From: Jian Yu <yujian@whamcloud.com>
Date: Fri, 6 Nov 2020 06:31:28 +0000 (-0800)
Subject: LU-14116 autoconf: check if DES3 enctype is supported
X-Git-Tag: 2.13.57~90
X-Git-Url: https://git.whamcloud.com/?a=commitdiff_plain;h=4fdeb8719841412c5431177ad3225a19949d5d1d;p=fs%2Flustre-release.git

LU-14116 autoconf: check if DES3 enctype is supported

krb5 releases 1.18 and later completely remove support for
all DES3 enctypes (des3-cbc-raw, des3-hmac-sha1, des3-cbc-sha1-kd).

This patch adds HAVE_DES3_SUPPORT to check if DES3 enctype
is supported.

Change-Id: Ibb51ec7961e8c775ea92dec6119f4de01e2d9b1d
Signed-off-by: Jian Yu <yujian@whamcloud.com>
Reviewed-on: https://review.whamcloud.com/40554
Tested-by: jenkins <devops@whamcloud.com>
Reviewed-by: Sebastien Buisson <sbuisson@ddn.com>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
---

diff --git a/lustre/autoconf/kerberos5.m4 b/lustre/autoconf/kerberos5.m4
index c88da67..fa1da10 100644
--- a/lustre/autoconf/kerberos5.m4
+++ b/lustre/autoconf/kerberos5.m4
@@ -134,6 +134,17 @@ krb5int_derive_key and krb5_derive_key functions!
 ])
     ])
 
+	dnl Version 1.18 removed support for all DES3 enctypes (des3-cbc-raw,
+	dnl des3-hmac-sha1, des3-cbc-sha1-kd).
+	AC_MSG_CHECKING([for DES3 enctype support by krb5])
+	if test $K5VERS -lt 1180; then
+		AC_DEFINE(HAVE_DES3_SUPPORT, 1,
+			  [DES3 enctype is supported by krb5])
+		AC_MSG_RESULT([yes])
+	else
+		AC_MSG_RESULT([no])
+	fi
+
     dnl If they specified a directory and it didn't work, give them a warning
     if test "x$krb5_with" != "x" -a "$krb5_with" != "$KRBDIR"; then
       AC_MSG_WARN([
diff --git a/lustre/ptlrpc/gss/gss_krb5_mech.c b/lustre/ptlrpc/gss/gss_krb5_mech.c
index d675c70..6ce908a 100644
--- a/lustre/ptlrpc/gss/gss_krb5_mech.c
+++ b/lustre/ptlrpc/gss/gss_krb5_mech.c
@@ -95,6 +95,7 @@ static struct krb5_enctype enctypes[] = {
 		.ke_hash_size	= 16,
 		.ke_conf_size	= 8,
 	},
+#ifdef HAVE_DES3_SUPPORT
 	[ENCTYPE_DES3_CBC_RAW] = {		/* des3-hmac-sha1 */
 		.ke_dispname	= "des3-hmac-sha1",
 		.ke_enc_name	= "cbc(des3_ede)",
@@ -103,6 +104,7 @@ static struct krb5_enctype enctypes[] = {
 		.ke_conf_size	= 8,
 		.ke_hash_hmac	= 1,
 	},
+#endif
 	[ENCTYPE_AES128_CTS_HMAC_SHA1_96] = {	/* aes128-cts */
 		.ke_dispname	= "aes128-cts-hmac-sha1-96",
 		.ke_enc_name	= "cbc(aes)",
diff --git a/lustre/utils/gss/context_lucid.c b/lustre/utils/gss/context_lucid.c
index a24eda1..ed33a4f 100644
--- a/lustre/utils/gss/context_lucid.c
+++ b/lustre/utils/gss/context_lucid.c
@@ -197,7 +197,9 @@ enum seal_alg {
  * structures located in libk5crypto
  */
 extern void *krb5int_enc_arcfour;
+#ifdef HAVE_DES3_SUPPORT
 extern void *krb5int_enc_des3;
+#endif
 extern void *krb5int_enc_aes128;
 extern void *krb5int_enc_aes256;
 
@@ -276,6 +278,7 @@ derive_key_lucid(const gss_krb5_lucid_key_t *in, gss_krb5_lucid_key_t *out,
 	 * values and structures located in libk5crypto
 	 */
 	switch (in->type) {
+#ifdef HAVE_DES3_SUPPORT
 	case ENCTYPE_DES3_CBC_SHA1:
 #ifdef HAVE_KRB5
 	case ENCTYPE_DES3_CBC_RAW:
@@ -285,6 +288,7 @@ derive_key_lucid(const gss_krb5_lucid_key_t *in, gss_krb5_lucid_key_t *out,
 		enc = &krb5int_enc_des3;
 #endif
 		break;
+#endif
 	case ENCTYPE_AES128_CTS_HMAC_SHA1_96:
 		keylength = 16;
 #ifdef HAVE_KRB5
diff --git a/lustre/utils/gss/context_mit.c b/lustre/utils/gss/context_mit.c
index 3edd60f..f6d0d24 100644
--- a/lustre/utils/gss/context_mit.c
+++ b/lustre/utils/gss/context_mit.c
@@ -177,8 +177,10 @@ enum seal_alg {
 #define KEY_USAGE_SEED_CHECKSUM		0x99
 #define K5CLENGTH 5
 
+#ifdef HAVE_DES3_SUPPORT
 extern void krb5_enc_des3;
 extern void krb5int_enc_des3;
+#endif
 extern void krb5int_enc_arcfour;
 extern void krb5int_enc_aes128;
 extern void krb5int_enc_aes256;
@@ -209,7 +211,7 @@ derive_key(const krb5_keyblock *in, krb5_keyblock *out, int usage, char extra)
 	void *enc;
 
 	switch (in->enctype) {
-#ifdef ENCTYPE_DES3_CBC_RAW
+#if defined ENCTYPE_DES3_CBC_RAW && defined HAVE_DES3_SUPPORT
 	case ENCTYPE_DES3_CBC_RAW:
 		keylength = 24;
 /* Extra hack, the structure was renamed as rc4 was added... */