From: Scott Mayhew <smayhew@redhat.com>
To: steved@redhat.com
Cc: =carnil@debian.org, linux-nfs@vger.kernel.org
Subject: [nfs-utils PATCH RFC 2/4] gssd: add enctypes_list_to_string()
Date: Fri, 13 Feb 2026 17:40:10 -0500 [thread overview]
Message-ID: <20260213224012.2608126-3-smayhew@redhat.com> (raw)
In-Reply-To: <20260213224012.2608126-1-smayhew@redhat.com>
Add enctypes_list_to_string() to produce a human-friendly string that
can be used in debug messages. The logic was mostly factored out of
get_allowed_enctypes().
Signed-off-by: Scott Mayhew <smayhew@redhat.com>
---
utils/gssd/gssd_proc.c | 15 +++++++
utils/gssd/krb5_util.c | 94 +++++++++++++++++++++++++++++-------------
utils/gssd/krb5_util.h | 3 ++
3 files changed, 83 insertions(+), 29 deletions(-)
diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
index 01331485..e060bee3 100644
--- a/utils/gssd/gssd_proc.c
+++ b/utils/gssd/gssd_proc.c
@@ -91,6 +91,7 @@ extern TAILQ_HEAD(active_thread_list_head, upcall_thread_info) active_thread_lis
/* Encryption types supported by the kernel rpcsec_gss code */
int num_krb5_enctypes = 0;
krb5_enctype *krb5_enctypes = NULL;
+char *krb5_enctypes_string = NULL;
/* Args for the cleanup_handler() */
struct cleanup_args {
@@ -121,6 +122,8 @@ parse_enctypes(char *enctypes)
free(krb5_enctypes);
krb5_enctypes = NULL;
num_krb5_enctypes = 0;
+ free(krb5_enctypes_string);
+ krb5_enctypes_string = NULL;
}
/* count the number of commas */
@@ -156,6 +159,18 @@ parse_enctypes(char *enctypes)
if ((cached_types = malloc(strlen(enctypes)+1)))
strcpy(cached_types, enctypes);
+ if (num_krb5_enctypes > 0) {
+ if (enctypes_list_to_string(krb5_enctypes, num_krb5_enctypes,
+ &krb5_enctypes_string) != 0) {
+ printerr(2, "%s: warning: enctypes_list_to_string() failed\n",
+ __func__);
+ goto out;
+ }
+ printerr(2, "kernel supported enctypes: %s\n",
+ krb5_enctypes_string);
+ }
+
+out:
return 0;
}
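Review bot: A failed conversion is only logged as a warning here, so `krb5_enctypes_string` is left as it was (presumably NULL after the reset in the previous hunk) while `krb5_enctypes` stays populated. The later limit_krb5_enctypes() hunk then passes that pointer to a `%s` conversion. Assuming printerr() forwards to the printf family, a NULL argument for `%s` is undefined behaviour; the same applies to `allowed_enctypes_string` in the get_allowed_enctypes() hunk. The log calls could guard the argument, e.g. `__func__, krb5_enctypes_string ? krb5_enctypes_string : "(unavailable)");`. Separately, the `goto out` / `out:` pair only jumps to the `return 0` that directly follows the block, so it can be dropped.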
diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
index 9c1016b3..2b2925fb 100644
--- a/utils/gssd/krb5_util.c
+++ b/utils/gssd/krb5_util.c
@@ -157,6 +157,7 @@ static pthread_mutex_t ple_lock = PTHREAD_MUTEX_INITIALIZER;
#ifdef HAVE_SET_ALLOWABLE_ENCTYPES
krb5_enctype *allowed_enctypes = NULL;
int num_allowed_enctypes = 0;
+char *allowed_enctypes_string = NULL;
#endif
/*==========================*/
@@ -1580,14 +1581,60 @@ out_cred:
return ret;
}
+int
+enctypes_list_to_string(krb5_enctype *enctypes, int num_enctypes,
+ char **enctype_string)
+{
+ char tmp[100], *buf = NULL, *old = NULL;
+ int i, len, ret;
+
+ for (i = 0; i < num_enctypes; i++) {
+ ret = krb5_enctype_to_name(enctypes[i], true, tmp, sizeof(tmp));
+ if (ret == 0) {
+ if (buf == NULL) {
+ len = asprintf(&buf, "%s (%d)", tmp,
+ enctypes[i]);
+ if (len < 0) {
+ ret = ENOMEM;
+ goto out_err;
+ }
+ } else {
+ old = buf;
+ len = asprintf(&buf, "%s, %s (%d)", old, tmp,
+ enctypes[i]);
+ if (len < 0) {
+ ret = ENOMEM;
+ goto out_err;
+ }
+ free(old);
+ old = NULL;
+ }
+ } else {
+ printerr(0, "%s: invalid enctype %d",
+ __func__, enctypes[i]);
+ goto out_err;
+ }
+ }
+ goto out;
+
+out_err:
+ free(buf);
+
+out:
+ if (old != buf)
+ free(old);
+ if (ret == 0)
+ *enctype_string = buf;
+ return ret;
+}
+
#ifdef HAVE_SET_ALLOWABLE_ENCTYPES
int
get_allowed_enctypes(void)
{
struct conf_list *allowed_etypes = NULL;
struct conf_list_node *node;
- char *buf = NULL, *old = NULL;
- int len, ret = 0;
+ int ret = 0;
allowed_etypes = conf_get_list("gssd", "allowed-enctypes");
if (allowed_etypes) {
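Review bot: enctypes_list_to_string() reads `ret` at `out:` without it ever having been assigned when `num_enctypes` is 0, because the loop body never runs. Both callers in this patch guard with `> 0`, but the function is exported through krb5_util.h. The error path also calls `free(buf)` after a failed asprintf(), and asprintf(3) documents the pointer's contents as undefined in that case, so the free may act on an indeterminate pointer. Formatting into a separate pointer and swapping only on success removes both that hazard and the `old` bookkeeping. The sketch below also initialises `ret` and stores NULL for an empty list, which the author may prefer to treat as an error instead.

```c
int
enctypes_list_to_string(krb5_enctype *enctypes, int num_enctypes,
			char **enctype_string)
{
	char tmp[100], *buf = NULL, *next = NULL;
	int i, ret = 0;

	for (i = 0; i < num_enctypes; i++) {
		ret = krb5_enctype_to_name(enctypes[i], true, tmp, sizeof(tmp));
		if (ret != 0) {
			printerr(0, "%s: invalid enctype %d",
				 __func__, enctypes[i]);
			goto out_err;
		}
		/* build into 'next' so 'buf' stays valid if asprintf() fails */
		if (asprintf(&next, "%s%s%s (%d)", buf ? buf : "",
			     buf ? ", " : "", tmp, enctypes[i]) < 0) {
			ret = ENOMEM;
			goto out_err;
		}
		free(buf);
		buf = next;
	}
	*enctype_string = buf;
	return 0;

out_err:
	free(buf);
	return ret;
}
```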
@@ -1606,38 +1653,24 @@ get_allowed_enctypes(void)
__func__, node->field);
goto out_err;
}
- if (get_verbosity() > 1) {
- if (buf == NULL) {
- len = asprintf(&buf, "%s(%d)", node->field,
- allowed_enctypes[num_allowed_enctypes]);
- if (len < 0) {
- ret = ENOMEM;
- goto out_err;
- }
- } else {
- old = buf;
- len = asprintf(&buf, "%s,%s(%d)", old, node->field,
- allowed_enctypes[num_allowed_enctypes]);
- if (len < 0) {
- ret = ENOMEM;
- goto out_err;
- }
- free(old);
- old = NULL;
- }
- }
num_allowed_enctypes++;
}
- printerr(2, "%s: allowed_enctypes = %s", __func__, buf);
+ }
+ if (num_allowed_enctypes > 0) {
+ if (enctypes_list_to_string(allowed_enctypes, num_allowed_enctypes,
+ &allowed_enctypes_string) != 0) {
+ printerr(2, "%s: warning: enctypes_list_to_string() failed\n",
+ __func__);
+ goto out;
+ }
+ printerr(2, "%s: config allowed enctypes: %s\n", __func__,
+ allowed_enctypes_string);
}
goto out;
out_err:
num_allowed_enctypes = 0;
free(allowed_enctypes);
out:
- free(buf);
- if (old != buf)
- free(old);
if (allowed_etypes)
conf_free_list(allowed_etypes);
return ret;
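Review bot: The result is stored into `allowed_enctypes_string` without freeing whatever it held before, whereas parse_enctypes() frees and clears `krb5_enctypes_string` before rebuilding it. If get_allowed_enctypes() can run more than once (its opening lines are outside this hunk, so that is not visible here), the previous string leaks. The `out_err` path would also leave a stale description in place after resetting `num_allowed_enctypes`. Adding `free(allowed_enctypes_string); allowed_enctypes_string = NULL;` ahead of the conversion and under `out_err:` would keep the string in step with the list.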
@@ -1662,8 +1695,10 @@ limit_krb5_enctypes(struct rpc_gss_sec *sec)
u_int maj_stat, min_stat;
extern int num_krb5_enctypes;
extern krb5_enctype *krb5_enctypes;
+ extern char *krb5_enctypes_string;
extern int num_allowed_enctypes;
extern krb5_enctype *allowed_enctypes;
+ extern char *allowed_enctypes_string;
int num_set_enctypes;
krb5_enctype *set_enctypes;
int err = -1;
@@ -1675,12 +1710,13 @@ limit_krb5_enctypes(struct rpc_gss_sec *sec)
}
if (allowed_enctypes) {
- printerr(2, "%s: using allowed enctypes from config\n",
- __func__);
+ printerr(2, "%s: using allowed enctypes from config: %s\n",
+ __func__, allowed_enctypes_string);
num_set_enctypes = num_allowed_enctypes;
set_enctypes = allowed_enctypes;
} else if (krb5_enctypes) {
- printerr(2, "%s: using enctypes from the kernel\n", __func__);
+ printerr(2, "%s: using enctypes from the kernel: %s\n",
+ __func__, krb5_enctypes_string);
num_set_enctypes = num_krb5_enctypes;
set_enctypes = krb5_enctypes;
} else {
diff --git a/utils/gssd/krb5_util.h b/utils/gssd/krb5_util.h
index af5f30be..a8e17ea2 100644
--- a/utils/gssd/krb5_util.h
+++ b/utils/gssd/krb5_util.h
@@ -24,6 +24,9 @@ void gssd_k5_get_default_realm(char **def_realm);
int gssd_acquire_user_cred(gss_cred_id_t *gss_cred);
int gssd_k5_remove_bad_service_cred(char *srvname);
+int enctypes_list_to_string(krb5_enctype *enctypes, int num_enctypes,
+ char **enctype_string);
+
#ifdef HAVE_SET_ALLOWABLE_ENCTYPES
int limit_krb5_enctypes(struct rpc_gss_sec *sec);
int get_allowed_enctypes(void);
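Review bot: The new prototype says nothing about who owns the returned string, and the function allocates it with asprintf(). A short comment above the declaration would state the contract visible in the implementation: `/* On success returns 0 and stores a malloc'd string in *enctype_string (caller frees); on failure returns non-zero and leaves *enctype_string untouched. */`.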
--
2.52.0