summaryrefslogtreecommitdiffstats
path: root/net/ipv6/Kconfig
diff options
context:
space:
mode:
authorDavid Lebrun <david.lebrun@uclouvain.be>2016-11-08 14:57:42 +0100
committerDavid S. Miller <davem@davemloft.net>2016-11-09 20:40:06 -0500
commitbf355b8d2c30a289232042cacc1cfaea4923936c (patch)
treee7f1a5472ac6ac4c5b6c46ff4fe54d9bb9c4ab0f /net/ipv6/Kconfig
parent6c8702c60b88651072460f3f4026c7dfe2521d12 (diff)
downloadlinux-bf355b8d2c30a289232042cacc1cfaea4923936c.tar.bz2
ipv6: sr: add core files for SR HMAC support
This patch adds the necessary functions to compute and check the HMAC signature of an SR-enabled packet. Two HMAC algorithms are supported: hmac(sha1) and hmac(sha256). In order to avoid dynamic memory allocation for each HMAC computation, a per-cpu ring buffer is allocated for this purpose. A new per-interface sysctl called seg6_require_hmac is added, allowing a user-defined policy for processing HMAC-signed SR-enabled packets. A value of -1 means that the HMAC field will always be ignored. A value of 0 means that if an HMAC field is present, its validity will be enforced (the packet is dropped is the signature is incorrect). Finally, a value of 1 means that any SR-enabled packet that does not contain an HMAC signature or whose signature is incorrect will be dropped. Signed-off-by: David Lebrun <david.lebrun@uclouvain.be> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv6/Kconfig')
-rw-r--r--net/ipv6/Kconfig12
1 files changed, 12 insertions, 0 deletions
diff --git a/net/ipv6/Kconfig b/net/ipv6/Kconfig
index 1123a001d729..0f00811a785f 100644
--- a/net/ipv6/Kconfig
+++ b/net/ipv6/Kconfig
@@ -301,4 +301,16 @@ config IPV6_SEG6_INLINE
If unsure, say N.
+config IPV6_SEG6_HMAC
+ bool "IPv6: Segment Routing HMAC support"
+ depends on IPV6
+ select CRYPTO_HMAC
+ select CRYPTO_SHA1
+ select CRYPTO_SHA256
+ ---help---
+ Support for HMAC signature generation and verification
+ of SR-enabled packets.
+
+ If unsure, say N.
+
endif # IPV6