xiaomi-sm8450/android_kernel_xiaomi_sm8450
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

esp, ah: modernize the crypto algorithm selections

Browse Source 
The crypto algorithms selected by the ESP and AH kconfig options are
out-of-date with the guidance of RFC 8221, which lists the legacy
algorithms MD5 and DES as "MUST NOT" be implemented, and some more
modern algorithms like AES-GCM and HMAC-SHA256 as "MUST" be implemented.
But the options select the legacy algorithms, not the modern ones.

Therefore, modify these options to select the MUST algorithms --
and *only* the MUST algorithms.

Also improve the help text.

Note that other algorithms may still be explicitly enabled in the
kconfig, and the choice of which to actually use is still controlled by
userspace.  This change only modifies the list of algorithms for which
kernel support is guaranteed to be present.

Suggested-by: Herbert Xu <herbert@gondor.apana.org.au>
Suggested-by: Steffen Klassert <steffen.klassert@secunet.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Corentin Labbe <clabbe@baylibre.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
This commit is contained in:
Eric Biggers
2020-06-10 09:14:37 -07:00
committed by Steffen Klassert
parent 37ea0f18fb
commit be01369859
3 changed files with 41 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
net/ipv4/Kconfig
View File

@@ -342,7 +342,14 @@ config INET_AH
tristate "IP: AH transformation"
select XFRM_AH
---help---
Support for IPsec AH.
Support for IPsec AH (Authentication Header).
AH can be used with various authentication algorithms. Besides
enabling AH support itself, this option enables the generic
implementations of the algorithms that RFC 8221 lists as MUST be
implemented. If you need any other algorithms, you'll need to enable
them in the crypto API. You should also enable accelerated
implementations of any needed algorithms when available.
If unsure, say Y.
@@ -350,7 +357,14 @@ config INET_ESP
tristate "IP: ESP transformation"
select XFRM_ESP
---help---
Support for IPsec ESP.
Support for IPsec ESP (Encapsulating Security Payload).
ESP can be used with various encryption and authentication algorithms.
Besides enabling ESP support itself, this option enables the generic
implementations of the algorithms that RFC 8221 lists as MUST be
implemented. If you need any other algorithms, you'll need to enable
them in the crypto API. You should also enable accelerated
implementations of any needed algorithms when available.
If unsure, say Y.