Re: [PATCH net-next v2 2/5] net/tcp-ao: Use crypto library API instead of crypto_ahash

[David Laight <david.laight.linux@gmail.com>]

On Mon, 27 Apr 2026 10:27:24 -0700
Eric Biggers <ebiggers@kernel.org> wrote:

> Currently the kernel's TCP-AO implementation does the MAC and KDF
> computations using the crypto_ahash API.  This API is inefficient and
> difficult to use, and it has required extensive workarounds in the form
> of per-CPU preallocated objects (tcp_sigpool) to work at all.
> 
> Let's use lib/crypto/ instead.  This means switching to straightforward
> stack-allocated structures, virtually addressed buffers, and direct
> function calls.  It also means removing quite a bit of error handling.
> This makes TCP-AO quite a bit faster.
> 
> This also enables many additional cleanups, which later commits will
> handle: removing tcp-sigpool, removing support for crypto_tfm cloning,
> removing more error handling, and replacing more dynamically-allocated
> buffers with stack buffers based on the now-statically-known limits.
> 
> Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
> Signed-off-by: Eric Biggers <ebiggers@kernel.org>
...
> @@ -344,33 +444,26 @@ static int tcp_v4_ao_calc_key(struct tcp_ao_key *mkt, u8 *key,
>  	struct kdf_input_block {
>  		u8                      counter;
>  		u8                      label[6];
>  		struct tcp4_ao_context	ctx;
>  		__be16                  outlen;
> -	} __packed * tmp;

That looks a bit horrid.
I also had a feeling that the compiler sometimes rejects non-packed structures
inside packed ones.
Perhaps nest the whole thing inside another structure that has an initial
u8 pad and is marked __packed __aligned(4).
Then the assignments to the fields of 'ctx' will be known to be aligned
even when tcp4_ao_context is also __packed.

	David

> -	struct tcp_sigpool hp;
> -	int err;
> -
> -	err = tcp_sigpool_start(mkt->tcp_sigpool_id, &hp);
> -	if (err)
> -		return err;
> -
> -	tmp = hp.scratch;
> -	tmp->counter	= 1;
> -	memcpy(tmp->label, "TCP-AO", 6);
> -	tmp->ctx.saddr	= saddr;
> -	tmp->ctx.daddr	= daddr;
> -	tmp->ctx.sport	= sport;
> -	tmp->ctx.dport	= dport;
> -	tmp->ctx.sisn	= sisn;
> -	tmp->ctx.disn	= disn;
> -	tmp->outlen	= htons(tcp_ao_digest_size(mkt) * 8); /* in bits */
> -
> -	err = tcp_ao_calc_traffic_key(mkt, key, tmp, sizeof(*tmp), &hp);
> -	tcp_sigpool_end(&hp);
> -
> -	return err;
> +	} __packed input = {
> +		.counter = 1,
> +		.label = "TCP-AO",
> +		.ctx = {
> +			.saddr = saddr,
> +			.daddr = daddr,
> +			.sport = sport,
> +			.dport = dport,
> +			.sisn = sisn,
> +			.disn = disn,
> +		},
> +		.outlen = htons(tcp_ao_digest_size(mkt) * 8), /* in bits */
> +	};
> +
> +	tcp_ao_calc_traffic_key(mkt, key, &input, sizeof(input));
> +	return 0;
>  }