lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <96e2c0717722be57011f4670b1a6b19bb5f4ef48.camel@kernel.org>
Date: Thu, 16 Oct 2025 10:31:14 -0400
From: Jeff Layton <jlayton@...nel.org>
To: Chuck Lever <cel@...nel.org>, Eric Biggers <ebiggers@...nel.org>, Geert
 Uytterhoeven <geert@...ux-m68k.org>, Trond Myklebust <trondmy@...nel.org>
Cc: Linus Torvalds <torvalds@...ux-foundation.org>, 
	linux-kernel@...r.kernel.org, linux-nfs@...r.kernel.org
Subject: Re: [GIT PULL] NFSD changes for v6.18

On Mon, 2025-10-13 at 15:37 -0400, Chuck Lever wrote:
> On 10/13/25 3:21 PM, Eric Biggers wrote:
> > On Mon, Oct 13, 2025 at 12:15:52PM +0200, Geert Uytterhoeven wrote:
> > > Hi Chuck, Eric,
> > > 
> > > On Wed, 8 Oct 2025 at 00:05, Chuck Lever <cel@...nel.org> wrote:
> > > > Eric Biggers (4):
> > > >       SUNRPC: Make RPCSEC_GSS_KRB5 select CRYPTO instead of depending on it
> > > 
> > > This is now commit d8e97cc476e33037 ("SUNRPC: Make RPCSEC_GSS_KRB5
> > > select CRYPTO instead of depending on it") in v6.18-rc1.
> > > As RPCSEC_GSS_KRB5 defaults to "y", CRYPTO is now auto-enabled in
> > > defconfigs that didn't enable it before.
> > > 
> > > Gr{oetje,eeting}s,
> > > 
> > 
> > Now the config is:
> > 
> >     config RPCSEC_GSS_KRB5
> >         tristate "Secure RPC: Kerberos V mechanism"
> >         depends on SUNRPC
> >         default y
> >         select SUNRPC_GSS
> >         select CRYPTO
> >         select CRYPTO_SKCIPHER
> >         select CRYPTO_HASH
> > 
> > Perhaps the 'default y' should be removed?
> > 
> > Chuck, do you know why it's there?
> The "default y" was added by 2010 commit df486a25900f ("NFS: Fix the
> selection of security flavours in Kconfig"), then modified again by
> commit e3b2854faabd ("SUNRPC: Fix the SUNRPC Kerberos V RPCSEC_GSS
> module dependencies") in 2011.
> 
> Copying Trond, the author of both of those patches.
> 

Looking at this a bit closer, maybe a patch like this is what we want?
This should make it so that we only enable RPCSEC_GSS_KRB5 if CRYPTO is
already enabled:

diff --git a/net/sunrpc/Kconfig b/net/sunrpc/Kconfig
index 984e0cf9bf8a..d433626c7917 100644
--- a/net/sunrpc/Kconfig
+++ b/net/sunrpc/Kconfig
@@ -19,9 +19,8 @@ config SUNRPC_SWAP
 config RPCSEC_GSS_KRB5
        tristate "Secure RPC: Kerberos V mechanism"
        depends on SUNRPC
-       default y
+       default y if CRYPTO
        select SUNRPC_GSS
-       select CRYPTO
        select CRYPTO_SKCIPHER
        select CRYPTO_HASH
        help



-- 
Jeff Layton <jlayton@...nel.org>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