From: Simon Horman <horms@kernel.org>
To: ebiggers@kernel.org
Cc: 'Simon Horman' <horms@kernel.org>,
netdev@vger.kernel.org, linux-crypto@vger.kernel.org,
linux-kernel@vger.kernel.org, edumazet@google.com,
ncardwell@google.com, kuniyu@google.com, davem@davemloft.net,
dsahern@kernel.org, kuba@kernel.org, pabeni@redhat.com,
ardb@kernel.org, Jason@zx2c4.com, herbert@gondor.apana.org.au,
0x7f454c46@gmail.com
Subject: Re: [PATCH net-next v2 1/5] net/tcp-ao: Drop support for most non-RFC-specified algorithms
Date: Wed, 29 Apr 2026 19:58:29 +0100 [thread overview]
Message-ID: <20260429185828.1539480-2-horms@kernel.org> (raw)
In-Reply-To: <20260427172727.9310-2-ebiggers@kernel.org>
From: 'Simon Horman' <horms@kernel.org>
This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.
Full review at: https://sashiko.dev
---
Subject: net/tcp-ao: Drop support for most non-RFC-specified algorithms
This change restricts the algorithms accepted by setsockopt(TCP_AO_ADD_KEY)
to cmac(aes128)/cmac(aes)+keylen=16, hmac(sha1) and hmac(sha256), returning
-ENOENT for anything else. The selftest algorithm table and its Kconfig
fragment are updated to drop FIPS detection and rmd160.
A few questions inline below.
> diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c
> index a97cdf3e6af4..b21bd69b4e82 100644
> --- a/net/ipv4/tcp_ao.c
> +++ b/net/ipv4/tcp_ao.c
> @@ -1563,6 +1563,10 @@ static struct tcp_ao_key *tcp_ao_key_alloc(struct sock *sk,
> /* RFC5926, 3.1.1.2. KDF_AES_128_CMAC */
> if (!strcmp("cmac(aes128)", algo))
> algo = "cmac(aes)";
> + else if (strcmp("hmac(sha1)", algo) &&
> + strcmp("hmac(sha256)", algo) &&
> + (strcmp("cmac(aes)", algo) || cmd->keylen != 16))
> + return ERR_PTR(-ENOENT);
Is this a uAPI regression for existing users of TCP_AO_ADD_KEY?
Before this change, tcp_ao_add::alg_name accepted any crypto_ahash
algorithm name. The commit message itself notes "arbitrary HMAC algorithms
probably do work", and the selftest prior to this patch exercised
hmac(sha512), hmac(sha384), hmac(sha224), hmac(sha3-512), hmac(rmd160) and
hmac(md5), which demonstrates those configurations were functional in
practice.
A setsockopt call that previously succeeded with e.g. alg_name =
"hmac(sha512)" now returns -ENOENT after a kernel upgrade, with no
deprecation window, no Kconfig opt-in, and no runtime toggle. HMAC-SHA512
in particular seems like a plausible choice that a deployment may already
rely on.
Would it make sense to keep hmac(sha512) (and possibly hmac(sha384)) in the
accepted list, or to gate the removal behind a Kconfig/sysctl while warning
for a few releases?
Also, -ENOENT is the same error returned when the crypto module for an
otherwise-accepted algorithm is simply not built in. Should a distinct
errno (for example -EOPNOTSUPP) be used here so userspace can tell
"algorithm rejected by policy" apart from "algorithm module missing"?
> diff --git a/tools/testing/selftests/net/tcp_ao/config b/tools/testing/selftests/net/tcp_ao/config
> index f22148512365..47228a7d0b90 100644
> --- a/tools/testing/selftests/net/tcp_ao/config
> +++ b/tools/testing/selftests/net/tcp_ao/config
> @@ -1,6 +1,5 @@
> CONFIG_CRYPTO_CMAC=y
> CONFIG_CRYPTO_HMAC=y
> -CONFIG_CRYPTO_RMD160=y
> CONFIG_CRYPTO_SHA1=y
> CONFIG_IPV6=y
> CONFIG_IPV6_MULTIPLE_TABLES=y
Should CONFIG_CRYPTO_SHA256=y (and possibly CONFIG_CRYPTO_AES=y) be added
here?
