* [RFC PATCH 0/8] Reimplement TCP-AO using crypto library
@ 2026-03-07 22:43 Eric Biggers
2026-03-07 22:43 ` [RFC PATCH 1/8] net/tcp-ao: Drop support for most non-RFC-specified algorithms Eric Biggers
` (9 more replies)
0 siblings, 10 replies; 13+ messages in thread
From: Eric Biggers @ 2026-03-07 22:43 UTC (permalink / raw)
To: netdev
Cc: linux-crypto, linux-kernel, Eric Dumazet, Neal Cardwell,
Kuniyuki Iwashima, David S . Miller, David Ahern, Jakub Kicinski,
Paolo Abeni, Simon Horman, Ard Biesheuvel, Jason A . Donenfeld,
Herbert Xu, Dmitry Safonov, Eric Biggers
This series can also be retrieved from:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux.git tcp-ao-v1
For now this series is an RFC, since it depends on the AES-CMAC library
API that is queued in libcrypto-next for 7.1. So, the soonest that this
could be applied to net-next is 7.2. I'm sending it out now in case
anyone has any early feedback.
This series refactors the TCP-AO (TCP Authentication Option) code to do
MAC and KDF computations using lib/crypto/ instead of crypto_ahash.
This greatly simplifies the code and makes it much more efficient. The
entire tcp_sigpool and crypto_ahash cloning mechanisms become
unnecessary and are removed, as the problems they were designed to solve
don't exist with the library APIs.
To make this possible, this series also restricts the supported
algorithms to a reasonable set, rather than supporting arbitrary
algorithms that don't make sense and are very likely not being used.
Specifically, this series leaves in place the support for AES-128-CMAC
and HMAC-SHA1 which are the only algorithms that actually have an RFC
specifying their use in TCP-AO, along with HMAC-SHA256 which is a
reasonable algorithm to continue supporting as a Linux extension.
This passes the tcp_ao selftests (tools/testing/selftests/net/tcp_ao).
To get a sense for how much more efficient this makes the TCP-AO code,
here's a microbenchmark for tcp_ao_hash_skb() with skb->len == 128:
Algorithm Avg cycles (before) Avg cycles (after)
--------- ------------------- ------------------
HMAC-SHA1 3319 1256
HMAC-SHA256 3311 1344
AES-128-CMAC 2720 1107
Eric Biggers (8):
net/tcp-ao: Drop support for most non-RFC-specified algorithms
net/tcp-ao: Use crypto library API instead of crypto_ahash
net/tcp-ao: Use stack-allocated MAC and traffic_key buffers
net/tcp-ao: Return void from functions that can no longer fail
net/tcp: Remove tcp_sigpool
crypto: hash - Remove support for cloning hash tfms
crypto: cipher - Remove support for cloning cipher tfms
crypto: api - Remove core support for cloning tfms
crypto/ahash.c | 70 --
crypto/api.c | 26 -
crypto/cipher.c | 28 -
crypto/cmac.c | 16 -
crypto/cryptd.c | 16 -
crypto/hmac.c | 31 -
crypto/internal.h | 2 -
crypto/shash.c | 37 -
include/crypto/hash.h | 8 -
include/crypto/internal/cipher.h | 2 -
include/net/tcp.h | 42 +-
include/net/tcp_ao.h | 69 +-
net/ipv4/Kconfig | 8 +-
net/ipv4/Makefile | 1 -
net/ipv4/tcp_ao.c | 677 +++++++++---------
net/ipv4/tcp_output.c | 10 +-
net/ipv4/tcp_sigpool.c | 366 ----------
net/ipv6/tcp_ao.c | 139 ++--
tools/testing/selftests/net/tcp_ao/config | 3 -
.../selftests/net/tcp_ao/key-management.c | 41 +-
20 files changed, 435 insertions(+), 1157 deletions(-)
delete mode 100644 net/ipv4/tcp_sigpool.c
base-commit: 0a217be68aedd0f6b48cf0476462bc94bd73eee7
--
2.53.0
^ permalink raw reply [flat|nested] 13+ messages in thread
* [RFC PATCH 1/8] net/tcp-ao: Drop support for most non-RFC-specified algorithms
2026-03-07 22:43 [RFC PATCH 0/8] Reimplement TCP-AO using crypto library Eric Biggers
@ 2026-03-07 22:43 ` Eric Biggers
2026-03-07 22:43 ` [RFC PATCH 2/8] net/tcp-ao: Use crypto library API instead of crypto_ahash Eric Biggers
` (8 subsequent siblings)
9 siblings, 0 replies; 13+ messages in thread
From: Eric Biggers @ 2026-03-07 22:43 UTC (permalink / raw)
To: netdev
Cc: linux-crypto, linux-kernel, Eric Dumazet, Neal Cardwell,
Kuniyuki Iwashima, David S . Miller, David Ahern, Jakub Kicinski,
Paolo Abeni, Simon Horman, Ard Biesheuvel, Jason A . Donenfeld,
Herbert Xu, Dmitry Safonov, Eric Biggers
RFC 5926 (https://datatracker.ietf.org/doc/html/rfc5926) specifies the
use of AES-128-CMAC and HMAC-SHA1 with TCP-AO. This includes a
specification for how traffic keys shall be derived for each algorithm.
Support for any other algorithms with TCP-AO isn't standardized, though
an expired Internet Draft (a work-in-progress document, not a standard)
from 2019 does propose adding HMAC-SHA256 support:
https://datatracker.ietf.org/doc/html/draft-nayak-tcp-sha2-03
Since both documents specify the KDF for each algorithm individually, it
isn't necessarily clear how any other algorithm should be integrated.
Nevertheless, the Linux implementation of TCP-AO allows userspace to
specify the MAC algorithm as a string tcp_ao_add::alg_name naming either
"cmac(aes128)" or an arbitrary algorithm in the crypto_ahash API. The
set of valid strings is undocumented. The implementation assumes that
"cmac(aes128)" is the only algorithm that requires an entropy extraction
step and that all algorithms accept keys with length equal to the
untruncated MAC; thus, arbitrary HMAC algorithms probably do work, but
some other MAC algorithms like AES-256-CMAC have never actually worked.
Unfortunately, this undocumented string allows many obsolete, insecure,
or redundant algorithms. For example, "hmac(md5)" and the
non-cryptographic "crc32" are accepted. It also ties the implementation
to crypto_ahash and requires that most memory be dynamically allocated,
making the implementation unnecessarily complex and inefficient.
Fortunately, it's very likely that only a few algorithms are actually
used in practice. Let's restrict the set of allowed algorithms to
"cmac(aes128)" (or "cmac(aes)" with keylen=16), "hmac(sha1)", and
"hmac(sha256)". The first two are the actually standard ones, while
HMAC-SHA256 seems like a reasonable algorithm to continue supporting as
a Linux extension, considering the Internet Draft for it and the fact
that SHA-256 is the usual choice of upgrade from the outdated SHA-1.
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
net/ipv4/tcp_ao.c | 4 ++
tools/testing/selftests/net/tcp_ao/config | 1 -
.../selftests/net/tcp_ao/key-management.c | 41 ++-----------------
3 files changed, 7 insertions(+), 39 deletions(-)
diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c
index a97cdf3e6af4c..b21bd69b4e829 100644
--- a/net/ipv4/tcp_ao.c
+++ b/net/ipv4/tcp_ao.c
@@ -1561,10 +1561,14 @@ static struct tcp_ao_key *tcp_ao_key_alloc(struct sock *sk,
cmd->alg_name[ARRAY_SIZE(cmd->alg_name) - 1] = '\0';
/* RFC5926, 3.1.1.2. KDF_AES_128_CMAC */
if (!strcmp("cmac(aes128)", algo))
algo = "cmac(aes)";
+ else if (strcmp("hmac(sha1)", algo) &&
+ strcmp("hmac(sha256)", algo) &&
+ (strcmp("cmac(aes)", algo) || cmd->keylen != 16))
+ return ERR_PTR(-ENOENT);
/* Full TCP header (th->doff << 2) should fit into scratch area,
* see tcp_ao_hash_header().
*/
pool_id = tcp_sigpool_alloc_ahash(algo, 60);
diff --git a/tools/testing/selftests/net/tcp_ao/config b/tools/testing/selftests/net/tcp_ao/config
index 971cb6fa2d630..0ec38c167e6df 100644
--- a/tools/testing/selftests/net/tcp_ao/config
+++ b/tools/testing/selftests/net/tcp_ao/config
@@ -1,7 +1,6 @@
CONFIG_CRYPTO_HMAC=y
-CONFIG_CRYPTO_RMD160=y
CONFIG_CRYPTO_SHA1=y
CONFIG_IPV6=y
CONFIG_IPV6_MULTIPLE_TABLES=y
CONFIG_NET_L3_MASTER_DEV=y
CONFIG_NET_VRF=y
diff --git a/tools/testing/selftests/net/tcp_ao/key-management.c b/tools/testing/selftests/net/tcp_ao/key-management.c
index 69d9a7a05d5c1..d86bb380b79f7 100644
--- a/tools/testing/selftests/net/tcp_ao/key-management.c
+++ b/tools/testing/selftests/net/tcp_ao/key-management.c
@@ -378,35 +378,10 @@ static void check_listen_socket(void)
this_ip_dest, DEFAULT_TEST_PREFIX,
false, true, 20, 10, FAULT_CURRNEXT);
close(sk);
}
-static const char *fips_fpath = "/proc/sys/crypto/fips_enabled";
-static bool is_fips_enabled(void)
-{
- static int fips_checked = -1;
- FILE *fenabled;
- int enabled;
-
- if (fips_checked >= 0)
- return !!fips_checked;
- if (access(fips_fpath, R_OK)) {
- if (errno != ENOENT)
- test_error("Can't open %s", fips_fpath);
- fips_checked = 0;
- return false;
- }
- fenabled = fopen(fips_fpath, "r");
- if (!fenabled)
- test_error("Can't open %s", fips_fpath);
- if (fscanf(fenabled, "%d", &enabled) != 1)
- test_error("Can't read from %s", fips_fpath);
- fclose(fenabled);
- fips_checked = !!enabled;
- return !!fips_checked;
-}
-
struct test_key {
char password[TCP_AO_MAXKEYLEN];
const char *alg;
unsigned int len;
uint8_t client_keyid;
@@ -428,18 +403,11 @@ struct key_collection {
};
static struct key_collection collection;
#define TEST_MAX_MACLEN 16
-const char *test_algos[] = {
- "cmac(aes128)",
- "hmac(sha1)", "hmac(sha512)", "hmac(sha384)", "hmac(sha256)",
- "hmac(sha224)", "hmac(sha3-512)",
- /* only if !CONFIG_FIPS */
-#define TEST_NON_FIPS_ALGOS 2
- "hmac(rmd160)", "hmac(md5)"
-};
+const char *test_algos[] = { "cmac(aes128)", "hmac(sha1)", "hmac(sha256)" };
const unsigned int test_maclens[] = { 1, 4, 12, 16 };
#define MACLEN_SHIFT 2
#define ALGOS_SHIFT 4
static unsigned int make_mask(unsigned int shift, unsigned int prev_shift)
@@ -450,11 +418,11 @@ static unsigned int make_mask(unsigned int shift, unsigned int prev_shift)
}
static void init_key_in_collection(unsigned int index, bool randomized)
{
struct test_key *key = &collection.keys[index];
- unsigned int algos_nr, algos_index;
+ unsigned int algos_index;
/* Same for randomized and non-randomized test flows */
key->client_keyid = index;
key->server_keyid = 127 + index;
key->matches_client = 1;
@@ -472,14 +440,11 @@ static void init_key_in_collection(unsigned int index, bool randomized)
unsigned int shift = MACLEN_SHIFT;
key->maclen = test_maclens[index & make_mask(shift, 0)];
algos_index = index & make_mask(ALGOS_SHIFT, shift);
}
- algos_nr = ARRAY_SIZE(test_algos);
- if (is_fips_enabled())
- algos_nr -= TEST_NON_FIPS_ALGOS;
- key->alg = test_algos[algos_index % algos_nr];
+ key->alg = test_algos[algos_index % ARRAY_SIZE(test_algos)];
}
static int init_default_key_collection(unsigned int nr_keys, bool randomized)
{
size_t key_sz = sizeof(collection.keys[0]);
--
2.53.0
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [RFC PATCH 2/8] net/tcp-ao: Use crypto library API instead of crypto_ahash
2026-03-07 22:43 [RFC PATCH 0/8] Reimplement TCP-AO using crypto library Eric Biggers
2026-03-07 22:43 ` [RFC PATCH 1/8] net/tcp-ao: Drop support for most non-RFC-specified algorithms Eric Biggers
@ 2026-03-07 22:43 ` Eric Biggers
2026-03-07 22:43 ` [RFC PATCH 3/8] net/tcp-ao: Use stack-allocated MAC and traffic_key buffers Eric Biggers
` (7 subsequent siblings)
9 siblings, 0 replies; 13+ messages in thread
From: Eric Biggers @ 2026-03-07 22:43 UTC (permalink / raw)
To: netdev
Cc: linux-crypto, linux-kernel, Eric Dumazet, Neal Cardwell,
Kuniyuki Iwashima, David S . Miller, David Ahern, Jakub Kicinski,
Paolo Abeni, Simon Horman, Ard Biesheuvel, Jason A . Donenfeld,
Herbert Xu, Dmitry Safonov, Eric Biggers
Currently the kernel's TCP-AO implementation does the MAC and KDF
computations using the crypto_ahash API. This API is inefficient and
difficult to use, and it has required extensive workarounds in the form
of per-CPU preallocated objects (tcp_sigpool) to work at all.
Let's use lib/crypto/ instead. This means switching to straightforward
stack-allocated structures, virtually addressed buffers, and direct
function calls. It also means removing quite a bit of error handling.
This makes TCP-AO quite a bit faster.
This also enables many additional cleanups, which later commits will
handle: removing tcp-sigpool, removing support for crypto_tfm cloning,
removing more error handling, and replacing more dynamically-allocated
buffers with stack buffers based on the now-statically-known limits.
