Re: [PATCH iproute2-next v2] lib/bpf_legacy: Use userspace SHA-1 code instead of AF_ALG
From: Eric Biggers <ebiggers@kernel.org>
Date: 2025-11-12 04:07:21
Also in:
bpf, linux-crypto
[Adding David Ahern. I overlooked that iproute2 has separate maintainers for the main tree and the next tree.]

On Mon, Sep 29, 2025 at 12:46:48PM -0700, Eric Biggers wrote:
> Add a basic SHA-1 implementation to lib/, and make lib/bpf_legacy.c use
> it to calculate SHA-1 digests instead of the previous AF_ALG-based code.
>
> This eliminates the dependency on AF_ALG, specifically the kernel config
> options CONFIG_CRYPTO_USER_API_HASH and CONFIG_CRYPTO_SHA1.
>
> Over the years AF_ALG has been very problematic, and it is also not
> supported on all kernels. Escalating to the kernel's privileged
> execution context merely to calculate software algorithms, which can be
> done in userspace instead, is not something that should have ever been
> supported. Even on kernels that support it, the syscall overhead of
> AF_ALG means that it is often slower than userspace code.
>
> Let's do the right thing here, and allow people to disable AF_ALG
> support (or not enable it) on systems where iproute2 is the only user.
>
> Acked-by: Ard Biesheuvel <ardb@kernel.org>
> Signed-off-by: Eric Biggers <ebiggers@kernel.org>

Stephen and David, any interest in applying this patch?

- Eric