From patchwork Wed Jun 10 16:14:35 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 11598273 X-Patchwork-Delegate: herbert@gondor.apana.org.au Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 8CC951391 for ; Wed, 10 Jun 2020 16:15:23 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 75C372072E for ; Wed, 10 Jun 2020 16:15:23 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1591805723; bh=68Za/4/OkgN1E2Gq9Y+zxhWeO1WdiaXkDnm/z4tnw0U=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=kB1D+RICD8uNx7+dz6/2pob2PPvLn5xvMhaGeVeNZJB7qKKuLuNY4IUTqp8FtOwLj eF6I+6a9Ywo7aXo0ALq1kAvxypB01VdRSOQ/+9woyDAmV7z8N3Hmg9bZ7l9Fs+xAwo cfKUF9H3JjlOcg58/hTiXXTItPOguQtLBYHTsQYE= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728161AbgFJQPO (ORCPT ); Wed, 10 Jun 2020 12:15:14 -0400 Received: from mail.kernel.org ([198.145.29.99]:60778 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727992AbgFJQPO (ORCPT ); Wed, 10 Jun 2020 12:15:14 -0400 Received: from sol.hsd1.ca.comcast.net (c-107-3-166-239.hsd1.ca.comcast.net [107.3.166.239]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id D119120734; Wed, 10 Jun 2020 16:15:13 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1591805714; bh=68Za/4/OkgN1E2Gq9Y+zxhWeO1WdiaXkDnm/z4tnw0U=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=kRkZQr9eoMiH8JrG9GXuKntne92gH4t+ojz6hvar2FVJ7Yc8FmtZob6do/UuLqxok GKhAfwkFf/w7hZIatFWqYwaJ/fAhHGOh2C9aZAYnuL3Q5n/AMt+3pcGXCCo0CdCZbA LWXoCD3nG2eXcW6rgi+Dc7mZltB0jQDzpHZ0unK8= From: Eric Biggers To: netdev@vger.kernel.org Cc: linux-crypto@vger.kernel.org, Corentin Labbe , Greg Kroah-Hartman , Herbert Xu , Steffen Klassert Subject: [PATCH net v4 1/3] esp, ah: consolidate the crypto algorithm selections Date: Wed, 10 Jun 2020 09:14:35 -0700 Message-Id: <20200610161437.4290-2-ebiggers@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200610161437.4290-1-ebiggers@kernel.org> References: <20200610161437.4290-1-ebiggers@kernel.org> MIME-Version: 1.0 Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org From: Eric Biggers Instead of duplicating the algorithm selections between INET_AH and INET6_AH and between INET_ESP and INET6_ESP, create new tristates XFRM_AH and XFRM_ESP that do the algorithm selections, and make these be selected by the corresponding INET* options. Suggested-by: Herbert Xu Acked-by: Herbert Xu Cc: Corentin Labbe Cc: Greg Kroah-Hartman Cc: Steffen Klassert Signed-off-by: Eric Biggers --- net/ipv4/Kconfig | 16 ++-------------- net/ipv6/Kconfig | 16 ++-------------- net/xfrm/Kconfig | 20 ++++++++++++++++++++ 3 files changed, 24 insertions(+), 28 deletions(-) diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig index 23ba5045e3d3c1..39a7a21744dc03 100644 --- a/net/ipv4/Kconfig +++ b/net/ipv4/Kconfig @@ -340,11 +340,7 @@ config NET_FOU_IP_TUNNELS config INET_AH tristate "IP: AH transformation" - select XFRM_ALGO - select CRYPTO - select CRYPTO_HMAC - select CRYPTO_MD5 - select CRYPTO_SHA1 + select XFRM_AH ---help--- Support for IPsec AH. @@ -352,15 +348,7 @@ config INET_AH config INET_ESP tristate "IP: ESP transformation" - select XFRM_ALGO - select CRYPTO - select CRYPTO_AUTHENC - select CRYPTO_HMAC - select CRYPTO_MD5 - select CRYPTO_CBC - select CRYPTO_SHA1 - select CRYPTO_DES - select CRYPTO_ECHAINIV + select XFRM_ESP ---help--- Support for IPsec ESP. diff --git a/net/ipv6/Kconfig b/net/ipv6/Kconfig index 4f03aece2980fb..70313f16319dd2 100644 --- a/net/ipv6/Kconfig +++ b/net/ipv6/Kconfig @@ -49,11 +49,7 @@ config IPV6_OPTIMISTIC_DAD config INET6_AH tristate "IPv6: AH transformation" - select XFRM_ALGO - select CRYPTO - select CRYPTO_HMAC - select CRYPTO_MD5 - select CRYPTO_SHA1 + select XFRM_AH ---help--- Support for IPsec AH. @@ -61,15 +57,7 @@ config INET6_AH config INET6_ESP tristate "IPv6: ESP transformation" - select XFRM_ALGO - select CRYPTO - select CRYPTO_AUTHENC - select CRYPTO_HMAC - select CRYPTO_MD5 - select CRYPTO_CBC - select CRYPTO_SHA1 - select CRYPTO_DES - select CRYPTO_ECHAINIV + select XFRM_ESP ---help--- Support for IPsec ESP. diff --git a/net/xfrm/Kconfig b/net/xfrm/Kconfig index b7fd9c83841605..169c22140709f7 100644 --- a/net/xfrm/Kconfig +++ b/net/xfrm/Kconfig @@ -67,6 +67,26 @@ config XFRM_STATISTICS If unsure, say N. +config XFRM_AH + tristate + select XFRM_ALGO + select CRYPTO + select CRYPTO_HMAC + select CRYPTO_MD5 + select CRYPTO_SHA1 + +config XFRM_ESP + tristate + select XFRM_ALGO + select CRYPTO + select CRYPTO_AUTHENC + select CRYPTO_HMAC + select CRYPTO_MD5 + select CRYPTO_CBC + select CRYPTO_SHA1 + select CRYPTO_DES + select CRYPTO_ECHAINIV + config XFRM_IPCOMP tristate select XFRM_ALGO From patchwork Wed Jun 10 16:14:36 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 11598269 X-Patchwork-Delegate: herbert@gondor.apana.org.au Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 53D6990 for ; Wed, 10 Jun 2020 16:15:17 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 31E992072E for ; Wed, 10 Jun 2020 16:15:17 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1591805717; bh=tFLtFU9slykfm4dIs2excokQc97ZcoVyyfzMpnBhZms=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=udQfAz5Sk4skjG7uxIOasAJ0u/33Qs8Wjp0/R7xsbDI8nYfTXklUq0UTvoPs9h7YS aCe6EntInHmqr1ySKlYoA8I//iO0w+Mfdz+ottB2zAqr0FxrXcG6OCvKuW+1eFD5KF zx750A86XPMmk3TgbdRZylcCY7ADpeC9aE/5224g= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728230AbgFJQPP (ORCPT ); Wed, 10 Jun 2020 12:15:15 -0400 Received: from mail.kernel.org ([198.145.29.99]:60792 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727948AbgFJQPO (ORCPT ); Wed, 10 Jun 2020 12:15:14 -0400 Received: from sol.hsd1.ca.comcast.net (c-107-3-166-239.hsd1.ca.comcast.net [107.3.166.239]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 315C62064C; Wed, 10 Jun 2020 16:15:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1591805714; bh=tFLtFU9slykfm4dIs2excokQc97ZcoVyyfzMpnBhZms=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=m97IPMjjux5oFq6+hsRk0IPd5o6rGePDP9300wmqcqj2+ZFQ4jrh3smM4T479iPf2 m1BXThEnFcxZyWxswrzzvRT6dijkgdQzNTfywscGYGCPaujosPRlJozIAt7NUbRNeY VUue+2ZAoNA3FcCurG4Jqnb+UVa0emEv9Pp1Jrpg= From: Eric Biggers To: netdev@vger.kernel.org Cc: linux-crypto@vger.kernel.org, Corentin Labbe , Greg Kroah-Hartman , Herbert Xu , Steffen Klassert Subject: [PATCH net v4 2/3] esp: select CRYPTO_SEQIV Date: Wed, 10 Jun 2020 09:14:36 -0700 Message-Id: <20200610161437.4290-3-ebiggers@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200610161437.4290-1-ebiggers@kernel.org> References: <20200610161437.4290-1-ebiggers@kernel.org> MIME-Version: 1.0 Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org From: Eric Biggers Commit f23efcbcc523 ("crypto: ctr - no longer needs CRYPTO_SEQIV") made CRYPTO_CTR stop selecting CRYPTO_SEQIV. This breaks IPsec for most users since GCM and several other encryption algorithms require "seqiv" -- and RFC 8221 lists AES-GCM as "MUST" be implemented. Just make XFRM_ESP select CRYPTO_SEQIV. Fixes: f23efcbcc523 ("crypto: ctr - no longer needs CRYPTO_SEQIV") Acked-by: Herbert Xu Cc: Corentin Labbe Cc: Greg Kroah-Hartman Cc: Steffen Klassert Signed-off-by: Eric Biggers --- net/xfrm/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/net/xfrm/Kconfig b/net/xfrm/Kconfig index 169c22140709f7..b2ff8df2c836ef 100644 --- a/net/xfrm/Kconfig +++ b/net/xfrm/Kconfig @@ -86,6 +86,7 @@ config XFRM_ESP select CRYPTO_SHA1 select CRYPTO_DES select CRYPTO_ECHAINIV + select CRYPTO_SEQIV config XFRM_IPCOMP tristate From patchwork Wed Jun 10 16:14:37 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 11598271 X-Patchwork-Delegate: herbert@gondor.apana.org.au Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 65B2390 for ; Wed, 10 Jun 2020 16:15:21 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 4BECC2063A for ; Wed, 10 Jun 2020 16:15:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1591805721; bh=JTVkSgWkJihPLtCWKweEsxhbQ0qYru0uoNX3rx2Wcfg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=oqaCzQ0m8ThKVX3ZE8v+Rp2ydWHBC4jOPnzcXQpzIrco3OVmDAnoTGr1suQPTAEYC aoLL+aM1MGIxAyj3AWhRl9WPtCtzsx8Z7xDIMRoF0Bj4+u3ZpIWLXiGjQg714BOlo2 eVkxi2Iv1NevHU9NMyfqce4+c2+7oE1AWgi9F2nM= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727948AbgFJQPT (ORCPT ); Wed, 10 Jun 2020 12:15:19 -0400 Received: from mail.kernel.org ([198.145.29.99]:60802 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728157AbgFJQPP (ORCPT ); Wed, 10 Jun 2020 12:15:15 -0400 Received: from sol.hsd1.ca.comcast.net (c-107-3-166-239.hsd1.ca.comcast.net [107.3.166.239]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 85B1D2067B; Wed, 10 Jun 2020 16:15:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1591805714; bh=JTVkSgWkJihPLtCWKweEsxhbQ0qYru0uoNX3rx2Wcfg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=SKWjbGw9Xo6m4O5FhhQcLX76zvNI0xt6kW1FIWGrKtCFvES9MMkTDcOuYoKu0syW9 H2LIIarUyaAPG4/ifEZmxXKKQlz9ivD9yVcWVVwqVNyvreUli63Szo2oCfBdY03g82 HUT5Ho5Hc7+p5pQ+Oy0BJI0PREe2i+W/G5riHoYU= From: Eric Biggers To: netdev@vger.kernel.org Cc: linux-crypto@vger.kernel.org, Corentin Labbe , Greg Kroah-Hartman , Herbert Xu , Steffen Klassert Subject: [PATCH net v4 3/3] esp, ah: modernize the crypto algorithm selections Date: Wed, 10 Jun 2020 09:14:37 -0700 Message-Id: <20200610161437.4290-4-ebiggers@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200610161437.4290-1-ebiggers@kernel.org> References: <20200610161437.4290-1-ebiggers@kernel.org> MIME-Version: 1.0 Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org From: Eric Biggers The crypto algorithms selected by the ESP and AH kconfig options are out-of-date with the guidance of RFC 8221, which lists the legacy algorithms MD5 and DES as "MUST NOT" be implemented, and some more modern algorithms like AES-GCM and HMAC-SHA256 as "MUST" be implemented. But the options select the legacy algorithms, not the modern ones. Therefore, modify these options to select the MUST algorithms -- and *only* the MUST algorithms. Also improve the help text. Note that other algorithms may still be explicitly enabled in the kconfig, and the choice of which to actually use is still controlled by userspace. This change only modifies the list of algorithms for which kernel support is guaranteed to be present. Suggested-by: Herbert Xu Suggested-by: Steffen Klassert Acked-by: Herbert Xu Cc: Corentin Labbe Cc: Greg Kroah-Hartman Signed-off-by: Eric Biggers --- net/ipv4/Kconfig | 18 ++++++++++++++++-- net/ipv6/Kconfig | 18 ++++++++++++++++-- net/xfrm/Kconfig | 15 +++++++++------ 3 files changed, 41 insertions(+), 10 deletions(-) diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig