Re: [RFC PATCH 3/7] SUNRPC: remove RC4-HMAC-MD5 support from KerberosV

2020-07-02 Thread J. Bruce Fields
Acked-by: J. Bruce Fields 

On Thu, Jul 02, 2020 at 12:19:43PM +0200, Ard Biesheuvel wrote:
> The RC4-HMAC-MD5 KerberosV algorithm is based on RFC 4757 [0], which
> was specifically issued for interoperability with Windows 2000, but was
> never intended to receive the same level of support. The RFC says
> 
>   The IETF Kerberos community supports publishing this specification as
>   an informational document in order to describe this widely
>   implemented technology.  However, while these encryption types
>   provide the operations necessary to implement the base Kerberos
>   specification [RFC4120], they do not provide all the required
>   operations in the Kerberos cryptography framework [RFC3961].  As a
>   result, it is not generally possible to implement potential
>   extensions to Kerberos using these encryption types.  The Kerberos
>   encryption type negotiation mechanism [RFC4537] provides one approach
>   for using such extensions even when a Kerberos infrastructure uses
>   long-term RC4 keys.  Because this specification does not implement
>   operations required by RFC 3961 and because of security concerns with
>   the use of RC4 and MD4 discussed in Section 8, this specification is
>   not appropriate for publication on the standards track.
> 
>   The RC4-HMAC encryption types are used to ease upgrade of existing
>   Windows NT environments, provide strong cryptography (128-bit key
>   lengths), and provide exportable (meet United States government
>   export restriction requirements) encryption.  This document describes
>   the implementation of those encryption types.
> 
> Furthermore, this RFC was re-classified as 'historic' by RFC 8429 [1] in
> 2018, stating that 'none of the encryption types it specifies should be
> used'
> 
> Note that other outdated algorithms are left in place (some of which are
> guarded by CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES), so this should only
> adversely affect interoperability with Windows NT/2000 systems that have
> not received any updates since 2008 (but are connected to a network
> nonetheless)
> 
> [0] https://tools.ietf.org/html/rfc4757
> [1] https://tools.ietf.org/html/rfc8429
> 
> Signed-off-by: Ard Biesheuvel 
> ---
>  include/linux/sunrpc/gss_krb5.h  |  11 -
>  include/linux/sunrpc/gss_krb5_enctypes.h |   9 +-
>  net/sunrpc/Kconfig   |   1 -
>  net/sunrpc/auth_gss/gss_krb5_crypto.c| 276 
>  net/sunrpc/auth_gss/gss_krb5_mech.c  |  95 ---
>  net/sunrpc/auth_gss/gss_krb5_seal.c  |   1 -
>  net/sunrpc/auth_gss/gss_krb5_seqnum.c|  87 --
>  net/sunrpc/auth_gss/gss_krb5_unseal.c|   1 -
>  net/sunrpc/auth_gss/gss_krb5_wrap.c  |  65 +
>  9 files changed, 16 insertions(+), 530 deletions(-)
> 
> diff --git a/include/linux/sunrpc/gss_krb5.h b/include/linux/sunrpc/gss_krb5.h
> index e8f8ffe7448b..91f43d86879d 100644
> --- a/include/linux/sunrpc/gss_krb5.h
> +++ b/include/linux/sunrpc/gss_krb5.h
> @@ -141,14 +141,12 @@ enum sgn_alg {
>   SGN_ALG_MD2_5 = 0x0001,
>   SGN_ALG_DES_MAC = 0x0002,
>   SGN_ALG_3 = 0x0003, /* not published */
> - SGN_ALG_HMAC_MD5 = 0x0011,  /* microsoft w2k; no support */
>   SGN_ALG_HMAC_SHA1_DES3_KD = 0x0004
>  };
>  enum seal_alg {
>   SEAL_ALG_NONE = 0x,
>   SEAL_ALG_DES = 0x,
>   SEAL_ALG_1 = 0x0001,/* not published */
> - SEAL_ALG_MICROSOFT_RC4 = 0x0010,/* microsoft w2k; no support */
>   SEAL_ALG_DES3KD = 0x0002
>  };
>  
> @@ -316,14 +314,5 @@ gss_krb5_aes_decrypt(struct krb5_ctx *kctx, u32 offset, 
> u32 len,
>struct xdr_buf *buf, u32 *plainoffset,
>u32 *plainlen);
>  
> -int
> -krb5_rc4_setup_seq_key(struct krb5_ctx *kctx,
> -struct crypto_sync_skcipher *cipher,
> -unsigned char *cksum);
> -
> -int
> -krb5_rc4_setup_enc_key(struct krb5_ctx *kctx,
> -struct crypto_sync_skcipher *cipher,
> -s32 seqnum);
>  void
>  gss_krb5_make_confounder(char *p, u32 conflen);
> diff --git a/include/linux/sunrpc/gss_krb5_enctypes.h 
> b/include/linux/sunrpc/gss_krb5_enctypes.h
> index 981c89cef19d..87eea679d750 100644
> --- a/include/linux/sunrpc/gss_krb5_enctypes.h
> +++ b/include/linux/sunrpc/gss_krb5_enctypes.h
> @@ -13,15 +13,13 @@
>  #ifdef CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES
>  
>  /*
> - * NB: This list includes encryption types that were deprecated
> - * by RFC 8429 (DES3_CBC_SHA1 and ARCFOUR_HMAC).
> + * NB: This list includes DES3_CBC_SHA1, which was deprecated by RFC 8429.
>   *
>   * ENCTYPE_AES256_CTS_HMAC_SHA1_96
>   * ENCTYPE_AES128_CTS_HMAC_SHA1_96
>   * ENCTYPE_DES3_CBC_SHA1
> - * ENCTYPE_ARCFOUR_HMAC
>   */
> -#define KRB5_SUPPORTED_ENCTYPES "18,17,16,23"
> +#define KRB5_SUPPORTED_ENCTYPES "18,17,16"
>  
>  #else/* CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES */
>  
> @@ -32,12 +30,11 @@
>   * ENCTYPE_AES256_CTS_HMAC_SHA1_96
>   * 

[RFC PATCH 3/7] SUNRPC: remove RC4-HMAC-MD5 support from KerberosV

2020-07-02 Thread Ard Biesheuvel
The RC4-HMAC-MD5 KerberosV algorithm is based on RFC 4757 [0], which
was specifically issued for interoperability with Windows 2000, but was
never intended to receive the same level of support. The RFC says

  The IETF Kerberos community supports publishing this specification as
  an informational document in order to describe this widely
  implemented technology.  However, while these encryption types
  provide the operations necessary to implement the base Kerberos
  specification [RFC4120], they do not provide all the required
  operations in the Kerberos cryptography framework [RFC3961].  As a
  result, it is not generally possible to implement potential
  extensions to Kerberos using these encryption types.  The Kerberos
  encryption type negotiation mechanism [RFC4537] provides one approach
  for using such extensions even when a Kerberos infrastructure uses
  long-term RC4 keys.  Because this specification does not implement
  operations required by RFC 3961 and because of security concerns with
  the use of RC4 and MD4 discussed in Section 8, this specification is
  not appropriate for publication on the standards track.

  The RC4-HMAC encryption types are used to ease upgrade of existing
  Windows NT environments, provide strong cryptography (128-bit key
  lengths), and provide exportable (meet United States government
  export restriction requirements) encryption.  This document describes
  the implementation of those encryption types.

Furthermore, RFC 4757 was re-classified as 'historic' by RFC 8429 [1] in
2018, which states that 'none of the encryption types it specifies should be
used'.

Note that other outdated algorithms are left in place (some of which are
guarded by CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES), so this should only
adversely affect interoperability with Windows NT/2000 systems that have
not received any updates since 2008 (but are connected to a network
nonetheless)

[0] https://tools.ietf.org/html/rfc4757
[1] https://tools.ietf.org/html/rfc8429

Signed-off-by: Ard Biesheuvel 
---
 include/linux/sunrpc/gss_krb5.h  |  11 -
 include/linux/sunrpc/gss_krb5_enctypes.h |   9 +-
 net/sunrpc/Kconfig   |   1 -
 net/sunrpc/auth_gss/gss_krb5_crypto.c| 276 
 net/sunrpc/auth_gss/gss_krb5_mech.c  |  95 ---
 net/sunrpc/auth_gss/gss_krb5_seal.c  |   1 -
 net/sunrpc/auth_gss/gss_krb5_seqnum.c|  87 --
 net/sunrpc/auth_gss/gss_krb5_unseal.c|   1 -
 net/sunrpc/auth_gss/gss_krb5_wrap.c  |  65 +
 9 files changed, 16 insertions(+), 530 deletions(-)

diff --git a/include/linux/sunrpc/gss_krb5.h b/include/linux/sunrpc/gss_krb5.h
index e8f8ffe7448b..91f43d86879d 100644
--- a/include/linux/sunrpc/gss_krb5.h
+++ b/include/linux/sunrpc/gss_krb5.h
@@ -141,14 +141,12 @@ enum sgn_alg {
SGN_ALG_MD2_5 = 0x0001,
SGN_ALG_DES_MAC = 0x0002,
SGN_ALG_3 = 0x0003, /* not published */
-   SGN_ALG_HMAC_MD5 = 0x0011,  /* microsoft w2k; no support */
SGN_ALG_HMAC_SHA1_DES3_KD = 0x0004
 };
 enum seal_alg {
SEAL_ALG_NONE = 0x,
SEAL_ALG_DES = 0x,
SEAL_ALG_1 = 0x0001,/* not published */
-   SEAL_ALG_MICROSOFT_RC4 = 0x0010,/* microsoft w2k; no support */
SEAL_ALG_DES3KD = 0x0002
 };
 
@@ -316,14 +314,5 @@ gss_krb5_aes_decrypt(struct krb5_ctx *kctx, u32 offset, 
u32 len,
 struct xdr_buf *buf, u32 *plainoffset,
 u32 *plainlen);
 
-int
-krb5_rc4_setup_seq_key(struct krb5_ctx *kctx,
-  struct crypto_sync_skcipher *cipher,
-  unsigned char *cksum);
-
-int
-krb5_rc4_setup_enc_key(struct krb5_ctx *kctx,
-  struct crypto_sync_skcipher *cipher,
-  s32 seqnum);
 void
 gss_krb5_make_confounder(char *p, u32 conflen);
diff --git a/include/linux/sunrpc/gss_krb5_enctypes.h 
b/include/linux/sunrpc/gss_krb5_enctypes.h
index 981c89cef19d..87eea679d750 100644
--- a/include/linux/sunrpc/gss_krb5_enctypes.h
+++ b/include/linux/sunrpc/gss_krb5_enctypes.h
@@ -13,15 +13,13 @@
 #ifdef CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES
 
 /*
- * NB: This list includes encryption types that were deprecated
- * by RFC 8429 (DES3_CBC_SHA1 and ARCFOUR_HMAC).
+ * NB: This list includes DES3_CBC_SHA1, which was deprecated by RFC 8429.
  *
  * ENCTYPE_AES256_CTS_HMAC_SHA1_96
  * ENCTYPE_AES128_CTS_HMAC_SHA1_96
  * ENCTYPE_DES3_CBC_SHA1
- * ENCTYPE_ARCFOUR_HMAC
  */
-#define KRB5_SUPPORTED_ENCTYPES "18,17,16,23"
+#define KRB5_SUPPORTED_ENCTYPES "18,17,16"
 
 #else  /* CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES */
 
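Review bot: The comment above `#define KRB5_SUPPORTED_ENCTYPES "18,17,16"` lists the enctypes by name while the macro lists them by number, so the two must be kept in step by hand, as this change does for 23 and ENCTYPE_ARCFOUR_HMAC. Annotating each name with its number, e.g. ` * ENCTYPE_DES3_CBC_SHA1 (16)`, would make a mismatch visible in review. The new NB line also says DES3_CBC_SHA1 is deprecated by RFC 8429 without saying why it stays in the list selected when CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES is set; one sentence giving the reason would help anyone auditing this list. The same applies to the `#else` list in the next hunk, whose end is not visible here. Presumably this string is what the kernel offers during enctype negotiation, so principals that hold only RC4 keys would stop working rather than fall back; that is worth stating in the commit message for operators.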
@@ -32,12 +30,11 @@
  * ENCTYPE_AES256_CTS_HMAC_SHA1_96
  * ENCTYPE_AES128_CTS_HMAC_SHA1_96
  * ENCTYPE_DES3_CBC_SHA1
- * ENCTYPE_ARCFOUR_HMAC
  * ENCTYPE_DES_CBC_MD5
  * ENCTYPE_DES_CBC_CRC
  * ENCTYPE_DES_CBC_MD4
  */
-#define KRB5_SUPPORTED_ENCTYPES "18,17,16,23,3,1,2"
+#define KRB5_SUPPORTED_ENCTYPES "18,17,16,3,1,2"
 
 #endif /*