2020-06-10 00:58:19

by Eric Biggers

Subject: [PATCH net v3 0/3] esp, ah: improve crypto algorithm selections

This series consolidates and modernizes the lists of crypto algorithms
that are selected by the IPsec kconfig options, and adds CRYPTO_SEQIV
since it no longer gets selected automatically by other things.

See previous discussion at
https://lkml.kernel.org/netdev/[email protected]/T/#u

Eric Biggers (3):
esp, ah: consolidate the crypto algorithm selections
esp: select CRYPTO_SEQIV
esp, ah: modernize the crypto algorithm selections

net/ipv4/Kconfig | 37 +++++++++++++++++++++----------------
net/ipv6/Kconfig | 37 +++++++++++++++++++++----------------
net/xfrm/Kconfig | 24 ++++++++++++++++++++++++
3 files changed, 66 insertions(+), 32 deletions(-)


base-commit: 8027bc0307ce59759b90679fa5d8b22949586d20
--
2.26.2


2020-06-10 00:58:19

by Eric Biggers

Subject: [PATCH net v3 2/3] esp: select CRYPTO_SEQIV

From: Eric Biggers <[email protected]>

Commit f23efcbcc523 ("crypto: ctr - no longer needs CRYPTO_SEQIV") made
CRYPTO_CTR stop selecting CRYPTO_SEQIV. This breaks IPsec for most
users since GCM and several other encryption algorithms require "seqiv"
-- and RFC 8221 lists AES-GCM as "MUST" be implemented.

Just make XFRM_ESP select CRYPTO_SEQIV.

Fixes: f23efcbcc523 ("crypto: ctr - no longer needs CRYPTO_SEQIV") made
Cc: Corentin Labbe <[email protected]>
Cc: Greg Kroah-Hartman <[email protected]>
Cc: Herbert Xu <[email protected]>
Cc: Steffen Klassert <[email protected]>
Signed-off-by: Eric Biggers <[email protected]>
---
net/xfrm/Kconfig | 1 +
1 file changed, 1 insertion(+)

diff --git a/net/xfrm/Kconfig b/net/xfrm/Kconfig
index 169c22140709f7..b2ff8df2c836ef 100644
--- a/net/xfrm/Kconfig
+++ b/net/xfrm/Kconfig
@@ -86,6 +86,7 @@ config XFRM_ESP
select CRYPTO_SHA1
select CRYPTO_DES
select CRYPTO_ECHAINIV
+ select CRYPTO_SEQIV

config XFRM_IPCOMP
tristate
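
Review bot: the added "select CRYPTO_SEQIV" at the end of the XFRM_ESP list has no comment saying why ESP needs it, and the commit message shows how easily an implicit dependency like this gets lost (it used to arrive through CRYPTO_CTR). A short Kconfig comment next to the select, noting that GCM and several other ESP encryption algorithms require "seqiv", would keep a later cleanup from dropping it again. Separately, the Fixes: trailer in the commit message ends with a stray "made" carried over from the sentence above it; the tag should end at the closing parenthesis.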
--
2.26.2

2020-06-10 00:58:32

by Eric Biggers

Subject: [PATCH net v3 3/3] esp, ah: modernize the crypto algorithm selections

From: Eric Biggers <[email protected]>

The crypto algorithms selected by the ESP and AH kconfig options are
out-of-date with the guidance of RFC 8221, which lists the legacy
algorithms MD5 and DES as "MUST NOT" be implemented, and some more
modern algorithms like AES-GCM and HMAC-SHA256 as "MUST" be implemented.
But the options select the legacy algorithms, not the modern ones.

Therefore, modify these options to select the MUST algorithms --
and *only* the MUST algorithms.

Also improve the help text.

Suggested-by: Herbert Xu <[email protected]>
Suggested-by: Steffen Klassert <[email protected]>
Cc: Corentin Labbe <[email protected]>
Cc: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Eric Biggers <[email protected]>
---
net/ipv4/Kconfig | 21 +++++++++++++++++++--
net/ipv6/Kconfig | 21 +++++++++++++++++++--
net/xfrm/Kconfig | 15 +++++++++------
3 files changed, 47 insertions(+), 10 deletions(-)

diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
index 39a7a21744dc03..14fc8d6582499b 100644
--- a/net/ipv4/Kconfig
+++ b/net/ipv4/Kconfig
@@ -342,7 +342,17 @@ config INET_AH
tristate "IP: AH transformation"
select XFRM_AH
---help---
- Support for IPsec AH.
+ Support for IPsec AH (Authentication Header).
+
+ AH can be used with various authentication algorithms. Besides
+ enabling AH support itself, this option enables the generic
+ implementations of the algorithms that RFC 8221 lists as MUST be
+ implemented. If you need any other algorithms, you'll need to enable
+ them in the crypto API. You should also enable accelerated
+ implementations of any needed algorithms when available.
+
+ Note that RFC 8221 considers AH itself to be "NOT RECOMMENDED". It is
+ better to use ESP only, using an AEAD cipher such as AES-GCM.

If unsure, say Y.

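Review bot: the paragraph added to the INET_AH help text, stating that RFC 8221 considers AH itself "NOT RECOMMENDED", is disputed in the review further down this thread. Tobias Brunner's reply says the RFC's NOT RECOMMENDED applies to the combination of ESP and AH, not to AH by itself, and the author agrees to drop the paragraph. The same two lines appear in the INET6_AH hunk in net/ipv6/Kconfig and should be dropped there as well.
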
@@ -350,7 +360,14 @@ config INET_ESP
tristate "IP: ESP transformation"
select XFRM_ESP
---help---
- Support for IPsec ESP.
+ Support for IPsec ESP (Encapsulating Security Payload).
+
+ ESP can be used with various encryption and authentication algorithms.
+ Besides enabling ESP support itself, this option enables the generic
+ implementations of the algorithms that RFC 8221 lists as MUST be
+ implemented. If you need any other algorithms, you'll need to enable
+ them in the crypto API. You should also enable accelerated
+ implementations of any needed algorithms when available.

If unsure, say Y.

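Review bot: the new INET_ESP help text says the option enables "the algorithms that RFC 8221 lists as MUST be implemented" without naming them, so someone configuring a kernel cannot tell from the help alone whether the algorithms their tunnels use are covered. Listing what the XFRM_ESP selects in this patch provide (AES, CBC, GCM, HMAC and SHA256, per the net/xfrm/Kconfig hunk) would make it clear when something extra has to be enabled in the crypto API. The identical text in INET6_ESP would take the same change.
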
diff --git a/net/ipv6/Kconfig b/net/ipv6/Kconfig
index 70313f16319dd2..7398085ab10d58 100644
--- a/net/ipv6/Kconfig
+++ b/net/ipv6/Kconfig
@@ -51,7 +51,17 @@ config INET6_AH
tristate "IPv6: AH transformation"
select XFRM_AH
---help---
- Support for IPsec AH.
+ Support for IPsec AH (Authentication Header).
+
+ AH can be used with various authentication algorithms. Besides
+ enabling AH support itself, this option enables the generic
+ implementations of the algorithms that RFC 8221 lists as MUST be
+ implemented. If you need any other algorithms, you'll need to enable
+ them in the crypto API. You should also enable accelerated
+ implementations of any needed algorithms when available.
+
+ Note that RFC 8221 considers AH itself to be "NOT RECOMMENDED". It is
+ better to use ESP only, using an AEAD cipher such as AES-GCM.

If unsure, say Y.

@@ -59,7 +69,14 @@ config INET6_ESP
tristate "IPv6: ESP transformation"
select XFRM_ESP
---help---
- Support for IPsec ESP.
+ Support for IPsec ESP (Encapsulating Security Payload).
+
+ ESP can be used with various encryption and authentication algorithms.
+ Besides enabling ESP support itself, this option enables the generic
+ implementations of the algorithms that RFC 8221 lists as MUST be
+ implemented. If you need any other algorithms, you'll need to enable
+ them in the crypto API. You should also enable accelerated
+ implementations of any needed algorithms when available.

If unsure, say Y.

diff --git a/net/xfrm/Kconfig b/net/xfrm/Kconfig
index b2ff8df2c836ef..e77ba529229cf5 100644
--- a/net/xfrm/Kconfig
+++ b/net/xfrm/Kconfig
@@ -67,26 +67,29 @@ config XFRM_STATISTICS

If unsure, say N.

+# This option selects XFRM_ALGO along with the AH authentication algorithms that
+# RFC 8221 lists as MUST be implemented.
config XFRM_AH
tristate
select XFRM_ALGO
select CRYPTO
select CRYPTO_HMAC
- select CRYPTO_MD5
- select CRYPTO_SHA1
+ select CRYPTO_SHA256

+# This option selects XFRM_ALGO along with the ESP encryption and authentication
+# algorithms that RFC 8221 lists as MUST be implemented.
config XFRM_ESP
tristate
select XFRM_ALGO
select CRYPTO
+ select CRYPTO_AES
select CRYPTO_AUTHENC
- select CRYPTO_HMAC
- select CRYPTO_MD5
select CRYPTO_CBC
- select CRYPTO_SHA1
- select CRYPTO_DES
select CRYPTO_ECHAINIV
+ select CRYPTO_GCM
+ select CRYPTO_HMAC
select CRYPTO_SEQIV
+ select CRYPTO_SHA256

config XFRM_IPCOMP
tristate
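
Review bot: removing "select CRYPTO_MD5", "select CRYPTO_SHA1" and "select CRYPTO_DES" from XFRM_AH and XFRM_ESP means a kernel configuration that got those algorithms only through these selects will stop building them, and neither the hunk nor the commit message calls that out for people upgrading. The new help text does say other algorithms must be enabled in the crypto API, but a sentence in the commit message naming the three dropped options would make the change visible to anyone whose peers still negotiate them. Also, Tobias Brunner's reply in this thread notes that the RFC keeps ENCR_NULL as a MUST, and the XFRM_ESP list has no direct select for a null cipher; it is worth confirming that it is pulled in through another option, since the commit message says the MUST algorithms are what get selected.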
--
2.26.2

2020-06-10 00:58:42

by Eric Biggers

Subject: [PATCH net v3 1/3] esp, ah: consolidate the crypto algorithm selections

From: Eric Biggers <[email protected]>

Instead of duplicating the algorithm selections between INET_AH and
INET6_AH and between INET_ESP and INET6_ESP, create new tristates
XFRM_AH and XFRM_ESP that do the algorithm selections, and make these be
selected by the corresponding INET* options.

Suggested-by: Herbert Xu <[email protected]>
Cc: Corentin Labbe <[email protected]>
Cc: Greg Kroah-Hartman <[email protected]>
Cc: Steffen Klassert <[email protected]>
Signed-off-by: Eric Biggers <[email protected]>
---
net/ipv4/Kconfig | 16 ++--------------
net/ipv6/Kconfig | 16 ++--------------
net/xfrm/Kconfig | 20 ++++++++++++++++++++
3 files changed, 24 insertions(+), 28 deletions(-)

diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
index 23ba5045e3d3c1..39a7a21744dc03 100644
--- a/net/ipv4/Kconfig
+++ b/net/ipv4/Kconfig
@@ -340,11 +340,7 @@ config NET_FOU_IP_TUNNELS

config INET_AH
tristate "IP: AH transformation"
- select XFRM_ALGO
- select CRYPTO
- select CRYPTO_HMAC
- select CRYPTO_MD5
- select CRYPTO_SHA1
+ select XFRM_AH
---help---
Support for IPsec AH.

@@ -352,15 +348,7 @@ config INET_AH

config INET_ESP
tristate "IP: ESP transformation"
- select XFRM_ALGO
- select CRYPTO
- select CRYPTO_AUTHENC
- select CRYPTO_HMAC
- select CRYPTO_MD5
- select CRYPTO_CBC
- select CRYPTO_SHA1
- select CRYPTO_DES
- select CRYPTO_ECHAINIV
+ select XFRM_ESP
---help---
Support for IPsec ESP.

diff --git a/net/ipv6/Kconfig b/net/ipv6/Kconfig
index 4f03aece2980fb..70313f16319dd2 100644
--- a/net/ipv6/Kconfig
+++ b/net/ipv6/Kconfig
@@ -49,11 +49,7 @@ config IPV6_OPTIMISTIC_DAD

config INET6_AH
tristate "IPv6: AH transformation"
- select XFRM_ALGO
- select CRYPTO
- select CRYPTO_HMAC
- select CRYPTO_MD5
- select CRYPTO_SHA1
+ select XFRM_AH
---help---
Support for IPsec AH.

@@ -61,15 +57,7 @@ config INET6_AH

config INET6_ESP
tristate "IPv6: ESP transformation"
- select XFRM_ALGO
- select CRYPTO
- select CRYPTO_AUTHENC
- select CRYPTO_HMAC
- select CRYPTO_MD5
- select CRYPTO_CBC
- select CRYPTO_SHA1
- select CRYPTO_DES
- select CRYPTO_ECHAINIV
+ select XFRM_ESP
---help---
Support for IPsec ESP.

diff --git a/net/xfrm/Kconfig b/net/xfrm/Kconfig
index b7fd9c83841605..169c22140709f7 100644
--- a/net/xfrm/Kconfig
+++ b/net/xfrm/Kconfig
@@ -67,6 +67,26 @@ config XFRM_STATISTICS

If unsure, say N.

+config XFRM_AH
+ tristate
+ select XFRM_ALGO
+ select CRYPTO
+ select CRYPTO_HMAC
+ select CRYPTO_MD5
+ select CRYPTO_SHA1
+
+config XFRM_ESP
+ tristate
+ select XFRM_ALGO
+ select CRYPTO
+ select CRYPTO_AUTHENC
+ select CRYPTO_HMAC
+ select CRYPTO_MD5
+ select CRYPTO_CBC
+ select CRYPTO_SHA1
+ select CRYPTO_DES
+ select CRYPTO_ECHAINIV
+
config XFRM_IPCOMP
tristate
select XFRM_ALGO
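
Review bot: the new promptless symbols XFRM_AH and XFRM_ESP in net/xfrm/Kconfig are introduced without any comment, so nothing at the definition says they exist only to carry the algorithm selects for the INET_AH/INET6_AH and INET_ESP/INET6_ESP options. Patch 3/3 adds a "# This option selects XFRM_ALGO along with ..." comment above each; introducing a comment here, in the patch that creates the symbols, would keep this commit self-describing. Carrying MD5 and DES over unchanged is consistent with a pure consolidation, and the commit message could say explicitly that no selection changes in this step.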
--
2.26.2

2020-06-10 01:02:12

by Herbert Xu

Subject: Re: [PATCH net v3 1/3] esp, ah: consolidate the crypto algorithm selections

On Tue, Jun 09, 2020 at 05:54:00PM -0700, Eric Biggers wrote:
> From: Eric Biggers <[email protected]>
>
> Instead of duplicating the algorithm selections between INET_AH and
> INET6_AH and between INET_ESP and INET6_ESP, create new tristates
> XFRM_AH and XFRM_ESP that do the algorithm selections, and make these be
> selected by the corresponding INET* options.
>
> Suggested-by: Herbert Xu <[email protected]>
> Cc: Corentin Labbe <[email protected]>
> Cc: Greg Kroah-Hartman <[email protected]>
> Cc: Steffen Klassert <[email protected]>
> Signed-off-by: Eric Biggers <[email protected]>
> ---
> net/ipv4/Kconfig | 16 ++--------------
> net/ipv6/Kconfig | 16 ++--------------
> net/xfrm/Kconfig | 20 ++++++++++++++++++++
> 3 files changed, 24 insertions(+), 28 deletions(-)

Acked-by: Herbert Xu <[email protected]>
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

2020-06-10 01:02:12

by Herbert Xu

Subject: Re: [PATCH net v3 2/3] esp: select CRYPTO_SEQIV

On Tue, Jun 09, 2020 at 05:54:01PM -0700, Eric Biggers wrote:
> From: Eric Biggers <[email protected]>
>
> Commit f23efcbcc523 ("crypto: ctr - no longer needs CRYPTO_SEQIV") made
> CRYPTO_CTR stop selecting CRYPTO_SEQIV. This breaks IPsec for most
> users since GCM and several other encryption algorithms require "seqiv"
> -- and RFC 8221 lists AES-GCM as "MUST" be implemented.
>
> Just make XFRM_ESP select CRYPTO_SEQIV.
>
> Fixes: f23efcbcc523 ("crypto: ctr - no longer needs CRYPTO_SEQIV") made
> Cc: Corentin Labbe <[email protected]>
> Cc: Greg Kroah-Hartman <[email protected]>
> Cc: Herbert Xu <[email protected]>
> Cc: Steffen Klassert <[email protected]>
> Signed-off-by: Eric Biggers <[email protected]>
> ---
> net/xfrm/Kconfig | 1 +
> 1 file changed, 1 insertion(+)

Acked-by: Herbert Xu <[email protected]>
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

2020-06-10 01:02:23

by Herbert Xu

Subject: Re: [PATCH net v3 3/3] esp, ah: modernize the crypto algorithm selections

On Tue, Jun 09, 2020 at 05:54:02PM -0700, Eric Biggers wrote:
> From: Eric Biggers <[email protected]>
>
> The crypto algorithms selected by the ESP and AH kconfig options are
> out-of-date with the guidance of RFC 8221, which lists the legacy
> algorithms MD5 and DES as "MUST NOT" be implemented, and some more
> modern algorithms like AES-GCM and HMAC-SHA256 as "MUST" be implemented.
> But the options select the legacy algorithms, not the modern ones.
>
> Therefore, modify these options to select the MUST algorithms --
> and *only* the MUST algorithms.
>
> Also improve the help text.
>
> Suggested-by: Herbert Xu <[email protected]>
> Suggested-by: Steffen Klassert <[email protected]>
> Cc: Corentin Labbe <[email protected]>
> Cc: Greg Kroah-Hartman <[email protected]>
> Signed-off-by: Eric Biggers <[email protected]>
> ---
> net/ipv4/Kconfig | 21 +++++++++++++++++++--
> net/ipv6/Kconfig | 21 +++++++++++++++++++--
> net/xfrm/Kconfig | 15 +++++++++------
> 3 files changed, 47 insertions(+), 10 deletions(-)

Acked-by: Herbert Xu <[email protected]>
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

2020-06-10 09:13:59

by Tobias Brunner

Subject: Re: [PATCH net v3 3/3] esp, ah: modernize the crypto algorithm selections

Hi Eric,

> + Note that RFC 8221 considers AH itself to be "NOT RECOMMENDED". It is
> + better to use ESP only, using an AEAD cipher such as AES-GCM.

What's NOT RECOMMENDED according to the RFC is the combination of ESP+AH
(i.e. use ESP only for confidentiality and AH for authentication), not
AH by itself (although the RFC keeps ENCR_NULL as a MUST because ESP
with NULL encryption is generally preferred over AH due to NATs).

Regards,
Tobias

2020-06-10 17:17:46

by Eric Biggers

Subject: Re: [PATCH net v3 3/3] esp, ah: modernize the crypto algorithm selections

On Wed, Jun 10, 2020 at 11:03:55AM +0200, Tobias Brunner wrote:
> Hi Eric,
>
> > + Note that RFC 8221 considers AH itself to be "NOT RECOMMENDED". It is
> > + better to use ESP only, using an AEAD cipher such as AES-GCM.
>
> What's NOT RECOMMENDED according to the RFC is the combination of ESP+AH
> (i.e. use ESP only for confidentiality and AH for authentication), not
> AH by itself (although the RFC keeps ENCR_NULL as a MUST because ESP
> with NULL encryption is generally preferred over AH due to NATs).
>
> Regards,
> Tobias

Okay, I'll drop this paragraph. I'm surprised that authentication-only is still
considered a valid use case though.

- Eric