Received: by 2002:a05:6a10:1d13:0:0:0:0 with SMTP id pp19csp227350pxb; Wed, 18 Aug 2021 20:53:37 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzWk3wR+Z8PvKyDRroXo3W0rp0OyUq4+LFLUUPfA68wG3KrVXPzj3cquWYG+1JW/Ufa///r X-Received: by 2002:a92:c80e:: with SMTP id v14mr8802977iln.57.1629345217340; Wed, 18 Aug 2021 20:53:37 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1629345217; cv=none; d=google.com; s=arc-20160816; b=iLuXgSBINQ4DTZsn1cUZeY9tWVHPHArfJSfrCk6JwvXBIeQsCkRpk1/3cuTQNmR09Y 1FSyUoz6b8CEjfW2CPMAxGnmsQyB3dF2UJsUMl8mFKS/Ac5ArGXsACm65+z9JDY+8JCT mypTnpfy49ea2HilSx8BqEfajlIcgmUgNvQOScgLRXU4paXlav7tGAbwhVlWOIZpnl21 Rn2D4sWZ6xQZEXtv1Rs5NaJ9uo4fT0Z1RpPF3kY6sqUjwCxYh2HKW6gv8BDNGqt9P1FF Yd16u+TBht2Zd646euiP4wRhzb/5Ad4xhzgiXvdd0sBz1/rxasmJCs5GwBiZ+r2AX4r5 xJ5g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:date:cc:to:from:subject :message-id:dkim-signature; bh=bKgCaUEic8Dg9c08X1G5eHnxJn89fD/khBgbO3YyqOk=; b=W68/+PK9Fh7CT9HRixXSJtIO/j/yURCzk0DvjUNn/rTBXfQvaT0DTjRZmGukKuT4av cjymi75hSRAcF9wzXcsy3JlyBHi6qZURlzXdNZibrJCfc7X0UBZkt9DOz6pxp1kZBCV2 z6BJZvY44FfhYPoZUH0kcqIxQDhBQaGTOgg96uwfsiBkuWiNJPXvgUxdFaEZms8ImI2N wvorfnD+LIY419UPtVJRdM0I6eIpPXf/2KGVdjXP9HkRCaasqsorzZVJiUIbk0fsmCVC HLowQm/uz1d/UVmGqNIvm8i492HtkMsfAqEY+7Q10ERc+EBzqBOXKg3NIaoHrLTMfkHN 6n9Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@samba.org header.s=42 header.b=vnSH7dr4; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=samba.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id h19si1552723jaj.67.2021.08.18.20.53.25; Wed, 18 Aug 2021 20:53:37 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@samba.org header.s=42 header.b=vnSH7dr4; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=samba.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236007AbhHSDx6 (ORCPT + 99 others); Wed, 18 Aug 2021 23:53:58 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37886 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235806AbhHSDx5 (ORCPT ); Wed, 18 Aug 2021 23:53:57 -0400 Received: from hr2.samba.org (hr2.samba.org [IPv6:2a01:4f8:192:486::2:0]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A7A05C061764; Wed, 18 Aug 2021 20:53:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=samba.org; s=42; h=Date:Cc:To:From:Message-ID; bh=bKgCaUEic8Dg9c08X1G5eHnxJn89fD/khBgbO3YyqOk=; b=vnSH7dr4uMF8ev4i9LVbl1uedS xHSpFKIri1k/7rL5kwAmKGsKLyEa1N0Qh1SvtKY0d04/3Cq4yqP4yYrqx6PAFn2nCLC7v14Y+1zTa wlRHGc61ABHp61HH3uP6YAnpcL1AF4GIjg8M/MKk7YCwZrfC7Wq3jtQwxCz+lSpnIJtmhMK7g9UAT lf25P9tLmNRn6C1XuSwxlTDVFPHST+MKTFfsMIB4L4CLF3zqSRqbQi1DHvOx2RPftfAGbH16mW3xH h/6/55RK892d7GiUQeFYr+LDwpdFhZZ5Ljz7sJ1RwrD/r2O8ZyK7Zs7vD0f/By1yZ8/FKo03NS6l1 7bSV4NpanqSx95K/J8EJM85ohgMwifJrglhZeWwu+BObErwxxlvsBRvTu0/bbvnSV7Xr1Tg8n6pmt 5S1b6NSw7wuZ9AlbO8dL5kAHLQt7SETVKmhkvjCbq0x2tcxNJ7QReJob8j0c+W69uU10yIvxPXXOt +DNbiPyr9ajg/8Wc4Q6FWXz9; Received: from [127.0.0.2] (localhost [127.0.0.1]) by hr2.samba.org with esmtpsa (TLS1.3:ECDHE_SECP256R1__ECDSA_SECP256R1_SHA256__CHACHA20_POLY1305:256) (Exim) id 1mGZ7G-0020Gg-8A; Thu, 19 Aug 2021 03:53:19 +0000 Message-ID: Subject: Re: Building cifs.ko without any support for insecure crypto? From: Andrew Bartlett To: ronnie sahlberg , Ard Biesheuvel Cc: Eric Biggers , linux-cifs , Steve French , "samba-technical@lists.samba.org" , Linux Crypto Mailing List Date: Thu, 19 Aug 2021 15:53:11 +1200 In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" User-Agent: Evolution 3.36.5-0ubuntu1 MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Thu, 2021-08-19 at 13:43 +1000, ronnie sahlberg via samba-technical wrote: > On Wed, Aug 18, 2021 at 9:44 PM Ard Biesheuvel > wrote: > > On Tue, 17 Aug 2021 at 00:19, Eric Biggers > > wrote: > > > On Sun, Aug 15, 2021 at 08:38:23PM +1000, ronnie sahlberg wrote: > > > > What are the plans here? To just offer the possibility to > > > > disable all > > > > these old crypto and