Commit 0e5f9d50 authored by David S. Miller

Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec

Steffen Klassert says:

====================
pull request (net): ipsec 2020-06-19

1) Fix double ESP trailer insertion in IPsec crypto offload if
   netif_xmit_frozen_or_stopped is true. From Huy Nguyen.

2) Merge fixup for "remove output_finish indirection from
   xfrm_state_afinfo". From Stephen Rothwell.

3) Select CRYPTO_SEQIV for ESP as this is needed for GCM and several
   other encryption algorithms. Also modernize the crypto algorithm
   selections for ESP and AH, remove those that are marked as "MUST NOT"
   and add those that are marked as "MUST" be implemented in RFC 8221.
   From Eric Biggers.

Please note the merge conflict between commit:

a7f7f624 ("treewide: replace '---help---' in Kconfig files with 'help'")

from Linus' tree and commits:

7d4e3919 ("esp, ah: consolidate the crypto algorithm selections")
be013698 ("esp, ah: modernize the crypto algorithm selections")

from the ipsec tree.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
parents 7b075ad9 be013698
......@@ -1008,6 +1008,7 @@ struct xfrm_offload {
#define XFRM_GRO 32
#define XFRM_ESP_NO_TRAILER 64
#define XFRM_DEV_RESUME 128
#define XFRM_XMIT 256
__u32 status;
#define CRYPTO_SUCCESS 1
......
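Review bot: the XFRM_XMIT define in the flag list carries no comment, and its name alone does not say that it marks an skb that validate_xmit_xfrm() has already processed. A one-line comment next to `#define XFRM_XMIT 256` stating that would keep the bit from being picked up for an unrelated purpose later.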
......@@ -340,29 +340,31 @@ config NET_FOU_IP_TUNNELS
config INET_AH
tristate "IP: AH transformation"
select XFRM_ALGO
select CRYPTO
select CRYPTO_HMAC
select CRYPTO_MD5
select CRYPTO_SHA1
select XFRM_AH
help
Support for IPsec AH.
Support for IPsec AH (Authentication Header).
AH can be used with various authentication algorithms. Besides
enabling AH support itself, this option enables the generic
implementations of the algorithms that RFC 8221 lists as MUST be
implemented. If you need any other algorithms, you'll need to enable
them in the crypto API. You should also enable accelerated
implementations of any needed algorithms when available.
If unsure, say Y.
config INET_ESP
tristate "IP: ESP transformation"
select XFRM_ALGO
select CRYPTO
select CRYPTO_AUTHENC
select CRYPTO_HMAC
select CRYPTO_MD5
select CRYPTO_CBC
select CRYPTO_SHA1
select CRYPTO_DES
select CRYPTO_ECHAINIV
select XFRM_ESP
help
Support for IPsec ESP.
Support for IPsec ESP (Encapsulating Security Payload).
ESP can be used with various encryption and authentication algorithms.
Besides enabling ESP support itself, this option enables the generic
implementations of the algorithms that RFC 8221 lists as MUST be
implemented. If you need any other algorithms, you'll need to enable
them in the crypto API. You should also enable accelerated
implementations of any needed algorithms when available.
If unsure, say Y.
......
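Review bot: the help text for INET_AH and INET_ESP says the option enables "the algorithms that RFC 8221 lists as MUST be implemented" without naming them, while the CRYPTO_MD5, CRYPTO_SHA1 and CRYPTO_DES selects shown in this hunk have no counterpart in the XFRM_AH and XFRM_ESP lists. Naming the selected algorithms in the help text, and stating that MD5, SHA1 and DES now have to be enabled explicitly in the crypto API, would let someone carrying an old .config with peers that still negotiate those algorithms spot the change when the option is presented.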
......@@ -49,29 +49,31 @@ config IPV6_OPTIMISTIC_DAD
config INET6_AH
tristate "IPv6: AH transformation"
select XFRM_ALGO
select CRYPTO
select CRYPTO_HMAC
select CRYPTO_MD5
select CRYPTO_SHA1
select XFRM_AH
help
Support for IPsec AH.
Support for IPsec AH (Authentication Header).
AH can be used with various authentication algorithms. Besides
enabling AH support itself, this option enables the generic
implementations of the algorithms that RFC 8221 lists as MUST be
implemented. If you need any other algorithms, you'll need to enable
them in the crypto API. You should also enable accelerated
implementations of any needed algorithms when available.
If unsure, say Y.
config INET6_ESP
tristate "IPv6: ESP transformation"
select XFRM_ALGO
select CRYPTO
select CRYPTO_AUTHENC
select CRYPTO_HMAC
select CRYPTO_MD5
select CRYPTO_CBC
select CRYPTO_SHA1
select CRYPTO_DES
select CRYPTO_ECHAINIV
select XFRM_ESP
help
Support for IPsec ESP.
Support for IPsec ESP (Encapsulating Security Payload).
ESP can be used with various encryption and authentication algorithms.
Besides enabling ESP support itself, this option enables the generic
implementations of the algorithms that RFC 8221 lists as MUST be
implemented. If you need any other algorithms, you'll need to enable
them in the crypto API. You should also enable accelerated
implementations of any needed algorithms when available.
If unsure, say Y.
......
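Review bot: the help paragraphs for INET6_AH and INET6_ESP are word-for-word copies of the ones given to INET_AH and INET_ESP, so any later change to the selected set has to be made in four places. Since the actual selection now lives in XFRM_AH and XFRM_ESP, consider keeping the algorithm detail in one place and having the per-family help text refer to it.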
......@@ -67,6 +67,30 @@ config XFRM_STATISTICS
If unsure, say N.
# This option selects XFRM_ALGO along with the AH authentication algorithms that
# RFC 8221 lists as MUST be implemented.
config XFRM_AH
tristate
select XFRM_ALGO
select CRYPTO
select CRYPTO_HMAC
select CRYPTO_SHA256
# This option selects XFRM_ALGO along with the ESP encryption and authentication
# algorithms that RFC 8221 lists as MUST be implemented.
config XFRM_ESP
tristate
select XFRM_ALGO
select CRYPTO
select CRYPTO_AES
select CRYPTO_AUTHENC
select CRYPTO_CBC
select CRYPTO_ECHAINIV
select CRYPTO_GCM
select CRYPTO_HMAC
select CRYPTO_SEQIV
select CRYPTO_SHA256
config XFRM_IPCOMP
tristate
select XFRM_ALGO
......
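Review bot: the comment above XFRM_ESP describes the list as "the ESP encryption and authentication algorithms that RFC 8221 lists as MUST be implemented", but CRYPTO_AUTHENC, CRYPTO_ECHAINIV and CRYPTO_SEQIV in that list are supporting templates rather than algorithms from the RFC. The pull request text says CRYPTO_SEQIV is needed for GCM and several other encryption algorithms; putting that reason in the comment would stop a later cleanup from dropping those selects as not being in the RFC.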
......@@ -108,7 +108,7 @@ struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t featur
struct xfrm_offload *xo = xfrm_offload(skb);
struct sec_path *sp;
if (!xo)
if (!xo || (xo->flags & XFRM_XMIT))
return skb;
if (!(features & NETIF_F_HW_ESP))
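Review bot: the added `(xo->flags & XFRM_XMIT)` test in the early return of validate_xmit_xfrm() has no comment explaining how an skb can reach this function a second time. The pull request text ties it to netif_xmit_frozen_or_stopped being true; a short comment above `if (!xo || (xo->flags & XFRM_XMIT))` saying that a requeued skb must not get a second ESP trailer would make the condition readable without the commit log.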
......@@ -129,6 +129,8 @@ struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t featur
return skb;
}
xo->flags |= XFRM_XMIT;
if (skb_is_gso(skb)) {
struct net_device *dev = skb->dev;
......
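Review bot: `xo->flags |= XFRM_XMIT;` is set ahead of the skb_is_gso() branch, before the work below it has run, and nothing in the visible lines clears it again. Please state in a comment that the flag is intentionally sticky for the life of the skb, or clear it on the failure paths if a packet whose transform did not complete is ever expected to come back through this function.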
......@@ -574,16 +574,12 @@ int xfrm_output(struct sock *sk, struct sk_buff *skb)
switch (x->outer_mode.family) {
case AF_INET:
memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
#ifdef CONFIG_NETFILTER
IPCB(skb)->flags |= IPSKB_XFRM_TRANSFORMED;
#endif
break;
case AF_INET6:
memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
#ifdef CONFIG_NETFILTER
IP6CB(skb)->flags |= IP6SKB_XFRM_TRANSFORMED;
#endif
break;
}
......
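Review bot: the reason IPSKB_XFRM_TRANSFORMED and IP6SKB_XFRM_TRANSFORMED are handled differently with respect to CONFIG_NETFILTER is not recorded next to the two assignments in the switch in xfrm_output(), and the merge text only calls it a fixup. A comment at `IPCB(skb)->flags |= IPSKB_XFRM_TRANSFORMED;` naming the code that reads the flag would make it clear whether the guard is required, and would keep the AF_INET and AF_INET6 cases from drifting apart again.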