Commit be013698 authored by Eric Biggers's avatar Eric Biggers Committed by Steffen Klassert

esp, ah: modernize the crypto algorithm selections

The crypto algorithms selected by the ESP and AH kconfig options are
out-of-date with the guidance of RFC 8221, which lists the legacy
algorithms MD5 and DES as "MUST NOT" be implemented, and some more
modern algorithms like AES-GCM and HMAC-SHA256 as "MUST" be implemented.
But the options select the legacy algorithms, not the modern ones.

Therefore, modify these options to select the MUST algorithms --
and *only* the MUST algorithms.

Also improve the help text.

Note that other algorithms may still be explicitly enabled in the
kconfig, and the choice of which to actually use is still controlled by
userspace.  This change only modifies the list of algorithms for which
kernel support is guaranteed to be present.
Suggested-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
Suggested-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
Acked-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
Cc: Corentin Labbe <clabbe@baylibre.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
parent 37ea0f18
...@@ -342,7 +342,14 @@ config INET_AH ...@@ -342,7 +342,14 @@ config INET_AH
tristate "IP: AH transformation" tristate "IP: AH transformation"
select XFRM_AH select XFRM_AH
---help--- ---help---
Support for IPsec AH. Support for IPsec AH (Authentication Header).
AH can be used with various authentication algorithms. Besides
enabling AH support itself, this option enables the generic
implementations of the algorithms that RFC 8221 lists as MUST be
implemented. If you need any other algorithms, you'll need to enable
them in the crypto API. You should also enable accelerated
implementations of any needed algorithms when available.
If unsure, say Y. If unsure, say Y.
...@@ -350,7 +357,14 @@ config INET_ESP ...@@ -350,7 +357,14 @@ config INET_ESP
tristate "IP: ESP transformation" tristate "IP: ESP transformation"
select XFRM_ESP select XFRM_ESP
---help--- ---help---
Support for IPsec ESP. Support for IPsec ESP (Encapsulating Security Payload).
ESP can be used with various encryption and authentication algorithms.
Besides enabling ESP support itself, this option enables the generic
implementations of the algorithms that RFC 8221 lists as MUST be
implemented. If you need any other algorithms, you'll need to enable
them in the crypto API. You should also enable accelerated
implementations of any needed algorithms when available.
If unsure, say Y. If unsure, say Y.
......
...@@ -51,7 +51,14 @@ config INET6_AH ...@@ -51,7 +51,14 @@ config INET6_AH
tristate "IPv6: AH transformation" tristate "IPv6: AH transformation"
select XFRM_AH select XFRM_AH
---help--- ---help---
Support for IPsec AH. Support for IPsec AH (Authentication Header).
AH can be used with various authentication algorithms. Besides
enabling AH support itself, this option enables the generic
implementations of the algorithms that RFC 8221 lists as MUST be
implemented. If you need any other algorithms, you'll need to enable
them in the crypto API. You should also enable accelerated
implementations of any needed algorithms when available.
If unsure, say Y. If unsure, say Y.
...@@ -59,7 +66,14 @@ config INET6_ESP ...@@ -59,7 +66,14 @@ config INET6_ESP
tristate "IPv6: ESP transformation" tristate "IPv6: ESP transformation"
select XFRM_ESP select XFRM_ESP
---help--- ---help---
Support for IPsec ESP. Support for IPsec ESP (Encapsulating Security Payload).
ESP can be used with various encryption and authentication algorithms.
Besides enabling ESP support itself, this option enables the generic
implementations of the algorithms that RFC 8221 lists as MUST be
implemented. If you need any other algorithms, you'll need to enable
them in the crypto API. You should also enable accelerated
implementations of any needed algorithms when available.
If unsure, say Y. If unsure, say Y.
......
...@@ -67,26 +67,29 @@ config XFRM_STATISTICS ...@@ -67,26 +67,29 @@ config XFRM_STATISTICS
If unsure, say N. If unsure, say N.
# This option selects XFRM_ALGO along with the AH authentication algorithms that
# RFC 8221 lists as MUST be implemented.
config XFRM_AH config XFRM_AH
tristate tristate
select XFRM_ALGO select XFRM_ALGO
select CRYPTO select CRYPTO
select CRYPTO_HMAC select CRYPTO_HMAC
select CRYPTO_MD5 select CRYPTO_SHA256
select CRYPTO_SHA1
# This option selects XFRM_ALGO along with the ESP encryption and authentication
# algorithms that RFC 8221 lists as MUST be implemented.
config XFRM_ESP config XFRM_ESP
tristate tristate
select XFRM_ALGO select XFRM_ALGO
select CRYPTO select CRYPTO
select CRYPTO_AES
select CRYPTO_AUTHENC select CRYPTO_AUTHENC
select CRYPTO_HMAC
select CRYPTO_MD5
select CRYPTO_CBC select CRYPTO_CBC
select CRYPTO_SHA1
select CRYPTO_DES
select CRYPTO_ECHAINIV select CRYPTO_ECHAINIV
select CRYPTO_GCM
select CRYPTO_HMAC
select CRYPTO_SEQIV select CRYPTO_SEQIV
select CRYPTO_SHA256
config XFRM_IPCOMP config XFRM_IPCOMP
tristate tristate
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment