From: Eric Biggers <ebiggers@xxxxxxxxxx>
CRYPTO_CTR no longer selects CRYPTO_SEQIV, which breaks IPsec for users
who need any of the algorithms that use seqiv. These users now would
need to explicitly enable CRYPTO_SEQIV.
There doesn't seem to be a clear rule on what algorithms the IPsec
options (INET_ESP and INET6_ESP) actually select, as apparently none is
*always* required. They currently select just a particular subset,
along with CRYPTO_ECHAINIV which is the other IV generator template.
As a compromise between too many and too few selections, select
CRYPTO_SEQIV if either CRYPTO_CTR or CRYPTO_CHACHA20POLY1305 is enabled.
These are the algorithms that can use seqiv for IPsec. (Note: GCM and
CCM can too, but those both use CTR.)
Fixes: f23efcbcc523 ("crypto: ctr - no longer needs CRYPTO_SEQIV")
Cc: Corentin Labbe <clabbe@xxxxxxxxxxxx>
Cc: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
Cc: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Cc: Steffen Klassert <steffen.klassert@xxxxxxxxxxx>
Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx>
---
v2: added the 'if' condition and updated commit message
net/ipv4/Kconfig | 1 +
net/ipv6/Kconfig | 1 +
2 files changed, 2 insertions(+)
diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
index 23ba5045e3d3..6520b30883cf 100644
--- a/net/ipv4/Kconfig
+++ b/net/ipv4/Kconfig
@@ -361,6 +361,7 @@ config INET_ESP
select CRYPTO_SHA1
select CRYPTO_DES
select CRYPTO_ECHAINIV
+ select CRYPTO_SEQIV if CRYPTO_CTR || CRYPTO_CHACHA20POLY1305
---help---
Support for IPsec ESP.
diff --git a/net/ipv6/Kconfig b/net/ipv6/Kconfig
index 4f03aece2980..c78adb0f5339 100644
--- a/net/ipv6/Kconfig
+++ b/net/ipv6/Kconfig
@@ -70,6 +70,7 @@ config INET6_ESP
select CRYPTO_SHA1
select CRYPTO_DES
select CRYPTO_ECHAINIV
+ select CRYPTO_SEQIV if CRYPTO_CTR || CRYPTO_CHACHA20POLY1305
---help---
Support for IPsec ESP.
--
2.27.0.278.ge193c7cf3a9-goog