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
include/net/tcp_ao.h | 27 +-
net/ipv4/Kconfig | 5 +-
net/ipv4/tcp_ao.c | 523 +++++++++++-----------
net/ipv6/tcp_ao.c | 63 ++-
tools/testing/selftests/net/tcp_ao/config | 2 -
5 files changed, 304 insertions(+), 316 deletions(-)
diff --git a/include/net/tcp_ao.h b/include/net/tcp_ao.h
index 1e9e27d6e06ba..f845bc631bc1e 100644
--- a/include/net/tcp_ao.h
+++ b/include/net/tcp_ao.h
@@ -1,11 +1,10 @@
/* SPDX-License-Identifier: GPL-2.0-or-later */
#ifndef _TCP_AO_H
#define _TCP_AO_H
-#define TCP_AO_KEY_ALIGN 1
-#define __tcp_ao_key_align __aligned(TCP_AO_KEY_ALIGN)
+#include <crypto/sha2.h> /* for SHA256_DIGEST_SIZE */
union tcp_ao_addr {
struct in_addr a4;
#if IS_ENABLED(CONFIG_IPV6)
struct in6_addr a6;
@@ -30,15 +29,26 @@ struct tcp_ao_counters {
atomic64_t key_not_found;
atomic64_t ao_required;
atomic64_t dropped_icmp;
};
+enum tcp_ao_algo_id {
+ TCP_AO_ALGO_HMAC_SHA1 = 1, /* specified by RFC 5926 */
+ TCP_AO_ALGO_HMAC_SHA256 = 2, /* Linux extension */
+ TCP_AO_ALGO_AES_128_CMAC = 3, /* specified by RFC 5926 */
+};
+
+#define TCP_AO_MAX_MAC_LEN SHA256_DIGEST_SIZE
+#define TCP_AO_MAX_TRAFFIC_KEY_LEN SHA256_DIGEST_SIZE
+
+struct tcp_ao_mac_ctx;
+
struct tcp_ao_key {
struct hlist_node node;
union tcp_ao_addr addr;
- u8 key[TCP_AO_MAXKEYLEN] __tcp_ao_key_align;
- unsigned int tcp_sigpool_id;
+ u8 key[TCP_AO_MAXKEYLEN];
+ enum tcp_ao_algo_id algo;
unsigned int digest_size;
int l3index;
u8 prefixlen;
u8 family;
u8 keylen;
@@ -166,18 +176,19 @@ struct tcp6_ao_context {
__be16 dport;
__be32 sisn;
__be32 disn;
};
-struct tcp_sigpool;
/* Established states are fast-path and there always is current_key/rnext_key */
#define TCP_AO_ESTABLISHED (TCPF_ESTABLISHED | TCPF_FIN_WAIT1 | TCPF_FIN_WAIT2 | \
TCPF_CLOSE_WAIT | TCPF_LAST_ACK | TCPF_CLOSING)
int tcp_ao_transmit_skb(struct sock *sk, struct sk_buff *skb,
struct tcp_ao_key *key, struct tcphdr *th,
__u8 *hash_location);
+void tcp_ao_mac_update(struct tcp_ao_mac_ctx *mac_ctx, const void *data,
+ size_t data_len);
int tcp_ao_hash_skb(unsigned short int family,
char *ao_hash, struct tcp_ao_key *key,
const struct sock *sk, const struct sk_buff *skb,
const u8 *tkey, int hash_offset, u32 sne);
int tcp_parse_ao(struct sock *sk, int cmd, unsigned short int family,
@@ -186,12 +197,12 @@ struct tcp_ao_key *tcp_ao_established_key(const struct sock *sk,
struct tcp_ao_info *ao,
int sndid, int rcvid);
int tcp_ao_copy_all_matching(const struct sock *sk, struct sock *newsk,
struct request_sock *req, struct sk_buff *skb,
int family);
-int tcp_ao_calc_traffic_key(struct tcp_ao_key *mkt, u8 *key, void *ctx,
- unsigned int len, struct tcp_sigpool *hp);
+void tcp_ao_calc_traffic_key(const struct tcp_ao_key *mkt, u8 *traffic_key,
+ const void *input, unsigned int input_len);
void tcp_ao_destroy_sock(struct sock *sk, bool twsk);
void tcp_ao_time_wait(struct tcp_timewait_sock *tcptw, struct tcp_sock *tp);
bool tcp_ao_ignore_icmp(const struct sock *sk, int family, int type, int code);
int tcp_ao_get_mkts(struct sock *sk, sockptr_t optval, sockptr_t optlen);
int tcp_ao_get_sock_info(struct sock *sk, sockptr_t optval, sockptr_t optlen);
@@ -232,11 +243,11 @@ struct tcp_ao_key *tcp_v4_ao_lookup_rsk(const struct sock *sk,
int sndid, int rcvid);
int tcp_v4_ao_hash_skb(char *ao_hash, struct tcp_ao_key *key,
const struct sock *sk, const struct sk_buff *skb,
const u8 *tkey, int hash_offset, u32 sne);
/* ipv6 specific functions */
-int tcp_v6_ao_hash_pseudoheader(struct tcp_sigpool *hp,
+int tcp_v6_ao_hash_pseudoheader(struct tcp_ao_mac_ctx *mac_ctx,
const struct in6_addr *daddr,
const struct in6_addr *saddr, int nbytes);
int tcp_v6_ao_calc_key_skb(struct tcp_ao_key *mkt, u8 *key,
const struct sk_buff *skb, __be32 sisn, __be32 disn);
int tcp_v6_ao_calc_key_sk(struct tcp_ao_key *mkt, u8 *key,
diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
index df922f9f52891..0fa293527cee9 100644
--- a/net/ipv4/Kconfig
+++ b/net/ipv4/Kconfig
@@ -745,13 +745,14 @@ config DEFAULT_TCP_CONG
config TCP_SIGPOOL
tristate
config TCP_AO
bool "TCP: Authentication Option (RFC5925)"
- select CRYPTO
+ select CRYPTO_LIB_AES_CBC_MACS
+ select CRYPTO_LIB_SHA1
+ select CRYPTO_LIB_SHA256
select CRYPTO_LIB_UTILS
- select TCP_SIGPOOL
depends on 64BIT && IPV6 != m # seq-number extension needs WRITE_ONCE(u64)
help
TCP-AO specifies the use of stronger Message Authentication Codes (MACs),
protects against replays for long-lived TCP connections, and
provides more details on the association of security with TCP
diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c
index b21bd69b4e829..0d24cbd66c9a1 100644
--- a/net/ipv4/tcp_ao.c
+++ b/net/ipv4/tcp_ao.c
@@ -7,11 +7,13 @@
* Francesco Ruggeri <fruggeri@arista.com>
* Salam Noureddine <noureddine@arista.com>
*/
#define pr_fmt(fmt) "TCP: " fmt
-#include <crypto/hash.h>
+#include <crypto/aes-cbc-macs.h>
+#include <crypto/sha1.h>
+#include <crypto/sha2.h>
#include <crypto/utils.h>
#include <linux/inetdevice.h>
#include <linux/tcp.h>
#include <net/tcp.h>
@@ -19,36 +21,137 @@
#include <net/icmp.h>
#include <trace/events/tcp.h>
DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);
-int tcp_ao_calc_traffic_key(struct tcp_ao_key *mkt, u8 *key, void *ctx,
- unsigned int len, struct tcp_sigpool *hp)
-{
- struct scatterlist sg;
- int ret;
+static const struct tcp_ao_algo {
+ const char *name;
+ unsigned int digest_size;
+} tcp_ao_algos[] = {
+ [TCP_AO_ALGO_HMAC_SHA1] = {
+ .name = "hmac(sha1)",
+ .digest_size = SHA1_DIGEST_SIZE,
+ },
+ [TCP_AO_ALGO_HMAC_SHA256] = {
+ .name = "hmac(sha256)",
+ .digest_size = SHA256_DIGEST_SIZE,
+ },
+ [TCP_AO_ALGO_AES_128_CMAC] = {
+ .name = "cmac(aes128)",
+ .digest_size = AES_BLOCK_SIZE, /* same as AES_KEYSIZE_128 */
+ },
+};
+
+struct tcp_ao_mac_ctx {
+ enum tcp_ao_algo_id algo;
+ union {
+ struct hmac_sha1_ctx hmac_sha1;
+ struct hmac_sha256_ctx hmac_sha256;
+ struct {
+ struct aes_cmac_key key;
+ struct aes_cmac_ctx ctx;
+ } aes_cmac;
+ };
+};
+
+static const struct tcp_ao_algo *tcp_ao_find_algo(const char *name)
+{
+ for (size_t i = 0; i < ARRAY_SIZE(tcp_ao_algos); i++) {
+ const struct tcp_ao_algo *algo = &tcp_ao_algos[i];
+
+ if (!algo->name)
+ continue;
+ if (WARN_ON_ONCE(algo->digest_size > TCP_AO_MAX_MAC_LEN ||
+ algo->digest_size >
+ TCP_AO_MAX_TRAFFIC_KEY_LEN))
+ continue;
+ if (strcmp(name, algo->name) == 0)
+ return algo;
+ }
+ return NULL;
+}
- if (crypto_ahash_setkey(crypto_ahash_reqtfm(hp->req),
- mkt->key, mkt->keylen))
- goto clear_hash;
+static void tcp_ao_mac_init(struct tcp_ao_mac_ctx *mac_ctx,
+ enum tcp_ao_algo_id algo, const u8 *traffic_key)
+{
+ mac_ctx->algo = algo;
+ switch (mac_ctx->algo) {
+ case TCP_AO_ALGO_HMAC_SHA1:
+ hmac_sha1_init_usingrawkey(&mac_ctx->hmac_sha1, traffic_key,
+ SHA1_DIGEST_SIZE);
+ return;
+ case TCP_AO_ALGO_HMAC_SHA256:
+ hmac_sha256_init_usingrawkey(&mac_ctx->hmac_sha256, traffic_key,
+ SHA256_DIGEST_SIZE);
+ return;
+ case TCP_AO_ALGO_AES_128_CMAC:
+ aes_cmac_preparekey(&mac_ctx->aes_cmac.key, traffic_key,
+ AES_KEYSIZE_128);
+ aes_cmac_init(&mac_ctx->aes_cmac.ctx, &mac_ctx->aes_cmac.key);
+ return;
+ default:
+ WARN_ON_ONCE(1); /* algo was validated earlier. */
+ }
+}
- ret = crypto_ahash_init(hp->req);
- if (ret)
- goto clear_hash;
+void tcp_ao_mac_update(struct tcp_ao_mac_ctx *mac_ctx, const void *data,
+ size_t data_len)
+{
+ switch (mac_ctx->algo) {
+ case TCP_AO_ALGO_HMAC_SHA1:
+ hmac_sha1_update(&mac_ctx->hmac_sha1, data, data_len);
+ return;
+ case TCP_AO_ALGO_HMAC_SHA256:
+ hmac_sha256_update(&mac_ctx->hmac_sha256, data, data_len);
+ return;
+ case TCP_AO_ALGO_AES_128_CMAC:
+ aes_cmac_update(&mac_ctx->aes_cmac.ctx, data, data_len);
+ return;
+ default:
+ WARN_ON_ONCE(1); /* algo was validated earlier. */
+ }
+}
- sg_init_one(&sg, ctx, len);
- ahash_request_set_crypt(hp->req, &sg, key, len);
- crypto_ahash_update(hp->req);
+static void tcp_ao_mac_final(struct tcp_ao_mac_ctx *mac_ctx, u8 *out)
+{
+ switch (mac_ctx->algo) {
+ case TCP_AO_ALGO_HMAC_SHA1:
+ hmac_sha1_final(&mac_ctx->hmac_sha1, out);
+ return;
+ case TCP_AO_ALGO_HMAC_SHA256:
+ hmac_sha256_final(&mac_ctx->hmac_sha256, out);
+ return;
+ case TCP_AO_ALGO_AES_128_CMAC:
+ aes_cmac_final(&mac_ctx->aes_cmac.ctx, out);
+ return;
+ default:
+ WARN_ON_ONCE(1); /* algo was validated earlier. */
+ }
+}
- ret = crypto_ahash_final(hp->req);
- if (ret)
- goto clear_hash;
+void tcp_ao_calc_traffic_key(const struct tcp_ao_key *mkt, u8 *traffic_key,
+ const void *input, unsigned int input_len)
+{
+ switch (mkt->algo) {
+ case TCP_AO_ALGO_HMAC_SHA1:
+ hmac_sha1_usingrawkey(mkt->key, mkt->keylen, input, input_len,
+ traffic_key);
+ return;
+ case TCP_AO_ALGO_HMAC_SHA256:
+ hmac_sha256_usingrawkey(mkt->key, mkt->keylen, input, input_len,
+ traffic_key);
+ return;
+ case TCP_AO_ALGO_AES_128_CMAC: {
+ struct aes_cmac_key k;
- return 0;
-clear_hash:
- memset(key, 0, tcp_ao_digest_size(mkt));
- return 1;
+ aes_cmac_preparekey(&k, mkt->key, AES_KEYSIZE_128);
+ aes_cmac(&k, input, input_len, traffic_key);
+ return;
+ }
+ default:
+ WARN_ON_ONCE(1); /* algo was validated earlier. */
+ }
}
bool tcp_ao_ignore_icmp(const struct sock *sk, int family, int type, int code)
{
bool ignore_icmp = false;
@@ -252,33 +355,30 @@ static struct tcp_ao_key *tcp_ao_copy_key(struct sock *sk,
if (!new_key)
return NULL;
*new_key = *key;
INIT_HLIST_NODE(&new_key->node);
- tcp_sigpool_get(new_key->tcp_sigpool_id);
atomic64_set(&new_key->pkt_good, 0);
atomic64_set(&new_key->pkt_bad, 0);
return new_key;
}
static void tcp_ao_key_free_rcu(struct rcu_head *head)
{
struct tcp_ao_key *key = container_of(head, struct tcp_ao_key, rcu);
- tcp_sigpool_release(key->tcp_sigpool_id);
kfree_sensitive(key);
}
static void tcp_ao_info_free(struct tcp_ao_info *ao)
{
struct tcp_ao_key *key;
struct hlist_node *n;
hlist_for_each_entry_safe(key, n, &ao->head, node) {
hlist_del(&key->node);
- tcp_sigpool_release(key->tcp_sigpool_id);
kfree_sensitive(key);
}
kfree(ao);
static_branch_slow_dec_deferred(&tcp_ao_needed);
}
@@ -344,33 +444,26 @@ static int tcp_v4_ao_calc_key(struct tcp_ao_key *mkt, u8 *key,
struct kdf_input_block {
u8 counter;
u8 label[6];
struct tcp4_ao_context ctx;
__be16 outlen;
- } __packed * tmp;
- struct tcp_sigpool hp;
- int err;
-
- err = tcp_sigpool_start(mkt->tcp_sigpool_id, &hp);
- if (err)
- return err;
-
- tmp = hp.scratch;
- tmp->counter = 1;
- memcpy(tmp->label, "TCP-AO", 6);
- tmp->ctx.saddr = saddr;
- tmp->ctx.daddr = daddr;
- tmp->ctx.sport = sport;
- tmp->ctx.dport = dport;
- tmp->ctx.sisn = sisn;
- tmp->ctx.disn = disn;
- tmp->outlen = htons(tcp_ao_digest_size(mkt) * 8); /* in bits */
-
- err = tcp_ao_calc_traffic_key(mkt, key, tmp, sizeof(*tmp), &hp);
- tcp_sigpool_end(&hp);
-
- return err;
+ } __packed input = {
+ .counter = 1,
+ .label = "TCP-AO",
+ .ctx = {
+ .saddr = saddr,
+ .daddr = daddr,
+ .sport = sport,
+ .dport = dport,
+ .sisn = sisn,
+ .disn = disn,
+ },
+ .outlen = htons(tcp_ao_digest_size(mkt) * 8), /* in bits */
+ };
+
+ tcp_ao_calc_traffic_key(mkt, key, &input, sizeof(input));
+ return 0;
}
int tcp_v4_ao_calc_key_sk(struct tcp_ao_key *mkt, u8 *key,
const struct sock *sk,
__be32 sisn, __be32 disn, bool send)
@@ -433,60 +526,57 @@ static int tcp_ao_calc_key_skb(struct tcp_ao_key *mkt, u8 *key,
return tcp_v6_ao_calc_key_skb(mkt, key, skb, sisn, disn);
#endif
return -EAFNOSUPPORT;
}
-static int tcp_v4_ao_hash_pseudoheader(struct tcp_sigpool *hp,
+static int tcp_v4_ao_hash_pseudoheader(struct tcp_ao_mac_ctx *mac_ctx,
__be32 daddr, __be32 saddr,
int nbytes)
{
- struct tcp4_pseudohdr *bp;
- struct scatterlist sg;
+ struct tcp4_pseudohdr phdr = {
+ .saddr = saddr,
+ .daddr = daddr,
+ .pad = 0,
+ .protocol = IPPROTO_TCP,
+ .len = cpu_to_be16(nbytes),
+ };
- bp = hp->scratch;
- bp->saddr = saddr;
- bp->daddr = daddr;
- bp->pad = 0;
- bp->protocol = IPPROTO_TCP;
- bp->len = cpu_to_be16(nbytes);
-
- sg_init_one(&sg, bp, sizeof(*bp));
- ahash_request_set_crypt(hp->req, &sg, NULL, sizeof(*bp));
- return crypto_ahash_update(hp->req);
+ tcp_ao_mac_update(mac_ctx, &phdr, sizeof(phdr));
+ return 0;
}
static int tcp_ao_hash_pseudoheader(unsigned short int family,
const struct sock *sk,
const struct sk_buff *skb,
- struct tcp_sigpool *hp, int nbytes)
+ struct tcp_ao_mac_ctx *mac_ctx, int nbytes)
{
const struct tcphdr *th = tcp_hdr(skb);
/* TODO: Can we rely on checksum being zero to mean outbound pkt? */
if (!th->check) {
if (family == AF_INET)
- return tcp_v4_ao_hash_pseudoheader(hp, sk->sk_daddr,
+ return tcp_v4_ao_hash_pseudoheader(mac_ctx, sk->sk_daddr,
sk->sk_rcv_saddr, skb->len);
#if IS_ENABLED(CONFIG_IPV6)
else if (family == AF_INET6)
- return tcp_v6_ao_hash_pseudoheader(hp, &sk->sk_v6_daddr,
+ return tcp_v6_ao_hash_pseudoheader(mac_ctx, &sk->sk_v6_daddr,
&sk->sk_v6_rcv_saddr, skb->len);
#endif
else
return -EAFNOSUPPORT;
}
if (family == AF_INET) {
const struct iphdr *iph = ip_hdr(skb);
- return tcp_v4_ao_hash_pseudoheader(hp, iph->daddr,
+ return tcp_v4_ao_hash_pseudoheader(mac_ctx, iph->daddr,
iph->saddr, skb->len);
#if IS_ENABLED(CONFIG_IPV6)
} else if (family == AF_INET6) {
const struct ipv6hdr *iph = ipv6_hdr(skb);
- return tcp_v6_ao_hash_pseudoheader(hp, &iph->daddr,
+ return tcp_v6_ao_hash_pseudoheader(mac_ctx, &iph->daddr,
&iph->saddr, skb->len);
#endif
}
return -EAFNOSUPPORT;
}
@@ -504,35 +594,24 @@ u32 tcp_ao_compute_sne(u32 next_sne, u32 next_seq, u32 seq)
}
return sne;
}
-/* tcp_ao_hash_sne(struct tcp_sigpool *hp)
- * @hp - used for hashing
- * @sne - sne value
- */
-static int tcp_ao_hash_sne(struct tcp_sigpool *hp, u32 sne)
+static void tcp_ao_hash_sne(struct tcp_ao_mac_ctx *mac_ctx, u32 sne)
{
- struct scatterlist sg;
- __be32 *bp;
-
- bp = (__be32 *)hp->scratch;
- *bp = htonl(sne);
+ __be32 sne_be32 = htonl(sne);
- sg_init_one(&sg, bp, sizeof(*bp));
- ahash_request_set_crypt(hp->req, &sg, NULL, sizeof(*bp));
- return crypto_ahash_update(hp->req);
+ tcp_ao_mac_update(mac_ctx, &sne_be32, sizeof(sne_be32));
}
-static int tcp_ao_hash_header(struct tcp_sigpool *hp,
- const struct tcphdr *th,
- bool exclude_options, u8 *hash,
- int hash_offset, int hash_len)
+static void tcp_ao_hash_header(struct tcp_ao_mac_ctx *mac_ctx,
+ const struct tcphdr *th, bool exclude_options,
+ u8 *hash, int hash_offset, int hash_len)
{
- struct scatterlist sg;
- u8 *hdr = hp->scratch;
- int err, len;
+ /* Full TCP header (th->doff << 2) should fit into scratch area. */
+ u8 hdr[60];
+ int len;
/* We are not allowed to change tcphdr, make a local copy */
if (exclude_options) {
len = sizeof(*th) + sizeof(struct tcp_ao_hdr) + hash_len;
memcpy(hdr, th, sizeof(*th));
@@ -548,126 +627,105 @@ static int tcp_ao_hash_header(struct tcp_sigpool *hp,
/* zero out tcp-ao hash */
((struct tcphdr *)hdr)->check = 0;
memset(hdr + hash_offset, 0, hash_len);
}
- sg_init_one(&sg, hdr, len);
- ahash_request_set_crypt(hp->req, &sg, NULL, len);
- err = crypto_ahash_update(hp->req);
- WARN_ON_ONCE(err != 0);
- return err;
+ tcp_ao_mac_update(mac_ctx, hdr, len);
}
int tcp_ao_hash_hdr(unsigned short int family, char *ao_hash,
struct tcp_ao_key *key, const u8 *tkey,
const union tcp_ao_addr *daddr,
const union tcp_ao_addr *saddr,
const struct tcphdr *th, u32 sne)
{
- int tkey_len = tcp_ao_digest_size(key);
int hash_offset = ao_hash - (char *)th;
- struct tcp_sigpool hp;
- void *hash_buf = NULL;
-
- hash_buf = kmalloc(tkey_len, GFP_ATOMIC);
- if (!hash_buf)
- goto clear_hash_noput;
-
- if (tcp_sigpool_start(key->tcp_sigpool_id, &hp))
- goto clear_hash_noput;
-
- if (crypto_ahash_setkey(crypto_ahash_reqtfm(hp.req), tkey, tkey_len))
- goto clear_hash;
-
- if (crypto_ahash_init(hp.req))
- goto clear_hash;
+ struct tcp_ao_mac_ctx mac_ctx;
+ u8 hash_buf[TCP_AO_MAX_MAC_LEN];
- if (tcp_ao_hash_sne(&hp, sne))
- goto clear_hash;
+ tcp_ao_mac_init(&mac_ctx, key->algo, tkey);
+ tcp_ao_hash_sne(&mac_ctx, sne);
if (family == AF_INET) {
- if (tcp_v4_ao_hash_pseudoheader(&hp, daddr->a4.s_addr,
- saddr->a4.s_addr, th->doff * 4))
- goto clear_hash;
+ tcp_v4_ao_hash_pseudoheader(&mac_ctx, daddr->a4.s_addr,
+ saddr->a4.s_addr, th->doff * 4);
#if IS_ENABLED(CONFIG_IPV6)
} else if (family == AF_INET6) {
- if (tcp_v6_ao_hash_pseudoheader(&hp, &daddr->a6,
- &saddr->a6, th->doff * 4))
- goto clear_hash;
+ tcp_v6_ao_hash_pseudoheader(&mac_ctx, &daddr->a6,
+ &saddr->a6, th->doff * 4);
#endif
} else {
WARN_ON_ONCE(1);
goto clear_hash;
}
- if (tcp_ao_hash_header(&hp, th,
- !!(key->keyflags & TCP_AO_KEYF_EXCLUDE_OPT),
- ao_hash, hash_offset, tcp_ao_maclen(key)))
- goto clear_hash;
- ahash_request_set_crypt(hp.req, NULL, hash_buf, 0);
- if (crypto_ahash_final(hp.req))
- goto clear_hash;
+ tcp_ao_hash_header(&mac_ctx, th,
+ !!(key->keyflags & TCP_AO_KEYF_EXCLUDE_OPT),
+ ao_hash, hash_offset, tcp_ao_maclen(key));
+ tcp_ao_mac_final(&mac_ctx, hash_buf);
memcpy(ao_hash, hash_buf, tcp_ao_maclen(key));
- tcp_sigpool_end(&hp);
- kfree(hash_buf);
return 0;
clear_hash:
- tcp_sigpool_end(&hp);
-clear_hash_noput:
memset(ao_hash, 0, tcp_ao_maclen(key));
- kfree(hash_buf);
return 1;
}
+static void tcp_ao_hash_skb_data(struct tcp_ao_mac_ctx *mac_ctx,
+ const struct sk_buff *skb,
+ unsigned int header_len)
+{
+ const unsigned int head_data_len = skb_headlen(skb) > header_len ?
