Re: [PATCH v2 00/41] RPCSEC GSS krb5 enhancements

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




> On Jan 18, 2023, at 11:02 AM, Simo Sorce <simo@xxxxxxxxxx> wrote:
> 
> On Sun, 2023-01-15 at 12:20 -0500, Chuck Lever wrote:
>> The purpose of this series is to improve/harden the security
>> provided by the Linux kernel's RPCSEC GSS Kerberos 5 mechanism.
>> There are lots of clean-ups in this series, but the pertinent
>> feature is the addition of a clean deprecation path for the DES-
>> and SHA1-based encryption types in accordance with Internet BCPs.
>> 
>> This series disables DES-based enctypes by default, provides a
>> mechanism for disabling SHA1-based enctypes, and introduces two
>> modern enctypes that do not use deprecated crypto algorithms.
>> 
>> Not only does that improve security for Kerberos 5 users, but it
>> also prepares SunRPC for eventually switching to a shared common
>> kernel Kerberos 5 implementation, which surely will not implement
>> any deprecated encryption types (in particular, DES-based ones).
>> 
>> Today, MIT supports both of the newly-introduced enctypes, but
>> Heimdal does not appear to. Thus distributions can enable and
>> disable kernel enctype support to match the set of enctypes
>> supported in their user space Kerberos libraries.
>> 
>> Scott has been kicking the tires -- we've found no regressions with
>> the current SHA1-based enctypes, while the new ones are disabled by
>> default until we have an opportunity for interop testing. The KUnit
>> tests for the new enctypes pass and this implementation successfully
>> interoperates with itself using these enctypes. Therefore I believe
>> it to be safe to merge.
>> 
>> When this series gets merged, the Linux NFS community should select
>> and announce a date-certain for removal of SunRPC's DES-based
>> enctype code.
>> 
>> ---
>> 
>> Changes since v1:
>> - Addressed Simo's NAK on "SUNRPC: Improve Kerberos confounder generation"
>> - Added Cc: linux-kselftest@ for review of the KUnit-related patches
>> 
>> 
>> Chuck Lever (41):
>>      SUNRPC: Add header ifdefs to linux/sunrpc/gss_krb5.h
>>      SUNRPC: Remove .blocksize field from struct gss_krb5_enctype
>>      SUNRPC: Remove .conflen field from struct gss_krb5_enctype
>>      SUNRPC: Improve Kerberos confounder generation
>>      SUNRPC: Obscure Kerberos session key
>>      SUNRPC: Refactor set-up for aux_cipher
>>      SUNRPC: Obscure Kerberos encryption keys
>>      SUNRPC: Obscure Kerberos signing keys
>>      SUNRPC: Obscure Kerberos integrity keys
>>      SUNRPC: Refactor the GSS-API Per Message calls in the Kerberos mechanism
>>      SUNRPC: Remove another switch on ctx->enctype
>>      SUNRPC: Add /proc/net/rpc/gss_krb5_enctypes file
>>      NFSD: Replace /proc/fs/nfsd/supported_krb5_enctypes with a symlink
>>      SUNRPC: Replace KRB5_SUPPORTED_ENCTYPES macro
>>      SUNRPC: Enable rpcsec_gss_krb5.ko to be built without CRYPTO_DES
>>      SUNRPC: Remove ->encrypt and ->decrypt methods from struct gss_krb5_enctype
>>      SUNRPC: Rename .encrypt_v2 and .decrypt_v2 methods
>>      SUNRPC: Hoist KDF into struct gss_krb5_enctype
>>      SUNRPC: Clean up cipher set up for v1 encryption types
>>      SUNRPC: Parametrize the key length passed to context_v2_alloc_cipher()
>>      SUNRPC: Add new subkey length fields
>>      SUNRPC: Refactor CBC with CTS into helpers
>>      SUNRPC: Add gk5e definitions for RFC 8009 encryption types
>>      SUNRPC: Add KDF-HMAC-SHA2
>>      SUNRPC: Add RFC 8009 encryption and decryption functions
>>      SUNRPC: Advertise support for RFC 8009 encryption types
>>      SUNRPC: Support the Camellia enctypes
>>      SUNRPC: Add KDF_FEEDBACK_CMAC
>>      SUNRPC: Advertise support for the Camellia encryption types
>>      SUNRPC: Move remaining internal definitions to gss_krb5_internal.h
>>      SUNRPC: Add KUnit tests for rpcsec_krb5.ko
>>      SUNRPC: Export get_gss_krb5_enctype()
>>      SUNRPC: Add KUnit tests RFC 3961 Key Derivation
>>      SUNRPC: Add Kunit tests for RFC 3962-defined encryption/decryption
>>      SUNRPC: Add KDF KUnit tests for the RFC 6803 encryption types
>>      SUNRPC: Add checksum KUnit tests for the RFC 6803 encryption types
>>      SUNRPC: Add encryption KUnit tests for the RFC 6803 encryption types
>>      SUNRPC: Add KDF-HMAC-SHA2 Kunit tests
>>      SUNRPC: Add RFC 8009 checksum KUnit tests
>>      SUNRPC: Add RFC 8009 encryption KUnit tests
>>      SUNRPC: Add encryption self-tests
>> 
>> 
>> fs/nfsd/nfsctl.c                         |   74 +-
>> include/linux/sunrpc/gss_krb5.h          |  196 +--
>> include/linux/sunrpc/gss_krb5_enctypes.h |   41 -
>> net/sunrpc/.kunitconfig                  |   30 +
>> net/sunrpc/Kconfig                       |   96 +-
>> net/sunrpc/auth_gss/Makefile             |    2 +
>> net/sunrpc/auth_gss/auth_gss.c           |   17 +
>> net/sunrpc/auth_gss/gss_krb5_crypto.c    |  656 +++++--
>> net/sunrpc/auth_gss/gss_krb5_internal.h  |  232 +++
>> net/sunrpc/auth_gss/gss_krb5_keys.c      |  416 ++++-
>> net/sunrpc/auth_gss/gss_krb5_mech.c      |  730 +++++---
>> net/sunrpc/auth_gss/gss_krb5_seal.c      |  122 +-
>> net/sunrpc/auth_gss/gss_krb5_seqnum.c    |    2 +
>> net/sunrpc/auth_gss/gss_krb5_test.c      | 2040 ++++++++++++++++++++++
>> net/sunrpc/auth_gss/gss_krb5_unseal.c    |   63 +-
>> net/sunrpc/auth_gss/gss_krb5_wrap.c      |  124 +-
>> net/sunrpc/auth_gss/svcauth_gss.c        |   65 +
>> 17 files changed, 4001 insertions(+), 905 deletions(-)
>> delete mode 100644 include/linux/sunrpc/gss_krb5_enctypes.h
>> create mode 100644 net/sunrpc/.kunitconfig
>> create mode 100644 net/sunrpc/auth_gss/gss_krb5_internal.h
>> create mode 100644 net/sunrpc/auth_gss/gss_krb5_test.c
>> 
>> --
>> Chuck Lever
> 
> I reviewed the whole patchset (except the Camellia related commits):
> Reviewed-by: Simo Sorce <simo@xxxxxxxxxx>

Thank you!

I've applied this series to nfsd-next. Comments and testing are
still welcome.


--
Chuck Lever







[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [Share Photos]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]

  Powered by Linux