Commit 0e5f9d50 authored by David S. Miller's avatar David S. Miller


Steffen Klassert says:

====================
pull request (net): ipsec 2020-06-19

1) Fix double ESP trailer insertion in IPsec crypto offload if
   netif_xmit_frozen_or_stopped is true. From Huy Nguyen.

2) Merge fixup for "remove output_finish indirection from
   xfrm_state_afinfo". From Stephen Rothwell.

3) Select CRYPTO_SEQIV for ESP as this is needed for GCM and several
   other encryption algorithms. Also modernize the crypto algorithm
   selections for ESP and AH, remove those that are marked as "MUST NOT"
   and add those that are marked as "MUST" be implemented in RFC 8221.
   From Eric Biggers.

Please note the merge conflict between commit:

a7f7f624 ("treewide: replace '---help---' in Kconfig files with 'help'")

from Linus' tree and commits:

7d4e3919 ("esp, ah: consolidate the crypto algorithm selections")
be013698 ("esp, ah: modernize the crypto algorithm selections")

from the ipsec tree.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 7b075ad9 be013698
+1 −0
@@ -1008,6 +1008,7 @@ struct xfrm_offload {
#define	XFRM_GRO		32
#define	XFRM_ESP_NO_TRAILER	64
#define	XFRM_DEV_RESUME		128
#define	XFRM_XMIT		256

	__u32			status;
#define CRYPTO_SUCCESS				1
+18 −16
@@ -340,29 +340,31 @@ config NET_FOU_IP_TUNNELS

config INET_AH
	tristate "IP: AH transformation"
	select XFRM_ALGO
	select CRYPTO
	select CRYPTO_HMAC
	select CRYPTO_MD5
	select CRYPTO_SHA1
	select XFRM_AH
	help
	  Support for IPsec AH.
	  Support for IPsec AH (Authentication Header).

	  AH can be used with various authentication algorithms.  Besides
	  enabling AH support itself, this option enables the generic
	  implementations of the algorithms that RFC 8221 lists as MUST be
	  implemented.  If you need any other algorithms, you'll need to enable
	  them in the crypto API.  You should also enable accelerated
	  implementations of any needed algorithms when available.

	  If unsure, say Y.

config INET_ESP
	tristate "IP: ESP transformation"
	select XFRM_ALGO
	select CRYPTO
	select CRYPTO_AUTHENC
	select CRYPTO_HMAC
	select CRYPTO_MD5
	select CRYPTO_CBC
	select CRYPTO_SHA1
	select CRYPTO_DES
	select CRYPTO_ECHAINIV
	select XFRM_ESP
	help
	  Support for IPsec ESP.
	  Support for IPsec ESP (Encapsulating Security Payload).

	  ESP can be used with various encryption and authentication algorithms.
	  Besides enabling ESP support itself, this option enables the generic
	  implementations of the algorithms that RFC 8221 lists as MUST be
	  implemented.  If you need any other algorithms, you'll need to enable
	  them in the crypto API.  You should also enable accelerated
	  implementations of any needed algorithms when available.

	  If unsure, say Y.
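Review bot: The new help text for INET_AH and INET_ESP tells users to enable "any other algorithms" in the crypto API, but it does not name the options these symbols used to pull in. Reading the listing as old lines followed by new ones, the direct `select CRYPTO_MD5`, `select CRYPTO_SHA1` and `select CRYPTO_DES` lines give way to `select XFRM_AH` and `select XFRM_ESP`, and those symbols, as defined in the xfrm Kconfig section of this commit, select SHA256, AES and GCM instead. A configuration that relied on the implicit selections would presumably find the older algorithms missing only when an SA is set up, not at build time. A sentence in the help text naming CRYPTO_SHA1, CRYPTO_MD5 and CRYPTO_DES as no longer selected would let administrators audit which peers still depend on them; the same applies to INET6_AH and INET6_ESP in the IPv6 section.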

+18 −16
@@ -49,29 +49,31 @@ config IPV6_OPTIMISTIC_DAD

config INET6_AH
	tristate "IPv6: AH transformation"
	select XFRM_ALGO
	select CRYPTO
	select CRYPTO_HMAC
	select CRYPTO_MD5
	select CRYPTO_SHA1
	select XFRM_AH
	help
	  Support for IPsec AH.
	  Support for IPsec AH (Authentication Header).

	  AH can be used with various authentication algorithms.  Besides
	  enabling AH support itself, this option enables the generic
	  implementations of the algorithms that RFC 8221 lists as MUST be
	  implemented.  If you need any other algorithms, you'll need to enable
	  them in the crypto API.  You should also enable accelerated
	  implementations of any needed algorithms when available.

	  If unsure, say Y.

config INET6_ESP
	tristate "IPv6: ESP transformation"
	select XFRM_ALGO
	select CRYPTO
	select CRYPTO_AUTHENC
	select CRYPTO_HMAC
	select CRYPTO_MD5
	select CRYPTO_CBC
	select CRYPTO_SHA1
	select CRYPTO_DES
	select CRYPTO_ECHAINIV
	select XFRM_ESP
	help
	  Support for IPsec ESP.
	  Support for IPsec ESP (Encapsulating Security Payload).

	  ESP can be used with various encryption and authentication algorithms.
	  Besides enabling ESP support itself, this option enables the generic
	  implementations of the algorithms that RFC 8221 lists as MUST be
	  implemented.  If you need any other algorithms, you'll need to enable
	  them in the crypto API.  You should also enable accelerated
	  implementations of any needed algorithms when available.

	  If unsure, say Y.

+24 −0
@@ -67,6 +67,30 @@ config XFRM_STATISTICS

	  If unsure, say N.

# This option selects XFRM_ALGO along with the AH authentication algorithms that
# RFC 8221 lists as MUST be implemented.
config XFRM_AH
	tristate
	select XFRM_ALGO
	select CRYPTO
	select CRYPTO_HMAC
	select CRYPTO_SHA256

# This option selects XFRM_ALGO along with the ESP encryption and authentication
# algorithms that RFC 8221 lists as MUST be implemented.
config XFRM_ESP
	tristate
	select XFRM_ALGO
	select CRYPTO
	select CRYPTO_AES
	select CRYPTO_AUTHENC
	select CRYPTO_CBC
	select CRYPTO_ECHAINIV
	select CRYPTO_GCM
	select CRYPTO_HMAC
	select CRYPTO_SEQIV
	select CRYPTO_SHA256

config XFRM_IPCOMP
	tristate
	select XFRM_ALGO
+3 −1
@@ -108,7 +108,7 @@ struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t featur
	struct xfrm_offload *xo = xfrm_offload(skb);
	struct sec_path *sp;

	if (!xo)
	if (!xo || (xo->flags & XFRM_XMIT))
		return skb;

	if (!(features & NETIF_F_HW_ESP))
@@ -129,6 +129,8 @@ struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t featur
		return skb;
	}

	xo->flags |= XFRM_XMIT;

	if (skb_is_gso(skb)) {
		struct net_device *dev = skb->dev;
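Review bot: Neither the early return `if (!xo || (xo->flags & XFRM_XMIT))` nor the later `xo->flags |= XFRM_XMIT;` says what state the flag records, and the `#define XFRM_XMIT 256` added to the xfrm_offload flags carries no comment either. Going by the commit description, the flag marks an skb that has already been through validate_xmit_xfrm, so that a requeued packet does not get a second ESP trailer; a comment such as `/* skb already passed validate_xmit_xfrm; do not add the ESP trailer again */` above the check would make that explicit. The flag is set before the GSO branch and before the rest of the function, which lies outside this hunk. It is therefore worth confirming that every later path which hands the skb back without completing the offload work either frees it or is safe to skip on re-entry.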
