On Thu, 25 Feb 2021 at 11:35, Salvatore Bonaccorso <[email protected]> wrote: > > Hi Ard, > > On Mon, Feb 01, 2021 at 10:21:27PM +0100, Salvatore Bonaccorso wrote: > > Hi Ard, > > > > On Sat, Jan 30, 2021 at 04:41:16PM +0100, Ard Biesheuvel wrote: > > > L.S., > > > > > > This is a request to consider disabling obsolete crypto in 5.10 and > > > later Debian builds of the Linux kernel on any architecture. > > > > > > We are all familiar with the rigid rules when it comes to not breaking > > > userspace by making changes to the kernel, but this rule only takes > > > effect when anybody notices, and so I am proposing disabling some code > > > downstream before removing it entirely. > > > > > > 5.10 introduces a new Kconfig symbol > > > > > > CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE > > > > > > which is enabled by default, but depends on support for the AF_ALG > > > socket API being enabled. In turn, block ciphers that are obsolete and > > > unlikely to be used anywhere have been made to depend on this new > > > symbol. > > > > > > This means that these obsolete block ciphers will disappear entirely > > > when the AF_ALG socket API is omitted, but we can get rid of these > > > block ciphers explicitly too, by not setting the new symbol. I.e., > > > adding > > > > > > # CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE is not set > > > > > > to the kernel configs. Note that Fedora have already done so in release > > > 33 [0] > > > > > > The block ciphers in question are RC4, Khazad, SEED, and > > > TEA/XTEA/XETA, none of which are used by the kernel itself, or known > > > to be used via the socket API (although a change was applied to > > > iwd/libell recently to get rid of an occurrence of RC4 - this change > > > has already been pulled into bullseye afaik) > > > > > > Note that this is not a statement on whether these algorithms are > > > secure or not -there is simply no point in carrying and shipping code > > > that nobody uses or audits, but which can be autoloaded and exercised > > > via an unprivileged interface. > > > > FTR (posteriori), we tried that in > > https://salsa.debian.org/kernel-team/linux/-/commit/633e1992f7d915c22b2a2adea87981e7503bb737 > > (and is in the 5.10.12-1 upload to unstable). > > There were two reports which might be in the end related to that > change: > > https://bugs.debian.org/979764 > https://bugs.debian.org/983508 > > We have long that nfs-utils need to be updated, but the version was so > outdated, that progress on updating to a newer version stalled, and > could not be done in time for bulleye. Once bullseye is released I > guess this really needs to be prioritzed in some way. > > Ard, have you any insight in the above, so, should we revert the above > change for bullseye again? >
Hello Salvatore, I think the issue is the patch below. Having something that requires RC4 and MD5 for security is an absolute joke in 2021, so I won't recommend you reverting it. Instead, you should really fix nfs-utils with priority. -- Ard. commit e33d2a7b3041d7f8cd1f0a2a4ca42a5bc112b14e Author: Ard Biesheuvel <[email protected]> Date: Mon Aug 31 18:16:45 2020 +0300 SUNRPC: remove RC4-HMAC-MD5 support from KerberosV The RC4-HMAC-MD5 KerberosV algorithm is based on RFC 4757 [0], which was specifically issued for interoperability with Windows 2000, but was never intended to receive the same level of support. The RFC says The IETF Kerberos community supports publishing this specification as an informational document in order to describe this widely implemented technology. However, while these encryption types provide the operations necessary to implement the base Kerberos specification [RFC4120], they do not provide all the required operations in the Kerberos cryptography framework [RFC3961]. As a result, it is not generally possible to implement potential extensions to Kerberos using these encryption types. The Kerberos encryption type negotiation mechanism [RFC4537] provides one approach for using such extensions even when a Kerberos infrastructure uses long-term RC4 keys. Because this specification does not implement operations required by RFC 3961 and because of security concerns with the use of RC4 and MD4 discussed in Section 8, this specification is not appropriate for publication on the standards track. The RC4-HMAC encryption types are used to ease upgrade of existing Windows NT environments, provide strong cryptography (128-bit key lengths), and provide exportable (meet United States government export restriction requirements) encryption. This document describes the implementation of those encryption types. Furthermore, this RFC was re-classified as 'historic' by RFC 8429 [1] in 2018, stating that 'none of the encryption types it specifies should be used' Note that other outdated algorithms are left in place (some of which are guarded by CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES), so this should only adversely affect interoperability with Windows NT/2000 systems that have not received any updates since 2008 (but are connected to a network nonetheless) [0] https://tools.ietf.org/html/rfc4757 [1] https://tools.ietf.org/html/rfc8429 Signed-off-by: Ard Biesheuvel <[email protected]> Acked-by: J. Bruce Fields <[email protected]> Signed-off-by: Herbert Xu <[email protected]>
