Re: Disable key exchange if ARC4 is not available

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 8/18/2021 12:10 AM, Ronnie Sahlberg wrote:
Steve,

We depend on ARC4 for generating the encrypted session key in key exchange.
This patch disables the key exchange/encrypted session key for ntlmssp
IF the kernel does not have any ARC4 support.

This allows to build the cifs module even if ARC4 has been removed
though with a weaker type of NTLMSSP support.

It's a good goal but it seems wrong to downgrade the security
so silently. Wouldn't it be a better approach to select ARC4,
and thereby force the build to succeed or fail? Alternatively,
change the #ifndef ARC4 to a positive option named (for example)
DOWNGRADED_NTLMSSP or something equally foreboding?

Tom.



[Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux