SUNRPC: Replace KRB5_SUPPORTED_ENCTYPES macro
authorChuck Lever <chuck.lever@oracle.com>
Sun, 15 Jan 2023 17:21:45 +0000 (12:21 -0500)
committerChuck Lever <chuck.lever@oracle.com>
Mon, 20 Feb 2023 14:20:39 +0000 (09:20 -0500)
Now that all consumers of the KRB5_SUPPORTED_ENCTYPES macro are
within the SunRPC layer, the macro can be replaced with something
private and more flexible.

Tested-by: Scott Mayhew <smayhew@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
include/linux/sunrpc/gss_krb5_enctypes.h [deleted file]
net/sunrpc/auth_gss/gss_krb5_mech.c

diff --git a/include/linux/sunrpc/gss_krb5_enctypes.h b/include/linux/sunrpc/gss_krb5_enctypes.h
deleted file mode 100644 (file)
index 87eea67..0000000
+++ /dev/null
@@ -1,41 +0,0 @@
-/* SPDX-License-Identifier: GPL-2.0 */
-/*
- * Define the string that exports the set of kernel-supported
- * Kerberos enctypes. This list is sent via upcall to gssd, and
- * is also exposed via the nfsd /proc API. The consumers generally
- * treat this as an ordered list, where the first item in the list
- * is the most preferred.
- */
-
-#ifndef _LINUX_SUNRPC_GSS_KRB5_ENCTYPES_H
-#define _LINUX_SUNRPC_GSS_KRB5_ENCTYPES_H
-
-#ifdef CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES
-
-/*
- * NB: This list includes DES3_CBC_SHA1, which was deprecated by RFC 8429.
- *
- * ENCTYPE_AES256_CTS_HMAC_SHA1_96
- * ENCTYPE_AES128_CTS_HMAC_SHA1_96
- * ENCTYPE_DES3_CBC_SHA1
- */
-#define KRB5_SUPPORTED_ENCTYPES "18,17,16"
-
-#else  /* CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES */
-
-/*
- * NB: This list includes encryption types that were deprecated
- * by RFC 8429 and RFC 6649.
- *
- * ENCTYPE_AES256_CTS_HMAC_SHA1_96
- * ENCTYPE_AES128_CTS_HMAC_SHA1_96
- * ENCTYPE_DES3_CBC_SHA1
- * ENCTYPE_DES_CBC_MD5
- * ENCTYPE_DES_CBC_CRC
- * ENCTYPE_DES_CBC_MD4
- */
-#define KRB5_SUPPORTED_ENCTYPES "18,17,16,3,1,2"
-
-#endif /* CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES */
-
-#endif /* _LINUX_SUNRPC_GSS_KRB5_ENCTYPES_H */
index e33575216a01e2279cb3d3ce8fc23c3bdc68348f..2553d18fd2881bc970967cadbb3f65a142ba75c1 100644 (file)
@@ -19,7 +19,6 @@
 #include <linux/sunrpc/auth.h>
 #include <linux/sunrpc/gss_krb5.h>
 #include <linux/sunrpc/xdr.h>
-#include <linux/sunrpc/gss_krb5_enctypes.h>
 
 #include "auth_gss_internal.h"
 #include "gss_krb5_internal.h"
@@ -145,6 +144,43 @@ static const struct gss_krb5_enctype supported_gss_krb5_enctypes[] = {
        },
 };
 
+/*
+ * The list of advertised enctypes is specified in order of most
+ * preferred to least.
+ */
+static char gss_krb5_enctype_priority_list[64];
+
+static void gss_krb5_prepare_enctype_priority_list(void)
+{
+       static const u32 gss_krb5_enctypes[] = {
+               ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+               ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+               ENCTYPE_DES3_CBC_SHA1,
+#ifndef CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES
+               ENCTYPE_DES_CBC_MD5,
+               ENCTYPE_DES_CBC_CRC,
+               ENCTYPE_DES_CBC_MD4,
+#endif
+       };
+       size_t total, i;
+       char buf[16];
+       char *sep;
+       int n;
+
+       sep = "";
+       gss_krb5_enctype_priority_list[0] = '\0';
+       for (total = 0, i = 0; i < ARRAY_SIZE(gss_krb5_enctypes); i++) {
+               n = sprintf(buf, "%s%u", sep, gss_krb5_enctypes[i]);
+               if (n < 0)
+                       break;
+               if (total + n >= sizeof(gss_krb5_enctype_priority_list))
+                       break;
+               strcat(gss_krb5_enctype_priority_list, buf);
+               sep = ",";
+               total += n;
+       }
+}
+
 static const int num_supported_enctypes =
        ARRAY_SIZE(supported_gss_krb5_enctypes);
 
@@ -761,13 +797,14 @@ static struct gss_api_mech gss_kerberos_mech = {
        .gm_ops         = &gss_kerberos_ops,
        .gm_pf_num      = ARRAY_SIZE(gss_kerberos_pfs),
        .gm_pfs         = gss_kerberos_pfs,
-       .gm_upcall_enctypes = KRB5_SUPPORTED_ENCTYPES,
+       .gm_upcall_enctypes = gss_krb5_enctype_priority_list,
 };
 
 static int __init init_kerberos_module(void)
 {
        int status;
 
+       gss_krb5_prepare_enctype_priority_list();
        status = gss_mech_register(&gss_kerberos_mech);
        if (status)
                printk("Failed to register kerberos gss mechanism!\n");
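Review bot: The call added at the top of init_kerberos_module() appears to be the only writer of gss_krb5_enctype_priority_list, yet the buffer stays in writable data for the module's lifetime while `.gm_upcall_enctypes` hands it out. If no other code writes it (none is visible in this diff), declaring it `static char gss_krb5_enctype_priority_list[64] __ro_after_init;` and marking the helper `static void __init gss_krb5_prepare_enctype_priority_list(void)` would keep the advertised list from being altered after load. The helper returns void, so an empty or truncated list cannot be detected here before gss_mech_register() runs. The body of init_kerberos_module() continues outside the hunk.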