Re: Disable key exchange if ARC4 is not available
From: ronnie sahlberg <ronniesahlberg@gmail.com>
Date: 2021-08-18 16:29:40
On Wed, Aug 18, 2021 at 11:18 PM Tom Talpey [off-list ref] wrote:
On 8/18/2021 12:10 AM, Ronnie Sahlberg wrote:
Steve, We depend on ARC4 for generating the encrypted session key in key exchange. This patch disables the key exchange/encrypted session key for ntlmssp IF the kernel does not have any ARC4 support. This allows to build the cifs module even if ARC4 has been removed though with a weaker type of NTLMSSP support.
It's a good goal but it seems wrong to downgrade the security so silently. Wouldn't it be a better approach to select ARC4, and thereby force the build to succeed or fail? Alternatively, change the #ifndef ARC4 to a positive option named (for example) DOWNGRADED_NTLMSSP or something equally foreboding?
Good point. Maybe we should drop this patch and instead copy ARC4 into fs/cifs so we have a private version of the code in cifs.ko. And do the same for md4 and md5.
Tom.