[PATCH 00/18] Migrate rpcsec_gss_krb5 to the crypto/krb5 library

Chuck Lever posted 18 patches 1 month, 2 weeks ago
Only 16 patches received!
[PATCH 00/18] Migrate rpcsec_gss_krb5 to the crypto/krb5 library
Posted by Chuck Lever 1 month, 2 weeks ago
The rpcsec_gss_krb5 module carries its own Kerberos 5 crypto imple-
mentation: key derivation, CBC-CTS encryption, HMAC checksumming,
and the encrypt-then-MAC construction from RFC 8009. Keeping
cryptographic code inside an RPC module means it receives review
only from the SUNRPC maintainers, who lack deep crypto expertise.
Vulnerabilities and algorithmic errors can persist unnoticed.

Replacing the private SunRPC Kerberos implementation eliminates
this duplicated audit surface. A single implementation of Kerberos
5 key derivation and authenticated encryption is easier to verify
than two independent copies. New encryption types and hardware
offload added to crypto/krb5 will automatically become available
to SunRPC Kerberos consumers.

The crypto/krb5 library handles enctype differences internally, so
a single encrypt function and a single decrypt function serve all
enctypes, eliminating the per-enctype dispatch table that previously
existed in struct gss_krb5_enctype.

RFC 4121 Section 4.2.4 requires MIC checksums to cover the message
body followed by the GSS token header. The crypto/krb5 get_mic/
verify_mic API hashes optional metadata before the scatterlist
data, which is the wrong order for the GSS header. The header is
therefore placed at the end of the scatterlist rather than passed
as the metadata parameter, and a dedicated gss_krb5_mic_build_sg()
helper constructs this three-section layout (checksum area, message
body, token header) with proper sg_mark_end() termination.

This implementation was available during the Spring 2026 NFS bake-
a-thon, and received testing there.

---
Chuck Lever (18):
      SUNRPC: Add Kconfig dependency on CRYPTO_KRB5
      SUNRPC: Add crypto/krb5 enctype lookup to krb5_ctx
      SUNRPC: Add helpers to convert xdr_buf byte ranges to scatterlists
      SUNRPC: Add errno-to-GSS status conversion helper
      SUNRPC: Prepare crypto/krb5 encryption and checksum handles
      SUNRPC: Switch wrap token encryption to crypto/krb5
      SUNRPC: Switch wrap token decryption to crypto/krb5
      SUNRPC: Switch Camellia decrypt to crypto/krb5
      SUNRPC: Switch MIC token generation to crypto/krb5
      SUNRPC: Switch MIC token verification to crypto/krb5
      SUNRPC: Remove get_mic/verify_mic function pointers from enctype table
      SUNRPC: Remove wrap/unwrap function pointers from enctype table
      SUNRPC: Remove encrypt/decrypt function pointers from enctype table
      SUNRPC: Remove legacy skcipher/ahash handles from krb5_ctx
      SUNRPC: Remove dead code from rpcsec_gss_krb5
      SUNRPC: Remove per-enctype Kconfig options
      SUNRPC: Remove redundant crypto Kconfig dependencies
      SUNRPC: Remove dead rpcsec_gss_krb5 definitions

 include/linux/sunrpc/gss_krb5.h         |  105 --
 include/linux/sunrpc/xdr.h              |   16 +-
 net/sunrpc/.kunitconfig                 |   29 -
 net/sunrpc/Kconfig                      |   56 +-
 net/sunrpc/auth_gss/Makefile            |    4 +-
 net/sunrpc/auth_gss/gss_krb5_crypto.c   | 1014 ++++-------------
 net/sunrpc/auth_gss/gss_krb5_internal.h |  155 +--
 net/sunrpc/auth_gss/gss_krb5_keys.c     |  546 ---------
 net/sunrpc/auth_gss/gss_krb5_mech.c     |  441 ++------
 net/sunrpc/auth_gss/gss_krb5_seal.c     |   47 +-
 net/sunrpc/auth_gss/gss_krb5_test.c     | 1868 -------------------------------
 net/sunrpc/auth_gss/gss_krb5_unseal.c   |   36 +-
 net/sunrpc/auth_gss/gss_krb5_wrap.c     |   13 +-
 net/sunrpc/xdr.c                        |  266 +++--
 14 files changed, 573 insertions(+), 4023 deletions(-)
---
base-commit: f3a96328282e8d41ba9f478d24ac122e4cbd2989
change-id: 20260316-crypto-krb5-api-b9ee22636698

Best regards,
--  
Chuck Lever
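The MIC ordering point in the cover letter, as an added userspace illustration that is not code from the series: crypto/krb5 and kernel scatterlists cannot run here, so this Python model stands in. HMAC-SHA256 replaces the enctype's keyed checksum (an assumption; real Kerberos derives a per-usage key), and model_get_mic() only models the "metadata first, then data sections" order the cover letter describes.

```python
import hashlib
import hmac
import struct

# RFC 4121 section 4.2.6.1: the 16-byte MIC token header is
# TOK_ID (0x04 0x04), Flags, five 0xFF filler bytes, and a 64-bit SND_SEQ.
def mic_token_header(flags: int, seq: int) -> bytes:
    return b"\x04\x04" + bytes([flags]) + b"\xff" * 5 + struct.pack(">Q", seq)

# Stand-in checksum (assumption): a real enctype uses its own keyed checksum
# over a derived key; HMAC-SHA256 is used here only to make ordering visible.
def keyed_checksum(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

# Model of the get_mic calling convention the cover letter describes:
# optional metadata is hashed first, then the data sections in order.
# The checksum area (sections[0]) receives the result and is not hashed.
def model_get_mic(key: bytes, sections: list, metadata: bytes = b"") -> bytes:
    h = hmac.new(key, metadata, hashlib.sha256)
    for section in sections[1:]:
        h.update(section)
    digest = h.digest()
    sections[0][:] = digest
    return digest

# Reference order from RFC 4121 section 4.2.4: message body, then header.
def rfc4121_mic(key: bytes, body: bytes, header: bytes) -> bytes:
    return keyed_checksum(key, body + header)

# Passing the header as metadata hashes it BEFORE the body: wrong order.
def mic_header_as_metadata(key: bytes, body: bytes, header: bytes) -> bytes:
    return model_get_mic(key, [bytearray(32), body], metadata=header)

# The cover letter's layout: three sections (checksum area, message body,
# token header), so the header is hashed last and the order matches RFC 4121.
def mic_header_as_trailing_section(key: bytes, body: bytes, header: bytes) -> bytes:
    return model_get_mic(key, [bytearray(32), body, header])

# Verifier side: recompute with the same layout and compare in constant time.
def verify_mic(key: bytes, body: bytes, header: bytes, received: bytes) -> bool:
    expected = mic_header_as_trailing_section(key, body, header)
    return hmac.compare_digest(expected, received)

# Constructed sample inputs (not real keys or traffic).
KEY = bytes(range(32))
BODY = b"NFS GETATTR request (constructed sample)"
HEADER = mic_token_header(0, 7)
```

Calling mic_header_as_metadata() and mic_header_as_trailing_section() on the same inputs shows that only the trailing-section layout reproduces the RFC 4121 checksum.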
Re: [PATCH 00/18] Migrate rpcsec_gss_krb5 to the crypto/krb5 library
Posted by Jeff Layton 1 month, 2 weeks ago
On Mon, 2026-04-27 at 09:50 -0400, Chuck Lever wrote:
> The rpcsec_gss_krb5 module carries its own Kerberos 5 crypto imple-
> mentation: key derivation, CBC-CTS encryption, HMAC checksumming,
> and the encrypt-then-MAC construction from RFC 8009. Keeping
> cryptographic code inside an RPC module means it receives review
> only from the SUNRPC maintainers, who lack deep crypto expertise.
> Vulnerabilities and algorithmic errors can persist unnoticed.
> 
> Replacing the private SunRPC Kerberos implementation eliminates
> this duplicated audit surface. A single implementation of Kerberos
> 5 key derivation and authenticated encryption is easier to verify
> than two independent copies. New encryption types and hardware
> offload added to crypto/krb5 will automatically become available
> to SunRPC Kerberos consumers.
> 
> The crypto/krb5 library handles enctype differences internally, so
> a single encrypt function and a single decrypt function serve all
> enctypes, eliminating the per-enctype dispatch table that previously
> existed in struct gss_krb5_enctype.
> 
> RFC 4121 Section 4.2.4 requires MIC checksums to cover the message
> body followed by the GSS token header. The crypto/krb5 get_mic/
> verify_mic API hashes optional metadata before the scatterlist
> data, which is the wrong order for the GSS header. The header is
> therefore placed at the end of the scatterlist rather than passed
> as the metadata parameter, and a dedicated gss_krb5_mic_build_sg()
> helper constructs this three-section layout (checksum area, message
> body, token header) with proper sg_mark_end() termination.
> 
> This implementation was available during the Spring 2026 NFS bake-
> a-thon, and received testing there.
> 
> ---
> Chuck Lever (18):
>       SUNRPC: Add Kconfig dependency on CRYPTO_KRB5
>       SUNRPC: Add crypto/krb5 enctype lookup to krb5_ctx
>       SUNRPC: Add helpers to convert xdr_buf byte ranges to scatterlists
>       SUNRPC: Add errno-to-GSS status conversion helper
>       SUNRPC: Prepare crypto/krb5 encryption and checksum handles
>       SUNRPC: Switch wrap token encryption to crypto/krb5
>       SUNRPC: Switch wrap token decryption to crypto/krb5
>       SUNRPC: Switch Camellia decrypt to crypto/krb5
>       SUNRPC: Switch MIC token generation to crypto/krb5
>       SUNRPC: Switch MIC token verification to crypto/krb5
>       SUNRPC: Remove get_mic/verify_mic function pointers from enctype table
>       SUNRPC: Remove wrap/unwrap function pointers from enctype table
>       SUNRPC: Remove encrypt/decrypt function pointers from enctype table
>       SUNRPC: Remove legacy skcipher/ahash handles from krb5_ctx
>       SUNRPC: Remove dead code from rpcsec_gss_krb5
>       SUNRPC: Remove per-enctype Kconfig options
>       SUNRPC: Remove redundant crypto Kconfig dependencies
>       SUNRPC: Remove dead rpcsec_gss_krb5 definitions
> 
>  include/linux/sunrpc/gss_krb5.h         |  105 --
>  include/linux/sunrpc/xdr.h              |   16 +-
>  net/sunrpc/.kunitconfig                 |   29 -
>  net/sunrpc/Kconfig                      |   56 +-
>  net/sunrpc/auth_gss/Makefile            |    4 +-
>  net/sunrpc/auth_gss/gss_krb5_crypto.c   | 1014 ++++-------------
>  net/sunrpc/auth_gss/gss_krb5_internal.h |  155 +--
>  net/sunrpc/auth_gss/gss_krb5_keys.c     |  546 ---------
>  net/sunrpc/auth_gss/gss_krb5_mech.c     |  441 ++------
>  net/sunrpc/auth_gss/gss_krb5_seal.c     |   47 +-
>  net/sunrpc/auth_gss/gss_krb5_test.c     | 1868 -------------------------------
>  net/sunrpc/auth_gss/gss_krb5_unseal.c   |   36 +-
>  net/sunrpc/auth_gss/gss_krb5_wrap.c     |   13 +-
>  net/sunrpc/xdr.c                        |  266 +++--
>  14 files changed, 573 insertions(+), 4023 deletions(-)
> ---
> base-commit: f3a96328282e8d41ba9f478d24ac122e4cbd2989
> change-id: 20260316-crypto-krb5-api-b9ee22636698
> 
> Best regards,
> --  
> Chuck Lever

Love that diffstat. Nice work! 

One comment in general: Do you need to add Assisted-by: tags to any of
this? You can add this to the set:

Reviewed-by: Jeff Layton <jlayton@kernel.org>
Re: [PATCH 00/18] Migrate rpcsec_gss_krb5 to the crypto/krb5 library
Posted by Chuck Lever 1 month, 2 weeks ago
On Wed, Apr 29, 2026, at 2:39 AM, Jeff Layton wrote:
> On Mon, 2026-04-27 at 09:50 -0400, Chuck Lever wrote:
>> [...]

>
> Love that diffstat. Nice work! 
>
> One comment in general: Do you need to add Assisted-by: tags to any of
> this? You can add this to the set:
>
> Reviewed-by: Jeff Layton <jlayton@kernel.org>

Thanks, applied to nfsd-testing. An Acked-by: from one of the NFS
client maintainers would be great too.


-- 
Chuck Lever
Re: [PATCH 00/18] Migrate rpcsec_gss_krb5 to the crypto/krb5 library
Posted by Anna Schumaker 3 weeks, 6 days ago
Hi Chuck,

On Wed, Apr 29, 2026, at 11:17 AM, Chuck Lever wrote:
> On Wed, Apr 29, 2026, at 2:39 AM, Jeff Layton wrote:
>> On Mon, 2026-04-27 at 09:50 -0400, Chuck Lever wrote:
>>> [...]
>
>>
>> Love that diffstat. Nice work! 
>>
>> One comment in general: Do you need to add Assisted-by: tags to any of
>> this? You can add this to the set:
>>
>> Reviewed-by: Jeff Layton <jlayton@kernel.org>
>
> Thanks, applied to nfsd-testing. An Acked-by: from one of the NFS
> client maintainers would be great too.

I finally had a chance to apply this and try it out. You can add my acked-by:

Acked-by: Anna Schumaker <anna.schumaker@hammerspace.com>
