From: Herbert Xu <herbert@gondor.apana.org.au>
To: Eric Biggers <ebiggers@kernel.org>
Cc: netdev@vger.kernel.org, linux-crypto@vger.kernel.org,
Corentin Labbe <clabbe@baylibre.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Steffen Klassert <steffen.klassert@secunet.com>
Subject: Re: [PATCH net] esp: select CRYPTO_SEQIV
Date: Fri, 5 Jun 2020 16:47:48 +1000 [thread overview]
Message-ID: <20200605064748.GA595@gondor.apana.org.au> (raw)
In-Reply-To: <20200605050910.GS2667@sol.localdomain>
On Thu, Jun 04, 2020 at 10:09:10PM -0700, Eric Biggers wrote:
>
> There's also a case where "seqiv" is used without counter mode:
>
> net/xfrm/xfrm_algo.c:
>
> {
> .name = "rfc7539esp(chacha20,poly1305)",
So
select CRYPTO_SEQIV if CRYPTO_CTR || CRYPTO_CHACHA20POLY1305
and if the list gets too long we could create another symbol that is
selected by the algorithms, say CRYPTO_SEQIV_ESP which could then
be used as the condition:
config CRYPTO_SEQIV_ESP
bool
config CRYPTO_CTR
select CRYPTO_SEQIV_ESP
config INET_ESP
select CRYPTO_SEQIV if CRYPTO_SEQIV_ESP
> FWIW, we make CONFIG_FS_ENCRYPTION select only the algorithms that we consider
> the "default", and any "non-default" algorithms need to be explicitly enabled.
>
> Is something similar going on here with INET_ESP and INET_ESP6? Should "seqiv"
> be considered a "default" for IPsec?
The default with IPsec is up to the user-space IPsec manager,
e.g., libreswan. So the kernel has no idea what the default
is. Also, unlike filesystems IPsec is about interoperability
so the default is actually a list of algorithms.
If you were using libreswan then top of the list is gcm(aes),
followed by aes(cbc)+sha256, and then aes(cbc)+sha1.
Incidentally we should probably prune the INET_ESP select list.
At least MD5/SHA1/DES shouldn't be on it. We probably should
add AES, SHA256 and GCM to the list.
Another potential improvement is to merge the two select lists
between ESP and ESP6. Perhaps move them to a new tristate say
XFRM_ESP that would then be selected by ESP and ESP6.
Cheers,
--
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
next prev parent reply other threads:[~2020-06-05 6:47 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-04 19:23 [PATCH net] esp: select CRYPTO_SEQIV Eric Biggers
2020-06-05 0:28 ` Herbert Xu
2020-06-05 0:29 ` Herbert Xu
2020-06-05 5:09 ` Eric Biggers
2020-06-05 6:47 ` Herbert Xu [this message]
2020-06-05 17:39 ` [PATCH net v2] esp: select CRYPTO_SEQIV when useful Eric Biggers
2020-06-05 18:00 ` Eric Biggers
2020-06-06 8:13 ` Steffen Klassert
2020-06-08 6:23 ` Herbert Xu
2020-06-05 10:01 ` [PATCH net] esp: select CRYPTO_SEQIV Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200605064748.GA595@gondor.apana.org.au \
--to=herbert@gondor.apana.org.au \
--cc=clabbe@baylibre.com \
--cc=ebiggers@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=linux-crypto@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=steffen.klassert@secunet.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.