hashes on a local kernel compile? > > > > Or is the plan to just outright remove it from the kernel > > > > sources? > > > > > > > > If the first, I think that could possible be done for cifs. I > > > > think a > > > > lot of the security minded larger enterprises already may be > > > > disabling > > > > both SMB1 and also NTLM on serverside, so they would be fine. > > > > > > > > For the latter, I think it would be a no-go since aside from > > > > krb5 > > > > there are just no other viable authentication mechs for smb. > > > > > > Removing the code would be best, but allowing it to be compiled > > > out would be the > > > next best thing. > > > > > > > TL;DR > > > > If NTLMSSP authentication is disabled, there are no other > > > > options to > > > > map a share than using KRB5 > > > > and setting up the krb5 infrastructure. And thus smaller sites > > > > will > > > > not be able to use CIFS :-( > > > > So while I think it is feasible to add support to cifs.ko to > > > > conditionally disable features depending in a kernel compile > > > > (no SMB1 > > > > if des/rc4 is missing, no NTLM if rc4/md4/md5 is missing) I > > > > don't > > > > think it is feasible to disable these by default. > > > > I will work on making it possible to build cifs.ko with limied > > > > functionality when these algorithms are disabled though. > > > > > > FWIW, the way this came up is that the Compatibility Test Suite > > > for Android 11 > > > verifies that CONFIG_CRYPTO_MD4 isn't set. The reason that test > > > got added is > > > because for a short time, CONFIG_CRYPTO_MD4 had accidentally been > > > enabled in the > > > recommended kernel config for Android. Since "obviously" no one > > > would be using > > > a completely broken crypto algorithm from 31 years ago, when > > > fixing that bug we > > > decided to go a bit further and just forbid it from the kernel > > > config. > > > > > > I guess we'll have to remove that test for now (assuming that > > > CONFIG_CIFS is to > > > be allowed at all on an Android device, and that the people who > > > want to use it > > > don't want to use kerberos which is probably the case). > > > > > > It is beyond ridiculous that this is even an issue though, given > > > that MD4 has > > > been severely compromised for over 25 years. > > > > > > One thing which we should seriously consider doing is removing > > > md4 from the > > > crypto API and moving it into fs/cifs/. It isn't a valid crypto > > > algorithm, so > > > anyone who wants to use it should have to maintain it themselves. > > > > > > > +1 to moving the md4 code into fs/cifs, so that the CIFS > > maintainers > > can own it and phase it out on their own schedule, and prevent its > > inadvertent use in other places. > > Ok, let me summarize the status and what I think we will need to do > in cifs. > > DES > --- > Removal of DES is not controversial since this only affects SMB1. > SMB2 has been around since 2006 and it is starting to become viable > to at least > disable the SMB1 protocol by default today. > There are still servers that only support SMB1 but they are becoming > rare. > I think also Microsoft Windows default to disable (but not remove) > SMB1 by default > on some configurations today. > > I am proposing that we remove the hard dependency to DES and instead > make it a soft dependency to "do not build SMB1 if DES is missing". NTLMSSP is also used over SMB1 (and presumably in cifs.ko), allowing NTLMv2. This means you would only need DES with 'bare' NTLM, which means you are talking to a very, very old server, eg NT4 or Win9X, or are running old crypto for giggles. Andrew Bartlett -- Andrew Bartlett (he/him) https://samba.org/~abartlet/ Samba Team Member (since 2001) https://samba.org Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba Samba Development and Support, Catalyst IT - Expert Open Source Solutions