SUNRPC: Remove per-enctype Kconfig options

The RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA1,
RPCSEC_GSS_KRB5_ENCTYPES_CAMELLIA, and
RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2 Kconfig options
originally gated both algorithm availability and the
advertised enctype list. Now that per-message crypto
operations are routed through crypto/krb5, these options
control only which enctype numbers appear in the gssd
upcall string; the underlying algorithms are always
present.

Remove the per-enctype Kconfig options and replace the
ifdef-gated enctype table with a candidate list looked
up in the crypto/krb5 enctype table at module init
time. Each enctype is included in the advertised list
only if crypto_krb5_find_enctype() finds it in the
library's enctype table. When a new enctype is added
to crypto/krb5, adding its constant to the candidate
array is sufficient to begin advertising it.

Assisted-by: Claude:claude-opus-4-6
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Acked-by: Anna Schumaker <anna.schumaker@hammerspace.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

diff --git a/net/sunrpc/Kconfig b/net/sunrpc/Kconfig
index 1c2e1fe9d36592d2b5f08432711e9b527612ac5e..305c55cdbd45fed6a04540f9e0e11390e59e5926 100644 (file)
--- a/net/sunrpc/Kconfig
+++ b/net/sunrpc/Kconfig
@@ -35,44 +35,6 @@ config RPCSEC_GSS_KRB5
 
          If unsure, say Y.
 
-config RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA1
-       bool "Enable Kerberos enctypes based on AES and SHA-1"
-       depends on RPCSEC_GSS_KRB5
-       depends on CRYPTO_CBC && CRYPTO_CTS
-       depends on CRYPTO_HMAC && CRYPTO_SHA1
-       depends on CRYPTO_AES
-       default y
-       help
-         Choose Y to enable the use of Kerberos 5 encryption types
-         that utilize Advanced Encryption Standard (AES) ciphers and
-         SHA-1 digests. These include aes128-cts-hmac-sha1-96 and
-         aes256-cts-hmac-sha1-96.
-
-config RPCSEC_GSS_KRB5_ENCTYPES_CAMELLIA
-       bool "Enable Kerberos encryption types based on Camellia and CMAC"
-       depends on RPCSEC_GSS_KRB5
-       depends on CRYPTO_CBC && CRYPTO_CTS && CRYPTO_CAMELLIA
-       depends on CRYPTO_CMAC
-       default n
-       help
-         Choose Y to enable the use of Kerberos 5 encryption types
-         that utilize Camellia ciphers (RFC 3713) and CMAC digests
-         (NIST Special Publication 800-38B). These include
-         camellia128-cts-cmac and camellia256-cts-cmac.
-
-config RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2
-       bool "Enable Kerberos enctypes based on AES and SHA-2"
-       depends on RPCSEC_GSS_KRB5
-       depends on CRYPTO_CBC && CRYPTO_CTS
-       depends on CRYPTO_HMAC && CRYPTO_SHA256 && CRYPTO_SHA512
-       depends on CRYPTO_AES
-       default n
-       help
-         Choose Y to enable the use of Kerberos 5 encryption types
-         that utilize Advanced Encryption Standard (AES) ciphers and
-         SHA-2 digests. These include aes128-cts-hmac-sha256-128 and
-         aes256-cts-hmac-sha384-192.
-
 config SUNRPC_DEBUG
        bool "RPC: Enable dprintk debugging"
        depends on SUNRPC && SYSCTL

diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c
index 5a52fd84f94631fdb92dd467738c5380e37535b4..996e452b9b3ceb97afde1fd1b42eb371de5c1e2d 100644 (file)
--- a/net/sunrpc/auth_gss/gss_krb5_mech.c
+++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
@@ -28,27 +28,23 @@
 static struct gss_api_mech gss_kerberos_mech;
 
 /*
- * The list of advertised enctypes is specified in order of most
- * preferred to least.
+ * Candidate enctypes in order of most preferred to least.
+ * Each is probed against crypto/krb5 at module init; only
+ * enctypes that crypto/krb5 supports are advertised.
  */
+static const u32 gss_krb5_enctypes[] = {
+       ENCTYPE_AES256_CTS_HMAC_SHA384_192,
+       ENCTYPE_AES128_CTS_HMAC_SHA256_128,
+       ENCTYPE_CAMELLIA256_CTS_CMAC,
+       ENCTYPE_CAMELLIA128_CTS_CMAC,
+       ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+       ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+};
+
 static char gss_krb5_enctype_priority_list[64];
 
 static void gss_krb5_prepare_enctype_priority_list(void)
 {
-       static const u32 gss_krb5_enctypes[] = {
-#if defined(CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2)
-               ENCTYPE_AES256_CTS_HMAC_SHA384_192,
-               ENCTYPE_AES128_CTS_HMAC_SHA256_128,
-#endif
-#if defined(CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_CAMELLIA)
-               ENCTYPE_CAMELLIA256_CTS_CMAC,
-               ENCTYPE_CAMELLIA128_CTS_CMAC,
-#endif
-#if defined(CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA1)
-               ENCTYPE_AES256_CTS_HMAC_SHA1_96,
-               ENCTYPE_AES128_CTS_HMAC_SHA1_96,
-#endif
-       };
        size_t total, i;
        char buf[16];
        char *sep;
@@ -57,6 +53,8 @@ static void gss_krb5_prepare_enctype_priority_list(void)
        sep = "";
        gss_krb5_enctype_priority_list[0] = '\0';
        for (total = 0, i = 0; i < ARRAY_SIZE(gss_krb5_enctypes); i++) {
+               if (!crypto_krb5_find_enctype(gss_krb5_enctypes[i]))
+                       continue;
                n = sprintf(buf, "%s%u", sep, gss_krb5_enctypes[i]);
                if (n < 0)
                        break;