 19:42             ` Chuck Lever
2019-04-08 14:36               ` Olga Kornievskaia
2019-04-08 14:43                 ` Chuck Lever
2019-04-08 15:21                   ` Olga Kornievskaia
2019-04-08 15:26                     ` Olga Kornievskaia
2019-04-08 15:50                       ` Olga Kornievskaia
2019-04-08 16:02                         ` Olga Kornievskaia
2019-04-08 16:29                         ` Chuck Lever
2019-02-11 16:25 ` [PATCH v1 21/23] SUNRPC: Make AUTH_SYS and AUTH_NULL set au_verfsize Chuck Lever
2019-02-11 16:25 ` [PATCH v1 22/23] SUNRPC: Add rpc_auth::au_ralign field Chuck Lever
2019-02-11 16:25 ` [PATCH v1 23/23] SUNRPC: Use au_rslack when computing reply buffer size Chuck Lever

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190211162442.2817.45497.stgit@manet.1015granger.net \
    --to=chuck.lever@oracle.com \
    --cc=anna.schumaker@netapp.com \
    --cc=linux-nfs@vger.kernel.org \
    --cc=linux-rdma@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-NFS Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-nfs/0 linux-nfs/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-nfs linux-nfs/ https://lore.kernel.org/linux-nfs \
		linux-nfs@vger.kernel.org
	public-inbox-index linux-nfs

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-nfs


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git