From: Eric Biggers <ebiggers@kernel.org>
To: Simon Horman <horms@kernel.org>
Cc: netdev@vger.kernel.org, linux-crypto@vger.kernel.org,
linux-kernel@vger.kernel.org, edumazet@google.com,
ncardwell@google.com, kuniyu@google.com, davem@davemloft.net,
dsahern@kernel.org, kuba@kernel.org, pabeni@redhat.com,
ardb@kernel.org, Jason@zx2c4.com, herbert@gondor.apana.org.au,
0x7f454c46@gmail.com
Subject: Re: [PATCH net-next v2 1/5] net/tcp-ao: Drop support for most non-RFC-specified algorithms
Date: Wed, 29 Apr 2026 19:44:56 +0000 [thread overview]
Message-ID: <20260429194456.GA621449@google.com> (raw)
In-Reply-To: <20260429185828.1539480-2-horms@kernel.org>
On Wed, Apr 29, 2026 at 07:58:29PM +0100, Simon Horman wrote:
> Is this a uAPI regression for existing users of TCP_AO_ADD_KEY?
>
> Before this change, tcp_ao_add::alg_name accepted any crypto_ahash
> algorithm name. The commit message itself notes "arbitrary HMAC algorithms
> probably do work", and the selftest prior to this patch exercised
> hmac(sha512), hmac(sha384), hmac(sha224), hmac(sha3-512), hmac(rmd160) and
> hmac(md5), which demonstrates those configurations were functional in
> practice.
>
> A setsockopt call that previously succeeded with e.g. alg_name =
> "hmac(sha512)" now returns -ENOENT after a kernel upgrade, with no
> deprecation window, no Kconfig opt-in, and no runtime toggle. HMAC-SHA512
> in particular seems like a plausible choice that a deployment may already
> rely on.
>
> Would it make sense to keep hmac(sha512) (and possibly hmac(sha384)) in the
> accepted list, or to gate the removal behind a Kconfig/sysctl while warning
> for a few releases?
This is intentional and has already been explained and discussed
extensively.
> Also, -ENOENT is the same error returned when the crypto module for an
> otherwise-accepted algorithm is simply not built in. Should a distinct
> errno (for example -EOPNOTSUPP) be used here so userspace can tell
> "algorithm rejected by policy" apart from "algorithm module missing"?
This review seems a bit inconsistent, as now it's advocating *for* a
UAPI change. I suggest we just stay with ENOENT, as this patch does.
> > diff --git a/tools/testing/selftests/net/tcp_ao/config b/tools/testing/selftests/net/tcp_ao/config
> > index f22148512365..47228a7d0b90 100644
> > --- a/tools/testing/selftests/net/tcp_ao/config
> > +++ b/tools/testing/selftests/net/tcp_ao/config
> > @@ -1,6 +1,5 @@
> > CONFIG_CRYPTO_CMAC=y
> > CONFIG_CRYPTO_HMAC=y
> > -CONFIG_CRYPTO_RMD160=y
> > CONFIG_CRYPTO_SHA1=y
> > CONFIG_IPV6=y
> > CONFIG_IPV6_MULTIPLE_TABLES=y
>
> Should CONFIG_CRYPTO_SHA256=y (and possibly CONFIG_CRYPTO_AES=y) be added
> here?
This is an existing bug, which patch 2 fixes by making CONFIG_TCP_AO
select the algorithms it uses.
> > diff --git a/tools/testing/selftests/net/tcp_ao/key-management.c b/tools/testing/selftests/net/tcp_ao/key-management.c
> > index 69d9a7a05d5c..d86bb380b79f 100644
> > --- a/tools/testing/selftests/net/tcp_ao/key-management.c
> > +++ b/tools/testing/selftests/net/tcp_ao/key-management.c
>
> [ ... ]
>
> > -const char *test_algos[] = {
> > - "cmac(aes128)",
> > - "hmac(sha1)", "hmac(sha512)", "hmac(sha384)", "hmac(sha256)",
> > - "hmac(sha224)", "hmac(sha3-512)",
> > - /* only if !CONFIG_FIPS */
> > -#define TEST_NON_FIPS_ALGOS 2
> > - "hmac(rmd160)", "hmac(md5)"
> > -};
> > +const char *test_algos[] = { "cmac(aes128)", "hmac(sha1)", "hmac(sha256)" };
>
> With the FIPS/algorithm-probing logic removed and roughly one third of
> generated keys now using hmac(sha256), and with the kernel side now
> returning -ENOENT for non-whitelisted algorithms, tcp_sigpool_alloc_ahash()
> will fail for every hmac(sha256) key on a kernel built from this config
> unless CRYPTO_SHA256 is selected.
