> Author: jhb > Date: Thu May 23 22:06:57 2019 > New Revision: 348205 > URL: https://svnweb.freebsd.org/changeset/base/348205 > > Log: > Add deprecation warnings for IPsec algorithms deprecated in RFC 8221. > > All of these algorithms are either explicitly marked MUST NOT, or they > are implicitly MUST NOTs by virtue of not being included in IETF's > list of protocols at all despite having assignments from IANA.
Can you provide me these specific ones and I'll investigate the Ietf datatracker and IANA documents and see if I can get the long story. Ie what IANA assignments are you refering to that do not appear in RFC, it may simply be the case there is a final RFC that says "new foo are assigned numbers by IANA and no RFC is needed" That is how port numbers and other such things just are, there is not a RFC for everything! > Specifically, this adds warnings for the following ciphers: > - des-cbc > - blowfish-cbc > - cast128-cbc > - des-deriv > - des-32iv > - camellia-cbc > > Warnings for the following authentication algorithms are also added: > - hmac-md5 > - keyed-md5 > - keyed-sha1 > - hmac-ripemd160 > > Reviewed by: cem, gnn > MFC after: 3 days > Sponsored by: Chelsio Communications > Differential Revision: https://reviews.freebsd.org/D20340 > > Modified: > head/sys/netipsec/xform_ah.c > head/sys/netipsec/xform_esp.c > > Modified: head/sys/netipsec/xform_ah.c > ============================================================================== > --- head/sys/netipsec/xform_ah.c Thu May 23 22:01:05 2019 > (r348204) > +++ head/sys/netipsec/xform_ah.c Thu May 23 22:06:57 2019 > (r348205) > @@ -108,6 +108,8 @@ SYSCTL_VNET_PCPUSTAT(_net_inet_ah, IPSECCTL_STATS, sta > #endif > > static unsigned char ipseczeroes[256]; /* larger than an ip6 extension > hdr */ > +static struct timeval md5warn, ripewarn, kpdkmd5warn, kpdksha1warn; > +static struct timeval warninterval = { .tv_sec = 1, .tv_usec = 0 }; > > static int ah_input_cb(struct cryptop*); > static int ah_output_cb(struct cryptop*); > @@ -184,6 +186,26 @@ ah_init0(struct secasvar *sav, struct xformsw *xsp, st > __func__, sav->alg_auth)); > return EINVAL; > } > + > + switch (sav->alg_auth) { > + case SADB_AALG_MD5HMAC: > + if (ratecheck(&md5warn, &warninterval)) > + gone_in(13, "MD5-HMAC authenticator for IPsec"); > + break; > + case SADB_X_AALG_RIPEMD160HMAC: > + if (ratecheck(&ripewarn, &warninterval)) > + gone_in(13, "RIPEMD160-HMAC authenticator for IPsec"); > + break; > + case SADB_X_AALG_MD5: > + if (ratecheck(&kpdkmd5warn, &warninterval)) > + gone_in(13, "Keyed-MD5 authenticator for IPsec"); > + break; > + case SADB_X_AALG_SHA: > + if (ratecheck(&kpdksha1warn, &warninterval)) > + gone_in(13, "Keyed-SHA1 authenticator for IPsec"); > + break; > + } > + > /* > * Verify the replay state block allocation is consistent with > * the protocol type. We check here so we can make assumptions > > Modified: head/sys/netipsec/xform_esp.c > ============================================================================== > --- head/sys/netipsec/xform_esp.c Thu May 23 22:01:05 2019 > (r348204) > +++ head/sys/netipsec/xform_esp.c Thu May 23 22:06:57 2019 > (r348205) > @@ -94,6 +94,9 @@ SYSCTL_VNET_PCPUSTAT(_net_inet_esp, IPSECCTL_STATS, st > struct espstat, espstat, > "ESP statistics (struct espstat, netipsec/esp_var.h"); > > +static struct timeval deswarn, blfwarn, castwarn, camelliawarn; > +static struct timeval warninterval = { .tv_sec = 1, .tv_usec = 0 }; > + > static int esp_input_cb(struct cryptop *op); > static int esp_output_cb(struct cryptop *crp); > > @@ -156,6 +159,26 @@ esp_init(struct secasvar *sav, struct xformsw *xsp) > __func__)); > return EINVAL; > } > + > + switch (sav->alg_enc) { > + case SADB_EALG_DESCBC: > + if (ratecheck(&deswarn, &warninterval)) > + gone_in(13, "DES cipher for IPsec"); > + break; > + case SADB_X_EALG_BLOWFISHCBC: > + if (ratecheck(&blfwarn, &warninterval)) > + gone_in(13, "Blowfish cipher for IPsec"); > + break; > + case SADB_X_EALG_CAST128CBC: > + if (ratecheck(&castwarn, &warninterval)) > + gone_in(13, "CAST cipher for IPsec"); > + break; > + case SADB_X_EALG_CAMELLIACBC: > + if (ratecheck(&camelliawarn, &warninterval)) > + gone_in(13, "Camellia cipher for IPsec"); > + break; > + } > + > /* subtract off the salt, RFC4106, 8.1 and RFC3686, 5.1 */ > keylen = _KEYLEN(sav->key_enc) - SAV_ISCTRORGCM(sav) * 4; > if (txform->minkey > keylen || keylen > txform->maxkey) { > > -- Rod Grimes rgri...@freebsd.org _______________________________________________ svn-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
