Re: How to Enable support for IPsec deprecated algorithms: 3DES, MD5-HMAC

2022-10-07 Thread alfadev


> You do not want to just restore the files as-is. You instead want to revert some of the
> diffs from the first commit. The second commit for /dev/crypto doesn't matter for IPsec
> and you can ignore it.
> 
> However, you will need to also partially revert commit 0e00c709d7f1cdaeb584d244df9534bcdd0ac527
> which removes DES and 3DES from OCF itself. This is what removed enc_xform_des for example.
> 
> --
> John Baldwin

Hi, I have limited knowledge. I tried to revert commit 
0e00c709d7f1cdaeb584d244df9534bcdd0ac527
but it returned fatal: bad object 0e00c709d...
Instead I changed all files before that commit, but no luck: I got too many 
build errors.

Could you help me at this point? How can I revert to that commit and enable 
3DES support?






Re: How to Enable support for IPsec deprecated algorithms: 3DES, MD5-HMAC

2022-10-04 Thread John Baldwin

On 10/4/22 1:53 AM, alfadev wrote:

> Hi, I am trying to move my gateway from FreeBSD 11.0 to FreeBSD 14.0 to use
> the newly added ipfw table lookup for MAC addresses 
> (https://reviews.freebsd.org/D35103)
> 
> Also I have too many IPsec connections between FortiGate, Cisco etc.
> And their operators use only 3DES algorithms and they have no intention to 
> change it for me.
> So, now I have to enable 3DES support for FreeBSD 14.0.
> 
> To add 3DES support again I changed some files shown below.
> I am not sure what I did; any help is welcome.


You do not want to just restore the files as-is.  You instead want to revert some of the
diffs from the first commit.  The second commit for /dev/crypto doesn't matter for IPsec
and you can ignore it.

However, you will need to also partially revert commit 0e00c709d7f1cdaeb584d244df9534bcdd0ac527
which removes DES and 3DES from OCF itself.  This is what removed enc_xform_des for example.

--
John Baldwin
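
An added illustration of the partial revert suggested above (not part of the thread and not FreeBSD project code): the function reverses one commit's changes for selected files only, and first checks that the commit exists in the checkout, since git reports "bad object" when it does not. The repository, file names and contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: reverse one commit's changes for selected files only.

# partial_revert <repo> <commit> <path>...
partial_revert() {
    repo=$1 commit=$2
    shift 2
    # git answers "fatal: bad object" when the repository does not contain
    # the commit, so check for the object before doing anything else.
    if ! git -C "$repo" cat-file -e "${commit}^{commit}" 2>/dev/null; then
        echo "commit $commit is not present in $repo" >&2
        return 2
    fi
    # Diff introduced by the commit, limited to the named paths,
    # applied in reverse to both the index and the working tree.
    git -C "$repo" diff "${commit}^" "$commit" -- "$@" |
        git -C "$repo" apply -R --index
}

# Constructed two-commit repository standing in for a source tree
# (file names and contents are hypothetical).
make_demo_repo() {
    d=$(mktemp -d) || return 1
    g() { git -C "$d" -c user.name=demo -c user.email=demo@example.invalid "$@"; }
    g init -q
    printf 'xform_a\nxform_legacy\n' > "$d/xforms.txt"
    printf 'tool v1\n' > "$d/tool.txt"
    g add . && g commit -q -m 'initial'
    printf 'xform_a\n' > "$d/xforms.txt"   # removal we want to undo
    printf 'tool v2\n' > "$d/tool.txt"     # unrelated change we keep
    g add . && g commit -q -m 'remove legacy xform, update tool'
    echo "$d"
}

# Undo only the xforms.txt part of the last commit; tool.txt stays at v2.
repo=$(make_demo_repo)
partial_revert "$repo" HEAD xforms.txt && git -C "$repo" status --short
```

The reversed changes are left staged, so they can be reviewed with `git diff --cached` before committing.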



How to Enable support for IPsec deprecated algorithms: 3DES, MD5-HMAC

2022-10-04 Thread alfadev
Hi, I am trying to move my gateway from FreeBSD 11.0 to FreeBSD 14.0 to use
the newly added ipfw table lookup for MAC addresses 
(https://reviews.freebsd.org/D35103)

Also I have too many IPsec connections between FortiGate, Cisco etc.
And their operators use only 3DES algorithms and they have no intention to 
change it for me.
So, now I have to enable 3DES support for FreeBSD 14.0.

To add 3DES support again I changed some files shown below.
I am not sure what I did; any help is welcome.

I restored the files below:

https://cgit.freebsd.org/src/commit/?id=16aabb761c0a

-rw-r--r--  [lib/libipsec/pfkey_dump.c](https://cgit.freebsd.org/src/diff/lib/libipsec/pfkey_dump.c?id=16aabb761c0a)  25
-rw-r--r--  [sbin/setkey/sample.cf](https://cgit.freebsd.org/src/diff/sbin/setkey/sample.cf?id=16aabb761c0a)  79
-rw-r--r--  [sbin/setkey/setkey.8](https://cgit.freebsd.org/src/diff/sbin/setkey/setkey.8?id=16aabb761c0a)  29
-rw-r--r--  [sbin/setkey/test-pfkey.c](https://cgit.freebsd.org/src/diff/sbin/setkey/test-pfkey.c?id=16aabb761c0a)  32
-rw-r--r--  [sbin/setkey/token.l](https://cgit.freebsd.org/src/diff/sbin/setkey/token.l?id=16aabb761c0a)  11
-rw-r--r--  [sys/netipsec/ipsec.c](https://cgit.freebsd.org/src/diff/sys/netipsec/ipsec.c?id=16aabb761c0a)  5
-rw-r--r--  [sys/netipsec/ipsec.h](https://cgit.freebsd.org/src/diff/sys/netipsec/ipsec.h?id=16aabb761c0a)  2
-rw-r--r--  [sys/netipsec/key.c](https://cgit.freebsd.org/src/diff/sys/netipsec/key.c?id=16aabb761c0a)  12
-rw-r--r--  [sys/netipsec/xform_ah.c](https://cgit.freebsd.org/src/diff/sys/netipsec/xform_ah.c?id=16aabb761c0a)  26
-rw-r--r--  [sys/netipsec/xform_esp.c](https://cgit.freebsd.org/src/diff/sys/netipsec/xform_esp.c?id=16aabb761c0a)  25
-rw-r--r--  [usr.bin/netstat/ipsec.c](https://cgit.freebsd.org/src/diff/usr.bin/netstat/ipsec.c?id=16aabb761c0a)

https://cgit.freebsd.org/src/commit/?id=6c80c319ef88

-rw-r--r--  [sys/opencrypto/cryptodev.c](https://cgit.freebsd.org/src/diff/sys/opencrypto/cryptodev.c?id=6c80c319ef88)
-rw-r--r--  [sys/opencrypto/cryptodev.h](https://cgit.freebsd.org/src/diff/sys/opencrypto/cryptodev.c?id=6c80c319ef88)

Compiled a new kernel with these extra options:

# OWNKERNv1
include GENERIC
ident OWNKERNv1

options IPFIREWALL
options DUMMYNET
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT
options IPSEC
options IPSEC_SUPPORT
device crypto

cd /usr/src
make -j$(sysctl -n hw.ncpu) buildkernel KERNCONF=OWNKERNv1

But when I try to compile the new kernel it gets too many errors.
Any help will be appreciated at this point.

Part of the error logs:
--- all_subdir_cryptodev ---
/usr/src/sys/opencrypto/cryptodev.c:314:16: error: incompatible function pointer types initializing 'fo_stat_t *' (aka 'int (*)(struct file *, struct stat *, struct ucred *)') with an expression of type 'int (struct file *, struct stat *, struct ucred *, struct thread *)' [-Werror,-Wincompatible-function-pointer-types]
.fo_stat = cryptof_stat,
^~~~
/usr/src/sys/opencrypto/cryptodev.c:412:14: error: use of undeclared identifier 'enc_xform_des'; did you mean 'enc_xform_ccm'?
txform = &enc_xform_des;
^
enc_xform_ccm
/usr/src/sys/opencrypto/xform_enc.h:105:31: note: 'enc_xform_ccm' declared here
extern const struct enc_xform enc_xform_ccm;
^
/usr/src/sys/opencrypto/cryptodev.c:415:14: error: use of undeclared identifier 'enc_xform_3des'
txform = &enc_xform_3des;
^...