summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChuck Lever <chuck.lever@oracle.com>2026-04-27 16:51:00 +0300
committerChuck Lever <cel@kernel.org>2026-06-09 23:32:59 +0300
commitc331c8eaa20211d99181f1a1cf8d5a83b119dcb6 (patch)
treecb5d016ec4cbce890992f5acf78d6400297392ee
parent979accbc6bcb551b095b678a6f0c41899080ccd1 (diff)
downloadlinux-c331c8eaa20211d99181f1a1cf8d5a83b119dcb6.tar.xz
SUNRPC: Remove per-enctype Kconfig options
The RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA1, RPCSEC_GSS_KRB5_ENCTYPES_CAMELLIA, and RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2 Kconfig options originally gated both algorithm availability and the advertised enctype list. Now that per-message crypto operations are routed through crypto/krb5, these options control only which enctype numbers appear in the gssd upcall string; the underlying algorithms are always present. Remove the per-enctype Kconfig options and replace the ifdef-gated enctype table with a candidate list looked up in the crypto/krb5 enctype table at module init time. Each enctype is included in the advertised list only if crypto_krb5_find_enctype() finds it in the library's enctype table. When a new enctype is added to crypto/krb5, adding its constant to the candidate array is sufficient to begin advertising it. Assisted-by: Claude:claude-opus-4-6 Reviewed-by: Jeff Layton <jlayton@kernel.org> Acked-by: Anna Schumaker <anna.schumaker@hammerspace.com> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
-rw-r--r--net/sunrpc/Kconfig38
-rw-r--r--net/sunrpc/auth_gss/gss_krb5_mech.c30
2 files changed, 14 insertions, 54 deletions
diff --git a/net/sunrpc/Kconfig b/net/sunrpc/Kconfig
index 1c2e1fe9d365..305c55cdbd45 100644
--- a/net/sunrpc/Kconfig
+++ b/net/sunrpc/Kconfig
@@ -35,44 +35,6 @@ config RPCSEC_GSS_KRB5
If unsure, say Y.
-config RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA1
- bool "Enable Kerberos enctypes based on AES and SHA-1"
- depends on RPCSEC_GSS_KRB5
- depends on CRYPTO_CBC && CRYPTO_CTS
- depends on CRYPTO_HMAC && CRYPTO_SHA1
- depends on CRYPTO_AES
- default y
- help
- Choose Y to enable the use of Kerberos 5 encryption types
- that utilize Advanced Encryption Standard (AES) ciphers and
- SHA-1 digests. These include aes128-cts-hmac-sha1-96 and
- aes256-cts-hmac-sha1-96.
-
-config RPCSEC_GSS_KRB5_ENCTYPES_CAMELLIA
- bool "Enable Kerberos encryption types based on Camellia and CMAC"
- depends on RPCSEC_GSS_KRB5
- depends on CRYPTO_CBC && CRYPTO_CTS && CRYPTO_CAMELLIA
- depends on CRYPTO_CMAC
- default n
- help
- Choose Y to enable the use of Kerberos 5 encryption types
- that utilize Camellia ciphers (RFC 3713) and CMAC digests
- (NIST Special Publication 800-38B). These include
- camellia128-cts-cmac and camellia256-cts-cmac.
-
-config RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2
- bool "Enable Kerberos enctypes based on AES and SHA-2"
- depends on RPCSEC_GSS_KRB5
- depends on CRYPTO_CBC && CRYPTO_CTS
- depends on CRYPTO_HMAC && CRYPTO_SHA256 && CRYPTO_SHA512
- depends on CRYPTO_AES
- default n
- help
- Choose Y to enable the use of Kerberos 5 encryption types
- that utilize Advanced Encryption Standard (AES) ciphers and
- SHA-2 digests. These include aes128-cts-hmac-sha256-128 and
- aes256-cts-hmac-sha384-192.
-
config SUNRPC_DEBUG
bool "RPC: Enable dprintk debugging"
depends on SUNRPC && SYSCTL
diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c
index 5a52fd84f946..996e452b9b3c 100644
--- a/net/sunrpc/auth_gss/gss_krb5_mech.c
+++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
@@ -28,27 +28,23 @@
static struct gss_api_mech gss_kerberos_mech;
/*
- * The list of advertised enctypes is specified in order of most
- * preferred to least.
+ * Candidate enctypes in order of most preferred to least.
+ * Each is probed against crypto/krb5 at module init; only
+ * enctypes that crypto/krb5 supports are advertised.
*/
+static const u32 gss_krb5_enctypes[] = {
+ ENCTYPE_AES256_CTS_HMAC_SHA384_192,
+ ENCTYPE_AES128_CTS_HMAC_SHA256_128,
+ ENCTYPE_CAMELLIA256_CTS_CMAC,
+ ENCTYPE_CAMELLIA128_CTS_CMAC,
+ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+};
+
static char gss_krb5_enctype_priority_list[64];
static void gss_krb5_prepare_enctype_priority_list(void)
{
- static const u32 gss_krb5_enctypes[] = {
-#if defined(CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2)
- ENCTYPE_AES256_CTS_HMAC_SHA384_192,
- ENCTYPE_AES128_CTS_HMAC_SHA256_128,
-#endif
-#if defined(CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_CAMELLIA)
- ENCTYPE_CAMELLIA256_CTS_CMAC,
- ENCTYPE_CAMELLIA128_CTS_CMAC,
-#endif
-#if defined(CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA1)
- ENCTYPE_AES256_CTS_HMAC_SHA1_96,
- ENCTYPE_AES128_CTS_HMAC_SHA1_96,
-#endif
- };
size_t total, i;
char buf[16];
char *sep;
@@ -57,6 +53,8 @@ static void gss_krb5_prepare_enctype_priority_list(void)
sep = "";
gss_krb5_enctype_priority_list[0] = '\0';
for (total = 0, i = 0; i < ARRAY_SIZE(gss_krb5_enctypes); i++) {
+ if (!crypto_krb5_find_enctype(gss_krb5_enctypes[i]))
+ continue;
n = sprintf(buf, "%s%u", sep, gss_krb5_enctypes[i]);
if (n < 0)
break;