>
> CRYPTO_SHA256 is not implied by CRYPTO_HMAC or TCP_AO, so on a kernel built
> strictly from tools/testing/selftests/net/tcp_ao/config the tests would
> appear to fail rather than be skipped. Can the config fragment be updated
> to match the new required algorithm set?
Again, this is an existing bug, which patch 2 fixes by making
CONFIG_TCP_AO select the algorithms it uses.
> One more question, on the commit message and documentation rather than the
> diff: Documentation/networking/tcp_ao.rst still describes TCP-AO as "May
> support any hashing algorithm"
That "May support any hashing algorithm" statement has always been
incorrect, so I wouldn't pay much attention to it. It also appears in a
table describing TCP-AO as a protocol, not the kernel's implementation.
> and does not mention the newly enforced
> whitelist or the -ENOENT failure mode. Should tcp_ao.rst be updated in
> this patch to list the accepted algorithm strings and the rationale (e.g.
> the 20-byte TCP option MAC cap), so userspace has a documented contract?
As stated in the commit message, the list of MAC algorithms supported by
the kernel's implementation of TCP-AO has always been undocumented. It
should be documented, but I would suggest documentation improvements
belong in a separate patch.
- Eric
next prev parent reply other threads:[~2026-04-29 19:44 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-27 17:27 [PATCH net-next v2 0/5] Reimplement TCP-AO using crypto library Eric Biggers
2026-04-27 17:27 ` [PATCH net-next v2 1/5] net/tcp-ao: Drop support for most non-RFC-specified algorithms Eric Biggers
2026-04-29 18:58 ` Simon Horman
2026-04-29 19:44 ` Eric Biggers [this message]
2026-04-29 21:11 ` Eric Biggers
2026-04-27 17:27 ` [PATCH net-next v2 2/5] net/tcp-ao: Use crypto library API instead of crypto_ahash Eric Biggers
2026-04-28 1:24 ` David Laight
2026-04-28 1:35 ` Eric Biggers
2026-04-28 6:34 ` Ard Biesheuvel
2026-04-28 10:10 ` David Laight
2026-04-28 16:38 ` Ard Biesheuvel
2026-04-28 22:00 ` David Laight
2026-04-27 17:27 ` [PATCH net-next v2 3/5] net/tcp-ao: Use stack-allocated MAC and traffic_key buffers Eric Biggers
2026-04-27 17:27 ` [PATCH net-next v2 4/5] net/tcp-ao: Return void from functions that can no longer fail Eric Biggers
2026-04-27 17:27 ` [PATCH net-next v2 5/5] net/tcp: Remove tcp_sigpool Eric Biggers
2026-04-27 19:09 ` [PATCH net-next v2 0/5] Reimplement TCP-AO using crypto library Dmitry Safonov
2026-04-27 20:01 ` Eric Biggers
2026-04-27 23:20 ` Eric Biggers
2026-04-28 16:26 ` Simo Sorce
2026-04-28 17:30 ` Eric Biggers
2026-04-27 22:55 ` Jakub Kicinski
2026-04-28 0:00 ` Dmitry Safonov
2026-04-28 5:41 ` Ard Biesheuvel
2026-04-30 7:38 ` Paolo Abeni
2026-04-30 17:01 ` Dmitry Safonov
2026-04-30 8:49 ` patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260429194456.GA621449@google.com \
--to=ebiggers@kernel.org \
--cc=0x7f454c46@gmail.com \
--cc=Jason@zx2c4.com \
--cc=ardb@kernel.org \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=herbert@gondor.apana.org.au \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=kuniyu@google.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=ncardwell@google.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.