From d5a253702add0da3e1e19252ae2a251ee24b486d Mon Sep 17 00:00:00 2001 From: Eric Biggers Date: Mon, 18 Aug 2025 13:54:26 -0700 Subject: [PATCH] sctp: Stop accepting md5 and sha1 for net.sctp.cookie_hmac_alg The upgrade of the cookie authentication algorithm to HMAC-SHA256 kept some backwards compatibility for the net.sctp.cookie_hmac_alg sysctl by still accepting the values 'md5' and 'sha1'. Those algorithms are no longer actually used, but rather those values were just treated as requests to enable cookie authentication. As requested at https://lore.kernel.org/netdev/CADvbK_fmCRARc8VznH8cQa-QKaCOQZ6yFbF=1-VDK=zRqv_cXw@mail.gmail.com/ and https://lore.kernel.org/netdev/20250818084345.708ac796@kernel.org/ , go further and start rejecting 'md5' and 'sha1' completely. Signed-off-by: Eric Biggers Link: https://patch.msgid.link/20250818205426.30222-6-ebiggers@kernel.org Signed-off-by: Jakub Kicinski --- Documentation/networking/ip-sysctl.rst | 3 --- net/sctp/sysctl.c | 4 +--- 2 files changed, 1 insertion(+), 6 deletions(-) diff --git a/Documentation/networking/ip-sysctl.rst b/Documentation/networking/ip-sysctl.rst index 3d6782683eee..43badb338d22 100644 --- a/Documentation/networking/ip-sysctl.rst +++ b/Documentation/networking/ip-sysctl.rst @@ -3511,9 +3511,6 @@ cookie_hmac_alg - STRING * sha256 * none - md5 and sha1 are also accepted for backwards compatibility, but cause - sha256 to be selected. - Default: sha256 rcvbuf_policy - INTEGER diff --git a/net/sctp/sysctl.c b/net/sctp/sysctl.c index 19acc57c3ed9..15e7db9a3ab2 100644 --- a/net/sctp/sysctl.c +++ b/net/sctp/sysctl.c @@ -401,9 +401,7 @@ static int proc_sctp_do_hmac_alg(const struct ctl_table *ctl, int write, ret = proc_dostring(&tbl, 1, buffer, lenp, ppos); if (ret) return ret; - if (!strcmp(tmp, "sha256") || - /* for backwards compatibility */ - !strcmp(tmp, "md5") || !strcmp(tmp, "sha1")) { + if (!strcmp(tmp, "sha256")) { net->sctp.cookie_auth_enable = 1; return 0; } -- 2.51.0