From: Scott Mayhew <smayhew@redhat.com>
To: steved@redhat.com
Cc: =carnil@debian.org, linux-nfs@vger.kernel.org
Subject: [nfs-utils PATCH RFC 3/4] gssd: get the permitted enctypes from the krb5 library on startup
Date: Fri, 13 Feb 2026 17:40:11 -0500 [thread overview]
Message-ID: <20260213224012.2608126-4-smayhew@redhat.com> (raw)
In-Reply-To: <20260213224012.2608126-1-smayhew@redhat.com>
This will allow us to cross-reference the list of encryption types
sent in the upcall from the kernel as well as the list of encryption
types enabled via the allowed-enctypes option from nfs.conf with
the list permitted by the krb5 library.
Signed-off-by: Scott Mayhew <smayhew@redhat.com>
---
utils/gssd/gssd.c | 3 +++
utils/gssd/krb5_util.c | 55 ++++++++++++++++++++++++++++++++++++++++++
utils/gssd/krb5_util.h | 1 +
3 files changed, 59 insertions(+)
diff --git a/utils/gssd/gssd.c b/utils/gssd/gssd.c
index 8a894b2e..1c901991 100644
--- a/utils/gssd/gssd.c
+++ b/utils/gssd/gssd.c
@@ -1222,6 +1222,9 @@ main(int argc, char *argv[])
daemon_init(fg);
#ifdef HAVE_SET_ALLOWABLE_ENCTYPES
+ rc = get_krb5_library_permitted_enctypes();
+ if (rc)
+ exit(EXIT_FAILURE);
rc = get_allowed_enctypes();
if (rc)
exit(EXIT_FAILURE);
diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
index 2b2925fb..bc07f852 100644
--- a/utils/gssd/krb5_util.c
+++ b/utils/gssd/krb5_util.c
@@ -155,9 +155,15 @@ static struct gssd_k5_kt_princ *gssd_k5_kt_princ_list = NULL;
static pthread_mutex_t ple_lock = PTHREAD_MUTEX_INITIALIZER;
#ifdef HAVE_SET_ALLOWABLE_ENCTYPES
+/* Encryption types specified in nfs.conf */
krb5_enctype *allowed_enctypes = NULL;
int num_allowed_enctypes = 0;
char *allowed_enctypes_string = NULL;
+
+/* Encryption types permitted by the krb5 library */
+int num_lib_enctypes = 0;
+krb5_enctype *lib_enctypes = NULL;
+char *lib_enctypes_string = NULL;
#endif
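Review bot: The three new globals `num_lib_enctypes`, `lib_enctypes` and `lib_enctypes_string` are given external linkage, but nothing in this patch declares them `extern` (the krb5_util.h hunk only adds the function prototype), so unless patch 4/4 reads them from another translation unit they should be `static` to keep them out of the daemon's global namespace. The existing `allowed_enctypes` trio has the same linkage, so this follows a pre-existing convention rather than introducing a new defect. The comment would also help the next reader if it stated ownership, e.g. `/* Encryption types permitted by the krb5 library; filled once at startup by get_krb5_library_permitted_enctypes() and kept for the life of the daemon */`.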
/*==========================*/
@@ -1676,6 +1682,55 @@ out:
return ret;
}
+int
+get_krb5_library_permitted_enctypes(void)
+{
+ krb5_error_code code = 0;
+ krb5_context context;
+ char *k5err = NULL;
+ int ret = 0;
+
+ code = krb5_init_context(&context);
+ if (code) {
+ k5err = gssd_k5_err_msg(NULL, code);
+ printerr(2, "ERROR: %s: %s while initializing krb5 context\n",
+ __func__, k5err);
+ ret = code;
+ goto out;
+ }
+
+ code = krb5_get_permitted_enctypes(context, &lib_enctypes);
+ if (code) {
+ k5err = gssd_k5_err_msg(context, code);
+ printerr(2, "ERROR: %s: %s while getting permitted enctypes\n",
+ __func__, k5err);
+ ret = code;
+ goto out_free_context;
+ }
+
+ if (lib_enctypes != NULL)
+ while (lib_enctypes[num_lib_enctypes] != 0)
+ num_lib_enctypes++;
+
+ if (num_lib_enctypes > 0) {
+ if (enctypes_list_to_string(lib_enctypes, num_lib_enctypes,
+ &lib_enctypes_string) != 0) {
+ printerr(2, "%s: warning: enctypes_list_to_string() failed\n",
+ __func__);
+ goto out_free_context;
+ }
+ printerr(2, "krb5 library permitted enctypes: %s\n",
+ lib_enctypes_string);
+ }
+
+out_free_context:
+ krb5_free_context(context);
+
+out:
+ free(k5err);
+ return ret;
+}
+
/*
* this routine obtains a credentials handle via gss_acquire_cred()
* then calls gss_krb5_set_allowable_enctypes() to limit the encryption
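Review bot: `get_krb5_library_permitted_enctypes()` returns 0 both when `krb5_get_permitted_enctypes()` hands back a NULL or empty list and when `enctypes_list_to_string()` fails at the `goto out_free_context` after the warning, so a caller cannot distinguish "the library permits nothing" from a populated result, and `lib_enctypes_string` can be NULL while `num_lib_enctypes` is positive. Because this list is what the upcall and nfs.conf enctypes will be checked against, an empty permitted set deserves at least a loud message, `if (num_lib_enctypes == 0) printerr(0, "WARNING: %s: krb5 library permits no enctypes\n", __func__);`, and whether that should be fatal depends on how patch 4/4 consumes the list, which is not visible here. The counting loop `while (lib_enctypes[num_lib_enctypes] != 0)` starts from the global's current value, so a second call would miscount and leak the first array; a header comment such as `/* Snapshot the enctypes the krb5 library permits (presumably [libdefaults] permitted_enctypes in krb5.conf). Call once at startup; the result is not refreshed if krb5.conf changes. */` would record both constraints for operators and maintainers.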
diff --git a/utils/gssd/krb5_util.h b/utils/gssd/krb5_util.h
index a8e17ea2..e9d08567 100644
--- a/utils/gssd/krb5_util.h
+++ b/utils/gssd/krb5_util.h
@@ -30,6 +30,7 @@ int enctypes_list_to_string(krb5_enctype *enctypes, int num_enctypes,
#ifdef HAVE_SET_ALLOWABLE_ENCTYPES
int limit_krb5_enctypes(struct rpc_gss_sec *sec);
int get_allowed_enctypes(void);
+int get_krb5_library_permitted_enctypes(void);
#endif
/*
--
2.52.0