index 39a7a21744dc03..dc9dfaef77e5a4 100644 --- a/net/ipv4/Kconfig +++ b/net/ipv4/Kconfig @@ -342,7 +342,14 @@ config INET_AH tristate "IP: AH transformation" select XFRM_AH ---help--- - Support for IPsec AH. + Support for IPsec AH (Authentication Header). + + AH can be used with various authentication algorithms. Besides + enabling AH support itself, this option enables the generic + implementations of the algorithms that RFC 8221 lists as MUST be + implemented. If you need any other algorithms, you'll need to enable + them in the crypto API. You should also enable accelerated + implementations of any needed algorithms when available. If unsure, say Y. @@ -350,7 +357,14 @@ config INET_ESP tristate "IP: ESP transformation" select XFRM_ESP ---help--- - Support for IPsec ESP. + Support for IPsec ESP (Encapsulating Security Payload). + + ESP can be used with various encryption and authentication algorithms. + Besides enabling ESP support itself, this option enables the generic + implementations of the algorithms that RFC 8221 lists as MUST be + implemented. If you need any other algorithms, you'll need to enable + them in the crypto API. You should also enable accelerated + implementations of any needed algorithms when available. If unsure, say Y. diff --git a/net/ipv6/Kconfig b/net/ipv6/Kconfig index 70313f16319dd2..414a68b16869ec 100644 --- a/net/ipv6/Kconfig +++ b/net/ipv6/Kconfig @@ -51,7 +51,14 @@ config INET6_AH tristate "IPv6: AH transformation" select XFRM_AH ---help--- - Support for IPsec AH. + Support for IPsec AH (Authentication Header). + + AH can be used with various authentication algorithms. Besides + enabling AH support itself, this option enables the generic + implementations of the algorithms that RFC 8221 lists as MUST be + implemented. If you need any other algorithms, you'll need to enable + them in the crypto API. You should also enable accelerated + implementations of any needed algorithms when available. If unsure, say Y. @@ -59,7 +66,14 @@ config INET6_ESP tristate "IPv6: ESP transformation" select XFRM_ESP ---help--- - Support for IPsec ESP. + Support for IPsec ESP (Encapsulating Security Payload). + + ESP can be used with various encryption and authentication algorithms. + Besides enabling ESP support itself, this option enables the generic + implementations of the algorithms that RFC 8221 lists as MUST be + implemented. If you need any other algorithms, you'll need to enable + them in the crypto API. You should also enable accelerated + implementations of any needed algorithms when available. If unsure, say Y. diff --git a/net/xfrm/Kconfig b/net/xfrm/Kconfig index b2ff8df2c836ef..e77ba529229cf5 100644 --- a/net/xfrm/Kconfig +++ b/net/xfrm/Kconfig @@ -67,26 +67,29 @@ config XFRM_STATISTICS If unsure, say N. +# This option selects XFRM_ALGO along with the AH authentication algorithms that +# RFC 8221 lists as MUST be implemented. config XFRM_AH tristate select XFRM_ALGO select CRYPTO select CRYPTO_HMAC - select CRYPTO_MD5 - select CRYPTO_SHA1 + select CRYPTO_SHA256 +# This option selects XFRM_ALGO along with the ESP encryption and authentication +# algorithms that RFC 8221 lists as MUST be implemented. config XFRM_ESP tristate select XFRM_ALGO select CRYPTO + select CRYPTO_AES select CRYPTO_AUTHENC - select CRYPTO_HMAC - select CRYPTO_MD5 select CRYPTO_CBC - select CRYPTO_SHA1 - select CRYPTO_DES select CRYPTO_ECHAINIV + select CRYPTO_GCM + select CRYPTO_HMAC select CRYPTO_SEQIV + select CRYPTO_SHA256 config XFRM_IPCOMP tristate