lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAMuHMdX-LN-uhecx_ZJ9DokNJQ-0maGiLij_u9LVhNk9TODFVA@mail.gmail.com>
Date: Thu, 16 Oct 2025 16:36:23 +0200
From: Geert Uytterhoeven <geert@...ux-m68k.org>
To: Jeff Layton <jlayton@...nel.org>
Cc: Chuck Lever <cel@...nel.org>, Eric Biggers <ebiggers@...nel.org>, 
	Trond Myklebust <trondmy@...nel.org>, Linus Torvalds <torvalds@...ux-foundation.org>, 
	linux-kernel@...r.kernel.org, linux-nfs@...r.kernel.org
Subject: Re: [GIT PULL] NFSD changes for v6.18

Hi Jeff,

On Thu, 16 Oct 2025 at 16:31, Jeff Layton <jlayton@...nel.org> wrote:
> On Mon, 2025-10-13 at 15:37 -0400, Chuck Lever wrote:
> > On 10/13/25 3:21 PM, Eric Biggers wrote:
> > > On Mon, Oct 13, 2025 at 12:15:52PM +0200, Geert Uytterhoeven wrote:
> > > > Hi Chuck, Eric,
> > > >
> > > > On Wed, 8 Oct 2025 at 00:05, Chuck Lever <cel@...nel.org> wrote:
> > > > > Eric Biggers (4):
> > > > >       SUNRPC: Make RPCSEC_GSS_KRB5 select CRYPTO instead of depending on it
> > > >
> > > > This is now commit d8e97cc476e33037 ("SUNRPC: Make RPCSEC_GSS_KRB5
> > > > select CRYPTO instead of depending on it") in v6.18-rc1.
> > > > As RPCSEC_GSS_KRB5 defaults to "y", CRYPTO is now auto-enabled in
> > > > defconfigs that didn't enable it before.
> > >
> > > Now the config is:
> > >
> > >     config RPCSEC_GSS_KRB5
> > >         tristate "Secure RPC: Kerberos V mechanism"
> > >         depends on SUNRPC
> > >         default y
> > >         select SUNRPC_GSS
> > >         select CRYPTO
> > >         select CRYPTO_SKCIPHER
> > >         select CRYPTO_HASH
> > >
> > > Perhaps the 'default y' should be removed?
> > >
> > > Chuck, do you know why it's there?
> > The "default y" was added by 2010 commit df486a25900f ("NFS: Fix the
> > selection of security flavours in Kconfig"), then modified again by
> > commit e3b2854faabd ("SUNRPC: Fix the SUNRPC Kerberos V RPCSEC_GSS
> > module dependencies") in 2011.
> >
> > Copying Trond, the author of both of those patches.
>
> Looking at this a bit closer, maybe a patch like this is what we want?
> This should make it so that we only enable RPCSEC_GSS_KRB5 if CRYPTO is
> already enabled:
>
> diff --git a/net/sunrpc/Kconfig b/net/sunrpc/Kconfig
> index 984e0cf9bf8a..d433626c7917 100644
> --- a/net/sunrpc/Kconfig
> +++ b/net/sunrpc/Kconfig
> @@ -19,9 +19,8 @@ config SUNRPC_SWAP
>  config RPCSEC_GSS_KRB5
>         tristate "Secure RPC: Kerberos V mechanism"
>         depends on SUNRPC
> -       default y
> +       default y if CRYPTO

This merely controls the default, the user can still override it.
Implementing your suggestion above would mean re-adding "depends on
CRYPTO", i.e. reverting commit d8e97cc476e33037.

>         select SUNRPC_GSS
> -       select CRYPTO
>         select CRYPTO_SKCIPHER
>         select CRYPTO_HASH
>         help

Gr{oetje,eeting}s,

                        Geert

-- 
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@...ux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