Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

sctp: Stop accepting md5 and sha1 for net.sctp.cookie_hmac_alg

The upgrade of the cookie authentication algorithm to HMAC-SHA256 kept
some backwards compatibility for the net.sctp.cookie_hmac_alg sysctl by
still accepting the values 'md5' and 'sha1'. Those algorithms are no
longer actually used, but rather those values were just treated as
requests to enable cookie authentication.

As requested at
https://lore.kernel.org/netdev/CADvbK_fmCRARc8VznH8cQa-QKaCOQZ6yFbF=1-VDK=zRqv_cXw@mail.gmail.com/
and https://lore.kernel.org/netdev/20250818084345.708ac796@kernel.org/ ,
go further and start rejecting 'md5' and 'sha1' completely.

Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Link: https://patch.msgid.link/20250818205426.30222-6-ebiggers@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

authored by Eric Biggers and committed by Jakub Kicinski
d5a25370 2f3dd6ec

+1 -6
-3
Documentation/networking/ip-sysctl.rst
··· 3511 3511 * sha256 3512 3512 * none 3513 3513 3514 - md5 and sha1 are also accepted for backwards compatibility, but cause 3515 - sha256 to be selected. 3516 - 3517 3514 Default: sha256 3518 3515 3519 3516 rcvbuf_policy - INTEGER
+1 -3
net/sctp/sysctl.c
··· 401 401 ret = proc_dostring(&tbl, 1, buffer, lenp, ppos); 402 402 if (ret) 403 403 return ret; 404 - if (!strcmp(tmp, "sha256") || 405 - /* for backwards compatibility */ 406 - !strcmp(tmp, "md5") || !strcmp(tmp, "sha1")) { 404 + if (!strcmp(tmp, "sha256")) { 407 405 net->sctp.cookie_auth_enable = 1; 408 406 return 0; 409 407 }
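Review bot: In the Documentation/networking/ip-sysctl.rst hunk, deleting the md5/sha1 sentence leaves the cookie_hmac_alg entry silent about values that were accepted until now and are rejected after this change. Consider replacing the removed lines with one sentence stating that md5 and sha1 are no longer accepted, so an administrator whose sysctl configuration still sets one of them can tell from the documentation why the write fails.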
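Review bot: In the net/sctp/sysctl.c hunk, once the condition is narrowed to `if (!strcmp(tmp, "sha256")) {`, a write of md5 or sha1 falls through to the code after this block, which is not visible in the context shown. Please confirm that path returns an error and leaves net->sctp.cookie_auth_enable untouched, so that a rejected legacy value keeps the previous setting instead of changing whether cookie authentication is enabled.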