diff options
| author | Chuck Lever <chuck.lever@oracle.com> | 2026-04-27 09:51:00 -0400 |
|---|---|---|
| committer | Chuck Lever <chuck.lever@oracle.com> | 2026-05-28 11:31:26 -0400 |
| commit | 15963be1bad441f3f3e91cd07ed33b6f6923064e (patch) | |
| tree | 7e435f7226294391e8e2b59f8b7e96754dc04369 /net | |
| parent | 10c13173c509dacc1a95b66df990eb930c8bdb75 (diff) | |
| download | linux-next-history-15963be1bad441f3f3e91cd07ed33b6f6923064e.tar.gz | |
SUNRPC: Remove per-enctype Kconfig options
The RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA1,
RPCSEC_GSS_KRB5_ENCTYPES_CAMELLIA, and
RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2 Kconfig options
originally gated both algorithm availability and the
advertised enctype list. Now that per-message crypto
operations are routed through crypto/krb5, these options
control only which enctype numbers appear in the gssd
upcall string; the underlying algorithms are always
present.
Remove the per-enctype Kconfig options and replace the
ifdef-gated enctype table with a candidate list looked
up in the crypto/krb5 enctype table at module init
time. Each enctype is included in the advertised list
only if crypto_krb5_find_enctype() finds it in the
library's enctype table. When a new enctype is added
to crypto/krb5, adding its constant to the candidate
array is sufficient to begin advertising it.
Assisted-by: Claude:claude-opus-4-6
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Acked-by: Anna Schumaker <anna.schumaker@hammerspace.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Diffstat (limited to 'net')
| -rw-r--r-- | net/sunrpc/Kconfig | 38 | ||||
| -rw-r--r-- | net/sunrpc/auth_gss/gss_krb5_mech.c | 30 |
2 files changed, 14 insertions, 54 deletions
diff --git a/net/sunrpc/Kconfig b/net/sunrpc/Kconfig index 1c2e1fe9d3659..305c55cdbd45f 100644 --- a/net/sunrpc/Kconfig +++ b/net/sunrpc/Kconfig @@ -35,44 +35,6 @@ config RPCSEC_GSS_KRB5 If unsure, say Y. -config RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA1 - bool "Enable Kerberos enctypes based on AES and SHA-1" - depends on RPCSEC_GSS_KRB5 - depends on CRYPTO_CBC && CRYPTO_CTS - depends on CRYPTO_HMAC && CRYPTO_SHA1 - depends on CRYPTO_AES - default y - help - Choose Y to enable the use of Kerberos 5 encryption types - that utilize Advanced Encryption Standard (AES) ciphers and - SHA-1 digests. These include aes128-cts-hmac-sha1-96 and - aes256-cts-hmac-sha1-96. - -config RPCSEC_GSS_KRB5_ENCTYPES_CAMELLIA - bool "Enable Kerberos encryption types based on Camellia and CMAC" - depends on RPCSEC_GSS_KRB5 - depends on CRYPTO_CBC && CRYPTO_CTS && CRYPTO_CAMELLIA - depends on CRYPTO_CMAC - default n - help - Choose Y to enable the use of Kerberos 5 encryption types - that utilize Camellia ciphers (RFC 3713) and CMAC digests - (NIST Special Publication 800-38B). These include - camellia128-cts-cmac and camellia256-cts-cmac. - -config RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2 - bool "Enable Kerberos enctypes based on AES and SHA-2" - depends on RPCSEC_GSS_KRB5 - depends on CRYPTO_CBC && CRYPTO_CTS - depends on CRYPTO_HMAC && CRYPTO_SHA256 && CRYPTO_SHA512 - depends on CRYPTO_AES - default n - help - Choose Y to enable the use of Kerberos 5 encryption types - that utilize Advanced Encryption Standard (AES) ciphers and - SHA-2 digests. These include aes128-cts-hmac-sha256-128 and - aes256-cts-hmac-sha384-192. - config SUNRPC_DEBUG bool "RPC: Enable dprintk debugging" depends on SUNRPC && SYSCTL diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c index 5a52fd84f9463..996e452b9b3ce 100644 --- a/net/sunrpc/auth_gss/gss_krb5_mech.c +++ b/net/sunrpc/auth_gss/gss_krb5_mech.c @@ -28,27 +28,23 @@ static struct gss_api_mech gss_kerberos_mech; /* - * The list of advertised enctypes is specified in order of most - * preferred to least. + * Candidate enctypes in order of most preferred to least. + * Each is probed against crypto/krb5 at module init; only + * enctypes that crypto/krb5 supports are advertised. */ +static const u32 gss_krb5_enctypes[] = { + ENCTYPE_AES256_CTS_HMAC_SHA384_192, + ENCTYPE_AES128_CTS_HMAC_SHA256_128, + ENCTYPE_CAMELLIA256_CTS_CMAC, + ENCTYPE_CAMELLIA128_CTS_CMAC, + ENCTYPE_AES256_CTS_HMAC_SHA1_96, + ENCTYPE_AES128_CTS_HMAC_SHA1_96, +}; + static char gss_krb5_enctype_priority_list[64]; static void gss_krb5_prepare_enctype_priority_list(void) { - static const u32 gss_krb5_enctypes[] = { -#if defined(CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2) - ENCTYPE_AES256_CTS_HMAC_SHA384_192, - ENCTYPE_AES128_CTS_HMAC_SHA256_128, -#endif -#if defined(CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_CAMELLIA) - ENCTYPE_CAMELLIA256_CTS_CMAC, - ENCTYPE_CAMELLIA128_CTS_CMAC, -#endif -#if defined(CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA1) - ENCTYPE_AES256_CTS_HMAC_SHA1_96, - ENCTYPE_AES128_CTS_HMAC_SHA1_96, -#endif - }; size_t total, i; char buf[16]; char *sep; @@ -57,6 +53,8 @@ static void gss_krb5_prepare_enctype_priority_list(void) sep = ""; gss_krb5_enctype_priority_list[0] = '\0'; for (total = 0, i = 0; i < ARRAY_SIZE(gss_krb5_enctypes); i++) { + if (!crypto_krb5_find_enctype(gss_krb5_enctypes[i])) + continue; n = sprintf(buf, "%s%u", sep, gss_krb5_enctypes[i]); if (n < 0) break; |