[v1,1/9] SUNRPC: Remove RPCSEC_GSS_KRB5_ENCTYPES_DES

Message ID	168806103993.507650.17272925711898578977.stgit@morisot.1015granger.net (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-nfs-owner@vger.kernel.org> Subject: [PATCH v1 1/9] SUNRPC: Remove RPCSEC_GSS_KRB5_ENCTYPES_DES From: Chuck Lever <cel@kernel.org> To: linux-nfs@vger.kernel.org Cc: Chuck Lever <chuck.lever@oracle.com>, dhowells@redhat.com, simo@redhat.com, smayhew@redhat.com Date: Thu, 29 Jun 2023 13:50:39 -0400 Message-ID: <168806103993.507650.17272925711898578977.stgit@morisot.1015granger.net> In-Reply-To: <168806089210.507650.17584608037244782863.stgit@morisot.1015granger.net> References: <168806089210.507650.17584608037244782863.stgit@morisot.1015granger.net> User-Agent: StGit/1.5 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Precedence: bulk
Series	Remove support for DES-based Kerberos enctypes \| expand [v1,0/9] Remove support for DES-based Kerberos enctypes [v1,1/9] SUNRPC: Remove RPCSEC_GSS_KRB5_ENCTYPES_DES [v1,2/9] SUNRPC: Remove Kunit tests for the DES3 encryption type [v1,3/9] SUNRPC: Remove DES and DES3 enctypes from the supported enctypes list [v1,4/9] SUNRPC: Remove code behind CONFIG_RPCSEC_GSS_KRB5_SIMPLIFIED [v1,5/9] SUNRPC: Remove krb5_derive_key_v1() [v1,6/9] SUNRPC: Remove gss_import_v1_context() [v1,7/9] SUNRPC: Remove CONFIG_RPCSEC_GSS_KRB5_CRYPTOSYSTEM [v1,8/9] SUNRPC: Remove the ->import_ctx method [v1,9/9] SUNRPC: Remove net/sunrpc/auth_gss/gss_krb5_seqnum.c

Message ID

168806103993.507650.17272925711898578977.stgit@morisot.1015granger.net (mailing list archive)

State

New, archived

Headers

Subject: [PATCH v1 1/9] SUNRPC: Remove RPCSEC_GSS_KRB5_ENCTYPES_DES
From: Chuck Lever <cel@kernel.org>
To: linux-nfs@vger.kernel.org
Cc: Chuck Lever <chuck.lever@oracle.com>, dhowells@redhat.com,
        simo@redhat.com, smayhew@redhat.com
Date: Thu, 29 Jun 2023 13:50:39 -0400
Message-ID: 
 <168806103993.507650.17272925711898578977.stgit@morisot.1015granger.net>
In-Reply-To: 
 <168806089210.507650.17584608037244782863.stgit@morisot.1015granger.net>
References: 
 <168806089210.507650.17584608037244782863.stgit@morisot.1015granger.net>
User-Agent: StGit/1.5
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Precedence: bulk

Series

Remove support for DES-based Kerberos enctypes | expand

Commit Message

Chuck Lever June 29, 2023, 5:50 p.m. UTC

From: Chuck Lever <chuck.lever@oracle.com>

Make it impossible to enable support for the DES or DES3 Kerberos
encryption types in SunRPC. These enctypes were deprecated by RFCs
6649 and 8429 because they are known to be insecure.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
 net/sunrpc/.kunitconfig |    1 -
 net/sunrpc/Kconfig      |   28 ----------------------------
 2 files changed, 29 deletions(-)

diff --git a/net/sunrpc/.kunitconfig b/net/sunrpc/.kunitconfig
index a55a00fa649b..eb02b906c295 100644
--- a/net/sunrpc/.kunitconfig
+++ b/net/sunrpc/.kunitconfig
@@ -23,7 +23,6 @@  CONFIG_NFS_FS=y
 CONFIG_SUNRPC=y
 CONFIG_SUNRPC_GSS=y
 CONFIG_RPCSEC_GSS_KRB5=y
-CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_DES=y
 CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA1=y
 CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_CAMELLIA=y
 CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2=y
diff --git a/net/sunrpc/Kconfig b/net/sunrpc/Kconfig
index 4afc5fd71d44..68c95cfd8afa 100644
--- a/net/sunrpc/Kconfig
+++ b/net/sunrpc/Kconfig
@@ -34,38 +34,10 @@  config RPCSEC_GSS_KRB5
 
 	  If unsure, say Y.
 
-config RPCSEC_GSS_KRB5_SIMPLIFIED
-	bool
-	depends on RPCSEC_GSS_KRB5
-
 config RPCSEC_GSS_KRB5_CRYPTOSYSTEM
 	bool
 	depends on RPCSEC_GSS_KRB5
 
-config RPCSEC_GSS_KRB5_ENCTYPES_DES
-	bool "Enable Kerberos enctypes based on DES (deprecated)"
-	depends on RPCSEC_GSS_KRB5
-	depends on CRYPTO_CBC && CRYPTO_CTS && CRYPTO_ECB
-	depends on CRYPTO_HMAC && CRYPTO_MD5 && CRYPTO_SHA1
-	depends on CRYPTO_DES
-	default n
-	select RPCSEC_GSS_KRB5_SIMPLIFIED
-	help
-	  Choose Y to enable the use of deprecated Kerberos 5
-	  encryption types that utilize Data Encryption Standard
-	  (DES) based ciphers. These include des-cbc-md5,
-	  des-cbc-crc, and des-cbc-md4, which were deprecated by
-	  RFC 6649, and des3-cbc-sha1, which was deprecated by RFC
-	  8429.
-
-	  These encryption types are known to be insecure, therefore
-	  the default setting of this option is N. Support for these
-	  encryption types is available only for compatibility with
-	  legacy NFS client and server implementations.
-
-	  Removal of support is planned for a subsequent kernel
-	  release.
-
 config RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA1
 	bool "Enable Kerberos enctypes based on AES and SHA-1"
 	depends on RPCSEC_GSS_KRB5

[v1,1/9] SUNRPC: Remove RPCSEC_GSS_KRB5_ENCTYPES_DES

Commit Message

Patch