> diff --git a/tools/testing/selftests/net/tcp_ao/key-management.c b/tools/testing/selftests/net/tcp_ao/key-management.c
> index 69d9a7a05d5c..d86bb380b79f 100644
> --- a/tools/testing/selftests/net/tcp_ao/key-management.c
> +++ b/tools/testing/selftests/net/tcp_ao/key-management.c
[ ... ]
> -const char *test_algos[] = {
> - "cmac(aes128)",
> - "hmac(sha1)", "hmac(sha512)", "hmac(sha384)", "hmac(sha256)",
> - "hmac(sha224)", "hmac(sha3-512)",
> - /* only if !CONFIG_FIPS */
> -#define TEST_NON_FIPS_ALGOS 2
> - "hmac(rmd160)", "hmac(md5)"
> -};
> +const char *test_algos[] = { "cmac(aes128)", "hmac(sha1)", "hmac(sha256)" };
With the FIPS/algorithm-probing logic removed and roughly one third of
generated keys now using hmac(sha256), and with the kernel side now
returning -ENOENT for non-whitelisted algorithms, tcp_sigpool_alloc_ahash()
will fail for every hmac(sha256) key on a kernel built from this config
unless CRYPTO_SHA256 is selected.
CRYPTO_SHA256 is not implied by CRYPTO_HMAC or TCP_AO, so on a kernel built
strictly from tools/testing/selftests/net/tcp_ao/config the tests would
appear to fail rather than be skipped. Can the config fragment be updated
to match the new required algorithm set?
One more question, on the commit message and documentation rather than the
diff: Documentation/networking/tcp_ao.rst still describes TCP-AO as "May
support any hashing algorithm" and does not mention the newly enforced
whitelist or the -ENOENT failure mode. Should tcp_ao.rst be updated in
this patch to list the accepted algorithm strings and the rationale (e.g.
the 20-byte TCP option MAC cap), so userspace has a documented contract?
next prev parent reply other threads:[~2026-04-29 19:02 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-27 17:27 [PATCH net-next v2 0/5] Reimplement TCP-AO using crypto library Eric Biggers
2026-04-27 17:27 ` [PATCH net-next v2 1/5] net/tcp-ao: Drop support for most non-RFC-specified algorithms Eric Biggers
2026-04-29 18:58 ` Simon Horman [this message]
2026-04-29 19:44 ` Eric Biggers
2026-04-29 21:11 ` Eric Biggers
2026-04-27 17:27 ` [PATCH net-next v2 2/5] net/tcp-ao: Use crypto library API instead of crypto_ahash Eric Biggers
2026-04-28 1:24 ` David Laight
2026-04-28 1:35 ` Eric Biggers
2026-04-28 6:34 ` Ard Biesheuvel
2026-04-28 10:10 ` David Laight
2026-04-28 16:38 ` Ard Biesheuvel
2026-04-28 22:00 ` David Laight
2026-04-27 17:27 ` [PATCH net-next v2 3/5] net/tcp-ao: Use stack-allocated MAC and traffic_key buffers Eric Biggers
2026-04-27 17:27 ` [PATCH net-next v2 4/5] net/tcp-ao: Return void from functions that can no longer fail Eric Biggers
2026-04-27 17:27 ` [PATCH net-next v2 5/5] net/tcp: Remove tcp_sigpool Eric Biggers
2026-04-27 19:09 ` [PATCH net-next v2 0/5] Reimplement TCP-AO using crypto library Dmitry Safonov
2026-04-27 20:01 ` Eric Biggers
2026-04-27 23:20 ` Eric Biggers
2026-04-28 16:26 ` Simo Sorce
2026-04-28 17:30 ` Eric Biggers
2026-04-27 22:55 ` Jakub Kicinski
2026-04-28 0:00 ` Dmitry Safonov
2026-04-28 5:41 ` Ard Biesheuvel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260429185828.1539480-2-horms@kernel.org \
--to=horms@kernel.org \
--cc=0x7f454c46@gmail.com \
--cc=Jason@zx2c4.com \
--cc=ardb@kernel.org \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=ebiggers@kernel.org \
--cc=edumazet@google.com \
--cc=herbert@gondor.apana.org.au \
--cc=kuba@kernel.org \
--cc=kuniyu@google.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=ncardwell@google.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox