lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <59755b49-fb81-41bf-8875-17e0215f1d8e@kernel.org>
Date: Sun, 16 Nov 2025 10:45:47 -0700
From: David Ahern <dsahern@...nel.org>
To: Eric Biggers <ebiggers@...nel.org>,
 Stephen Hemminger <stephen@...workplumber.org>
Cc: linux-crypto@...r.kernel.org, Ard Biesheuvel <ardb@...nel.org>,
 netdev@...r.kernel.org, bpf@...r.kernel.org
Subject: Re: [PATCH iproute2-next v2] lib/bpf_legacy: Use userspace SHA-1 code
 instead of AF_ALG

On 11/11/25 9:07 PM, Eric Biggers wrote:
> [Adding David Ahern.  I overlooked that iproute2 has separate
> maintainers for the main tree and the next tree.]
> 
> On Mon, Sep 29, 2025 at 12:46:48PM -0700, Eric Biggers wrote:
>> Add a basic SHA-1 implementation to lib/, and make lib/bpf_legacy.c use
>> it to calculate SHA-1 digests instead of the previous AF_ALG-based code.
>>
>> This eliminates the dependency on AF_ALG, specifically the kernel config
>> options CONFIG_CRYPTO_USER_API_HASH and CONFIG_CRYPTO_SHA1.
>>
>> Over the years AF_ALG has been very problematic, and it is also not
>> supported on all kernels.  Escalating to the kernel's privileged
>> execution context merely to calculate software algorithms, which can be
>> done in userspace instead, is not something that should have ever been
>> supported.  Even on kernels that support it, the syscall overhead of
>> AF_ALG means that it is often slower than userspace code.
>>
>> Let's do the right thing here, and allow people to disable AF_ALG
>> support (or not enable it) on systems where iproute2 is the only user.
>>
>> Acked-by: Ard Biesheuvel <ardb@...nel.org>
>> Signed-off-by: Eric Biggers <ebiggers@...nel.org>
> 
> Stephen and David, any interest in applying this patch?
> 
> - Eric

I do not have a strong opinion in either direction.

If we are going to entertain removing AF_ALG code, we should apply the
patch to iproute2-next at the beginning of a dev cycle to give maximum
time for testing before it rolls out.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