| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250815180617.0bc1b974@kernel.org> Date: Fri, 15 Aug 2025 18:06:17 -0700 From: Jakub Kicinski <kuba@...nel.org> To: Eric Biggers <ebiggers@...nel.org> Cc: Xin Long <lucien.xin@...il.com>, Paolo Abeni <pabeni@...hat.com>, linux-sctp@...r.kernel.org, netdev@...r.kernel.org, Marcelo Ricardo Leitner <marcelo.leitner@...il.com>, linux-crypto@...r.kernel.org Subject: Re: [PATCH net-next v2 3/3] sctp: Convert cookie authentication to use HMAC-SHA256 On Fri, 15 Aug 2025 14:50:09 -0700 Eric Biggers wrote: > > > It'd be great to get an ack / review from SCTP maintainers, otherwise > > > we'll apply by Monday.. > > Other than that, LGTM. > > Sorry for the late reply, I was running some SCTP-auth related tests > > against the patchset. > > Ideally we'd just fail the write and remove the last mentions of md5 and > sha1 from the code. But I'm concerned there could be a case where > userspace is enabling cookie authentication by setting > cookie_hmac_alg=md5 or cookie_hmac_alg=sha1, and by just failing the > write the system would end up with cookie authentication not enabled. > > It would have been nice if this sysctl had just been a boolean toggle. > > A deprecation warning might be a good idea. How about the following on > top of this patch: No strong opinion but I find the deprecation warnings futile. Chances are we'll be printing this until the end of time. Either someone hard-cares and we'll need to revert, or nobody does and we can deprecate today.
Powered by blists - more mailing lists