[PATCH ipsec-next] xfrm: Drop support for HMAC-RIPEMD-160

public inbox for linux-crypto@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH ipsec-next] xfrm: Drop support for HMAC-RIPEMD-160
@ 2026-04-05  1:15 Eric Biggers
  0 siblings, 0 replies; only message in thread
From: Eric Biggers @ 2026-04-05  1:15 UTC (permalink / raw)
  To: netdev, Steffen Klassert, Herbert Xu, David S. Miller
  Cc: linux-crypto, linux-kernel, Eric Biggers

Drop support for HMAC-RIPEMD-160 from IPsec to reduce the UAPI surface
and simplify future maintenance.  It's almost certainly unused.

RIPEMD-160 received some attention in the early 2000s when SHA-* weren't
quite as well established.  But it never received much adoption outside
of certain niches such as Bitcoin.

It's actually unclear that Linux + IPsec + HMAC-RIPEMD-160 has *ever*
been used, even historically.  When support for it was added in 2003, it
was done so in a "cleanup" commit without any justification [1].  It
didn't actually work until someone happened to fix it 5 years later [2].
That person didn't use or test it either [3].  Finally, also note that
"hmac(rmd160)" is by far the slowest of the algorithms in aalg_list[].

Of course, today IPsec is usually used with an AEAD, such as AES-GCM.
But even for IPsec users still using a dedicated auth algorithm, they
almost certainly aren't using, and shouldn't use, HMAC-RIPEMD-160.

Thus, let's just drop support for it.  Note: no kconfig update is
needed, since CRYPTO_RMD160 wasn't actually being selected anyway.

References:
  [1] linux-history commit d462985fc1941a47
      ("[IPSEC]: Clean up key manager algorithm handling.")
  [2] linux commit a13366c632132bb9
      ("xfrm: xfrm_algo: correct usage of RIPEMD-160")
  [3] https://lore.kernel.org/all/1212340578-15574-1-git-send-email-rueegsegger@swiss-it.ch

Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
 net/xfrm/xfrm_algo.c                | 20 --------------------
 tools/testing/selftests/net/ipsec.c |  8 ++------
 2 files changed, 2 insertions(+), 26 deletions(-)

diff --git a/net/xfrm/xfrm_algo.c b/net/xfrm/xfrm_algo.c
index 749011e031c0a..70434495f23f5 100644
--- a/net/xfrm/xfrm_algo.c
+++ b/net/xfrm/xfrm_algo.c
@@ -288,30 +288,10 @@ static struct xfrm_algo_desc aalg_list[] = {
 		.sadb_alg_ivlen = 0,
 		.sadb_alg_minbits = 512,
 		.sadb_alg_maxbits = 512
 	}
 },
-{
-	.name = "hmac(rmd160)",
-	.compat = "rmd160",
-
-	.uinfo = {
-		.auth = {
-			.icv_truncbits = 96,
-			.icv_fullbits = 160,
-		}
-	},
-
-	.pfkey_supported = 1,
-
-	.desc = {
-		.sadb_alg_id = SADB_X_AALG_RIPEMD160HMAC,
-		.sadb_alg_ivlen = 0,
-		.sadb_alg_minbits = 160,
-		.sadb_alg_maxbits = 160
-	}
-},
 {
 	.name = "xcbc(aes)",

 	.uinfo = {
 		.auth = {
diff --git a/tools/testing/selftests/net/ipsec.c b/tools/testing/selftests/net/ipsec.c
index f4afef51b9307..89c32c354c008 100644
--- a/tools/testing/selftests/net/ipsec.c
+++ b/tools/testing/selftests/net/ipsec.c
@@ -60,12 +60,10 @@
 #define grchild_ip(nr)	(4*nr + 2)

 #define VETH_FMT	"ktst-%d"
 #define VETH_LEN	12

-#define XFRM_ALGO_NR_KEYS 29
-
 static int nsfd_parent	= -1;
 static int nsfd_childa	= -1;
 static int nsfd_childb	= -1;
 static long page_size;

@@ -94,11 +92,10 @@ struct xfrm_key_entry xfrm_key_entries[] = {
 	{"cmac(aes)", 128},
 	{"xcbc(aes)", 128},
 	{"cbc(cast5)", 128},
 	{"cbc(serpent)", 128},
 	{"hmac(sha1)", 160},
-	{"hmac(rmd160)", 160},
 	{"cbc(des3_ede)", 192},
 	{"hmac(sha256)", 256},
 	{"cbc(aes)", 256},
 	{"cbc(camellia)", 256},
 	{"cbc(twofish)", 256},
@@ -811,11 +808,11 @@ static int do_ping(int cmd_fd, char *buf, size_t buf_len, struct in_addr from,
 static int xfrm_fill_key(char *name, char *buf,
 		size_t buf_len, unsigned int *key_len)
 {
 	int i;

-	for (i = 0; i < XFRM_ALGO_NR_KEYS; i++) {
+	for (i = 0; i < ARRAY_SIZE(xfrm_key_entries); i++) {
 		if (strncmp(name, xfrm_key_entries[i].algo_name, ALGO_LEN) == 0)
 			*key_len = xfrm_key_entries[i].key_len;
 	}

 	if (*key_len > buf_len) {
@@ -2059,12 +2056,11 @@ static int write_desc(int proto, int test_desc_fd,
 }

 int proto_list[] = { IPPROTO_AH, IPPROTO_COMP, IPPROTO_ESP };
 char *ah_list[] = {
 	"digest_null", "hmac(md5)", "hmac(sha1)", "hmac(sha256)",
-	"hmac(sha384)", "hmac(sha512)", "hmac(rmd160)",
-	"xcbc(aes)", "cmac(aes)"
+	"hmac(sha384)", "hmac(sha512)", "xcbc(aes)", "cmac(aes)"
 };
 char *comp_list[] = {
 	"deflate",
 #if 0
 	/* No compression backend realization */

base-commit: be14d13625c9b070c33c423026b598ed65695225
-- 
2.53.0

^ permalink raw reply related	[flat|nested] only message in thread

only message in thread, other threads:[~2026-04-05  1:16 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-05  1:15 [PATCH ipsec-next] xfrm: Drop support for HMAC-RIPEMD-160 Eric Biggers

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox