    SUNRPC: Enable rpcsec_gss_krb5.ko to be built without CRYPTO_DES · dfe9a123
    Chuck Lever authored
    Because the DES block cipher has been deprecated by Internet
    standard, highly secure configurations might require that DES
    support be blacklisted or not installed. NFS Kerberos should still
    be able to work correctly with only the AES-based enctypes in that
    situation.
    
    Also note that MIT Kerberos has begun a deprecation process for DES
    encryption types. Their README for 1.19.3 states:
    
    > Beginning with the krb5-1.19 release, a warning will be issued
    > if initial credentials are acquired using the des3-cbc-sha1
    > encryption type.  In future releases, this encryption type will
    > be disabled by default and eventually removed.
    >
    > Beginning with the krb5-1.18 release, single-DES encryption
    > types have been removed.
    
    Aside from the CONFIG option name change, there are two important
    policy changes:
    
    1. The 'insecure enctype' group is now disabled by default.
       Distributors have to take action to enable support for deprecated
       enctypes. Implementation of these enctypes will be removed in a
       future kernel release.
    
    2. des3-cbc-sha1 is now considered part of the 'insecure enctype'
       group, having been deprecated by RFC 8429, and is thus disabled
       by default.
    
    After this patch is applied, SunRPC support can be built with
    Kerberos 5 support but without CRYPTO_DES enabled in the kernel.
    And, when these enctypes are disabled, the Linux kernel's SunRPC
    RPCSEC GSS implementation fully complies with BCP 179 / RFC 6649
    and BCP 218 / RFC 8429.
    Tested-by: Scott Mayhew <smayhew@redhat.com>
    Reviewed-by: Simo Sorce <simo@redhat.com>
    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
gss_krb5_seal.c 6.01 KB
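An added example, not part of this commit or of the kernel tree, of how an operator might verify the "DES not installed" state the commit message describes. It inspects a kernel .config for CONFIG_CRYPTO_DES, scans a /proc/crypto listing for the des and des3_ede algorithms, and prints a modprobe fragment that keeps the DES module from loading. The .config and /proc/crypto text is constructed inline; the module name des_generic and the algorithm names des and des3_ede are assumed from the mainline crypto tree and should be checked against the kernel actually in use.

```shell
#!/bin/sh
# Added example (not code from the kernel commit): audit a host that is meant
# to run NFS Kerberos with AES-only enctypes for leftover DES support.
# Assumed names: CONFIG_CRYPTO_DES (kernel config), des / des3_ede
# (/proc/crypto algorithm names), des_generic (module built from CRYPTO_DES).

# Constructed .config fragments: one built with DES as a module, one without.
CONFIG_WITH_DES='CONFIG_RPCSEC_GSS_KRB5=m
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_DES=m
CONFIG_CRYPTO_CBC=y'
CONFIG_WITHOUT_DES='CONFIG_RPCSEC_GSS_KRB5=m
CONFIG_CRYPTO_AES=y
# CONFIG_CRYPTO_DES is not set
CONFIG_CRYPTO_CBC=y'

# Constructed excerpt in the layout of /proc/crypto (one DES, one AES entry).
PROC_CRYPTO_SAMPLE='name         : des3_ede
driver       : des3_ede-generic
module       : des_generic
priority     : 100
type         : cipher

name         : aes
driver       : aes-generic
module       : aes_generic
priority     : 100
type         : cipher'

# config_des_state CONFIG_TEXT -> prints "builtin", "module" or "absent".
# Only CONFIG_CRYPTO_DES=y / =m count; a "# CONFIG_CRYPTO_DES is not set"
# line and CONFIG_CRYPTO_DES3_EDE do not match the pattern.
config_des_state() {
    case "$(printf '%s\n' "$1" | sed -n 's/^CONFIG_CRYPTO_DES=\(.\)$/\1/p')" in
        y) echo builtin ;;
        m) echo module ;;
        *) echo absent ;;
    esac
}

# des_algos_in_proc_crypto PROC_TEXT -> prints each DES-family algorithm name
# ("des" or "des3_ede") found in "name : ..." lines, one per line.
des_algos_in_proc_crypto() {
    printf '%s\n' "$1" |
        awk '$1 == "name" && ($3 == "des" || $3 == "des3_ede") { print $3 }'
}

# des_free_host CONFIG_TEXT PROC_TEXT -> exit status 0 only when the config
# has no CRYPTO_DES and the running kernel advertises no DES-family cipher.
des_free_host() {
    [ "$(config_des_state "$1")" = absent ] &&
    [ -z "$(des_algos_in_proc_crypto "$2")" ]
}

# modprobe_blacklist_conf -> prints an /etc/modprobe.d fragment for hosts
# whose kernel still ships the module: "blacklist" stops autoloading by alias,
# "install ... /bin/false" makes an explicit modprobe fail as well.
modprobe_blacklist_conf() {
    printf 'blacklist des_generic\ninstall des_generic /bin/false\n'
}

# Usage against the live system would be:
#   des_free_host "$(cat /boot/config-$(uname -r))" "$(cat /proc/crypto)"
# Here the constructed samples are used instead.
if des_free_host "$CONFIG_WITHOUT_DES" "$PROC_CRYPTO_SAMPLE"; then
    echo "host is DES-free"
else
    echo "DES support present: config=$(config_des_state "$CONFIG_WITHOUT_DES")," \
         "algorithms=$(des_algos_in_proc_crypto "$PROC_CRYPTO_SAMPLE" | tr '\n' ' ')"
    echo "suggested /etc/modprobe.d/blacklist-des.conf:"
    modprobe_blacklist_conf
fi
```

The two checks are deliberately separate: a .config without CRYPTO_DES proves the build matches the policy in the commit message, while /proc/crypto shows what the running kernel actually offers, which is what matters if a distributor shipped a different kernel or an out-of-tree DES module is present.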