From a40cf7530d3104793f9361e69e84ada7960724f2 Mon Sep 17 00:00:00 2001 From: Chuck Lever Date: Sun, 15 Jan 2023 12:22:43 -0500 Subject: SUNRPC: Add gk5e definitions for RFC 8009 encryption types Fill in entries in the supported_gss_krb5_enctypes array for the encryption types defined in RFC 8009. These new enctypes use the SHA-256 and SHA-384 message digest algorithms (as defined in FIPS-180) instead of the deprecated SHA-1 algorithm, and are thus more secure. Note that NIST has scheduled SHA-1 for deprecation: https://www.nist.gov/news-events/news/2022/12/nist-retires-sha-1-cryptographic-algorithm Thus these new encryption types are placed under a separate CONFIG option to enable distributors to separately introduce support for the AES-SHA2 enctypes and deprecate support for the current set of AES-SHA1 encryption types as their user space allows. As this implementation is still a "beta", the default is to not build it automatically. Tested-by: Scott Mayhew Reviewed-by: Simo Sorce Signed-off-by: Chuck Lever --- net/sunrpc/Kconfig | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'net/sunrpc/Kconfig') diff --git a/net/sunrpc/Kconfig b/net/sunrpc/Kconfig index 82ecb534795a..420b40279986 100644 --- a/net/sunrpc/Kconfig +++ b/net/sunrpc/Kconfig @@ -80,6 +80,20 @@ config RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA1 SHA-1 digests. These include aes128-cts-hmac-sha1-96 and aes256-cts-hmac-sha1-96. +config RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2 + bool "Enable Kerberos enctypes based on AES and SHA-2" + depends on RPCSEC_GSS_KRB5 + depends on CRYPTO_CBC && CRYPTO_CTS + depends on CRYPTO_HMAC && CRYPTO_SHA256 && CRYPTO_SHA512 + depends on CRYPTO_AES + default n + select RPCSEC_GSS_KRB5_CRYPTOSYSTEM + help + Choose Y to enable the use of Kerberos 5 encryption types + that utilize Advanced Encryption Standard (AES) ciphers and + SHA-2 digests. These include aes128-cts-hmac-sha256-128 and + aes256-cts-hmac-sha384-192. + config SUNRPC_DEBUG bool "RPC: Enable dprintk debugging" depends on SUNRPC && SYSCTL -- cgit v1.2.3