On 8/18/2021 12:10 AM, Ronnie Sahlberg wrote:
Steve, We depend on ARC4 for generating the encrypted session key in key exchange. This patch disables the key exchange/encrypted session key for ntlmssp IF the kernel does not have any ARC4 support. This allows to build the cifs module even if ARC4 has been removed though with a weaker type of NTLMSSP support.
It's a good goal but it seems wrong to downgrade the security so silently. Wouldn't it be a better approach to select ARC4, and thereby force the build to succeed or fail? Alternatively, change the #ifndef ARC4 to a positive option named (for example) DOWNGRADED_NTLMSSP or something equally foreboding? Tom.
