Message-ID: <20250310165857.3584612-5-nstange@suse.de>
Date: Mon, 10 Mar 2025 17:58:57 +0100
From: Nicolai Stange <nstange@...e.de>
To: "David S. Miller" <davem@...emloft.net>,
David Ahern <dsahern@...nel.org>
Cc: Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>,
Simon Horman <horms@...nel.org>,
netdev@...r.kernel.org,
linux-kernel@...r.kernel.org,
Nicolai Stange <nstange@...e.de>
Subject: [PATCH v1 4/4] ipv6: sr: continue initialization at ENOENT HMAC instantiation failures
As it currently stands, the IPv6 SR HMAC __init, and thus the IPv6
subsystem's __init, would fail to come up if any of the HMAC algo
instantiations failed.

This used to be fine, as they usually don't. However, that situation will
change, because NIST announced that it will sunset SHA1 by 2030, and then at
the latest, instantiations thereof through the cryptomgr will have to be made
to fail with -ENOENT when booted in FIPS mode. Note that the sunset date has
implications on certificates' lifetimes for those issued today already, so
distributions might be eager to disable SHA1 in FIPS mode downstream
starting now.

Make seg6_hmac_init_algos() ignore ENOENT HMAC algo instantiation
errors. Note that in this case, a failed algo will have its ->tfms == NULL,
and __hmac_get_algo() would filter such ones already.
Signed-off-by: Nicolai Stange <nstange@...e.de>
---
net/ipv6/seg6_hmac.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/ipv6/seg6_hmac.c b/net/ipv6/seg6_hmac.c
index 85e90d8d8050..4a63ee4dbf7e 100644
--- a/net/ipv6/seg6_hmac.c
+++ b/net/ipv6/seg6_hmac.c
@@ -433,7 +433,7 @@ static int seg6_hmac_init_algos(void)
alg_count = ARRAY_SIZE(hmac_algos);
for (i = 0; i < alg_count; i++) {
ret = seg6_hmac_init_algo(&hmac_algos[i]);
- if (ret)
+ if (ret && ret != -ENOENT)
goto error_out;
}
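Review bot: the new `ret != -ENOENT` test in the loop skips an unavailable algorithm without a comment or a log line, so an administrator on a FIPS-mode system gets no indication that an SR HMAC algorithm is missing until lookups for it start failing. Consider a short comment above the check explaining why -ENOENT is tolerated (the algo keeps ->tfms == NULL and __hmac_get_algo() filters it, as the commit message says) and a one-time informational message naming the skipped algorithm. Also note that `ret` still holds -ENOENT when the last entry of hmac_algos is the one that fails; the code after the loop is not visible in this hunk, so it is worth confirming that the success path does not return `ret` at that point.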
--
2.47.1