From: Steffen Klassert <steffen.klassert@secunet.com>
To: Eric Biggers <ebiggers@kernel.org>
Cc: <netdev@vger.kernel.org>,
Herbert Xu <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>,
<linux-crypto@vger.kernel.org>, <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH ipsec-next] xfrm: Drop support for HMAC-RIPEMD-160
Date: Wed, 8 Apr 2026 11:34:44 +0200 [thread overview]
Message-ID: <adYhND1MsLgR1ZLg@secunet.com> (raw)
In-Reply-To: <20260405011513.64909-1-ebiggers@kernel.org>
On Sat, Apr 04, 2026 at 06:15:13PM -0700, Eric Biggers wrote:
> Drop support for HMAC-RIPEMD-160 from IPsec to reduce the UAPI surface
> and simplify future maintenance. It's almost certainly unused.
>
> RIPEMD-160 received some attention in the early 2000s when SHA-* weren't
> quite as well established. But it never received much adoption outside
> of certain niches such as Bitcoin.
>
> It's actually unclear that Linux + IPsec + HMAC-RIPEMD-160 has *ever*
> been used, even historically. When support for it was added in 2003, it
> was done so in a "cleanup" commit without any justification [1]. It
> didn't actually work until someone happened to fix it 5 years later [2].
> That person didn't use or test it either [3]. Finally, also note that
> "hmac(rmd160)" is by far the slowest of the algorithms in aalg_list[].
>
> Of course, today IPsec is usually used with an AEAD, such as AES-GCM.
> But even for IPsec users still using a dedicated auth algorithm, they
> almost certainly aren't using, and shouldn't use, HMAC-RIPEMD-160.
>
> Thus, let's just drop support for it. Note: no kconfig update is
> needed, since CRYPTO_RMD160 wasn't actually being selected anyway.
>
> References:
> [1] linux-history commit d462985fc1941a47
> ("[IPSEC]: Clean up key manager algorithm handling.")
> [2] linux commit a13366c632132bb9
> ("xfrm: xfrm_algo: correct usage of RIPEMD-160")
> [3] https://lore.kernel.org/all/1212340578-15574-1-git-send-email-rueegsegger@swiss-it.ch
>
> Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Applied, thanks a lot Eric!
prev parent reply other threads:[~2026-04-08 9:34 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-05 1:15 [PATCH ipsec-next] xfrm: Drop support for HMAC-RIPEMD-160 Eric Biggers
2026-04-08 9:34 ` Steffen Klassert [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=adYhND1MsLgR1ZLg@secunet.com \
--to=steffen.klassert@secunet.com \
--cc=davem@davemloft.net \
--cc=ebiggers@kernel.org \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.