Re: svn commit: r351246 - in stable: 11/sys/opencrypto 12/sys/opencrypto

Wed, 21 Aug 2019 09:02:12 -0700 

On 8/21/19 8:21 AM, mike tancsa wrote:
> On a busy server, I am getting a lot of these spewing to dmesg

I have a change staged for MFC that lets you adjust the warning intervals
so you can tone down the spam.

> Deprecated code (to be removed in FreeBSD 13): ARC4 cipher via /dev/crypto
> Deprecated code (to be removed in FreeBSD 13): DES cipher via /dev/crypto
> Deprecated code (to be removed in FreeBSD 13): 3DES cipher via /dev/crypto
> Deprecated code (to be removed in FreeBSD 13): Blowfish cipher via
> /dev/crypto
> Deprecated code (to be removed in FreeBSD 13): CAST128 cipher via
> /dev/crypto
> Deprecated code (to be removed in FreeBSD 13): ARC4 cipher via /dev/crypto
> Deprecated code (to be removed in FreeBSD 13): DES cipher via /dev/crypto
> Deprecated code (to be removed in FreeBSD 13): 3DES cipher via /dev/crypto
> Deprecated code (to be removed in FreeBSD 13): Blowfish cipher via
> /dev/crypto
> Deprecated code (to be removed in FreeBSD 13): CAST128 cipher via
> /dev/crypto
> 
> 
> What is the best way to try and track down what apps are triggering that ?

One might be to use 'procstat -af' to see which processes have crypto file
descriptors open (file descriptor type 'c').

The other approach would be to use dtrace with the fbt::_gone_in:entry
trace maybe building a count of process names or some such, something like:

dtrace -n 'fbt::_gone_in:entry { @counts[curthread->td_proc->p_comm] = count()'

Let that run and then Ctrl-C after you see some warnings.

>     ---Mike
> 
> On 8/19/2019 9:30 PM, John Baldwin wrote:
>> Author: jhb
>> Date: Tue Aug 20 01:30:35 2019
>> New Revision: 351246
>> URL: https://svnweb.freebsd.org/changeset/base/351246
>>
>> Log:
>>   MFC 348876: Add warnings to /dev/crypto for deprecated algorithms.
>>   
>>   These algorithms are deprecated algorithms that will have no in-kernel
>>   consumers in FreeBSD 13.  Specifically, deprecate the following
>>   algorithms:
>>   - ARC4
>>   - Blowfish
>>   - CAST128
>>   - DES
>>   - 3DES
>>   - MD5-HMAC
>>   - Skipjack
>>   
>>   Relnotes:  yes
>>
>> Modified:
>>   stable/11/sys/opencrypto/cryptodev.c
>> Directory Properties:
>>   stable/11/   (props changed)
>>
>> Changes in other areas also in this revision:
>> Modified:
>>   stable/12/sys/opencrypto/cryptodev.c
>> Directory Properties:
>>   stable/12/   (props changed)
>>
>> Modified: stable/11/sys/opencrypto/cryptodev.c
>> ==============================================================================
>> --- stable/11/sys/opencrypto/cryptodev.c     Tue Aug 20 01:26:02 2019        
>> (r351245)
>> +++ stable/11/sys/opencrypto/cryptodev.c     Tue Aug 20 01:30:35 2019        
>> (r351246)
>> @@ -388,6 +388,9 @@ cryptof_ioctl(
>>      struct crypt_op copc;
>>      struct crypt_kop kopc;
>>  #endif
>> +    static struct timeval arc4warn, blfwarn, castwarn, deswarn, md5warn;
>> +    static struct timeval skipwarn, tdeswarn;
>> +    static struct timeval warninterval = { .tv_sec = 60, .tv_usec = 0 };
>>  
>>      switch (cmd) {
>>      case CIOCGSESSION:
>> @@ -408,18 +411,28 @@ cryptof_ioctl(
>>              case 0:
>>                      break;
>>              case CRYPTO_DES_CBC:
>> +                    if (ratecheck(&deswarn, &warninterval))
>> +                            gone_in(13, "DES cipher via /dev/crypto");
>>                      txform = &enc_xform_des;
>>                      break;
>>              case CRYPTO_3DES_CBC:
>> +                    if (ratecheck(&tdeswarn, &warninterval))
>> +                            gone_in(13, "3DES cipher via /dev/crypto");
>>                      txform = &enc_xform_3des;
>>                      break;
>>              case CRYPTO_BLF_CBC:
>> +                    if (ratecheck(&blfwarn, &warninterval))
>> +                            gone_in(13, "Blowfish cipher via /dev/crypto");
>>                      txform = &enc_xform_blf;
>>                      break;
>>              case CRYPTO_CAST_CBC:
>> +                    if (ratecheck(&castwarn, &warninterval))
>> +                            gone_in(13, "CAST128 cipher via /dev/crypto");
>>                      txform = &enc_xform_cast5;
>>                      break;
>>              case CRYPTO_SKIPJACK_CBC:
>> +                    if (ratecheck(&skipwarn, &warninterval))
>> +                            gone_in(13, "Skipjack cipher via /dev/crypto");
>>                      txform = &enc_xform_skipjack;
>>                      break;
>>              case CRYPTO_AES_CBC:
>> @@ -432,6 +445,8 @@ cryptof_ioctl(
>>                      txform = &enc_xform_null;
>>                      break;
>>              case CRYPTO_ARC4:
>> +                    if (ratecheck(&arc4warn, &warninterval))
>> +                            gone_in(13, "ARC4 cipher via /dev/crypto");
>>                      txform = &enc_xform_arc4;
>>                      break;
>>              case CRYPTO_CAMELLIA_CBC:
>> @@ -454,6 +469,9 @@ cryptof_ioctl(
>>              case 0:
>>                      break;
>>              case CRYPTO_MD5_HMAC:
>> +                    if (ratecheck(&md5warn, &warninterval))
>> +                            gone_in(13,
>> +                                "MD5-HMAC authenticator via /dev/crypto");
>>                      thash = &auth_hash_hmac_md5;
>>                      break;
>>              case CRYPTO_SHA1_HMAC:
>> _______________________________________________
>> svn-src-stable...@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/svn-src-stable-11
>> To unsubscribe, send any mail to "svn-src-stable-11-unsubscr...@freebsd.org"
>>


-- 
John Baldwin
_______________________________________________
freebsd-stable@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"

Reply via email to