From: Eric Biggers <ebiggers@xxxxxxxxxx> CRYPTO_CTR no longer selects CRYPTO_SEQIV, which breaks IPsec for users who need any of the algorithms that use seqiv. These users now would need to explicitly enable CRYPTO_SEQIV. There doesn't seem to be a clear rule on what algorithms the IPsec options (INET_ESP and INET6_ESP) actually select, as apparently none is *always* required. They currently select just a particular subset, along with CRYPTO_ECHAINIV which is the other IV generator template. As a compromise between too many and too few selections, select CRYPTO_SEQIV if either CRYPTO_CTR or CRYPTO_CHACHA20POLY1305 is enabled. These are the algorithms that can use seqiv for IPsec. (Note: GCM and CCM can too, but those both use CTR.) Fixes: f23efcbcc523 ("crypto: ctr - no longer needs CRYPTO_SEQIV") Cc: Corentin Labbe <clabbe@xxxxxxxxxxxx> Cc: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> Cc: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> Cc: Steffen Klassert <steffen.klassert@xxxxxxxxxxx> Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx> --- v2: added the 'if' condition and updated commit message net/ipv4/Kconfig | 1 + net/ipv6/Kconfig | 1 + 2 files changed, 2 insertions(+) diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig index 23ba5045e3d3..6520b30883cf 100644 --- a/net/ipv4/Kconfig +++ b/net/ipv4/Kconfig @@ -361,6 +361,7 @@ config INET_ESP select CRYPTO_SHA1 select CRYPTO_DES select CRYPTO_ECHAINIV + select CRYPTO_SEQIV if CRYPTO_CTR || CRYPTO_CHACHA20POLY1305 ---help--- Support for IPsec ESP. diff --git a/net/ipv6/Kconfig b/net/ipv6/Kconfig index 4f03aece2980..c78adb0f5339 100644 --- a/net/ipv6/Kconfig +++ b/net/ipv6/Kconfig @@ -70,6 +70,7 @@ config INET6_ESP select CRYPTO_SHA1 select CRYPTO_DES select CRYPTO_ECHAINIV + select CRYPTO_SEQIV if CRYPTO_CTR || CRYPTO_CHACHA20POLY1305 ---help--- Support for IPsec ESP. -- 2.27.0.278.ge193c7cf3a9-goog