• Ard Biesheuvel's avatar
    SUNRPC: remove RC4-HMAC-MD5 support from KerberosV · e33d2a7b
    Ard Biesheuvel authored
    The RC4-HMAC-MD5 KerberosV algorithm is based on RFC 4757 [0], which
    was specifically issued for interoperability with Windows 2000, but was
    never intended to receive the same level of support. The RFC says
    
      The IETF Kerberos community supports publishing this specification as
      an informational document in order to describe this widely
      implemented technology.  However, while these encryption types
      provide the operations necessary to implement the base Kerberos
      specification [RFC4120], they do not provide all the required
      operations in the Kerberos cryptography framework [RFC3961].  As a
      result, it is not generally possible to implement potential
      extensions to Kerberos using these encryption types.  The Kerberos
      encryption type negotiation mechanism [RFC4537] provides one approach
      for using such extensions even when a Kerberos infrastructure uses
      long-term RC4 keys.  Because this specification does not implement
      operations required by RFC 3961 and because of security concerns with
      the use of RC4 and MD4 discussed in Section 8, this specification is
      not appropriate for publication on the standards track.
    
      The RC4-HMAC encryption types are used to ease upgrade of existing
      Windows NT environments, provide strong cryptography (128-bit key
      lengths), and provide exportable (meet United States government
      export restriction requirements) encryption.  This document describes
      the implementation of those encryption types.
    
    Furthermore, this RFC was re-classified as 'historic' by RFC 8429 [1] in
    2018, stating that 'none of the encryption types it specifies should be
    used'
    
    Note that other outdated algorithms are left in place (some of which are
    guarded by CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES), so this should only
    adversely affect interoperability with Windows NT/2000 systems that have
    not received any updates since 2008 (but are connected to a network
    nonetheless)
    
    [0] https://tools.ietf.org/html/rfc4757
    [1] https://tools.ietf.org/html/rfc8429Signed-off-by: default avatarArd Biesheuvel <ardb@kernel.org>
    Acked-by: default avatarJ. Bruce Fields <bfields@redhat.com>
    Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
    e33d2a7b
gss_krb5_mech.c 16.9 KB