ipsec-next-2026-04-08

-----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEH7ZpcWbFyOOp6OJbrB3Eaf9PW7cFAmnWIe8ACgkQrB3Eaf9P W7dDqRAAho59mSQlQAaoj6lkPlBCR8/TZrEHWXeTZvWzzyILiE8GJGdkMoUOk47S QR2YJ7xTg/eAALJFFPCKj82k5GOt2CjOo30BS901zdBhSZbN/H+tW57QfYRegR3o BFZ0eBCDc5FHQYRl8QbCi2XtF4Sqr8erLIvNwfaOiuoPCZmoehD2kyMpPhb/w9qQ DD0OsYWjZuhBP+MwHGCsmtMBoesVKI/86HV0LpeyH7uU+928Tf+TcACJzkLMrUcE AwrvTL3Mvp2ljsm9mw6mElyiAqemQHM87yg8BrR7NoXlahAEOJx8UWchKpAgGXv5 bO8ng0Y8lNcuG+tN7rVk4/KeyjGNSW6ubRKfZbast6aoj5LfUhOIxxMTyYOEU5rH wKbIX00ilONs8S+kK/S4D0/1EdszOB/WVUTN5yEH1+FxkpvMGs3LUfhEjzfk9Lnz sT1ZF65YNwR0qa1SaIU4kYM543mlr/CrFgoPx5VOu0+jG+xCVWiC8fy+/SD688ht VTQGf8Y6gGX0yRMYJeauHHCBeMwbF7WEu7MYSi+4+7uUCYexh700QpOjaYLrTpgS NLpT9JPvuyWQ389DjJ+h5cpTqIsLrNs6+SXo+mZ6nkubGe+HRKZnLFwXj+41p3hE tUv+EcZTKDa+YVGymVcjORC5JjqvJXXklqQFeROuoamdJF0M96c= =0E3L -----END PGP SIGNATURE----- Merge tag 'ipsec-next-2026-04-08' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next Steffen Klassert says: ==================== pull request (net-next): ipsec-next 2026-04-08 1) Update outdated comment in xfrm_dst_check(). From kexinsun. 2) Drop support for HMAC-RIPEMD-160 from IPsec. From Eric Biggers. * tag 'ipsec-next-2026-04-08' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next: xfrm: Drop support for HMAC-RIPEMD-160 xfrm: update outdated comment ==================== Link: https://patch.msgid.link/20260408094258.148555-1-steffen.klassert@secunet.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-12 16:18:45 +02:00 · 2026-04-08 18:51:54 -07:00 · 2026-04-08 18:51:54 -07:00 · ea0f90d1ed
commit ea0f90d1ed
parent b3e69fc319 05d42dc8ab
3 changed files with 3 additions and 27 deletions
--- a/net/xfrm/xfrm_algo.c
+++ b/net/xfrm/xfrm_algo.c
@ -290,26 +290,6 @@ static struct xfrm_algo_desc aalg_list[] = {
 		.sadb_alg_maxbits = 512
 	}
 },
-{
-	.name = "hmac(rmd160)",
-	.compat = "rmd160",
-
-	.uinfo = {
-		.auth = {
-			.icv_truncbits = 96,
-			.icv_fullbits = 160,
-		}
-	},
-
-	.pfkey_supported = 1,
-
-	.desc = {
-		.sadb_alg_id = SADB_X_AALG_RIPEMD160HMAC,
-		.sadb_alg_ivlen = 0,
-		.sadb_alg_minbits = 160,
-		.sadb_alg_maxbits = 160
-	}
-},
 {
 	.name = "xcbc(aes)",

--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@ -3917,7 +3917,7 @@ EXPORT_SYMBOL(__xfrm_route_forward);

 static struct dst_entry *xfrm_dst_check(struct dst_entry *dst, u32 cookie)
 {
-	/* Code (such as __xfrm4_bundle_create()) sets dst->obsolete
+	/* Code (such as xfrm_bundle_create()) sets dst->obsolete
 	 * to DST_OBSOLETE_FORCE_CHK to force all XFRM destinations to
 	 * get validated by dst_ops->check on every use.  We do this
 	 * because when a normal route referenced by an XFRM dst is
--- a/tools/testing/selftests/net/ipsec.c
+++ b/tools/testing/selftests/net/ipsec.c
@ -62,8 +62,6 @@
 #define VETH_FMT	"ktst-%d"
 #define VETH_LEN	12

-#define XFRM_ALGO_NR_KEYS 29
-
 static int nsfd_parent	= -1;
 static int nsfd_childa	= -1;
 static int nsfd_childb	= -1;
@ -96,7 +94,6 @@ struct xfrm_key_entry xfrm_key_entries[] = {
 	{"cbc(cast5)", 128},
 	{"cbc(serpent)", 128},
 	{"hmac(sha1)", 160},
-	{"hmac(rmd160)", 160},
 	{"cbc(des3_ede)", 192},
 	{"hmac(sha256)", 256},
 	{"cbc(aes)", 256},
@ -813,7 +810,7 @@ static int xfrm_fill_key(char *name, char *buf,
 {
 	int i;

-	for (i = 0; i < XFRM_ALGO_NR_KEYS; i++) {
+	for (i = 0; i < ARRAY_SIZE(xfrm_key_entries); i++) {
 		if (strncmp(name, xfrm_key_entries[i].algo_name, ALGO_LEN) == 0)
 			*key_len = xfrm_key_entries[i].key_len;
 	}
@ -2061,8 +2058,7 @@ static int write_desc(int proto, int test_desc_fd,
 int proto_list[] = { IPPROTO_AH, IPPROTO_COMP, IPPROTO_ESP };
 char *ah_list[] = {
 	"digest_null", "hmac(md5)", "hmac(sha1)", "hmac(sha256)",
-	"hmac(sha384)", "hmac(sha512)", "hmac(rmd160)",
-	"xcbc(aes)", "cmac(aes)"
+	"hmac(sha384)", "hmac(sha512)", "xcbc(aes)", "cmac(aes)"
 };
 char *comp_list[] = {
 	"deflate",