+ skb_headlen(skb) - header_len : 0;
+ const struct skb_shared_info *shi = skb_shinfo(skb);
+ struct sk_buff *frag_iter;
+ unsigned int i;
+
+ tcp_ao_mac_update(mac_ctx, (const u8 *)tcp_hdr(skb) + header_len,
+ head_data_len);
+
+ for (i = 0; i < shi->nr_frags; ++i) {
+ const skb_frag_t *f = &shi->frags[i];
+ u32 p_off, p_len, copied;
+ const void *vaddr;
+ struct page *p;
+
+ skb_frag_foreach_page(f, skb_frag_off(f), skb_frag_size(f),
+ p, p_off, p_len, copied) {
+ vaddr = kmap_local_page(p);
+ tcp_ao_mac_update(mac_ctx, vaddr + p_off, p_len);
+ kunmap_local(vaddr);
+ }
+ }
+
+ skb_walk_frags(skb, frag_iter)
+ tcp_ao_hash_skb_data(mac_ctx, frag_iter, 0);
+}
+
int tcp_ao_hash_skb(unsigned short int family,
char *ao_hash, struct tcp_ao_key *key,
const struct sock *sk, const struct sk_buff *skb,
const u8 *tkey, int hash_offset, u32 sne)
{
const struct tcphdr *th = tcp_hdr(skb);
- int tkey_len = tcp_ao_digest_size(key);
- struct tcp_sigpool hp;
- void *hash_buf = NULL;
-
- hash_buf = kmalloc(tkey_len, GFP_ATOMIC);
- if (!hash_buf)
- goto clear_hash_noput;
-
- if (tcp_sigpool_start(key->tcp_sigpool_id, &hp))
- goto clear_hash_noput;
-
- if (crypto_ahash_setkey(crypto_ahash_reqtfm(hp.req), tkey, tkey_len))
- goto clear_hash;
-
- /* For now use sha1 by default. Depends on alg in tcp_ao_key */
- if (crypto_ahash_init(hp.req))
- goto clear_hash;
+ struct tcp_ao_mac_ctx mac_ctx;
+ u8 hash_buf[TCP_AO_MAX_MAC_LEN];
- if (tcp_ao_hash_sne(&hp, sne))
- goto clear_hash;
- if (tcp_ao_hash_pseudoheader(family, sk, skb, &hp, skb->len))
- goto clear_hash;
- if (tcp_ao_hash_header(&hp, th,
- !!(key->keyflags & TCP_AO_KEYF_EXCLUDE_OPT),
- ao_hash, hash_offset, tcp_ao_maclen(key)))
- goto clear_hash;
- if (tcp_sigpool_hash_skb_data(&hp, skb, th->doff << 2))
- goto clear_hash;
- ahash_request_set_crypt(hp.req, NULL, hash_buf, 0);
- if (crypto_ahash_final(hp.req))
+ tcp_ao_mac_init(&mac_ctx, key->algo, tkey);
+ tcp_ao_hash_sne(&mac_ctx, sne);
+ if (tcp_ao_hash_pseudoheader(family, sk, skb, &mac_ctx, skb->len))
goto clear_hash;
+ tcp_ao_hash_header(&mac_ctx, th,
+ !!(key->keyflags & TCP_AO_KEYF_EXCLUDE_OPT),
+ ao_hash, hash_offset, tcp_ao_maclen(key));
+ tcp_ao_hash_skb_data(&mac_ctx, skb, th->doff << 2);
+ tcp_ao_mac_final(&mac_ctx, hash_buf);
memcpy(ao_hash, hash_buf, tcp_ao_maclen(key));
- tcp_sigpool_end(&hp);
- kfree(hash_buf);
return 0;
clear_hash:
- tcp_sigpool_end(&hp);
-clear_hash_noput:
memset(ao_hash, 0, tcp_ao_maclen(key));
- kfree(hash_buf);
return 1;
}
int tcp_v4_ao_hash_skb(char *ao_hash, struct tcp_ao_key *key,
const struct sock *sk, const struct sk_buff *skb,
@@ -1278,11 +1336,10 @@ int tcp_ao_copy_all_matching(const struct sock *sk, struct sock *newsk,
return 0;
free_and_exit:
hlist_for_each_entry_safe(key, key_head, &new_ao->head, node) {
hlist_del(&key->node);
- tcp_sigpool_release(key->tcp_sigpool_id);
atomic_sub(tcp_ao_sizeof_key(key), &newsk->sk_omem_alloc);
kfree_sensitive(key);
}
free_ao:
kfree(new_ao);
@@ -1334,27 +1391,14 @@ static int tcp_ao_verify_ipv4(struct sock *sk, struct tcp_ao_add *cmd,
*addr = (union tcp_ao_addr *)&sin->sin_addr;
return 0;
}
-static int tcp_ao_parse_crypto(struct tcp_ao_add *cmd, struct tcp_ao_key *key)
+static int tcp_ao_parse_crypto(const struct tcp_ao_add *cmd,
+ struct tcp_ao_key *key)
{
unsigned int syn_tcp_option_space;
- bool is_kdf_aes_128_cmac = false;
- struct crypto_ahash *tfm;
- struct tcp_sigpool hp;
- void *tmp_key = NULL;
- int err;
-
- /* RFC5926, 3.1.1.2. KDF_AES_128_CMAC */
- if (!strcmp("cmac(aes128)", cmd->alg_name)) {
- strscpy(cmd->alg_name, "cmac(aes)", sizeof(cmd->alg_name));
- is_kdf_aes_128_cmac = (cmd->keylen != 16);
- tmp_key = kmalloc(cmd->keylen, GFP_KERNEL);
- if (!tmp_key)
- return -ENOMEM;
- }
key->maclen = cmd->maclen ?: 12; /* 12 is the default in RFC5925 */
/* Check: maclen + tcp-ao header <= (MAX_TCP_OPTION_SPACE - mss
* - tstamp (including sackperm)
@@ -1386,68 +1430,31 @@ static int tcp_ao_parse_crypto(struct tcp_ao_add *cmd, struct tcp_ao_key *key)
*/
syn_tcp_option_space = MAX_TCP_OPTION_SPACE;
syn_tcp_option_space -= TCPOLEN_MSS_ALIGNED;
syn_tcp_option_space -= TCPOLEN_TSTAMP_ALIGNED;
syn_tcp_option_space -= TCPOLEN_WSCALE_ALIGNED;
- if (tcp_ao_len_aligned(key) > syn_tcp_option_space) {
- err = -EMSGSIZE;
- goto err_kfree;
- }
-
- key->keylen = cmd->keylen;
- memcpy(key->key, cmd->key, cmd->keylen);
-
- err = tcp_sigpool_start(key->tcp_sigpool_id, &hp);
- if (err)
- goto err_kfree;
-
- tfm = crypto_ahash_reqtfm(hp.req);
- if (is_kdf_aes_128_cmac) {
- void *scratch = hp.scratch;
- struct scatterlist sg;
-
- memcpy(tmp_key, cmd->key, cmd->keylen);
- sg_init_one(&sg, tmp_key, cmd->keylen);
-
- /* Using zero-key of 16 bytes as described in RFC5926 */
- memset(scratch, 0, 16);
- err = crypto_ahash_setkey(tfm, scratch, 16);
- if (err)
- goto err_pool_end;
-
- err = crypto_ahash_init(hp.req);
- if (err)
- goto err_pool_end;
-
- ahash_request_set_crypt(hp.req, &sg, key->key, cmd->keylen);
- err = crypto_ahash_update(hp.req);
- if (err)
- goto err_pool_end;
-
- err |= crypto_ahash_final(hp.req);
- if (err)
- goto err_pool_end;
- key->keylen = 16;
+ if (tcp_ao_len_aligned(key) > syn_tcp_option_space)
+ return -EMSGSIZE;
+
+ if (key->algo == TCP_AO_ALGO_AES_128_CMAC &&
+ cmd->keylen != AES_KEYSIZE_128) {
+ /* RFC5926, 3.1.1.2. KDF_AES_128_CMAC */
+ static const u8 zeroes[AES_KEYSIZE_128];
+ struct aes_cmac_key extractor;
+
+ aes_cmac_preparekey(&extractor, zeroes, AES_KEYSIZE_128);
+ aes_cmac(&extractor, cmd->key, cmd->keylen, key->key);
+ key->keylen = AES_KEYSIZE_128;
+ } else {
+ memcpy(key->key, cmd->key, cmd->keylen);
+ key->keylen = cmd->keylen;
}
- err = crypto_ahash_setkey(tfm, key->key, key->keylen);
- if (err)
- goto err_pool_end;
-
- tcp_sigpool_end(&hp);
- kfree_sensitive(tmp_key);
-
if (tcp_ao_maclen(key) > key->digest_size)
return -EINVAL;
return 0;
-
-err_pool_end:
- tcp_sigpool_end(&hp);
-err_kfree:
- kfree_sensitive(tmp_key);
- return err;
}
#if IS_ENABLED(CONFIG_IPV6)
static int tcp_ao_verify_ipv6(struct sock *sk, struct tcp_ao_add *cmd,
union tcp_ao_addr **paddr,
@@ -1547,58 +1554,37 @@ static struct tcp_ao_info *getsockopt_ao_info(struct sock *sk)
#define TCP_AO_GET_KEYF_VALID (TCP_AO_KEYF_IFINDEX)
static struct tcp_ao_key *tcp_ao_key_alloc(struct sock *sk,
struct tcp_ao_add *cmd)
{
- const char *algo = cmd->alg_name;
- unsigned int digest_size;
- struct crypto_ahash *tfm;
+ const struct tcp_ao_algo *algo;
struct tcp_ao_key *key;
- struct tcp_sigpool hp;
- int err, pool_id;
size_t size;
/* Force null-termination of alg_name */
cmd->alg_name[ARRAY_SIZE(cmd->alg_name) - 1] = '\0';
- /* RFC5926, 3.1.1.2. KDF_AES_128_CMAC */
- if (!strcmp("cmac(aes128)", algo))
- algo = "cmac(aes)";
- else if (strcmp("hmac(sha1)", algo) &&
- strcmp("hmac(sha256)", algo) &&
- (strcmp("cmac(aes)", algo) || cmd->keylen != 16))
- return ERR_PTR(-ENOENT);
-
- /* Full TCP header (th->doff << 2) should fit into scratch area,
- * see tcp_ao_hash_header().
+ /*
+ * For backwards compatibility, accept "cmac(aes)" as an alias for
+ * "cmac(aes128)", provided that the key length is exactly 128 bits.
*/
- pool_id = tcp_sigpool_alloc_ahash(algo, 60);
- if (pool_id < 0)
- return ERR_PTR(pool_id);
-
- err = tcp_sigpool_start(pool_id, &hp);
- if (err)
- goto err_free_pool;
+ if (strcmp(cmd->alg_name, "cmac(aes)") == 0 &&
+ cmd->keylen == AES_KEYSIZE_128)
+ strscpy(cmd->alg_name, "cmac(aes128)");
- tfm = crypto_ahash_reqtfm(hp.req);
- digest_size = crypto_ahash_digestsize(tfm);
- tcp_sigpool_end(&hp);
+ algo = tcp_ao_find_algo(cmd->alg_name);
+ if (!algo)
+ return ERR_PTR(-ENOENT);
- size = sizeof(struct tcp_ao_key) + (digest_size << 1);
+ size = sizeof(struct tcp_ao_key) + (algo->digest_size << 1);
key = sock_kmalloc(sk, size, GFP_KERNEL);
- if (!key) {
- err = -ENOMEM;
- goto err_free_pool;
- }
+ if (!key)
+ return ERR_PTR(-ENOMEM);
- key->tcp_sigpool_id = pool_id;
- key->digest_size = digest_size;
+ key->algo = algo - tcp_ao_algos;
+ key->digest_size = algo->digest_size;
return key;
-
-err_free_pool:
- tcp_sigpool_release(pool_id);
- return ERR_PTR(err);
}
static int tcp_ao_add_cmd(struct sock *sk, unsigned short int family,
sockptr_t optval, int optlen)
{
@@ -1755,11 +1741,10 @@ static int tcp_ao_add_cmd(struct sock *sk, unsigned short int family,
WRITE_ONCE(ao_info->rnext_key, key);
return 0;
err_free_sock:
atomic_sub(tcp_ao_sizeof_key(key), &sk->sk_omem_alloc);
- tcp_sigpool_release(key->tcp_sigpool_id);
kfree_sensitive(key);
err_free_ao:
if (first)
kfree(ao_info);
return ret;
@@ -2286,11 +2271,15 @@ static int tcp_ao_copy_mkts_to_user(const struct sock *sk,
opt_out.keylen = key->keylen;
opt_out.ifindex = key->l3index;
opt_out.pkt_good = atomic64_read(&key->pkt_good);
opt_out.pkt_bad = atomic64_read(&key->pkt_bad);
memcpy(&opt_out.key, key->key, key->keylen);
- tcp_sigpool_algo(key->tcp_sigpool_id, opt_out.alg_name, 64);
+ if (key->algo == TCP_AO_ALGO_AES_128_CMAC)
+ /* This is needed for backwards compatibility. */
+ strscpy(opt_out.alg_name, "cmac(aes)");
+ else
+ strscpy(opt_out.alg_name, tcp_ao_algos[key->algo].name);
/* Copy key to user */
if (copy_to_sockptr_offset(optval, out_offset,
&opt_out, bytes_to_write))
return -EFAULT;
diff --git a/net/ipv6/tcp_ao.c b/net/ipv6/tcp_ao.c
index 3c09ac26206e3..2dcfe9dda7f4a 100644
--- a/net/ipv6/tcp_ao.c
+++ b/net/ipv6/tcp_ao.c
@@ -5,11 +5,10 @@
*
* Authors: Dmitry Safonov <dima@arista.com>
* Francesco Ruggeri <fruggeri@arista.com>
* Salam Noureddine <noureddine@arista.com>
*/
-#include <crypto/hash.h>
#include <linux/tcp.h>
#include <net/tcp.h>
#include <net/ipv6.h>
@@ -22,33 +21,26 @@ static int tcp_v6_ao_calc_key(struct tcp_ao_key *mkt, u8 *key,
struct kdf_input_block {
u8 counter;
u8 label[6];
struct tcp6_ao_context ctx;
__be16 outlen;
- } __packed * tmp;
- struct tcp_sigpool hp;
- int err;
-
- err = tcp_sigpool_start(mkt->tcp_sigpool_id, &hp);
- if (err)
- return err;
-
- tmp = hp.scratch;
- tmp->counter = 1;
- memcpy(tmp->label, "TCP-AO", 6);
- tmp->ctx.saddr = *saddr;
- tmp->ctx.daddr = *daddr;
- tmp->ctx.sport = sport;
- tmp->ctx.dport = dport;
- tmp->ctx.sisn = sisn;
- tmp->ctx.disn = disn;
- tmp->outlen = htons(tcp_ao_digest_size(mkt) * 8); /* in bits */
-
- err = tcp_ao_calc_traffic_key(mkt, key, tmp, sizeof(*tmp), &hp);
- tcp_sigpool_end(&hp);
-
- return err;
+ } __packed input = {
+ .counter = 1,
+ .label = "TCP-AO",
+ .ctx = {
+ .saddr = *saddr,
+ .daddr = *daddr,
+ .sport = sport,
+ .dport = dport,
+ .sisn = sisn,
+ .disn = disn,
+ },
+ .outlen = htons(tcp_ao_digest_size(mkt) * 8), /* in bits */
+ };
+
+ tcp_ao_calc_traffic_key(mkt, key, &input, sizeof(input));
+ return 0;
}
int tcp_v6_ao_calc_key_skb(struct tcp_ao_key *mkt, u8 *key,
const struct sk_buff *skb,
__be32 sisn, __be32 disn)
@@ -110,27 +102,24 @@ struct tcp_ao_key *tcp_v6_ao_lookup_rsk(const struct sock *sk,
l3index = l3mdev_master_ifindex_by_index(sock_net(sk), ireq->ir_iif);
return tcp_ao_do_lookup(sk, l3index, (union tcp_ao_addr *)addr,
AF_INET6, sndid, rcvid);
}
-int tcp_v6_ao_hash_pseudoheader(struct tcp_sigpool *hp,
+int tcp_v6_ao_hash_pseudoheader(struct tcp_ao_mac_ctx *mac_ctx,
const struct in6_addr *daddr,
const struct in6_addr *saddr, int nbytes)
{
- struct tcp6_pseudohdr *bp;
- struct scatterlist sg;
-
- bp = hp->scratch;
/* 1. TCP pseudo-header (RFC2460) */
- bp->saddr = *saddr;
- bp->daddr = *daddr;
- bp->len = cpu_to_be32(nbytes);
- bp->protocol = cpu_to_be32(IPPROTO_TCP);
-
- sg_init_one(&sg, bp, sizeof(*bp));
- ahash_request_set_crypt(hp->req, &sg, NULL, sizeof(*bp));
- return crypto_ahash_update(hp->req);
+ struct tcp6_pseudohdr phdr = {
+ .saddr = *saddr,
+ .daddr = *daddr,
+ .len = cpu_to_be32(nbytes),
+ .protocol = cpu_to_be32(IPPROTO_TCP),
+ };
+
+ tcp_ao_mac_update(mac_ctx, &phdr, sizeof(phdr));
+ return 0;
}
int tcp_v6_ao_hash_skb(char *ao_hash, struct tcp_ao_key *key,
const struct sock *sk, const struct sk_buff *skb,
const u8 *tkey, int hash_offset, u32 sne)
diff --git a/tools/testing/selftests/net/tcp_ao/config b/tools/testing/selftests/net/tcp_ao/config
index 0ec38c167e6df..1b120bfd89c40 100644
--- a/tools/testing/selftests/net/tcp_ao/config
+++ b/tools/testing/selftests/net/tcp_ao/config
@@ -1,7 +1,5 @@
-CONFIG_CRYPTO_HMAC=y
-CONFIG_CRYPTO_SHA1=y
CONFIG_IPV6=y
CONFIG_IPV6_MULTIPLE_TABLES=y
CONFIG_NET_L3_MASTER_DEV=y
CONFIG_NET_VRF=y
CONFIG_TCP_AO=y
--
2.53.0
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [RFC PATCH 3/8] net/tcp-ao: Use stack-allocated MAC and traffic_key buffers
2026-03-07 22:43 [RFC PATCH 0/8] Reimplement TCP-AO using crypto library Eric Biggers
2026-03-07 22:43 ` [RFC PATCH 1/8] net/tcp-ao: Drop support for most non-RFC-specified algorithms Eric Biggers
2026-03-07 22:43 ` [RFC PATCH 2/8] net/tcp-ao: Use crypto library API instead of crypto_ahash Eric Biggers
@ 2026-03-07 22:43 ` Eric Biggers
2026-03-07 22:43 ` [RFC PATCH 4/8] net/tcp-ao: Return void from functions that can no longer fail Eric Biggers
` (6 subsequent siblings)
9 siblings, 0 replies; 13+ messages in thread
From: Eric Biggers @ 2026-03-07 22:43 UTC (permalink / raw)
To: netdev
Cc: linux-crypto, linux-kernel, Eric Dumazet, Neal Cardwell,
Kuniyuki Iwashima, David S . Miller, David Ahern, Jakub Kicinski,
Paolo Abeni, Simon Horman, Ard Biesheuvel, Jason A . Donenfeld,
Herbert Xu, Dmitry Safonov, Eric Biggers
Now that the maximum MAC and traffic key lengths are statically-known
small values, allocate MACs and traffic keys on the stack instead of
with kmalloc. This eliminates multiple failure-prone GFP_ATOMIC
allocations.
Note that some cases such as tcp_ao_prepare_reset() are left unchanged
for now since they would require slightly wider changes.
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
net/ipv4/tcp_ao.c | 44 +++++++++++---------------------------------
net/ipv6/tcp_ao.c | 17 +++++------------
2 files changed, 16 insertions(+), 45 deletions(-)
diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c
index 0d24cbd66c9a1..69f1d6d26562e 100644
--- a/net/ipv4/tcp_ao.c
+++ b/net/ipv4/tcp_ao.c
@@ -737,26 +737,19 @@ int tcp_v4_ao_hash_skb(char *ao_hash, struct tcp_ao_key *key,
int tcp_v4_ao_synack_hash(char *ao_hash, struct tcp_ao_key *ao_key,
struct request_sock *req, const struct sk_buff *skb,
int hash_offset, u32 sne)
{
- void *hash_buf = NULL;
+ u8 tkey_buf[TCP_AO_MAX_TRAFFIC_KEY_LEN];
int err;
- hash_buf = kmalloc(tcp_ao_digest_size(ao_key), GFP_ATOMIC);
- if (!hash_buf)
- return -ENOMEM;
-
- err = tcp_v4_ao_calc_key_rsk(ao_key, hash_buf, req);
+ err = tcp_v4_ao_calc_key_rsk(ao_key, tkey_buf, req);
if (err)
- goto out;
+ return err;
- err = tcp_ao_hash_skb(AF_INET, ao_hash, ao_key, req_to_sk(req), skb,
- hash_buf, hash_offset, sne);
-out:
- kfree(hash_buf);
- return err;
+ return tcp_ao_hash_skb(AF_INET, ao_hash, ao_key, req_to_sk(req), skb,
+ tkey_buf, hash_offset, sne);
}
struct tcp_ao_key *tcp_v4_ao_lookup_rsk(const struct sock *sk,
struct request_sock *req,
int sndid, int rcvid)
@@ -867,13 +860,13 @@ int tcp_ao_prepare_reset(const struct sock *sk, struct sk_buff *skb,
int tcp_ao_transmit_skb(struct sock *sk, struct sk_buff *skb,
struct tcp_ao_key *key, struct tcphdr *th,
__u8 *hash_location)
{
struct tcp_skb_cb *tcb = TCP_SKB_CB(skb);
+ u8 tkey_buf[TCP_AO_MAX_TRAFFIC_KEY_LEN];
struct tcp_sock *tp = tcp_sk(sk);
struct tcp_ao_info *ao;
- void *tkey_buf = NULL;
u8 *traffic_key;
u32 sne;
ao = rcu_dereference_protected(tcp_sk(sk)->ao_info,
lockdep_sock_is_held(sk));
@@ -881,13 +874,10 @@ int tcp_ao_transmit_skb(struct sock *sk, struct sk_buff *skb,
if (unlikely(tcb->tcp_flags & TCPHDR_SYN)) {
__be32 disn;
if (!(tcb->tcp_flags & TCPHDR_ACK)) {
disn = 0;
- tkey_buf = kmalloc(tcp_ao_digest_size(key), GFP_ATOMIC);
- if (!tkey_buf)
- return -ENOMEM;
traffic_key = tkey_buf;
} else {
disn = ao->risn;
}
tp->af_specific->ao_calc_key_sk(key, traffic_key,
@@ -895,11 +885,10 @@ int tcp_ao_transmit_skb(struct sock *sk, struct sk_buff *skb,
}
sne = tcp_ao_compute_sne(READ_ONCE(ao->snd_sne), READ_ONCE(tp->snd_una),
ntohl(th->seq));
tp->af_specific->calc_ao_hash(hash_location, key, sk, skb, traffic_key,
hash_location - (u8 *)th, sne);
- kfree(tkey_buf);
return 0;
}
static struct tcp_ao_key *tcp_ao_inbound_lookup(unsigned short int family,
const struct sock *sk, const struct sk_buff *skb,
@@ -961,54 +950,48 @@ tcp_ao_verify_hash(const struct sock *sk, const struct sk_buff *skb,
const struct tcp_ao_hdr *aoh, struct tcp_ao_key *key,
u8 *traffic_key, u8 *phash, u32 sne, int l3index)
{
const struct tcphdr *th = tcp_hdr(skb);
u8 maclen = tcp_ao_hdr_maclen(aoh);
- void *hash_buf = NULL;
+ u8 hash_buf[TCP_AO_MAX_MAC_LEN];
if (maclen != tcp_ao_maclen(key)) {
NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPAOBAD);
atomic64_inc(&info->counters.pkt_bad);
atomic64_inc(&key->pkt_bad);
trace_tcp_ao_wrong_maclen(sk, skb, aoh->keyid,
aoh->rnext_keyid, maclen);
return SKB_DROP_REASON_TCP_AOFAILURE;
}
- hash_buf = kmalloc(tcp_ao_digest_size(key), GFP_ATOMIC);
- if (!hash_buf)
- return SKB_DROP_REASON_NOT_SPECIFIED;
-
/* XXX: make it per-AF callback? */
tcp_ao_hash_skb(family, hash_buf, key, sk, skb, traffic_key,
(phash - (u8 *)th), sne);
if (crypto_memneq(phash, hash_buf, maclen)) {
NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPAOBAD);
atomic64_inc(&info->counters.pkt_bad);
atomic64_inc(&key->pkt_bad);
trace_tcp_ao_mismatch(sk, skb, aoh->keyid,
aoh->rnext_keyid, maclen);
- kfree(hash_buf);
return SKB_DROP_REASON_TCP_AOFAILURE;
}
NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPAOGOOD);
atomic64_inc(&info->counters.pkt_good);
atomic64_inc(&key->pkt_good);
- kfree(hash_buf);
return SKB_NOT_DROPPED_YET;
}
enum skb_drop_reason
tcp_inbound_ao_hash(struct sock *sk, const struct sk_buff *skb,
unsigned short int family, const struct request_sock *req,
int l3index, const struct tcp_ao_hdr *aoh)
{
+ u8 tkey_buf[TCP_AO_MAX_TRAFFIC_KEY_LEN];
const struct tcphdr *th = tcp_hdr(skb);
u8 maclen = tcp_ao_hdr_maclen(aoh);
u8 *phash = (u8 *)(aoh + 1); /* hash goes just after the header */
struct tcp_ao_info *info;
- enum skb_drop_reason ret;
struct tcp_ao_key *key;
__be32 sisn, disn;
u8 *traffic_key;
int state;
u32 sne = 0;
@@ -1112,18 +1095,13 @@ tcp_inbound_ao_hash(struct sock *sk, const struct sk_buff *skb,
} else {
WARN_ONCE(1, "TCP-AO: Unexpected sk_state %d", state);
return SKB_DROP_REASON_TCP_AOFAILURE;
}
verify_hash:
- traffic_key = kmalloc(tcp_ao_digest_size(key), GFP_ATOMIC);
- if (!traffic_key)
- return SKB_DROP_REASON_NOT_SPECIFIED;
- tcp_ao_calc_key_skb(key, traffic_key, skb, sisn, disn, family);
- ret = tcp_ao_verify_hash(sk, skb, family, info, aoh, key,
- traffic_key, phash, sne, l3index);
- kfree(traffic_key);
- return ret;
+ tcp_ao_calc_key_skb(key, tkey_buf, skb, sisn, disn, family);
+ return tcp_ao_verify_hash(sk, skb, family, info, aoh, key,
+ tkey_buf, phash, sne, l3index);
key_not_found:
NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPAOKEYNOTFOUND);
atomic64_inc(&info->counters.key_not_found);
trace_tcp_ao_key_not_found(sk, skb, aoh->keyid,
diff --git a/net/ipv6/tcp_ao.c b/net/ipv6/tcp_ao.c
index 2dcfe9dda7f4a..bf30b970181d7 100644
--- a/net/ipv6/tcp_ao.c
+++ b/net/ipv6/tcp_ao.c
@@ -136,22 +136,15 @@ int tcp_v6_parse_ao(struct sock *sk, int cmd,
int tcp_v6_ao_synack_hash(char *ao_hash, struct tcp_ao_key *ao_key,
struct request_sock *req, const struct sk_buff *skb,
int hash_offset, u32 sne)
{
- void *hash_buf = NULL;
+ u8 tkey_buf[TCP_AO_MAX_TRAFFIC_KEY_LEN];
int err;
- hash_buf = kmalloc(tcp_ao_digest_size(ao_key), GFP_ATOMIC);
- if (!hash_buf)
- return -ENOMEM;
-
- err = tcp_v6_ao_calc_key_rsk(ao_key, hash_buf, req);
+ err = tcp_v6_ao_calc_key_rsk(ao_key, tkey_buf, req);
if (err)
- goto out;
+ return err;
- err = tcp_ao_hash_skb(AF_INET6, ao_hash, ao_key, req_to_sk(req), skb,
- hash_buf, hash_offset, sne);
-out:
- kfree(hash_buf);
- return err;
+ return tcp_ao_hash_skb(AF_INET6, ao_hash, ao_key, req_to_sk(req), skb,
+ tkey_buf, hash_offset, sne);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [RFC PATCH 4/8] net/tcp-ao: Return void from functions that can no longer fail
2026-03-07 22:43 [RFC PATCH 0/8] Reimplement TCP-AO using crypto library Eric Biggers
` (2 preceding siblings ...)
2026-03-07 22:43 ` [RFC PATCH 3/8] net/tcp-ao: Use stack-allocated MAC and traffic_key buffers Eric Biggers
@ 2026-03-07 22:43 ` Eric Biggers
2026-03-07 22:43 ` [RFC PATCH 5/8] net/tcp: Remove tcp_sigpool Eric Biggers
` (5 subsequent siblings)
9 siblings, 0 replies; 13+ messages in thread
From: Eric Biggers @ 2026-03-07 22:43 UTC (permalink / raw)
To: netdev
Cc: linux-crypto, linux-kernel, Eric Dumazet, Neal Cardwell,
Kuniyuki Iwashima, David S . Miller, David Ahern, Jakub Kicinski,
Paolo Abeni, Simon Horman, Ard Biesheuvel, Jason A . Donenfeld,
Herbert Xu, Dmitry Safonov, Eric Biggers
Since tcp-ao now uses the crypto library API instead of crypto_ahash,
and MACs and keys now have a statically-known maximum size, many tcp-ao
functions can no longer fail. Propagate this change up into the return
types of various functions.
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
include/net/tcp.h | 8 +--
include/net/tcp_ao.h | 44 +++++++--------
net/ipv4/tcp_ao.c | 128 ++++++++++++++++++++++--------------------
net/ipv4/tcp_output.c | 10 +---
net/ipv6/tcp_ao.c | 65 ++++++++++-----------
5 files changed, 123 insertions(+), 132 deletions(-)
diff --git a/include/net/tcp.h b/include/net/tcp.h
index 978eea2d5df04..18fb675d05bc4 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -2426,13 +2426,13 @@ struct tcp_sock_af_ops {
#ifdef CONFIG_TCP_AO
int (*ao_parse)(struct sock *sk, int optname, sockptr_t optval, int optlen);
struct tcp_ao_key *(*ao_lookup)(const struct sock *sk,
struct sock *addr_sk,
int sndid, int rcvid);
- int (*ao_calc_key_sk)(struct tcp_ao_key *mkt, u8 *key,
- const struct sock *sk,
- __be32 sisn, __be32 disn, bool send);
+ void (*ao_calc_key_sk)(struct tcp_ao_key *mkt, u8 *key,
+ const struct sock *sk,
+ __be32 sisn, __be32 disn, bool send);
int (*calc_ao_hash)(char *location, struct tcp_ao_key *ao,
const struct sock *sk, const struct sk_buff *skb,
const u8 *tkey, int hash_offset, u32 sne);
#endif
};
@@ -2449,11 +2449,11 @@ struct tcp_request_sock_ops {
#endif
#ifdef CONFIG_TCP_AO
struct tcp_ao_key *(*ao_lookup)(const struct sock *sk,
struct request_sock *req,
int sndid, int rcvid);
- int (*ao_calc_key)(struct tcp_ao_key *mkt, u8 *key, struct request_sock *sk);
+ void (*ao_calc_key)(struct tcp_ao_key *mkt, u8 *key, struct request_sock *sk);
int (*ao_synack_hash)(char *ao_hash, struct tcp_ao_key *mkt,
struct request_sock *req, const struct sk_buff *skb,
int hash_offset, u32 sne);
#endif
#ifdef CONFIG_SYN_COOKIES
diff --git a/include/net/tcp_ao.h b/include/net/tcp_ao.h
index f845bc631bc1e..2f20c57ea46b2 100644
--- a/include/net/tcp_ao.h
+++ b/include/net/tcp_ao.h
@@ -180,13 +180,13 @@ struct tcp6_ao_context {
/* Established states are fast-path and there always is current_key/rnext_key */
#define TCP_AO_ESTABLISHED (TCPF_ESTABLISHED | TCPF_FIN_WAIT1 | TCPF_FIN_WAIT2 | \
TCPF_CLOSE_WAIT | TCPF_LAST_ACK | TCPF_CLOSING)
-int tcp_ao_transmit_skb(struct sock *sk, struct sk_buff *skb,
- struct tcp_ao_key *key, struct tcphdr *th,
- __u8 *hash_location);
+void tcp_ao_transmit_skb(struct sock *sk, struct sk_buff *skb,
+ struct tcp_ao_key *key, struct tcphdr *th,
+ __u8 *hash_location);
void tcp_ao_mac_update(struct tcp_ao_mac_ctx *mac_ctx, const void *data,
size_t data_len);
int tcp_ao_hash_skb(unsigned short int family,
char *ao_hash, struct tcp_ao_key *key,
const struct sock *sk, const struct sk_buff *skb,
@@ -231,32 +231,33 @@ int tcp_v4_parse_ao(struct sock *sk, int cmd, sockptr_t optval, int optlen);
struct tcp_ao_key *tcp_v4_ao_lookup(const struct sock *sk, struct sock *addr_sk,
int sndid, int rcvid);
int tcp_v4_ao_synack_hash(char *ao_hash, struct tcp_ao_key *mkt,
struct request_sock *req, const struct sk_buff *skb,
int hash_offset, u32 sne);
-int tcp_v4_ao_calc_key_sk(struct tcp_ao_key *mkt, u8 *key,
- const struct sock *sk,
- __be32 sisn, __be32 disn, bool send);
-int tcp_v4_ao_calc_key_rsk(struct tcp_ao_key *mkt, u8 *key,
- struct request_sock *req);
+void tcp_v4_ao_calc_key_sk(struct tcp_ao_key *mkt, u8 *key,
+ const struct sock *sk,
+ __be32 sisn, __be32 disn, bool send);
+void tcp_v4_ao_calc_key_rsk(struct tcp_ao_key *mkt, u8 *key,
+ struct request_sock *req);
struct tcp_ao_key *tcp_v4_ao_lookup_rsk(const struct sock *sk,
struct request_sock *req,
int sndid, int rcvid);
int tcp_v4_ao_hash_skb(char *ao_hash, struct tcp_ao_key *key,
const struct sock *sk, const struct sk_buff *skb,
const u8 *tkey, int hash_offset, u32 sne);
/* ipv6 specific functions */
-int tcp_v6_ao_hash_pseudoheader(struct tcp_ao_mac_ctx *mac_ctx,
- const struct in6_addr *daddr,
- const struct in6_addr *saddr, int nbytes);
-int tcp_v6_ao_calc_key_skb(struct tcp_ao_key *mkt, u8 *key,
- const struct sk_buff *skb, __be32 sisn, __be32 disn);
-int tcp_v6_ao_calc_key_sk(struct tcp_ao_key *mkt, u8 *key,
- const struct sock *sk, __be32 sisn,
- __be32 disn, bool send);
-int tcp_v6_ao_calc_key_rsk(struct tcp_ao_key *mkt, u8 *key,
- struct request_sock *req);
+void tcp_v6_ao_hash_pseudoheader(struct tcp_ao_mac_ctx *mac_ctx,
+ const struct in6_addr *daddr,
+ const struct in6_addr *saddr, int nbytes);
+void tcp_v6_ao_calc_key_skb(struct tcp_ao_key *mkt, u8 *key,
+ const struct sk_buff *skb, __be32 sisn,
+ __be32 disn);
+void tcp_v6_ao_calc_key_sk(struct tcp_ao_key *mkt, u8 *key,
+ const struct sock *sk, __be32 sisn,
+ __be32 disn, bool send);
+void tcp_v6_ao_calc_key_rsk(struct tcp_ao_key *mkt, u8 *key,
+ struct request_sock *req);
struct tcp_ao_key *tcp_v6_ao_lookup(const struct sock *sk,
struct sock *addr_sk, int sndid, int rcvid);
struct tcp_ao_key *tcp_v6_ao_lookup_rsk(const struct sock *sk,
struct request_sock *req,
int sndid, int rcvid);
@@ -272,15 +273,14 @@ void tcp_ao_finish_connect(struct sock *sk, struct sk_buff *skb);
void tcp_ao_connect_init(struct sock *sk);
void tcp_ao_syncookie(struct sock *sk, const struct sk_buff *skb,
struct request_sock *req, unsigned short int family);
#else /* CONFIG_TCP_AO */
-static inline int tcp_ao_transmit_skb(struct sock *sk, struct sk_buff *skb,
- struct tcp_ao_key *key, struct tcphdr *th,
- __u8 *hash_location)
+static inline void tcp_ao_transmit_skb(struct sock *sk, struct sk_buff *skb,
+ struct tcp_ao_key *key,
+ struct tcphdr *th, __u8 *hash_location)
{
- return 0;
}
static inline void tcp_ao_syncookie(struct sock *sk, const struct sk_buff *skb,
struct request_sock *req, unsigned short int family)
{
diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c
index 69f1d6d26562e..36a64c1cd8c99 100644
--- a/net/ipv4/tcp_ao.c
+++ b/net/ipv4/tcp_ao.c
@@ -433,14 +433,14 @@ void tcp_ao_time_wait(struct tcp_timewait_sock *tcptw, struct tcp_sock *tp)
tcptw->ao_info = NULL;
}
}
/* 4 tuple and ISNs are expected in NBO */
-static int tcp_v4_ao_calc_key(struct tcp_ao_key *mkt, u8 *key,
- __be32 saddr, __be32 daddr,
- __be16 sport, __be16 dport,
- __be32 sisn, __be32 disn)
+static void tcp_v4_ao_calc_key(struct tcp_ao_key *mkt, u8 *key,
+ __be32 saddr, __be32 daddr,
+ __be16 sport, __be16 dport,
+ __be32 sisn, __be32 disn)
{
/* See RFC5926 3.1.1 */
struct kdf_input_block {
u8 counter;
u8 label[6];
@@ -459,91 +459,92 @@ static int tcp_v4_ao_calc_key(struct tcp_ao_key *mkt, u8 *key,
},
.outlen = htons(tcp_ao_digest_size(mkt) * 8), /* in bits */
};
tcp_ao_calc_traffic_key(mkt, key, &input, sizeof(input));
- return 0;
}
-int tcp_v4_ao_calc_key_sk(struct tcp_ao_key *mkt, u8 *key,
- const struct sock *sk,
- __be32 sisn, __be32 disn, bool send)
+void tcp_v4_ao_calc_key_sk(struct tcp_ao_key *mkt, u8 *key,
+ const struct sock *sk,
+ __be32 sisn, __be32 disn, bool send)
{
if (send)
- return tcp_v4_ao_calc_key(mkt, key, sk->sk_rcv_saddr,
- sk->sk_daddr, htons(sk->sk_num),
- sk->sk_dport, sisn, disn);
+ tcp_v4_ao_calc_key(mkt, key, sk->sk_rcv_saddr, sk->sk_daddr,
+ htons(sk->sk_num), sk->sk_dport, sisn, disn);
else
- return tcp_v4_ao_calc_key(mkt, key, sk->sk_daddr,
- sk->sk_rcv_saddr, sk->sk_dport,
- htons(sk->sk_num), disn, sisn);
+ tcp_v4_ao_calc_key(mkt, key, sk->sk_daddr, sk->sk_rcv_saddr,
+ sk->sk_dport, htons(sk->sk_num), disn, sisn);
}
static int tcp_ao_calc_key_sk(struct tcp_ao_key *mkt, u8 *key,
const struct sock *sk,
__be32 sisn, __be32 disn, bool send)
{
- if (mkt->family == AF_INET)
- return tcp_v4_ao_calc_key_sk(mkt, key, sk, sisn, disn, send);
+ if (mkt->family == AF_INET) {
+ tcp_v4_ao_calc_key_sk(mkt, key, sk, sisn, disn, send);
+ return 0;
+ }
#if IS_ENABLED(CONFIG_IPV6)
- else if (mkt->family == AF_INET6)
- return tcp_v6_ao_calc_key_sk(mkt, key, sk, sisn, disn, send);
+ if (mkt->family == AF_INET6) {
+ tcp_v6_ao_calc_key_sk(mkt, key, sk, sisn, disn, send);
+ return 0;
+ }
#endif
- else
- return -EOPNOTSUPP;
+ return -EOPNOTSUPP;
}
-int tcp_v4_ao_calc_key_rsk(struct tcp_ao_key *mkt, u8 *key,
- struct request_sock *req)
+void tcp_v4_ao_calc_key_rsk(struct tcp_ao_key *mkt, u8 *key,
+ struct request_sock *req)
{
struct inet_request_sock *ireq = inet_rsk(req);
- return tcp_v4_ao_calc_key(mkt, key,
- ireq->ir_loc_addr, ireq->ir_rmt_addr,
- htons(ireq->ir_num), ireq->ir_rmt_port,
- htonl(tcp_rsk(req)->snt_isn),
- htonl(tcp_rsk(req)->rcv_isn));
+ tcp_v4_ao_calc_key(mkt, key, ireq->ir_loc_addr, ireq->ir_rmt_addr,
+ htons(ireq->ir_num), ireq->ir_rmt_port,
+ htonl(tcp_rsk(req)->snt_isn),
+ htonl(tcp_rsk(req)->rcv_isn));
}
-static int tcp_v4_ao_calc_key_skb(struct tcp_ao_key *mkt, u8 *key,
- const struct sk_buff *skb,
- __be32 sisn, __be32 disn)
+static void tcp_v4_ao_calc_key_skb(struct tcp_ao_key *mkt, u8 *key,
+ const struct sk_buff *skb,
+ __be32 sisn, __be32 disn)
{
const struct iphdr *iph = ip_hdr(skb);
const struct tcphdr *th = tcp_hdr(skb);
- return tcp_v4_ao_calc_key(mkt, key, iph->saddr, iph->daddr,
- th->source, th->dest, sisn, disn);
+ tcp_v4_ao_calc_key(mkt, key, iph->saddr, iph->daddr, th->source,
+ th->dest, sisn, disn);
}
static int tcp_ao_calc_key_skb(struct tcp_ao_key *mkt, u8 *key,
const struct sk_buff *skb,
__be32 sisn, __be32 disn, int family)
{
- if (family == AF_INET)
- return tcp_v4_ao_calc_key_skb(mkt, key, skb, sisn, disn);
+ if (family == AF_INET) {
+ tcp_v4_ao_calc_key_skb(mkt, key, skb, sisn, disn);
+ return 0;
+ }
#if IS_ENABLED(CONFIG_IPV6)
- else if (family == AF_INET6)
- return tcp_v6_ao_calc_key_skb(mkt, key, skb, sisn, disn);
+ if (family == AF_INET6) {
+ tcp_v6_ao_calc_key_skb(mkt, key, skb, sisn, disn);
+ return 0;
+ }
#endif
return -EAFNOSUPPORT;
}
-static int tcp_v4_ao_hash_pseudoheader(struct tcp_ao_mac_ctx *mac_ctx,
- __be32 daddr, __be32 saddr,
- int nbytes)
+static void tcp_v4_ao_hash_pseudoheader(struct tcp_ao_mac_ctx *mac_ctx,
+ __be32 daddr, __be32 saddr, int nbytes)
{
struct tcp4_pseudohdr phdr = {
.saddr = saddr,
.daddr = daddr,
.pad = 0,
.protocol = IPPROTO_TCP,
.len = cpu_to_be16(nbytes),
};
tcp_ao_mac_update(mac_ctx, &phdr, sizeof(phdr));
- return 0;
}
static int tcp_ao_hash_pseudoheader(unsigned short int family,
const struct sock *sk,
const struct sk_buff *skb,
@@ -551,35 +552,42 @@ static int tcp_ao_hash_pseudoheader(unsigned short int family,
{
const struct tcphdr *th = tcp_hdr(skb);
/* TODO: Can we rely on checksum being zero to mean outbound pkt? */
if (!th->check) {
- if (family == AF_INET)
- return tcp_v4_ao_hash_pseudoheader(mac_ctx, sk->sk_daddr,
- sk->sk_rcv_saddr, skb->len);
+ if (family == AF_INET) {
+ tcp_v4_ao_hash_pseudoheader(mac_ctx, sk->sk_daddr,
+ sk->sk_rcv_saddr, skb->len);
+ return 0;
+ }
#if IS_ENABLED(CONFIG_IPV6)
- else if (family == AF_INET6)
- return tcp_v6_ao_hash_pseudoheader(mac_ctx, &sk->sk_v6_daddr,
- &sk->sk_v6_rcv_saddr, skb->len);
+ if (family == AF_INET6) {
+ tcp_v6_ao_hash_pseudoheader(mac_ctx, &sk->sk_v6_daddr,
+ &sk->sk_v6_rcv_saddr,
+ skb->len);
+ return 0;
+ }
#endif
- else
- return -EAFNOSUPPORT;
+ return -EAFNOSUPPORT;
}
if (family == AF_INET) {
const struct iphdr *iph = ip_hdr(skb);
- return tcp_v4_ao_hash_pseudoheader(mac_ctx, iph->daddr,
- iph->saddr, skb->len);
+ tcp_v4_ao_hash_pseudoheader(mac_ctx, iph->daddr, iph->saddr,
+ skb->len);
+ return 0;
+ }
#if IS_ENABLED(CONFIG_IPV6)
- } else if (family == AF_INET6) {
+ if (family == AF_INET6) {
const struct ipv6hdr *iph = ipv6_hdr(skb);
- return tcp_v6_ao_hash_pseudoheader(mac_ctx, &iph->daddr,
- &iph->saddr, skb->len);
-#endif
+ tcp_v6_ao_hash_pseudoheader(mac_ctx, &iph->daddr, &iph->saddr,
+ skb->len);
+ return 0;
}
+#endif
return -EAFNOSUPPORT;
}
u32 tcp_ao_compute_sne(u32 next_sne, u32 next_seq, u32 seq)
{
@@ -738,15 +746,12 @@ int tcp_v4_ao_hash_skb(char *ao_hash, struct tcp_ao_key *key,
int tcp_v4_ao_synack_hash(char *ao_hash, struct tcp_ao_key *ao_key,
struct request_sock *req, const struct sk_buff *skb,
int hash_offset, u32 sne)
{
u8 tkey_buf[TCP_AO_MAX_TRAFFIC_KEY_LEN];
- int err;
- err = tcp_v4_ao_calc_key_rsk(ao_key, tkey_buf, req);
- if (err)
- return err;
+ tcp_v4_ao_calc_key_rsk(ao_key, tkey_buf, req);
return tcp_ao_hash_skb(AF_INET, ao_hash, ao_key, req_to_sk(req), skb,
tkey_buf, hash_offset, sne);
}
@@ -855,13 +860,13 @@ int tcp_ao_prepare_reset(const struct sock *sk, struct sk_buff *skb,
snd_basis, seq);
}
return 0;
}
-int tcp_ao_transmit_skb(struct sock *sk, struct sk_buff *skb,
- struct tcp_ao_key *key, struct tcphdr *th,
- __u8 *hash_location)
+void tcp_ao_transmit_skb(struct sock *sk, struct sk_buff *skb,
+ struct tcp_ao_key *key, struct tcphdr *th,
+ __u8 *hash_location)
{
struct tcp_skb_cb *tcb = TCP_SKB_CB(skb);
u8 tkey_buf[TCP_AO_MAX_TRAFFIC_KEY_LEN];
struct tcp_sock *tp = tcp_sk(sk);
struct tcp_ao_info *ao;
@@ -885,11 +890,10 @@ int tcp_ao_transmit_skb(struct sock *sk, struct sk_buff *skb,
}
sne = tcp_ao_compute_sne(READ_ONCE(ao->snd_sne), READ_ONCE(tp->snd_una),
ntohl(th->seq));
tp->af_specific->calc_ao_hash(hash_location, key, sk, skb, traffic_key,
hash_location - (u8 *)th, sne);
- return 0;
}
static struct tcp_ao_key *tcp_ao_inbound_lookup(unsigned short int family,
const struct sock *sk, const struct sk_buff *skb,
int sndid, int rcvid, int l3index)
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 326b58ff1118d..8145f9aad77b3 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -1644,18 +1644,12 @@ static int __tcp_transmit_skb(struct sock *sk, struct sk_buff *skb,
sk_gso_disable(sk);
tp->af_specific->calc_md5_hash(opts.hash_location,
key.md5_key, sk, skb);
#endif
} else if (tcp_key_is_ao(&key)) {
- int err;
-
- err = tcp_ao_transmit_skb(sk, skb, key.ao_key, th,
- opts.hash_location);
- if (err) {
- sk_skb_reason_drop(sk, skb, SKB_DROP_REASON_NOT_SPECIFIED);
- return -ENOMEM;
- }
+ tcp_ao_transmit_skb(sk, skb, key.ao_key, th,
+ opts.hash_location);
}
/* BPF prog is the last one writing header option */
bpf_skops_write_hdr_opt(sk, skb, NULL, NULL, 0, &opts);
diff --git a/net/ipv6/tcp_ao.c b/net/ipv6/tcp_ao.c
index bf30b970181d7..01a8472805d1d 100644
--- a/net/ipv6/tcp_ao.c
+++ b/net/ipv6/tcp_ao.c
@@ -10,15 +10,15 @@
#include <linux/tcp.h>
#include <net/tcp.h>
#include <net/ipv6.h>
-static int tcp_v6_ao_calc_key(struct tcp_ao_key *mkt, u8 *key,
- const struct in6_addr *saddr,
- const struct in6_addr *daddr,
- __be16 sport, __be16 dport,
- __be32 sisn, __be32 disn)
+static void tcp_v6_ao_calc_key(struct tcp_ao_key *mkt, u8 *key,
+ const struct in6_addr *saddr,
+ const struct in6_addr *daddr,
+ __be16 sport, __be16 dport,
+ __be32 sisn, __be32 disn)
{
struct kdf_input_block {
u8 counter;
u8 label[6];
struct tcp6_ao_context ctx;
@@ -36,49 +36,46 @@ static int tcp_v6_ao_calc_key(struct tcp_ao_key *mkt, u8 *key,
},
.outlen = htons(tcp_ao_digest_size(mkt) * 8), /* in bits */
};
tcp_ao_calc_traffic_key(mkt, key, &input, sizeof(input));
- return 0;
}
-int tcp_v6_ao_calc_key_skb(struct tcp_ao_key *mkt, u8 *key,
- const struct sk_buff *skb,
- __be32 sisn, __be32 disn)
+void tcp_v6_ao_calc_key_skb(struct tcp_ao_key *mkt, u8 *key,
+ const struct sk_buff *skb, __be32 sisn, __be32 disn)
{
const struct ipv6hdr *iph = ipv6_hdr(skb);
const struct tcphdr *th = tcp_hdr(skb);
- return tcp_v6_ao_calc_key(mkt, key, &iph->saddr,
- &iph->daddr, th->source,
- th->dest, sisn, disn);
+ tcp_v6_ao_calc_key(mkt, key, &iph->saddr, &iph->daddr, th->source,
+ th->dest, sisn, disn);
}
-int tcp_v6_ao_calc_key_sk(struct tcp_ao_key *mkt, u8 *key,
- const struct sock *sk, __be32 sisn,
- __be32 disn, bool send)
+void tcp_v6_ao_calc_key_sk(struct tcp_ao_key *mkt, u8 *key,
+ const struct sock *sk, __be32 sisn,
+ __be32 disn, bool send)
{
if (send)
- return tcp_v6_ao_calc_key(mkt, key, &sk->sk_v6_rcv_saddr,
- &sk->sk_v6_daddr, htons(sk->sk_num),
- sk->sk_dport, sisn, disn);
+ tcp_v6_ao_calc_key(mkt, key, &sk->sk_v6_rcv_saddr,
+ &sk->sk_v6_daddr, htons(sk->sk_num),
+ sk->sk_dport, sisn, disn);
else
- return tcp_v6_ao_calc_key(mkt, key, &sk->sk_v6_daddr,
- &sk->sk_v6_rcv_saddr, sk->sk_dport,
- htons(sk->sk_num), disn, sisn);
+ tcp_v6_ao_calc_key(mkt, key, &sk->sk_v6_daddr,
+ &sk->sk_v6_rcv_saddr, sk->sk_dport,
+ htons(sk->sk_num), disn, sisn);
}
-int tcp_v6_ao_calc_key_rsk(struct tcp_ao_key *mkt, u8 *key,
- struct request_sock *req)
+void tcp_v6_ao_calc_key_rsk(struct tcp_ao_key *mkt, u8 *key,
+ struct request_sock *req)
{
struct inet_request_sock *ireq = inet_rsk(req);
- return tcp_v6_ao_calc_key(mkt, key,
- &ireq->ir_v6_loc_addr, &ireq->ir_v6_rmt_addr,
- htons(ireq->ir_num), ireq->ir_rmt_port,
- htonl(tcp_rsk(req)->snt_isn),
- htonl(tcp_rsk(req)->rcv_isn));
+ tcp_v6_ao_calc_key(mkt, key,
+ &ireq->ir_v6_loc_addr, &ireq->ir_v6_rmt_addr,
+ htons(ireq->ir_num), ireq->ir_rmt_port,
+ htonl(tcp_rsk(req)->snt_isn),
+ htonl(tcp_rsk(req)->rcv_isn));
}
struct tcp_ao_key *tcp_v6_ao_lookup(const struct sock *sk,
struct sock *addr_sk,
int sndid, int rcvid)
@@ -102,24 +99,23 @@ struct tcp_ao_key *tcp_v6_ao_lookup_rsk(const struct sock *sk,
l3index = l3mdev_master_ifindex_by_index(sock_net(sk), ireq->ir_iif);
return tcp_ao_do_lookup(sk, l3index, (union tcp_ao_addr *)addr,
AF_INET6, sndid, rcvid);
}
-int tcp_v6_ao_hash_pseudoheader(struct tcp_ao_mac_ctx *mac_ctx,
- const struct in6_addr *daddr,
- const struct in6_addr *saddr, int nbytes)
+void tcp_v6_ao_hash_pseudoheader(struct tcp_ao_mac_ctx *mac_ctx,
+ const struct in6_addr *daddr,
+ const struct in6_addr *saddr, int nbytes)
{
/* 1. TCP pseudo-header (RFC2460) */
struct tcp6_pseudohdr phdr = {
.saddr = *saddr,
.daddr = *daddr,
.len = cpu_to_be32(nbytes),
.protocol = cpu_to_be32(IPPROTO_TCP),
};
tcp_ao_mac_update(mac_ctx, &phdr, sizeof(phdr));
- return 0;
}
int tcp_v6_ao_hash_skb(char *ao_hash, struct tcp_ao_key *key,
const struct sock *sk, const struct sk_buff *skb,
const u8 *tkey, int hash_offset, u32 sne)
@@ -137,14 +133,11 @@ int tcp_v6_parse_ao(struct sock *sk, int cmd,
int tcp_v6_ao_synack_hash(char *ao_hash, struct tcp_ao_key *ao_key,
struct request_sock *req, const struct sk_buff *skb,
int hash_offset, u32 sne)
{
u8 tkey_buf[TCP_AO_MAX_TRAFFIC_KEY_LEN];
- int err;
- err = tcp_v6_ao_calc_key_rsk(ao_key, tkey_buf, req);
- if (err)
- return err;
+ tcp_v6_ao_calc_key_rsk(ao_key, tkey_buf, req);
return tcp_ao_hash_skb(AF_INET6, ao_hash, ao_key, req_to_sk(req), skb,
tkey_buf, hash_offset, sne);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [RFC PATCH 5/8] net/tcp: Remove tcp_sigpool
2026-03-07 22:43 [RFC PATCH 0/8] Reimplement TCP-AO using crypto library Eric Biggers
` (3 preceding siblings ...)
2026-03-07 22:43 ` [RFC PATCH 4/8] net/tcp-ao: Return void from functions that can no longer fail Eric Biggers
@ 2026-03-07 22:43 ` Eric Biggers
2026-03-07 22:43 ` [RFC PATCH 6/8] crypto: hash - Remove support for cloning hash tfms Eric Biggers
` (4 subsequent siblings)
9 siblings, 0 replies; 13+ messages in thread
From: Eric Biggers @ 2026-03-07 22:43 UTC (permalink / raw)
To: netdev
Cc: linux-crypto, linux-kernel, Eric Dumazet, Neal Cardwell,
Kuniyuki Iwashima, David S . Miller, David Ahern, Jakub Kicinski,
Paolo Abeni, Simon Horman, Ard Biesheuvel, Jason A . Donenfeld,
Herbert Xu, Dmitry Safonov, Eric Biggers
tcp_sigpool is no longer used. It existed only as a workaround for
issues in the design of the crypto_ahash API, which have been avoided by
switching to the much easier-to-use library APIs instead. Remove it.
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
include/net/tcp.h | 34 ----
net/ipv4/Kconfig | 3 -
net/ipv4/Makefile | 1 -
net/ipv4/tcp_sigpool.c | 366 -----------------------------------------
4 files changed, 404 deletions(-)
delete mode 100644 net/ipv4/tcp_sigpool.c
diff --git a/include/net/tcp.h b/include/net/tcp.h
index 18fb675d05bc4..73e7c1c1050b8 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -1968,44 +1968,10 @@ struct tcp6_pseudohdr {
struct in6_addr daddr;
__be32 len;
__be32 protocol; /* including padding */
};
-/*
- * struct tcp_sigpool - per-CPU pool of ahash_requests
- * @scratch: per-CPU temporary area, that can be used between
- * tcp_sigpool_start() and tcp_sigpool_end() to perform
- * crypto request
- * @req: pre-allocated ahash request
- */
-struct tcp_sigpool {
- void *scratch;
- struct ahash_request *req;
-};
-
-int tcp_sigpool_alloc_ahash(const char *alg, size_t scratch_size);
-void tcp_sigpool_get(unsigned int id);
-void tcp_sigpool_release(unsigned int id);
-int tcp_sigpool_hash_skb_data(struct tcp_sigpool *hp,
- const struct sk_buff *skb,
- unsigned int header_len);
-
-/**
- * tcp_sigpool_start - disable bh and start using tcp_sigpool_ahash
- * @id: tcp_sigpool that was previously allocated by tcp_sigpool_alloc_ahash()
- * @c: returned tcp_sigpool for usage (uninitialized on failure)
- *
- * Returns: 0 on success, error otherwise.
- */
-int tcp_sigpool_start(unsigned int id, struct tcp_sigpool *c);
-/**
- * tcp_sigpool_end - enable bh and stop using tcp_sigpool
- * @c: tcp_sigpool context that was returned by tcp_sigpool_start()
- */
-void tcp_sigpool_end(struct tcp_sigpool *c);
-size_t tcp_sigpool_algo(unsigned int id, char *buf, size_t buf_len);
-/* - functions */
void tcp_v4_md5_hash_skb(char *md5_hash, const struct tcp_md5sig_key *key,
const struct sock *sk, const struct sk_buff *skb);
int tcp_md5_do_add(struct sock *sk, const union tcp_md5_addr *addr,
int family, u8 prefixlen, int l3index, u8 flags,
const u8 *newkey, u8 newkeylen);
diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
index 0fa293527cee9..7b945a5186c9b 100644
--- a/net/ipv4/Kconfig
+++ b/net/ipv4/Kconfig
@@ -740,13 +740,10 @@ config DEFAULT_TCP_CONG
default "dctcp" if DEFAULT_DCTCP
default "cdg" if DEFAULT_CDG
default "bbr" if DEFAULT_BBR
default "cubic"
-config TCP_SIGPOOL
- tristate
-
config TCP_AO
bool "TCP: Authentication Option (RFC5925)"
select CRYPTO_LIB_AES_CBC_MACS
select CRYPTO_LIB_SHA1
select CRYPTO_LIB_SHA256
diff --git a/net/ipv4/Makefile b/net/ipv4/Makefile
index 18108a6f04999..f98d4734e4eeb 100644
--- a/net/ipv4/Makefile
+++ b/net/ipv4/Makefile
@@ -58,11 +58,10 @@ obj-$(CONFIG_TCP_CONG_NV) += tcp_nv.o
obj-$(CONFIG_TCP_CONG_VENO) += tcp_veno.o
obj-$(CONFIG_TCP_CONG_SCALABLE) += tcp_scalable.o
obj-$(CONFIG_TCP_CONG_LP) += tcp_lp.o
obj-$(CONFIG_TCP_CONG_YEAH) += tcp_yeah.o
obj-$(CONFIG_TCP_CONG_ILLINOIS) += tcp_illinois.o
-obj-$(CONFIG_TCP_SIGPOOL) += tcp_sigpool.o
obj-$(CONFIG_NET_SOCK_MSG) += tcp_bpf.o
obj-$(CONFIG_BPF_SYSCALL) += udp_bpf.o
obj-$(CONFIG_NETLABEL) += cipso_ipv4.o
obj-$(CONFIG_XFRM) += xfrm4_policy.o xfrm4_state.o xfrm4_input.o \
diff --git a/net/ipv4/tcp_sigpool.c b/net/ipv4/tcp_sigpool.c
deleted file mode 100644
index 10b2e5970c402..0000000000000
--- a/net/ipv4/tcp_sigpool.c
+++ /dev/null
@@ -1,366 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0-or-later
-
-#include <crypto/hash.h>
-#include <linux/cpu.h>
-#include <linux/kref.h>
-#include <linux/module.h>
-#include <linux/mutex.h>
-#include <linux/percpu.h>
-#include <linux/workqueue.h>
-#include <net/tcp.h>
-
-static size_t __scratch_size;
-struct sigpool_scratch {
- local_lock_t bh_lock;
- void __rcu *pad;
-};
-
-static DEFINE_PER_CPU(struct sigpool_scratch, sigpool_scratch) = {
- .bh_lock = INIT_LOCAL_LOCK(bh_lock),
-};
-
-struct sigpool_entry {
- struct crypto_ahash *hash;
- const char *alg;
- struct kref kref;
- uint16_t needs_key:1,
- reserved:15;
-};
-
-#define CPOOL_SIZE (PAGE_SIZE / sizeof(struct sigpool_entry))
-static struct sigpool_entry cpool[CPOOL_SIZE];
-static unsigned int cpool_populated;
-static DEFINE_MUTEX(cpool_mutex);
-
-/* Slow-path */
-struct scratches_to_free {
- struct rcu_head rcu;
- unsigned int cnt;
- void *scratches[];
-};
-
-static void free_old_scratches(struct rcu_head *head)
-{
- struct scratches_to_free *stf;
-
- stf = container_of(head, struct scratches_to_free, rcu);
- while (stf->cnt--)
- kfree(stf->scratches[stf->cnt]);
- kfree(stf);
-}
-
-/**
- * sigpool_reserve_scratch - re-allocates scratch buffer, slow-path
- * @size: request size for the scratch/temp buffer
- */
-static int sigpool_reserve_scratch(size_t size)
-{
- struct scratches_to_free *stf;
- size_t stf_sz = struct_size(stf, scratches, num_possible_cpus());
- int cpu, err = 0;
-
- lockdep_assert_held(&cpool_mutex);
- if (__scratch_size >= size)
- return 0;
-
- stf = kmalloc(stf_sz, GFP_KERNEL);
- if (!stf)
- return -ENOMEM;
- stf->cnt = 0;
-
- size = max(size, __scratch_size);
- cpus_read_lock();
- for_each_possible_cpu(cpu) {
- void *scratch, *old_scratch;
-
- scratch = kmalloc_node(size, GFP_KERNEL, cpu_to_node(cpu));
- if (!scratch) {
- err = -ENOMEM;
- break;
- }
-
- old_scratch = rcu_replace_pointer(per_cpu(sigpool_scratch.pad, cpu),
- scratch, lockdep_is_held(&cpool_mutex));
- if (!cpu_online(cpu) || !old_scratch) {
- kfree(old_scratch);
- continue;
- }
- stf->scratches[stf->cnt++] = old_scratch;
- }
- cpus_read_unlock();
- if (!err)
- __scratch_size = size;
-
- call_rcu(&stf->rcu, free_old_scratches);
- return err;
-}
-
-static void sigpool_scratch_free(void)
-{
- int cpu;
-
- for_each_possible_cpu(cpu)
- kfree(rcu_replace_pointer(per_cpu(sigpool_scratch.pad, cpu),
- NULL, lockdep_is_held(&cpool_mutex)));
- __scratch_size = 0;
-}
-
-static int __cpool_try_clone(struct crypto_ahash *hash)
-{
- struct crypto_ahash *tmp;
-
- tmp = crypto_clone_ahash(hash);
- if (IS_ERR(tmp))
- return PTR_ERR(tmp);
-
- crypto_free_ahash(tmp);
- return 0;
-}
-
-static int __cpool_alloc_ahash(struct sigpool_entry *e, const char *alg)
-{
- struct crypto_ahash *cpu0_hash;
- int ret;
-
- e->alg = kstrdup(alg, GFP_KERNEL);
- if (!e->alg)
- return -ENOMEM;
-
- cpu0_hash = crypto_alloc_ahash(alg, 0, CRYPTO_ALG_ASYNC);
- if (IS_ERR(cpu0_hash)) {
- ret = PTR_ERR(cpu0_hash);
- goto out_free_alg;
- }
-
- e->needs_key = crypto_ahash_get_flags(cpu0_hash) & CRYPTO_TFM_NEED_KEY;
-
- ret = __cpool_try_clone(cpu0_hash);
- if (ret)
- goto out_free_cpu0_hash;
- e->hash = cpu0_hash;
- kref_init(&e->kref);
- return 0;
-
-out_free_cpu0_hash:
- crypto_free_ahash(cpu0_hash);
-out_free_alg:
- kfree(e->alg);
- e->alg = NULL;
- return ret;
-}
-
-/**
- * tcp_sigpool_alloc_ahash - allocates pool for ahash requests
- * @alg: name of async hash algorithm
- * @scratch_size: reserve a tcp_sigpool::scratch buffer of this size
- */
-int tcp_sigpool_alloc_ahash(const char *alg, size_t scratch_size)
-{
- int i, ret;
-
- /* slow-path */
- mutex_lock(&cpool_mutex);
- ret = sigpool_reserve_scratch(scratch_size);
- if (ret)
- goto out;
- for (i = 0; i < cpool_populated; i++) {
- if (!cpool[i].alg)
- continue;
- if (strcmp(cpool[i].alg, alg))
- continue;
-
- /* pairs with tcp_sigpool_release() */
- if (!kref_get_unless_zero(&cpool[i].kref))
- kref_init(&cpool[i].kref);
- ret = i;
- goto out;
- }
-
- for (i = 0; i < cpool_populated; i++) {
- if (!cpool[i].alg)
- break;
- }
- if (i >= CPOOL_SIZE) {
- ret = -ENOSPC;
- goto out;
- }
-
- ret = __cpool_alloc_ahash(&cpool[i], alg);
- if (!ret) {
- ret = i;
- if (i == cpool_populated)
- cpool_populated++;
- }
-out:
- mutex_unlock(&cpool_mutex);
- return ret;
-}
-EXPORT_SYMBOL_GPL(tcp_sigpool_alloc_ahash);
-
-static void __cpool_free_entry(struct sigpool_entry *e)
-{
- crypto_free_ahash(e->hash);
- kfree(e->alg);
- memset(e, 0, sizeof(*e));
-}
-
-static void cpool_cleanup_work_cb(struct work_struct *work)
-{
- bool free_scratch = true;
- unsigned int i;
-
- mutex_lock(&cpool_mutex);
- for (i = 0; i < cpool_populated; i++) {
- if (kref_read(&cpool[i].kref) > 0) {
- free_scratch = false;
- continue;
- }
- if (!cpool[i].alg)
- continue;
- __cpool_free_entry(&cpool[i]);
- }
- if (free_scratch)
- sigpool_scratch_free();
- mutex_unlock(&cpool_mutex);
-}
-
-static DECLARE_WORK(cpool_cleanup_work, cpool_cleanup_work_cb);
-static void cpool_schedule_cleanup(struct kref *kref)
-{
- schedule_work(&cpool_cleanup_work);
-}
-
-/**
- * tcp_sigpool_release - decreases number of users for a pool. If it was
- * the last user of the pool, releases any memory that was consumed.
- * @id: tcp_sigpool that was previously allocated by tcp_sigpool_alloc_ahash()
- */
-void tcp_sigpool_release(unsigned int id)
-{
- if (WARN_ON_ONCE(id >= cpool_populated || !cpool[id].alg))
- return;
-
- /* slow-path */
- kref_put(&cpool[id].kref, cpool_schedule_cleanup);
-}
-EXPORT_SYMBOL_GPL(tcp_sigpool_release);
-
-/**
- * tcp_sigpool_get - increases number of users (refcounter) for a pool
- * @id: tcp_sigpool that was previously allocated by tcp_sigpool_alloc_ahash()
- */
-void tcp_sigpool_get(unsigned int id)
-{
- if (WARN_ON_ONCE(id >= cpool_populated || !cpool[id].alg))
- return;
- kref_get(&cpool[id].kref);
-}
-EXPORT_SYMBOL_GPL(tcp_sigpool_get);
-
-int tcp_sigpool_start(unsigned int id, struct tcp_sigpool *c) __cond_acquires(0, RCU_BH)
-{
- struct crypto_ahash *hash;
-
- rcu_read_lock_bh();
- if (WARN_ON_ONCE(id >= cpool_populated || !cpool[id].alg)) {
- rcu_read_unlock_bh();
- return -EINVAL;
- }
-
- hash = crypto_clone_ahash(cpool[id].hash);
- if (IS_ERR(hash)) {
- rcu_read_unlock_bh();
- return PTR_ERR(hash);
- }
-
- c->req = ahash_request_alloc(hash, GFP_ATOMIC);
- if (!c->req) {
- crypto_free_ahash(hash);
- rcu_read_unlock_bh();
- return -ENOMEM;
- }
- ahash_request_set_callback(c->req, 0, NULL, NULL);
-
- /* Pairs with tcp_sigpool_reserve_scratch(), scratch area is
- * valid (allocated) until tcp_sigpool_end().
- */
- local_lock_nested_bh(&sigpool_scratch.bh_lock);
- c->scratch = rcu_dereference_bh(*this_cpu_ptr(&sigpool_scratch.pad));
- return 0;
-}
-EXPORT_SYMBOL_GPL(tcp_sigpool_start);
-
-void tcp_sigpool_end(struct tcp_sigpool *c) __releases(RCU_BH)
-{
- struct crypto_ahash *hash = crypto_ahash_reqtfm(c->req);
-
- local_unlock_nested_bh(&sigpool_scratch.bh_lock);
- rcu_read_unlock_bh();
- ahash_request_free(c->req);
- crypto_free_ahash(hash);
-}
-EXPORT_SYMBOL_GPL(tcp_sigpool_end);
-
-/**
- * tcp_sigpool_algo - return algorithm of tcp_sigpool
- * @id: tcp_sigpool that was previously allocated by tcp_sigpool_alloc_ahash()
- * @buf: buffer to return name of algorithm
- * @buf_len: size of @buf
- */
-size_t tcp_sigpool_algo(unsigned int id, char *buf, size_t buf_len)
-{
- if (WARN_ON_ONCE(id >= cpool_populated || !cpool[id].alg))
- return -EINVAL;
-
- return strscpy(buf, cpool[id].alg, buf_len);
-}
-EXPORT_SYMBOL_GPL(tcp_sigpool_algo);
-
-/**
- * tcp_sigpool_hash_skb_data - hash data in skb with initialized tcp_sigpool
- * @hp: tcp_sigpool pointer
- * @skb: buffer to add sign for
- * @header_len: TCP header length for this segment
- */
-int tcp_sigpool_hash_skb_data(struct tcp_sigpool *hp,
- const struct sk_buff *skb,
- unsigned int header_len)
-{
- const unsigned int head_data_len = skb_headlen(skb) > header_len ?
- skb_headlen(skb) - header_len : 0;
- const struct skb_shared_info *shi = skb_shinfo(skb);
- const struct tcphdr *tp = tcp_hdr(skb);
- struct ahash_request *req = hp->req;
- struct sk_buff *frag_iter;
- struct scatterlist sg;
- unsigned int i;
-
- sg_init_table(&sg, 1);
-
- sg_set_buf(&sg, ((u8 *)tp) + header_len, head_data_len);
- ahash_request_set_crypt(req, &sg, NULL, head_data_len);
- if (crypto_ahash_update(req))
- return 1;
-
- for (i = 0; i < shi->nr_frags; ++i) {
- const skb_frag_t *f = &shi->frags[i];
- unsigned int offset = skb_frag_off(f);
- struct page *page;
-
- page = skb_frag_page(f) + (offset >> PAGE_SHIFT);
- sg_set_page(&sg, page, skb_frag_size(f), offset_in_page(offset));
- ahash_request_set_crypt(req, &sg, NULL, skb_frag_size(f));
- if (crypto_ahash_update(req))
- return 1;
- }
-
- skb_walk_frags(skb, frag_iter)
- if (tcp_sigpool_hash_skb_data(hp, frag_iter, 0))
- return 1;
-
- return 0;
-}
-EXPORT_SYMBOL(tcp_sigpool_hash_skb_data);
-
-MODULE_LICENSE("GPL");
-MODULE_DESCRIPTION("Per-CPU pool of crypto requests");
--
2.53.0
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [RFC PATCH 6/8] crypto: hash - Remove support for cloning hash tfms
2026-03-07 22:43 [RFC PATCH 0/8] Reimplement TCP-AO using crypto library Eric Biggers
` (4 preceding siblings ...)
2026-03-07 22:43 ` [RFC PATCH 5/8] net/tcp: Remove tcp_sigpool Eric Biggers
@ 2026-03-07 22:43 ` Eric Biggers
2026-03-07 22:43 ` [RFC PATCH 7/8] crypto: cipher - Remove support for cloning cipher tfms Eric Biggers
` (3 subsequent siblings)
9 siblings, 0 replies; 13+ messages in thread
From: Eric Biggers @ 2026-03-07 22:43 UTC (permalink / raw)
To: netdev
Cc: linux-crypto, linux-kernel, Eric Dumazet, Neal Cardwell,
Kuniyuki Iwashima, David S . Miller, David Ahern, Jakub Kicinski,
Paolo Abeni, Simon Horman, Ard Biesheuvel, Jason A . Donenfeld,
Herbert Xu, Dmitry Safonov, Eric Biggers
Hash transformation cloning no longer has a user, and there's a good
chance no new one will appear because the library API solves the problem
in a much simpler and more efficient way. Remove support for it.
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
crypto/ahash.c | 70 -------------------------------------------
crypto/cmac.c | 16 ----------
crypto/cryptd.c | 16 ----------
crypto/hmac.c | 31 -------------------
crypto/shash.c | 37 -----------------------
include/crypto/hash.h | 8 -----
6 files changed, 178 deletions(-)
diff --git a/crypto/ahash.c b/crypto/ahash.c
index 7a730324c50e2..85dcd120de3ee 100644
--- a/crypto/ahash.c
+++ b/crypto/ahash.c
@@ -860,80 +860,10 @@ bool crypto_hash_alg_has_setkey(struct hash_alg_common *halg)
return __crypto_ahash_alg(alg)->setkey != ahash_nosetkey;
}
EXPORT_SYMBOL_GPL(crypto_hash_alg_has_setkey);
-struct crypto_ahash *crypto_clone_ahash(struct crypto_ahash *hash)
-{
- struct hash_alg_common *halg = crypto_hash_alg_common(hash);
- struct crypto_tfm *tfm = crypto_ahash_tfm(hash);
- struct crypto_ahash *fb = NULL;
- struct crypto_ahash *nhash;
- struct ahash_alg *alg;
- int err;
-
- if (!crypto_hash_alg_has_setkey(halg)) {
- tfm = crypto_tfm_get(tfm);
- if (IS_ERR(tfm))
- return ERR_CAST(tfm);
-
- return hash;
- }
-
- nhash = crypto_clone_tfm(&crypto_ahash_type, tfm);
-
- if (IS_ERR(nhash))
- return nhash;
-
- nhash->reqsize = hash->reqsize;
- nhash->statesize = hash->statesize;
-
- if (likely(hash->using_shash)) {
- struct crypto_shash **nctx = crypto_ahash_ctx(nhash);
- struct crypto_shash *shash;
-
- shash = crypto_clone_shash(ahash_to_shash(hash));
- if (IS_ERR(shash)) {
- err = PTR_ERR(shash);
- goto out_free_nhash;
- }
- crypto_ahash_tfm(nhash)->exit = crypto_exit_ahash_using_shash;
- nhash->using_shash = true;
- *nctx = shash;
- return nhash;
- }
-
- if (crypto_ahash_need_fallback(hash)) {
- fb = crypto_clone_ahash(crypto_ahash_fb(hash));
- err = PTR_ERR(fb);
- if (IS_ERR(fb))
- goto out_free_nhash;
-
- crypto_ahash_tfm(nhash)->fb = crypto_ahash_tfm(fb);
- }
-
- err = -ENOSYS;
- alg = crypto_ahash_alg(hash);
- if (!alg->clone_tfm)
- goto out_free_fb;
-
- err = alg->clone_tfm(nhash, hash);
- if (err)
- goto out_free_fb;
-
- crypto_ahash_tfm(nhash)->exit = crypto_ahash_exit_tfm;
-
- return nhash;
-
-out_free_fb:
- crypto_free_ahash(fb);
-out_free_nhash:
- crypto_free_ahash(nhash);
- return ERR_PTR(err);
-}
-EXPORT_SYMBOL_GPL(crypto_clone_ahash);
-
static int ahash_default_export_core(struct ahash_request *req, void *out)
{
return -ENOSYS;
}
diff --git a/crypto/cmac.c b/crypto/cmac.c
index 1b03964abe007..83e58937f0136 100644
--- a/crypto/cmac.c
+++ b/crypto/cmac.c
@@ -149,25 +149,10 @@ static int cmac_init_tfm(struct crypto_shash *tfm)
ctx->child = cipher;
return 0;
}
-static int cmac_clone_tfm(struct crypto_shash *tfm, struct crypto_shash *otfm)
-{
- struct cmac_tfm_ctx *octx = crypto_shash_ctx(otfm);
- struct cmac_tfm_ctx *ctx = crypto_shash_ctx(tfm);
- struct crypto_cipher *cipher;
-
- cipher = crypto_clone_cipher(octx->child);
- if (IS_ERR(cipher))
- return PTR_ERR(cipher);
-
- ctx->child = cipher;
-
- return 0;
-}
-
static void cmac_exit_tfm(struct crypto_shash *tfm)
{
struct cmac_tfm_ctx *ctx = crypto_shash_ctx(tfm);
crypto_free_cipher(ctx->child);
}
@@ -220,11 +205,10 @@ static int cmac_create(struct crypto_template *tmpl, struct rtattr **tb)
inst->alg.init = crypto_cmac_digest_init;
inst->alg.update = crypto_cmac_digest_update;
inst->alg.finup = crypto_cmac_digest_finup;
inst->alg.setkey = crypto_cmac_digest_setkey;
inst->alg.init_tfm = cmac_init_tfm;
- inst->alg.clone_tfm = cmac_clone_tfm;
inst->alg.exit_tfm = cmac_exit_tfm;
inst->free = shash_free_singlespawn_instance;
err = shash_register_instance(tmpl, inst);
diff --git a/crypto/cryptd.c b/crypto/cryptd.c
index cd38f46761767..e2958020f1ae4 100644
--- a/crypto/cryptd.c
+++ b/crypto/cryptd.c
@@ -450,25 +450,10 @@ static int cryptd_hash_init_tfm(struct crypto_ahash *tfm)
sizeof(struct cryptd_hash_request_ctx) +
crypto_shash_descsize(hash));
return 0;
}
-static int cryptd_hash_clone_tfm(struct crypto_ahash *ntfm,
- struct crypto_ahash *tfm)
-{
- struct cryptd_hash_ctx *nctx = crypto_ahash_ctx(ntfm);
- struct cryptd_hash_ctx *ctx = crypto_ahash_ctx(tfm);
- struct crypto_shash *hash;
-
- hash = crypto_clone_shash(ctx->child);
- if (IS_ERR(hash))
- return PTR_ERR(hash);
-
- nctx->child = hash;
- return 0;
-}
-
static void cryptd_hash_exit_tfm(struct crypto_ahash *tfm)
{
struct cryptd_hash_ctx *ctx = crypto_ahash_ctx(tfm);
crypto_free_shash(ctx->child);
@@ -697,11 +682,10 @@ static int cryptd_create_hash(struct crypto_template *tmpl, struct rtattr **tb,
inst->alg.halg.digestsize = alg->digestsize;
inst->alg.halg.statesize = alg->statesize;
inst->alg.halg.base.cra_ctxsize = sizeof(struct cryptd_hash_ctx);
inst->alg.init_tfm = cryptd_hash_init_tfm;
- inst->alg.clone_tfm = cryptd_hash_clone_tfm;
inst->alg.exit_tfm = cryptd_hash_exit_tfm;
inst->alg.init = cryptd_hash_init_enqueue;
inst->alg.update = cryptd_hash_update_enqueue;
inst->alg.final = cryptd_hash_final_enqueue;
diff --git a/crypto/hmac.c b/crypto/hmac.c
index 148af460ae974..807e08b252c55 100644
--- a/crypto/hmac.c
+++ b/crypto/hmac.c
@@ -156,24 +156,10 @@ static int hmac_init_tfm(struct crypto_shash *parent)
tctx->hash = hash;
return 0;
}
-static int hmac_clone_tfm(struct crypto_shash *dst, struct crypto_shash *src)
-{
- struct hmac_ctx *sctx = crypto_shash_ctx(src);
- struct hmac_ctx *dctx = crypto_shash_ctx(dst);
- struct crypto_shash *hash;
-
- hash = crypto_clone_shash(sctx->hash);
- if (IS_ERR(hash))
- return PTR_ERR(hash);
-
- dctx->hash = hash;
- return 0;
-}
-
static void hmac_exit_tfm(struct crypto_shash *parent)
{
struct hmac_ctx *tctx = crypto_shash_ctx(parent);
crypto_free_shash(tctx->hash);
@@ -233,11 +219,10 @@ static int __hmac_create_shash(struct crypto_template *tmpl,
inst->alg.import = hmac_import;
inst->alg.export_core = hmac_export_core;
inst->alg.import_core = hmac_import_core;
inst->alg.setkey = hmac_setkey;
inst->alg.init_tfm = hmac_init_tfm;
- inst->alg.clone_tfm = hmac_clone_tfm;
inst->alg.exit_tfm = hmac_exit_tfm;
inst->free = shash_free_singlespawn_instance;
err = shash_register_instance(tmpl, inst);
@@ -421,25 +406,10 @@ static int hmac_init_ahash_tfm(struct crypto_ahash *parent)
tctx->hash = hash;
return 0;
}
-static int hmac_clone_ahash_tfm(struct crypto_ahash *dst,
- struct crypto_ahash *src)
-{
- struct ahash_hmac_ctx *sctx = crypto_ahash_ctx(src);
- struct ahash_hmac_ctx *dctx = crypto_ahash_ctx(dst);
- struct crypto_ahash *hash;
-
- hash = crypto_clone_ahash(sctx->hash);
- if (IS_ERR(hash))
- return PTR_ERR(hash);
-
- dctx->hash = hash;
- return 0;
-}
-
static void hmac_exit_ahash_tfm(struct crypto_ahash *parent)
{
struct ahash_hmac_ctx *tctx = crypto_ahash_ctx(parent);
crypto_free_ahash(tctx->hash);
@@ -501,11 +471,10 @@ static int hmac_create_ahash(struct crypto_template *tmpl, struct rtattr **tb,
inst->alg.import = hmac_import_ahash;
inst->alg.export_core = hmac_export_core_ahash;
inst->alg.import_core = hmac_import_core_ahash;
inst->alg.setkey = hmac_setkey_ahash;
inst->alg.init_tfm = hmac_init_ahash_tfm;
- inst->alg.clone_tfm = hmac_clone_ahash_tfm;
inst->alg.exit_tfm = hmac_exit_ahash_tfm;
inst->free = ahash_free_singlespawn_instance;
err = ahash_register_instance(tmpl, inst);
diff --git a/crypto/shash.c b/crypto/shash.c
index 2f07d0bd1f61b..351cba3c11070 100644
--- a/crypto/shash.c
+++ b/crypto/shash.c
@@ -393,47 +393,10 @@ int crypto_has_shash(const char *alg_name, u32 type, u32 mask)
{
return crypto_type_has_alg(alg_name, &crypto_shash_type, type, mask);
}
EXPORT_SYMBOL_GPL(crypto_has_shash);
-struct crypto_shash *crypto_clone_shash(struct crypto_shash *hash)
-{
- struct crypto_tfm *tfm = crypto_shash_tfm(hash);
- struct shash_alg *alg = crypto_shash_alg(hash);
- struct crypto_shash *nhash;
- int err;
-
- if (!crypto_shash_alg_has_setkey(alg)) {
- tfm = crypto_tfm_get(tfm);
- if (IS_ERR(tfm))
- return ERR_CAST(tfm);
-
- return hash;
- }
-
- if (!alg->clone_tfm && (alg->init_tfm || alg->base.cra_init))
- return ERR_PTR(-ENOSYS);
-
- nhash = crypto_clone_tfm(&crypto_shash_type, tfm);
- if (IS_ERR(nhash))
- return nhash;
-
- if (alg->clone_tfm) {
- err = alg->clone_tfm(nhash, hash);
- if (err) {
- crypto_free_shash(nhash);
- return ERR_PTR(err);
- }
- }
-
- if (alg->exit_tfm)
- crypto_shash_tfm(nhash)->exit = crypto_shash_exit_tfm;
-
- return nhash;
-}
-EXPORT_SYMBOL_GPL(crypto_clone_shash);
-
int hash_prepare_alg(struct hash_alg_common *alg)
{
struct crypto_alg *base = &alg->base;
if (alg->digestsize > HASH_MAX_DIGESTSIZE)
diff --git a/include/crypto/hash.h b/include/crypto/hash.h
index 586700332c731..e474f8461ea19 100644
--- a/include/crypto/hash.h
+++ b/include/crypto/hash.h
@@ -146,11 +146,10 @@ struct ahash_request {
* requirement of the transformation and put any software
* fallbacks in place.
* @exit_tfm: Deinitialize the cryptographic transformation object.
* This is a counterpart to @init_tfm, used to remove
* various changes set in @init_tfm.
- * @clone_tfm: Copy transform into new object, may allocate memory.
* @halg: see struct hash_alg_common
*/
struct ahash_alg {
int (*init)(struct ahash_request *req);
int (*update)(struct ahash_request *req);
@@ -163,11 +162,10 @@ struct ahash_alg {
int (*import_core)(struct ahash_request *req, const void *in);
int (*setkey)(struct crypto_ahash *tfm, const u8 *key,
unsigned int keylen);
int (*init_tfm)(struct crypto_ahash *tfm);
void (*exit_tfm)(struct crypto_ahash *tfm);
- int (*clone_tfm)(struct crypto_ahash *dst, struct crypto_ahash *src);
struct hash_alg_common halg;
};
struct shash_desc {
@@ -237,11 +235,10 @@ struct shash_desc {
* requirement of the transformation and put any software
* fallbacks in place.
* @exit_tfm: Deinitialize the cryptographic transformation object.
* This is a counterpart to @init_tfm, used to remove
* various changes set in @init_tfm.
- * @clone_tfm: Copy transform into new object, may allocate memory.
* @descsize: Size of the operational state for the message digest. This state
* size is the memory size that needs to be allocated for
* shash_desc.__ctx
* @halg: see struct hash_alg_common
* @HASH_ALG_COMMON: see struct hash_alg_common
@@ -261,11 +258,10 @@ struct shash_alg {
int (*import_core)(struct shash_desc *desc, const void *in);
int (*setkey)(struct crypto_shash *tfm, const u8 *key,
unsigned int keylen);
int (*init_tfm)(struct crypto_shash *tfm);
void (*exit_tfm)(struct crypto_shash *tfm);
- int (*clone_tfm)(struct crypto_shash *dst, struct crypto_shash *src);
unsigned int descsize;
union {
struct HASH_ALG_COMMON;
@@ -320,12 +316,10 @@ static inline struct crypto_ahash *__crypto_ahash_cast(struct crypto_tfm *tfm)
* of an error, PTR_ERR() returns the error code.
*/
struct crypto_ahash *crypto_alloc_ahash(const char *alg_name, u32 type,
u32 mask);
-struct crypto_ahash *crypto_clone_ahash(struct crypto_ahash *tfm);
-
static inline struct crypto_tfm *crypto_ahash_tfm(struct crypto_ahash *tfm)
{
return &tfm->base;
}
@@ -757,12 +751,10 @@ static inline void ahash_request_set_virt(struct ahash_request *req,
* of an error, PTR_ERR() returns the error code.
*/
struct crypto_shash *crypto_alloc_shash(const char *alg_name, u32 type,
u32 mask);
-struct crypto_shash *crypto_clone_shash(struct crypto_shash *tfm);
-
int crypto_has_shash(const char *alg_name, u32 type, u32 mask);
static inline struct crypto_tfm *crypto_shash_tfm(struct crypto_shash *tfm)
{
return &tfm->base;
--
2.53.0
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [RFC PATCH 7/8] crypto: cipher - Remove support for cloning cipher tfms
2026-03-07 22:43 [RFC PATCH 0/8] Reimplement TCP-AO using crypto library Eric Biggers
` (5 preceding siblings ...)
2026-03-07 22:43 ` [RFC PATCH 6/8] crypto: hash - Remove support for cloning hash tfms Eric Biggers
@ 2026-03-07 22:43 ` Eric Biggers
2026-03-07 22:43 ` [RFC PATCH 8/8] crypto: api - Remove core support for cloning tfms Eric Biggers
` (2 subsequent siblings)
9 siblings, 0 replies; 13+ messages in thread
From: Eric Biggers @ 2026-03-07 22:43 UTC (permalink / raw)
To: netdev
Cc: linux-crypto, linux-kernel, Eric Dumazet, Neal Cardwell,
Kuniyuki Iwashima, David S . Miller, David Ahern, Jakub Kicinski,
Paolo Abeni, Simon Horman, Ard Biesheuvel, Jason A . Donenfeld,
Herbert Xu, Dmitry Safonov, Eric Biggers
Since the only caller of crypto_clone_cipher() was cmac_clone_tfm()
which has been removed, remove crypto_clone_cipher() as well.
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
crypto/cipher.c | 28 ----------------------------
include/crypto/internal/cipher.h | 2 --
2 files changed, 30 deletions(-)
diff --git a/crypto/cipher.c b/crypto/cipher.c
index 1fe62bf79656b..c9dab656a622e 100644
--- a/crypto/cipher.c
+++ b/crypto/cipher.c
@@ -87,33 +87,5 @@ void crypto_cipher_decrypt_one(struct crypto_cipher *tfm,
u8 *dst, const u8 *src)
{
cipher_crypt_one(tfm, dst, src, false);
}
EXPORT_SYMBOL_NS_GPL(crypto_cipher_decrypt_one, "CRYPTO_INTERNAL");
-
-struct crypto_cipher *crypto_clone_cipher(struct crypto_cipher *cipher)
-{
- struct crypto_tfm *tfm = crypto_cipher_tfm(cipher);
- struct crypto_alg *alg = tfm->__crt_alg;
- struct crypto_cipher *ncipher;
- struct crypto_tfm *ntfm;
-
- if (alg->cra_init)
- return ERR_PTR(-ENOSYS);
-
- if (unlikely(!crypto_mod_get(alg)))
- return ERR_PTR(-ESTALE);
-
- ntfm = __crypto_alloc_tfmgfp(alg, CRYPTO_ALG_TYPE_CIPHER,
- CRYPTO_ALG_TYPE_MASK, GFP_ATOMIC);
- if (IS_ERR(ntfm)) {
- crypto_mod_put(alg);
- return ERR_CAST(ntfm);
- }
-
- ntfm->crt_flags = tfm->crt_flags;
-
- ncipher = __crypto_cipher_cast(ntfm);
-
- return ncipher;
-}
-EXPORT_SYMBOL_GPL(crypto_clone_cipher);
diff --git a/include/crypto/internal/cipher.h b/include/crypto/internal/cipher.h
index 5030f6d2df315..a9174ba902500 100644
--- a/include/crypto/internal/cipher.h
+++ b/include/crypto/internal/cipher.h
@@ -174,12 +174,10 @@ void crypto_cipher_encrypt_one(struct crypto_cipher *tfm,
* the plaintext and ciphertext buffers are at least one block in size.
*/
void crypto_cipher_decrypt_one(struct crypto_cipher *tfm,
u8 *dst, const u8 *src);
-struct crypto_cipher *crypto_clone_cipher(struct crypto_cipher *cipher);
-
struct crypto_cipher_spawn {
struct crypto_spawn base;
};
static inline int crypto_grab_cipher(struct crypto_cipher_spawn *spawn,
--
2.53.0
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [RFC PATCH 8/8] crypto: api - Remove core support for cloning tfms
2026-03-07 22:43 [RFC PATCH 0/8] Reimplement TCP-AO using crypto library Eric Biggers
` (6 preceding siblings ...)
2026-03-07 22:43 ` [RFC PATCH 7/8] crypto: cipher - Remove support for cloning cipher tfms Eric Biggers
@ 2026-03-07 22:43 ` Eric Biggers
2026-03-09 8:17 ` [RFC PATCH 0/8] Reimplement TCP-AO using crypto library Ard Biesheuvel
2026-03-09 22:33 ` Dmitry Safonov
9 siblings, 0 replies; 13+ messages in thread
From: Eric Biggers @ 2026-03-07 22:43 UTC (permalink / raw)
To: netdev
Cc: linux-crypto, linux-kernel, Eric Dumazet, Neal Cardwell,
Kuniyuki Iwashima, David S . Miller, David Ahern, Jakub Kicinski,
Paolo Abeni, Simon Horman, Ard Biesheuvel, Jason A . Donenfeld,
Herbert Xu, Dmitry Safonov, Eric Biggers
Since all callers of crypto_clone_tfm() have been removed, remove it.
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
crypto/api.c | 26 --------------------------
crypto/internal.h | 2 --
2 files changed, 28 deletions(-)
diff --git a/crypto/api.c b/crypto/api.c
index 74e17d5049c99..d019d1979857d 100644
--- a/crypto/api.c
+++ b/crypto/api.c
@@ -558,36 +558,10 @@ void *crypto_create_tfm_node(struct crypto_alg *alg,
out:
return mem;
}
EXPORT_SYMBOL_GPL(crypto_create_tfm_node);
-void *crypto_clone_tfm(const struct crypto_type *frontend,
- struct crypto_tfm *otfm)
-{
- struct crypto_alg *alg = otfm->__crt_alg;
- struct crypto_tfm *tfm;
- char *mem;
-
- mem = ERR_PTR(-ESTALE);
- if (unlikely(!crypto_mod_get(alg)))
- goto out;
-
- mem = crypto_alloc_tfmmem(alg, frontend, otfm->node, GFP_ATOMIC);
- if (IS_ERR(mem)) {
- crypto_mod_put(alg);
- goto out;
- }
-
- tfm = (struct crypto_tfm *)(mem + frontend->tfmsize);
- tfm->crt_flags = otfm->crt_flags;
- tfm->fb = tfm;
-
-out:
- return mem;
-}
-EXPORT_SYMBOL_GPL(crypto_clone_tfm);
-
struct crypto_alg *crypto_find_alg(const char *alg_name,
const struct crypto_type *frontend,
u32 type, u32 mask)
{
if (frontend) {
diff --git a/crypto/internal.h b/crypto/internal.h
index 8fbe0226d48e2..96f84abfac91e 100644
--- a/crypto/internal.h
+++ b/crypto/internal.h
@@ -124,12 +124,10 @@ struct crypto_tfm *__crypto_alloc_tfmgfp(struct crypto_alg *alg, u32 type,
u32 mask, gfp_t gfp);
struct crypto_tfm *__crypto_alloc_tfm(struct crypto_alg *alg, u32 type,
u32 mask);
void *crypto_create_tfm_node(struct crypto_alg *alg,
const struct crypto_type *frontend, int node);
-void *crypto_clone_tfm(const struct crypto_type *frontend,
- struct crypto_tfm *otfm);
static inline void *crypto_create_tfm(struct crypto_alg *alg,
const struct crypto_type *frontend)
{
return crypto_create_tfm_node(alg, frontend, NUMA_NO_NODE);
--
2.53.0
^ permalink raw reply related [flat|nested] 13+ messages in thread
* Re: [RFC PATCH 0/8] Reimplement TCP-AO using crypto library
2026-03-07 22:43 [RFC PATCH 0/8] Reimplement TCP-AO using crypto library Eric Biggers
` (7 preceding siblings ...)
2026-03-07 22:43 ` [RFC PATCH 8/8] crypto: api - Remove core support for cloning tfms Eric Biggers
@ 2026-03-09 8:17 ` Ard Biesheuvel
2026-03-09 22:33 ` Dmitry Safonov
9 siblings, 0 replies; 13+ messages in thread
From: Ard Biesheuvel @ 2026-03-09 8:17 UTC (permalink / raw)
To: Eric Biggers, netdev
Cc: linux-crypto, linux-kernel, Eric Dumazet, Neal Cardwell,
Kuniyuki Iwashima, David S . Miller, David Ahern, Jakub Kicinski,
Paolo Abeni, Simon Horman, Jason A . Donenfeld, Herbert Xu,
Dmitry Safonov
On Sat, 7 Mar 2026, at 23:43, Eric Biggers wrote:
> This series can also be retrieved from:
>
> git fetch
> https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux.git
> tcp-ao-v1
>
> For now this series is an RFC, since it depends on the AES-CMAC library
> API that is queued in libcrypto-next for 7.1. So, the soonest that this
> could be applied to net-next is 7.2. I'm sending it out now in case
> anyone has any early feedback.
>
> This series refactors the TCP-AO (TCP Authentication Option) code to do
> MAC and KDF computations using lib/crypto/ instead of crypto_ahash.
> This greatly simplifies the code and makes it much more efficient. The
> entire tcp_sigpool and crypto_ahash cloning mechanisms become
> unnecessary and are removed, as the problems they were designed to solve
> don't exist with the library APIs.
>
> To make this possible, this series also restricts the supported
> algorithms to a reasonable set, rather than supporting arbitrary
> algorithms that don't make sense and are very likely not being used.
> Specifically, this series leaves in place the support for AES-128-CMAC
> and HMAC-SHA1 which are the only algorithms that actually have an RFC
> specifying their use in TCP-AO, along with HMAC-SHA256 which is a
> reasonable algorithm to continue supporting as a Linux extension.
>
> This passes the tcp_ao selftests (tools/testing/selftests/net/tcp_ao).
>
> To get a sense for how much more efficient this makes the TCP-AO code,
> here's a microbenchmark for tcp_ao_hash_skb() with skb->len == 128:
>
> Algorithm Avg cycles (before) Avg cycles (after)
> --------- ------------------- ------------------
> HMAC-SHA1 3319 1256
> HMAC-SHA256 3311 1344
> AES-128-CMAC 2720 1107
>
> Eric Biggers (8):
> net/tcp-ao: Drop support for most non-RFC-specified algorithms
> net/tcp-ao: Use crypto library API instead of crypto_ahash
> net/tcp-ao: Use stack-allocated MAC and traffic_key buffers
> net/tcp-ao: Return void from functions that can no longer fail
> net/tcp: Remove tcp_sigpool
> crypto: hash - Remove support for cloning hash tfms
> crypto: cipher - Remove support for cloning cipher tfms
> crypto: api - Remove core support for cloning tfms
>
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
I wonder how widely this is being used, given that there are much cheaper options than CMAC or HMAC, and nobody bothered to ratify the HMAC-SHA256 draft.
Anybody have any insights?
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [RFC PATCH 0/8] Reimplement TCP-AO using crypto library
2026-03-07 22:43 [RFC PATCH 0/8] Reimplement TCP-AO using crypto library Eric Biggers
` (8 preceding siblings ...)
2026-03-09 8:17 ` [RFC PATCH 0/8] Reimplement TCP-AO using crypto library Ard Biesheuvel
@ 2026-03-09 22:33 ` Dmitry Safonov
2026-03-09 23:30 ` Eric Biggers
9 siblings, 1 reply; 13+ messages in thread
From: Dmitry Safonov @ 2026-03-09 22:33 UTC (permalink / raw)
To: Eric Biggers
Cc: netdev, linux-crypto, linux-kernel, Eric Dumazet, Neal Cardwell,
Kuniyuki Iwashima, David S . Miller, David Ahern, Jakub Kicinski,
Paolo Abeni, Simon Horman, Ard Biesheuvel, Jason A . Donenfeld,
Herbert Xu
Hi Eric,
On Sat, 7 Mar 2026 at 22:46, Eric Biggers <ebiggers@kernel.org> wrote:
[..]
> This series refactors the TCP-AO (TCP Authentication Option) code to do
> MAC and KDF computations using lib/crypto/ instead of crypto_ahash.
> This greatly simplifies the code and makes it much more efficient. The
> entire tcp_sigpool and crypto_ahash cloning mechanisms become
> unnecessary and are removed, as the problems they were designed to solve
> don't exist with the library APIs.
>
> To make this possible, this series also restricts the supported
> algorithms to a reasonable set, rather than supporting arbitrary
> algorithms that don't make sense and are very likely not being used.
> Specifically, this series leaves in place the support for AES-128-CMAC
> and HMAC-SHA1 which are the only algorithms that actually have an RFC
> specifying their use in TCP-AO, along with HMAC-SHA256 which is a
> reasonable algorithm to continue supporting as a Linux extension.
>
> This passes the tcp_ao selftests (tools/testing/selftests/net/tcp_ao).
>
> To get a sense for how much more efficient this makes the TCP-AO code,
> here's a microbenchmark for tcp_ao_hash_skb() with skb->len == 128:
>
> Algorithm Avg cycles (before) Avg cycles (after)
> --------- ------------------- ------------------
> HMAC-SHA1 3319 1256
> HMAC-SHA256 3311 1344
> AES-128-CMAC 2720 1107
I like the numbers that you achieved here and tcp_sigpool riddance.
If you want to measure the throughput difference, there are iperf
hacks I made at the time of upstreaming TCP-AO:
https://github.com/0x7f454c46/iperf/tree/tcp-md5-ao
We certainly have to support AES-128-CMAC, HMAC-SHA1 and HMAC-SHA2.
For the last one, we specifically had an RFE from a customer.
It's a little pity to go from ">> Additional algorithms, beyond those
mandated for TCP-AO, MAY be supported." back to "The
mandatory-to-implement MAC algorithms for use with TCP-AO are
described in a separate RFC [RFC5926]." as I've always enjoyed Linux
(and opensource in general) that provides more flexibility than just
strict mandatory required options - that's why I originally
intentionally gave a user options to use not only mandatory
algorithms. Well, that's sentimental, and yet I see that other BGP
implementations already allow these optional algorithms.
I.e.:
"Of course, TCP-AO key contains a shared secret key. It is specified
by the option secret as a text string or as a sequence of hexadecimal
digit pairs (bytestring).
Used cryptographic algorithm can be specified for each key with the
option algorithm. Possible values are: hmac md5, hmac sha1, hmac
sha224, hmac sha256, hmac sha384, hmac sha512, and cmac aes128.
Default value is hmac sha1." [1][2]
I guess that may cause a regression for an existing config.
So, I don't know, could we get your big speedup and yet let the user
choose what algorithm they want to use? Basically, making
tcp_ao_hash_skb() a callback with optional algorithms implementation
and a faster mandatory algorithms that will use
hmac_sha1_init_usingrawkey(), hmac_sha256_init_usingrawkey(),
aes_cmac_preparekey()?
[1] https://bird.nic.cz/doc/bird-3.2.0.html
[2] https://github.com/CZ-NIC/bird/blob/0ee9f93bd076c5cc425ceaec9acedbbb7c9021ec/sysdep/linux/sysio.h#L246
Thanks,
Dmitry
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [RFC PATCH 0/8] Reimplement TCP-AO using crypto library
2026-03-09 22:33 ` Dmitry Safonov
@ 2026-03-09 23:30 ` Eric Biggers
2026-03-10 7:42 ` Ard Biesheuvel
0 siblings, 1 reply; 13+ messages in thread
From: Eric Biggers @ 2026-03-09 23:30 UTC (permalink / raw)
To: Dmitry Safonov
Cc: netdev, linux-crypto, linux-kernel, Eric Dumazet, Neal Cardwell,
Kuniyuki Iwashima, David S . Miller, David Ahern, Jakub Kicinski,
Paolo Abeni, Simon Horman, Ard Biesheuvel, Jason A . Donenfeld,
Herbert Xu
On Mon, Mar 09, 2026 at 10:33:32PM +0000, Dmitry Safonov wrote:
> I like the numbers that you achieved here and tcp_sigpool riddance.
> If you want to measure the throughput difference, there are iperf
> hacks I made at the time of upstreaming TCP-AO:
> https://github.com/0x7f454c46/iperf/tree/tcp-md5-ao
>
> We certainly have to support AES-128-CMAC, HMAC-SHA1 and HMAC-SHA2.
> For the last one, we specifically had an RFE from a customer.
>
> It's a little pity to go from ">> Additional algorithms, beyond those
> mandated for TCP-AO, MAY be supported." back to "The
> mandatory-to-implement MAC algorithms for use with TCP-AO are
> described in a separate RFC [RFC5926]." as I've always enjoyed Linux
> (and opensource in general) that provides more flexibility than just
> strict mandatory required options
>
> I.e.:
> "Of course, TCP-AO key contains a shared secret key. It is specified
> by the option secret as a text string or as a sequence of hexadecimal
> digit pairs (bytestring).
> Used cryptographic algorithm can be specified for each key with the
> option algorithm. Possible values are: hmac md5, hmac sha1, hmac
> sha224, hmac sha256, hmac sha384, hmac sha512, and cmac aes128.
> Default value is hmac sha1." [1][2]
>
> I guess that may cause a regression for an existing config.
> So, I don't know, could we get your big speedup and yet let the user
> choose what algorithm they want to use? Basically, making
> tcp_ao_hash_skb() a callback with optional algorithms implementation
> and a faster mandatory algorithms that will use
> hmac_sha1_init_usingrawkey(), hmac_sha256_init_usingrawkey(),
> aes_cmac_preparekey()?
>
> [1] https://bird.nic.cz/doc/bird-3.2.0.html
> [2] https://github.com/CZ-NIC/bird/blob/0ee9f93bd076c5cc425ceaec9acedbbb7c9021ec/sysdep/linux/sysio.h#L246
This series already preserves the nonstandard but reasonable HMAC-SHA256
support as a Linux extension. And users retain a choice of algorithms.
Maybe think of it as helping them make that choice by dropping things
that we know (but the user may not know) should not be chosen.
I mean, even CRC-32 was an option for the MAC. Really? That's
something that should be a CVE, not a "feature that demonstrates the
flexibility of open source software".
Offering all four variants of HMAC-SHA2 is also almost entirely
pointless here, given that TCP-AO MACs are limited to 20 bytes by the
TCP options space anyway.
If there are specific additional algorithm(s) that are actually needed
for backwards compatibility, then we can add them to the list of
algorithms that the new implementation supports. However, do you
actually know of any user using anything other than HMAC-SHA1,
HMAC-SHA256, or AES-128-CMAC? If so, what is their use case?
But let's not keep the crypto_ahash based implementation of TCP-AO
around as well, as there's a massive amount of complexity and
inefficiency in it. I think this series makes that very clear.
- Eric
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [RFC PATCH 0/8] Reimplement TCP-AO using crypto library
2026-03-09 23:30 ` Eric Biggers
@ 2026-03-10 7:42 ` Ard Biesheuvel
0 siblings, 0 replies; 13+ messages in thread
From: Ard Biesheuvel @ 2026-03-10 7:42 UTC (permalink / raw)
To: Eric Biggers, Dmitry Safonov
Cc: netdev, linux-crypto, linux-kernel, Eric Dumazet, Neal Cardwell,
Kuniyuki Iwashima, David S . Miller, David Ahern, Jakub Kicinski,
Paolo Abeni, Simon Horman, Jason A . Donenfeld, Herbert Xu
On Tue, 10 Mar 2026, at 00:30, Eric Biggers wrote:
> On Mon, Mar 09, 2026 at 10:33:32PM +0000, Dmitry Safonov wrote:
>> I like the numbers that you achieved here and tcp_sigpool riddance.
>> If you want to measure the throughput difference, there are iperf
>> hacks I made at the time of upstreaming TCP-AO:
>> https://github.com/0x7f454c46/iperf/tree/tcp-md5-ao
>>
>> We certainly have to support AES-128-CMAC, HMAC-SHA1 and HMAC-SHA2.
>> For the last one, we specifically had an RFE from a customer.
>>
>> It's a little pity to go from ">> Additional algorithms, beyond those
>> mandated for TCP-AO, MAY be supported." back to "The
>> mandatory-to-implement MAC algorithms for use with TCP-AO are
>> described in a separate RFC [RFC5926]." as I've always enjoyed Linux
>> (and opensource in general) that provides more flexibility than just
>> strict mandatory required options
>>
>> I.e.:
>> "Of course, TCP-AO key contains a shared secret key. It is specified
>> by the option secret as a text string or as a sequence of hexadecimal
>> digit pairs (bytestring).
>> Used cryptographic algorithm can be specified for each key with the
>> option algorithm. Possible values are: hmac md5, hmac sha1, hmac
>> sha224, hmac sha256, hmac sha384, hmac sha512, and cmac aes128.
>> Default value is hmac sha1." [1][2]
>>
>> I guess that may cause a regression for an existing config.
>> So, I don't know, could we get your big speedup and yet let the user
>> choose what algorithm they want to use? Basically, making
>> tcp_ao_hash_skb() a callback with optional algorithms implementation
>> and a faster mandatory algorithms that will use
>> hmac_sha1_init_usingrawkey(), hmac_sha256_init_usingrawkey(),
>> aes_cmac_preparekey()?
>>
>> [1] https://bird.nic.cz/doc/bird-3.2.0.html
>> [2] https://github.com/CZ-NIC/bird/blob/0ee9f93bd076c5cc425ceaec9acedbbb7c9021ec/sysdep/linux/sysio.h#L246
>
> This series already preserves the nonstandard but reasonable HMAC-SHA256
> support as a Linux extension. And users retain a choice of algorithms.
> Maybe think of it as helping them make that choice by dropping things
> that we know (but the user may not know) should not be chosen.
>
> I mean, even CRC-32 was an option for the MAC. Really? That's
> something that should be a CVE, not a "feature that demonstrates the
> flexibility of open source software".
>
> Offering all four variants of HMAC-SHA2 is also almost entirely
> pointless here, given that TCP-AO MACs are limited to 20 bytes by the
> TCP options space anyway.
>
> If there are specific additional algorithm(s) that are actually needed
> for backwards compatibility, then we can add them to the list of
> algorithms that the new implementation supports. However, do you
> actually know of any user using anything other than HMAC-SHA1,
> HMAC-SHA256, or AES-128-CMAC? If so, what is their use case?
>
> But let's not keep the crypto_ahash based implementation of TCP-AO
> around as well, as there's a massive amount of complexity and
> inefficiency in it. I think this series makes that very clear.
>
Agree that supporting arbitrary algorithms is a bug, not a feature, and if anyone does notice that a combination that actually makes /some/ sense no longer works, we can always add it back in library form (even though generating a 64-byte SHA-512 digest and truncating it to 20 bytes seems kind of pointless). But supporting CRC-32 or HMAC-MD5 is just ridiculous so let's not go there.
^ permalink raw reply [flat|nested] 13+ messages in thread
end of thread, other threads:[~2026-03-10 7:42 UTC | newest]
Thread overview: 13+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-07 22:43 [RFC PATCH 0/8] Reimplement TCP-AO using crypto library Eric Biggers
2026-03-07 22:43 ` [RFC PATCH 1/8] net/tcp-ao: Drop support for most non-RFC-specified algorithms Eric Biggers
2026-03-07 22:43 ` [RFC PATCH 2/8] net/tcp-ao: Use crypto library API instead of crypto_ahash Eric Biggers
2026-03-07 22:43 ` [RFC PATCH 3/8] net/tcp-ao: Use stack-allocated MAC and traffic_key buffers Eric Biggers
2026-03-07 22:43 ` [RFC PATCH 4/8] net/tcp-ao: Return void from functions that can no longer fail Eric Biggers
2026-03-07 22:43 ` [RFC PATCH 5/8] net/tcp: Remove tcp_sigpool Eric Biggers
2026-03-07 22:43 ` [RFC PATCH 6/8] crypto: hash - Remove support for cloning hash tfms Eric Biggers
2026-03-07 22:43 ` [RFC PATCH 7/8] crypto: cipher - Remove support for cloning cipher tfms Eric Biggers
2026-03-07 22:43 ` [RFC PATCH 8/8] crypto: api - Remove core support for cloning tfms Eric Biggers
2026-03-09 8:17 ` [RFC PATCH 0/8] Reimplement TCP-AO using crypto library Ard Biesheuvel
2026-03-09 22:33 ` Dmitry Safonov
2026-03-09 23:30 ` Eric Biggers
2026-03-10 7:42 ` Ard Biesheuvel
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox