diff options
| author | Eric Biggers <ebiggers@kernel.org> | 2026-04-04 18:15:13 -0700 |
|---|---|---|
| committer | Steffen Klassert <steffen.klassert@secunet.com> | 2026-04-07 10:47:58 +0200 |
| commit | 05d42dc8ab92aa54aaeb1c033927c88fd2accba4 (patch) | |
| tree | 321896f1c490c99872e736edc249f5af3bd433e4 /net/xfrm | |
| parent | be14d13625c9b070c33c423026b598ed65695225 (diff) | |
| download | lwn-05d42dc8ab92aa54aaeb1c033927c88fd2accba4.tar.gz lwn-05d42dc8ab92aa54aaeb1c033927c88fd2accba4.zip | |
xfrm: Drop support for HMAC-RIPEMD-160
Drop support for HMAC-RIPEMD-160 from IPsec to reduce the UAPI surface
and simplify future maintenance. It's almost certainly unused.
RIPEMD-160 received some attention in the early 2000s when SHA-* weren't
quite as well established. But it never received much adoption outside
of certain niches such as Bitcoin.
It's actually unclear that Linux + IPsec + HMAC-RIPEMD-160 has *ever*
been used, even historically. When support for it was added in 2003, it
was done so in a "cleanup" commit without any justification [1]. It
didn't actually work until someone happened to fix it 5 years later [2].
That person didn't use or test it either [3]. Finally, also note that
"hmac(rmd160)" is by far the slowest of the algorithms in aalg_list[].
Of course, today IPsec is usually used with an AEAD, such as AES-GCM.
But even for IPsec users still using a dedicated auth algorithm, they
almost certainly aren't using, and shouldn't use, HMAC-RIPEMD-160.
Thus, let's just drop support for it. Note: no kconfig update is
needed, since CRYPTO_RMD160 wasn't actually being selected anyway.
References:
[1] linux-history commit d462985fc1941a47
("[IPSEC]: Clean up key manager algorithm handling.")
[2] linux commit a13366c632132bb9
("xfrm: xfrm_algo: correct usage of RIPEMD-160")
[3] https://lore.kernel.org/all/1212340578-15574-1-git-send-email-rueegsegger@swiss-it.ch
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Diffstat (limited to 'net/xfrm')
| -rw-r--r-- | net/xfrm/xfrm_algo.c | 20 |
1 files changed, 0 insertions, 20 deletions
diff --git a/net/xfrm/xfrm_algo.c b/net/xfrm/xfrm_algo.c index 749011e031c0..70434495f23f 100644 --- a/net/xfrm/xfrm_algo.c +++ b/net/xfrm/xfrm_algo.c @@ -291,26 +291,6 @@ static struct xfrm_algo_desc aalg_list[] = { } }, { - .name = "hmac(rmd160)", - .compat = "rmd160", - - .uinfo = { - .auth = { - .icv_truncbits = 96, - .icv_fullbits = 160, - } - }, - - .pfkey_supported = 1, - - .desc = { - .sadb_alg_id = SADB_X_AALG_RIPEMD160HMAC, - .sadb_alg_ivlen = 0, - .sadb_alg_minbits = 160, - .sadb_alg_maxbits = 160 - } -}, -{ .name = "xcbc(aes)", .uinfo = { |