From: Steffen Klassert <steffen.klassert@secunet.com>
To: David Miller <davem@davemloft.net>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
Steffen Klassert <steffen.klassert@secunet.com>,
<netdev@vger.kernel.org>
Subject: [PATCH 5/5] esp, ah: modernize the crypto algorithm selections
Date: Fri, 19 Jun 2020 09:43:42 +0200 [thread overview]
Message-ID: <20200619074342.14095-6-steffen.klassert@secunet.com> (raw)
In-Reply-To: <20200619074342.14095-1-steffen.klassert@secunet.com>
From: Eric Biggers <ebiggers@google.com>
The crypto algorithms selected by the ESP and AH kconfig options are
out-of-date with the guidance of RFC 8221, which lists the legacy
algorithms MD5 and DES as "MUST NOT" be implemented, and some more
modern algorithms like AES-GCM and HMAC-SHA256 as "MUST" be implemented.
But the options select the legacy algorithms, not the modern ones.
Therefore, modify these options to select the MUST algorithms --
and *only* the MUST algorithms.
Also improve the help text.
Note that other algorithms may still be explicitly enabled in the
kconfig, and the choice of which to actually use is still controlled by
userspace. This change only modifies the list of algorithms for which
kernel support is guaranteed to be present.
Suggested-by: Herbert Xu <herbert@gondor.apana.org.au>
Suggested-by: Steffen Klassert <steffen.klassert@secunet.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Corentin Labbe <clabbe@baylibre.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
net/ipv4/Kconfig | 18 ++++++++++++++++--
net/ipv6/Kconfig | 18 ++++++++++++++++--
net/xfrm/Kconfig | 15 +++++++++------
3 files changed, 41 insertions(+), 10 deletions(-)
diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
index 39a7a21744dc..dc9dfaef77e5 100644
--- a/net/ipv4/Kconfig
+++ b/net/ipv4/Kconfig
@@ -342,7 +342,14 @@ config INET_AH
tristate "IP: AH transformation"
select XFRM_AH
---help---
- Support for IPsec AH.
+ Support for IPsec AH (Authentication Header).
+
+ AH can be used with various authentication algorithms. Besides
+ enabling AH support itself, this option enables the generic
+ implementations of the algorithms that RFC 8221 lists as MUST be
+ implemented. If you need any other algorithms, you'll need to enable
+ them in the crypto API. You should also enable accelerated
+ implementations of any needed algorithms when available.
If unsure, say Y.
@@ -350,7 +357,14 @@ config INET_ESP
tristate "IP: ESP transformation"
select XFRM_ESP
---help---
- Support for IPsec ESP.
+ Support for IPsec ESP (Encapsulating Security Payload).
+
+ ESP can be used with various encryption and authentication algorithms.
+ Besides enabling ESP support itself, this option enables the generic
+ implementations of the algorithms that RFC 8221 lists as MUST be
+ implemented. If you need any other algorithms, you'll need to enable
+ them in the crypto API. You should also enable accelerated
+ implementations of any needed algorithms when available.
If unsure, say Y.
diff --git a/net/ipv6/Kconfig b/net/ipv6/Kconfig
index 70313f16319d..414a68b16869 100644
--- a/net/ipv6/Kconfig
+++ b/net/ipv6/Kconfig
@@ -51,7 +51,14 @@ config INET6_AH
tristate "IPv6: AH transformation"
select XFRM_AH
---help---
- Support for IPsec AH.
+ Support for IPsec AH (Authentication Header).
+
+ AH can be used with various authentication algorithms. Besides
+ enabling AH support itself, this option enables the generic
+ implementations of the algorithms that RFC 8221 lists as MUST be
+ implemented. If you need any other algorithms, you'll need to enable
+ them in the crypto API. You should also enable accelerated
+ implementations of any needed algorithms when available.
If unsure, say Y.
@@ -59,7 +66,14 @@ config INET6_ESP
tristate "IPv6: ESP transformation"
select XFRM_ESP
---help---
- Support for IPsec ESP.
+ Support for IPsec ESP (Encapsulating Security Payload).
+
+ ESP can be used with various encryption and authentication algorithms.
+ Besides enabling ESP support itself, this option enables the generic
+ implementations of the algorithms that RFC 8221 lists as MUST be
+ implemented. If you need any other algorithms, you'll need to enable
+ them in the crypto API. You should also enable accelerated
+ implementations of any needed algorithms when available.
If unsure, say Y.
diff --git a/net/xfrm/Kconfig b/net/xfrm/Kconfig
index b2ff8df2c836..e77ba529229c 100644
--- a/net/xfrm/Kconfig
+++ b/net/xfrm/Kconfig
@@ -67,26 +67,29 @@ config XFRM_STATISTICS
If unsure, say N.
+# This option selects XFRM_ALGO along with the AH authentication algorithms that
+# RFC 8221 lists as MUST be implemented.
config XFRM_AH
tristate
select XFRM_ALGO
select CRYPTO
select CRYPTO_HMAC
- select CRYPTO_MD5
- select CRYPTO_SHA1
+ select CRYPTO_SHA256
+# This option selects XFRM_ALGO along with the ESP encryption and authentication
+# algorithms that RFC 8221 lists as MUST be implemented.
config XFRM_ESP
tristate
select XFRM_ALGO
select CRYPTO
+ select CRYPTO_AES
select CRYPTO_AUTHENC
- select CRYPTO_HMAC
- select CRYPTO_MD5
select CRYPTO_CBC
- select CRYPTO_SHA1
- select CRYPTO_DES
select CRYPTO_ECHAINIV
+ select CRYPTO_GCM
+ select CRYPTO_HMAC
select CRYPTO_SEQIV
+ select CRYPTO_SHA256
config XFRM_IPCOMP
tristate
--
2.17.1
next prev parent reply other threads:[~2020-06-19 7:43 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-19 7:43 pull request (net): ipsec 2020-06-19 Steffen Klassert
2020-06-19 7:43 ` [PATCH 1/5] xfrm: Fix double ESP trailer insertion in IPsec crypto offload Steffen Klassert
2020-06-19 7:43 ` [PATCH 2/5] xfrm: merge fixup for "remove output_finish indirection from xfrm_state_afinfo" Steffen Klassert
2020-06-19 7:43 ` [PATCH 3/5] esp, ah: consolidate the crypto algorithm selections Steffen Klassert
2020-06-19 7:43 ` [PATCH 4/5] esp: select CRYPTO_SEQIV Steffen Klassert
2020-06-19 7:43 ` Steffen Klassert [this message]
2020-06-19 20:04 ` pull request (net): ipsec 2020-06-19 David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200619074342.14095-6-steffen.klassert@secunet.com \
--to=steffen.klassert@secunet.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox