Quoth ipsec.conf(5): Use of DES as an encryption algorithm is considered to be insecure since brute force attacks are practical due its short key length.
The attached patch removes support for DES-CBC encryption in ESP and in IKE main and quick mode from the kernel, iked(8), ipsecctl(8), and isakmpd(8). Note this is plain DES, *not* 3DES. RFC2409 (November 1998) says that DES support is a "MUST" for IKEv1, but I think we _must_ ignore this. Next I intend to remove DES from the kernel crypto framework. Index: sys/net/pfkeyv2.c =================================================================== RCS file: /cvs/src/sys/net/pfkeyv2.c,v retrieving revision 1.145 diff -u -p -r1.145 pfkeyv2.c --- sys/net/pfkeyv2.c 17 Jul 2015 18:31:08 -0000 1.145 +++ sys/net/pfkeyv2.c 2 Dec 2015 22:13:21 -0000 @@ -103,7 +103,6 @@ static int npromisc = 0; static const struct sadb_alg ealgs[] = { { SADB_EALG_NULL, 0, 0, 0 }, - { SADB_EALG_DESCBC, 64, 64, 64 }, { SADB_EALG_3DESCBC, 64, 192, 192 }, { SADB_X_EALG_BLF, 64, 40, BLF_MAXKEYLEN * 8}, { SADB_X_EALG_CAST, 64, 40, 128}, @@ -1848,11 +1847,6 @@ pfkeyv2_acquire(struct ipsec_policy *ipo sadb_comb->sadb_comb_encrypt = SADB_EALG_3DESCBC; sadb_comb->sadb_comb_encrypt_minbits = 192; sadb_comb->sadb_comb_encrypt_maxbits = 192; - } else if (!strncasecmp(ipsec_def_enc, "des", - sizeof("des"))) { - sadb_comb->sadb_comb_encrypt = SADB_EALG_DESCBC; - sadb_comb->sadb_comb_encrypt_minbits = 64; - sadb_comb->sadb_comb_encrypt_maxbits = 64; } else if (!strncasecmp(ipsec_def_enc, "blowfish", sizeof("blowfish"))) { sadb_comb->sadb_comb_encrypt = SADB_X_EALG_BLF; Index: sys/net/pfkeyv2.h =================================================================== RCS file: /cvs/src/sys/net/pfkeyv2.h,v retrieving revision 1.71 diff -u -p -r1.71 pfkeyv2.h --- sys/net/pfkeyv2.h 2 Dec 2015 12:43:59 -0000 1.71 +++ sys/net/pfkeyv2.h 2 Dec 2015 22:11:46 -0000 @@ -296,7 +296,6 @@ struct sadb_x_tap { #define SADB_AALG_MAX 12 #define SADB_EALG_NONE 0 -#define SADB_EALG_DESCBC 2 #define SADB_EALG_3DESCBC 3 #define SADB_X_EALG_CAST 6 #define SADB_X_EALG_BLF 7 Index: sys/net/pfkeyv2_convert.c =================================================================== RCS file: /cvs/src/sys/net/pfkeyv2_convert.c,v retrieving revision 1.56 diff -u -p -r1.56 pfkeyv2_convert.c --- sys/net/pfkeyv2_convert.c 3 Nov 2015 01:50:36 -0000 1.56 +++ sys/net/pfkeyv2_convert.c 2 Dec 2015 22:12:19 -0000 @@ -228,10 +228,6 @@ export_sa(void **p, struct tdb *tdb) sadb_sa->sadb_sa_encrypt = SADB_EALG_NULL; break; - case CRYPTO_DES_CBC: - sadb_sa->sadb_sa_encrypt = SADB_EALG_DESCBC; - break; - case CRYPTO_3DES_CBC: sadb_sa->sadb_sa_encrypt = SADB_EALG_3DESCBC; break; Index: sys/netinet/ip_esp.c =================================================================== RCS file: /cvs/src/sys/netinet/ip_esp.c,v retrieving revision 1.135 diff -u -p -r1.135 ip_esp.c --- sys/netinet/ip_esp.c 3 Nov 2015 01:50:36 -0000 1.135 +++ sys/netinet/ip_esp.c 2 Dec 2015 22:11:23 -0000 @@ -111,10 +111,6 @@ esp_init(struct tdb *tdbp, struct xforms txform = &enc_xform_null; break; - case SADB_EALG_DESCBC: - txform = &enc_xform_des; - break; - case SADB_EALG_3DESCBC: txform = &enc_xform_3des; break; Index: sbin/iked/iked.conf.5 =================================================================== RCS file: /cvs/src/sbin/iked/iked.conf.5,v retrieving revision 1.43 diff -u -p -r1.43 iked.conf.5 --- sbin/iked/iked.conf.5 4 Nov 2015 12:40:49 -0000 1.43 +++ sbin/iked/iked.conf.5 2 Dec 2015 21:38:05 -0000 @@ -757,7 +757,6 @@ The following cipher types are permitted keyword: .Bl -column "chacha20-poly1305" "Key Length" "[ESP only]" -offset indent .It Em "Cipher" Ta Em "Key Length" Ta "" -.It Li des Ta "56 bits" Ta "[ESP only]" .It Li 3des Ta "168 bits" Ta "" .It Li aes-128 Ta "128 bits" Ta "" .It Li aes-192 Ta "192 bits" Ta "" @@ -782,11 +781,7 @@ not encryption: .It Li null Ta "" Ta "[ESP only]" .El .Pp -Use of DES as an encryption algorithm is considered to be insecure -since brute force attacks are practical due its short key length. -.Pp -DES requires 8 bytes to form a 56-bit key and 3DES requires 24 bytes -to form its 168-bit key. +3DES requires 24 bytes to form its 168-bit key. This is because the most significant bit of each byte is used for parity. .Pp The keysize of AES-CTR is actually 128-bit. Index: sbin/iked/parse.y =================================================================== RCS file: /cvs/src/sbin/iked/parse.y,v retrieving revision 1.53 diff -u -p -r1.53 parse.y --- sbin/iked/parse.y 4 Nov 2015 12:40:49 -0000 1.53 +++ sbin/iked/parse.y 2 Dec 2015 18:15:18 -0000 @@ -177,7 +177,6 @@ const struct ipsec_xf ikeencxfs[] = { }; const struct ipsec_xf ipsecencxfs[] = { - { "des", IKEV2_XFORMENCR_DES, 8 }, { "3des", IKEV2_XFORMENCR_3DES, 24 }, { "3des-cbc", IKEV2_XFORMENCR_3DES, 24 }, { "aes-128", IKEV2_XFORMENCR_AES_CBC, 16, 16 }, Index: sbin/iked/pfkey.c =================================================================== RCS file: /cvs/src/sbin/iked/pfkey.c,v retrieving revision 1.48 diff -u -p -r1.48 pfkey.c --- sbin/iked/pfkey.c 2 Dec 2015 12:43:59 -0000 1.48 +++ sbin/iked/pfkey.c 2 Dec 2015 18:15:37 -0000 @@ -69,7 +69,6 @@ struct pfkey_constmap { }; static const struct pfkey_constmap pfkey_encr[] = { - { SADB_EALG_DESCBC, IKEV2_XFORMENCR_DES }, { SADB_EALG_3DESCBC, IKEV2_XFORMENCR_3DES }, { SADB_X_EALG_CAST, IKEV2_XFORMENCR_CAST }, { SADB_X_EALG_BLF, IKEV2_XFORMENCR_BLOWFISH }, Index: sbin/ipsecctl/ike.c =================================================================== RCS file: /cvs/src/sbin/ipsecctl/ike.c,v retrieving revision 1.80 diff -u -p -r1.80 ike.c --- sbin/ipsecctl/ike.c 25 May 2015 19:29:36 -0000 1.80 +++ sbin/ipsecctl/ike.c 2 Dec 2015 20:17:49 -0000 @@ -198,9 +198,6 @@ ike_section_p2(struct ipsec_rule *r, FIL case ENCXF_3DES_CBC: enc_alg = "3DES"; break; - case ENCXF_DES_CBC: - enc_alg = "DES"; - break; case ENCXF_AES: enc_alg = "AES"; key_length = "128,128:256"; @@ -440,9 +437,6 @@ ike_section_p1(struct ipsec_rule *r, FIL switch (r->p1xfs->encxf->id) { case ENCXF_3DES_CBC: enc_alg = "3DES"; - break; - case ENCXF_DES_CBC: - enc_alg = "DES"; break; case ENCXF_AES: enc_alg = "AES"; Index: sbin/ipsecctl/ipsec.conf.5 =================================================================== RCS file: /cvs/src/sbin/ipsecctl/ipsec.conf.5,v retrieving revision 1.150 diff -u -p -r1.150 ipsec.conf.5 --- sbin/ipsecctl/ipsec.conf.5 1 Nov 2015 21:26:48 -0000 1.150 +++ sbin/ipsecctl/ipsec.conf.5 2 Dec 2015 21:38:38 -0000 @@ -624,7 +624,6 @@ The following cipher types are permitted keyword: .Bl -column "aes-128-gmac" "Key Length" "Description" -offset indent .It Em "Cipher" Ta Em "Key Length" Ta "" -.It Li des Ta "56 bits" Ta "" .It Li 3des Ta "168 bits" Ta "" .It Li aes Ta "128 bits" Ta "" .It Li aes-128 Ta "128 bits" Ta "" @@ -645,11 +644,7 @@ keyword: .It Li null Ta "(none)" Ta "[phase 2 only]" .El .Pp -Use of DES as an encryption algorithm is considered to be insecure -since brute force attacks are practical due its short key length. -.Pp -DES requires 8 bytes to form a 56-bit key and 3DES requires 24 bytes -to form its 168-bit key. +3DES requires 24 bytes to form its 168-bit key. This is because the most significant bit of each byte is used for parity. .Pp The keysize of AES-CTR can be 128, 192, or 256 bits. Index: sbin/ipsecctl/ipsecctl.h =================================================================== RCS file: /cvs/src/sbin/ipsecctl/ipsecctl.h,v retrieving revision 1.68 diff -u -p -r1.68 ipsecctl.h --- sbin/ipsecctl/ipsecctl.h 4 Nov 2015 12:46:13 -0000 1.68 +++ sbin/ipsecctl/ipsecctl.h 2 Dec 2015 20:17:20 -0000 @@ -62,7 +62,7 @@ enum { AUTHXF_HMAC_SHA2_512 }; enum { - ENCXF_UNKNOWN, ENCXF_NONE, ENCXF_3DES_CBC, ENCXF_DES_CBC, ENCXF_AES, + ENCXF_UNKNOWN, ENCXF_NONE, ENCXF_3DES_CBC, ENCXF_AES, ENCXF_AES_128, ENCXF_AES_192, ENCXF_AES_256, ENCXF_AESCTR, ENCXF_AES_128_CTR, ENCXF_AES_192_CTR, ENCXF_AES_256_CTR, ENCXF_AES_128_GCM, ENCXF_AES_192_GCM, ENCXF_AES_256_GCM, Index: sbin/ipsecctl/parse.y =================================================================== RCS file: /cvs/src/sbin/ipsecctl/parse.y,v retrieving revision 1.163 diff -u -p -r1.163 parse.y --- sbin/ipsecctl/parse.y 4 Nov 2015 12:46:13 -0000 1.163 +++ sbin/ipsecctl/parse.y 2 Dec 2015 20:16:57 -0000 @@ -105,7 +105,6 @@ const struct ipsec_xf encxfs[] = { { "unknown", ENCXF_UNKNOWN, 0, 0, 0, 0 }, { "none", ENCXF_NONE, 0, 0, 0, 0 }, { "3des-cbc", ENCXF_3DES_CBC, 24, 24, 0, 0 }, - { "des-cbc", ENCXF_DES_CBC, 8, 8, 0, 0 }, { "aes", ENCXF_AES, 16, 32, 0, 0 }, { "aes-128", ENCXF_AES_128, 16, 16, 0, 0 }, { "aes-192", ENCXF_AES_192, 24, 24, 0, 0 }, Index: sbin/ipsecctl/pfkdump.c =================================================================== RCS file: /cvs/src/sbin/ipsecctl/pfkdump.c,v retrieving revision 1.41 diff -u -p -r1.41 pfkdump.c --- sbin/ipsecctl/pfkdump.c 2 Dec 2015 12:43:59 -0000 1.41 +++ sbin/ipsecctl/pfkdump.c 2 Dec 2015 20:15:53 -0000 @@ -157,7 +157,6 @@ struct idname auth_types[] = { struct idname enc_types[] = { { SADB_EALG_NONE, "none", NULL }, { SADB_EALG_3DESCBC, "3des-cbc", NULL }, - { SADB_EALG_DESCBC, "des-cbc", NULL }, { SADB_X_EALG_AES, "aes", NULL }, { SADB_X_EALG_AESCTR, "aesctr", NULL }, { SADB_X_EALG_AESGCM16, "aes-gcm", NULL }, @@ -678,9 +677,6 @@ pfkey_print_sa(struct sadb_msg *msg, int switch (sa->sadb_sa_encrypt) { case SADB_EALG_3DESCBC: xfs.encxf = &encxfs[ENCXF_3DES_CBC]; - break; - case SADB_EALG_DESCBC: - xfs.encxf = &encxfs[ENCXF_DES_CBC]; break; case SADB_X_EALG_AES: switch (r.enckey->len) { Index: sbin/ipsecctl/pfkey.c =================================================================== RCS file: /cvs/src/sbin/ipsecctl/pfkey.c,v retrieving revision 1.55 diff -u -p -r1.55 pfkey.c --- sbin/ipsecctl/pfkey.c 18 Oct 2015 02:30:53 -0000 1.55 +++ sbin/ipsecctl/pfkey.c 2 Dec 2015 20:16:30 -0000 @@ -485,9 +485,6 @@ pfkey_sa(int sd, u_int8_t satype, u_int8 case ENCXF_3DES_CBC: sa.sadb_sa_encrypt = SADB_EALG_3DESCBC; break; - case ENCXF_DES_CBC: - sa.sadb_sa_encrypt = SADB_EALG_DESCBC; - break; case ENCXF_AES: case ENCXF_AES_128: case ENCXF_AES_192: Index: sbin/isakmpd/conf.c =================================================================== RCS file: /cvs/src/sbin/isakmpd/conf.c,v retrieving revision 1.104 diff -u -p -r1.104 conf.c --- sbin/isakmpd/conf.c 20 Aug 2015 22:02:21 -0000 1.104 +++ sbin/isakmpd/conf.c 2 Dec 2015 21:13:31 -0000 @@ -288,13 +288,13 @@ conf_parse(int trans, char *buf, size_t * * Resulting section names can be: * For main mode: - * {DES,BLF,3DES,CAST,AES,AES-{128,192,256}-{MD5,SHA,SHA2-{256,384,512}} \ + * {BLF,3DES,CAST,AES,AES-{128,192,256}-{MD5,SHA,SHA2-{256,384,512}} \ * [-GRP{1,2,5,14,15}][-{DSS,RSA_SIG}] * For quick mode: * QM-{proto}[-TRP]-{cipher}[-{hash}][-PFS[-{group}]]-SUITE * where * {proto} = ESP, AH - * {cipher} = DES, 3DES, CAST, BLF, AES, AES-{128,192,256}, AESCTR + * {cipher} = 3DES, CAST, BLF, AES, AES-{128,192,256}, AESCTR * {hash} = MD5, SHA, RIPEMD, SHA2-{256,384,512} * {group} = GRP1, GRP2, GRP5, GRP14, GRP15 * @@ -477,21 +477,21 @@ conf_load_defaults(int tr) 0}; char *mm_hash_p[] = {"-MD5", "-SHA", "-SHA2-256", "-SHA2-384", "-SHA2-512", "", 0 }; - char *mm_enc[] = {"DES_CBC", "BLOWFISH_CBC", "3DES_CBC", "CAST_CBC", + char *mm_enc[] = {"BLOWFISH_CBC", "3DES_CBC", "CAST_CBC", "AES_CBC", "AES_CBC", "AES_CBC", "AES_CBC", 0}; - char *mm_enc_p[] = {"DES", "BLF", "3DES", "CAST", "AES", "AES-128", + char *mm_enc_p[] = {"BLF", "3DES", "CAST", "AES", "AES-128", "AES-192", "AES-256", 0}; char *dhgroup[] = {"MODP_1024", "MODP_768", "MODP_1024", "MODP_1536", "MODP_2048", "MODP_3072", "MODP_4096", "MODP_6144", "MODP_8192", 0}; char *dhgroup_p[] = {"", "-GRP1", "-GRP2", "-GRP5", "-GRP14", "-GRP15", "-GRP16", "-GRP17", "-GRP18", 0}; - char *qm_enc[] = {"DES", "3DES", "CAST", "BLOWFISH", "AES", + char *qm_enc[] = {"3DES", "CAST", "BLOWFISH", "AES", "AES", "AES", "AES", "AES_CTR", "AES_CTR", "AES_CTR", "AES_CTR", "AES_GCM_16", "AES_GCM_16", "AES_GCM_16", "AES_GMAC", "AES_GMAC", "AES_GMAC", "NULL", "NONE", 0}; - char *qm_enc_p[] = {"-DES", "-3DES", "-CAST", "-BLF", "-AES", + char *qm_enc_p[] = {"-3DES", "-CAST", "-BLF", "-AES", "-AES-128", "-AES-192", "-AES-256", "-AESCTR", "-AESCTR-128", "-AESCTR-192", "-AESCTR-256", "-AESGCM-128", "-AESGCM-192", "-AESGCM-256", Index: sbin/isakmpd/crypto.c =================================================================== RCS file: /cvs/src/sbin/isakmpd/crypto.c,v retrieving revision 1.32 diff -u -p -r1.32 crypto.c --- sbin/isakmpd/crypto.c 21 Mar 2013 04:30:14 -0000 1.32 +++ sbin/isakmpd/crypto.c 2 Dec 2015 21:49:31 -0000 @@ -37,13 +37,10 @@ #include "crypto.h" #include "log.h" -enum cryptoerr des1_init(struct keystate *, u_int8_t *, u_int16_t); enum cryptoerr des3_init(struct keystate *, u_int8_t *, u_int16_t); enum cryptoerr blf_init(struct keystate *, u_int8_t *, u_int16_t); enum cryptoerr cast_init(struct keystate *, u_int8_t *, u_int16_t); enum cryptoerr aes_init(struct keystate *, u_int8_t *, u_int16_t); -void des1_encrypt(struct keystate *, u_int8_t *, u_int16_t); -void des1_decrypt(struct keystate *, u_int8_t *, u_int16_t); void des3_encrypt(struct keystate *, u_int8_t *, u_int16_t); void des3_decrypt(struct keystate *, u_int8_t *, u_int16_t); void blf_encrypt(struct keystate *, u_int8_t *, u_int16_t); @@ -55,12 +52,6 @@ void aes_decrypt(struct keyst struct crypto_xf transforms[] = { { - DES_CBC, "Data Encryption Standard (CBC-Mode)", 8, 8, - BLOCKSIZE, 0, - des1_init, - des1_encrypt, des1_decrypt - }, - { TRIPLEDES_CBC, "Triple-DES (CBC-Mode)", 24, 24, BLOCKSIZE, 0, des3_init, @@ -85,33 +76,6 @@ struct crypto_xf transforms[] = { aes_encrypt, aes_decrypt }, }; - -enum cryptoerr -des1_init(struct keystate *ks, u_int8_t *key, u_int16_t len) -{ - /* DES_set_key returns -1 for parity problems, and -2 for weak keys */ - DES_set_odd_parity((void *)key); - switch (DES_set_key((void *)key, &ks->ks_des[0])) { - case -2: - return EWEAKKEY; - default: - return EOKAY; - } -} - -void -des1_encrypt(struct keystate *ks, u_int8_t *d, u_int16_t len) -{ - DES_cbc_encrypt((void *)d, (void *)d, len, &ks->ks_des[0], (void *)ks->riv, - DES_ENCRYPT); -} - -void -des1_decrypt(struct keystate *ks, u_int8_t *d, u_int16_t len) -{ - DES_cbc_encrypt((void *)d, (void *)d, len, &ks->ks_des[0], (void *)ks->riv, - DES_DECRYPT); -} enum cryptoerr des3_init(struct keystate *ks, u_int8_t *key, u_int16_t len) Index: sbin/isakmpd/ipsec.c =================================================================== RCS file: /cvs/src/sbin/isakmpd/ipsec.c,v retrieving revision 1.144 diff -u -p -r1.144 ipsec.c --- sbin/isakmpd/ipsec.c 20 Aug 2015 22:02:21 -0000 1.144 +++ sbin/isakmpd/ipsec.c 2 Dec 2015 20:56:43 -0000 @@ -1822,10 +1822,6 @@ ipsec_esp_enckeylength(struct proto *pro /* Compute the keylength to use. */ switch (proto->id) { - case IPSEC_ESP_DES: - case IPSEC_ESP_DES_IV32: - case IPSEC_ESP_DES_IV64: - return 8; case IPSEC_ESP_3DES: return 24; case IPSEC_ESP_CAST: Index: sbin/isakmpd/isakmpd.conf.5 =================================================================== RCS file: /cvs/src/sbin/isakmpd/isakmpd.conf.5,v retrieving revision 1.131 diff -u -p -r1.131 isakmpd.conf.5 --- sbin/isakmpd/isakmpd.conf.5 16 Jan 2015 15:37:20 -0000 1.131 +++ sbin/isakmpd/isakmpd.conf.5 2 Dec 2015 21:33:56 -0000 @@ -96,7 +96,7 @@ For Main Mode: where: .Bl -tag -width "cipher" -offset indent -compact .It Ar cipher -is either DES, BLF, 3DES, CAST, AES, AES-128, AES-192 or AES-256 +is either BLF, 3DES, CAST, AES, AES-128, AES-192 or AES-256 .It Ar hash is either MD5, SHA, or SHA2-{256,384,512} .It Ar group @@ -121,7 +121,7 @@ where: .It Ar proto is either ESP or AH .It Ar cipher -is either DES, 3DES, CAST, BLF, AES, AES-128, AES-192, AES-256, AESCTR, +is either 3DES, CAST, BLF, AES, AES-128, AES-192, AES-256, AESCTR, AESCTR-128, AESCTR-192, AESCTR-256, AESGCM-128, AESGCM-192, AESGCM-256, AESGMAC-128, AESGMAC-192, AESGMAC-256 or NULL @@ -1005,22 +1005,6 @@ Transforms= 3DES-SHA # Main mode transforms ###################### -# DES - -[DES-MD5] -ENCRYPTION_ALGORITHM= DES_CBC -HASH_ALGORITHM= MD5 -AUTHENTICATION_METHOD= PRE_SHARED -GROUP_DESCRIPTION= MODP_1024 -Life= LIFE_MAIN_MODE - -[DES-SHA] -ENCRYPTION_ALGORITHM= DES_CBC -HASH_ALGORITHM= SHA -AUTHENTICATION_METHOD= PRE_SHARED -GROUP_DESCRIPTION= MODP_1024 -Life= LIFE_MAIN_MODE - # 3DES [3DES-SHA] @@ -1092,26 +1076,6 @@ Life= LIFE_MAIN_MODE # Quick mode protection suites ############################## -# DES - -[QM-ESP-DES-SUITE] -Protocols= QM-ESP-DES - -[QM-ESP-DES-PFS-SUITE] -Protocols= QM-ESP-DES-PFS - -[QM-ESP-DES-MD5-SUITE] -Protocols= QM-ESP-DES-MD5 - -[QM-ESP-DES-MD5-PFS-SUITE] -Protocols= QM-ESP-DES-MD5-PFS - -[QM-ESP-DES-SHA-SUITE] -Protocols= QM-ESP-DES-SHA - -[QM-ESP-DES-SHA-PFS-SUITE] -Protocols= QM-ESP-DES-SHA-PFS - # 3DES [QM-ESP-3DES-SHA-SUITE] @@ -1162,35 +1126,14 @@ Protocols= QM-AH-MD5-PFS # AH + ESP (non-default) -[QM-AH-MD5-ESP-DES-SUITE] -Protocols= QM-AH-MD5,QM-ESP-DES - -[QM-AH-MD5-ESP-DES-MD5-SUITE] -Protocols= QM-AH-MD5,QM-ESP-DES-MD5 +[QM-AH-MD5-ESP-3DES-SHA-SUITE] +Protocols= QM-AH-MD5,QM-ESP-3DES-SHA -[QM-ESP-DES-MD5-AH-MD5-SUITE] -Protocols= QM-ESP-DES-MD5,QM-AH-MD5 +[QM-ESP-3DES-SHA-AH-MD5-SUITE] +Protocols= QM-ESP-3DES-SHA,QM-AH-MD5 # Quick mode protocols -# DES - -[QM-ESP-DES] -PROTOCOL_ID= IPSEC_ESP -Transforms= QM-ESP-DES-XF - -[QM-ESP-DES-MD5] -PROTOCOL_ID= IPSEC_ESP -Transforms= QM-ESP-DES-MD5-XF - -[QM-ESP-DES-MD5-PFS] -PROTOCOL_ID= IPSEC_ESP -Transforms= QM-ESP-DES-MD5-PFS-XF - -[QM-ESP-DES-SHA] -PROTOCOL_ID= IPSEC_ESP -Transforms= QM-ESP-DES-SHA-XF - # 3DES [QM-ESP-3DES-SHA] @@ -1273,32 +1216,6 @@ PROTOCOL_ID= IPSEC_AH Transforms= QM-AH-MD5-PFS-XF # Quick mode transforms - -# ESP DES+MD5 - -[QM-ESP-DES-XF] -TRANSFORM_ID= DES -ENCAPSULATION_MODE= TUNNEL -Life= LIFE_QUICK_MODE - -[QM-ESP-DES-MD5-XF] -TRANSFORM_ID= DES -ENCAPSULATION_MODE= TUNNEL -AUTHENTICATION_ALGORITHM= HMAC_MD5 -Life= LIFE_QUICK_MODE - -[QM-ESP-DES-MD5-PFS-XF] -TRANSFORM_ID= DES -ENCAPSULATION_MODE= TUNNEL -GROUP_DESCRIPTION= MODP_1024 -AUTHENTICATION_ALGORITHM= HMAC_MD5 -Life= LIFE_QUICK_MODE - -[QM-ESP-DES-SHA-XF] -TRANSFORM_ID= DES -ENCAPSULATION_MODE= TUNNEL -AUTHENTICATION_ALGORITHM= HMAC_SHA -Life= LIFE_QUICK_MODE # 3DES Index: sbin/isakmpd/pf_key_v2.c =================================================================== RCS file: /cvs/src/sbin/isakmpd/pf_key_v2.c,v retrieving revision 1.195 diff -u -p -r1.195 pf_key_v2.c --- sbin/isakmpd/pf_key_v2.c 20 Aug 2015 22:02:21 -0000 1.195 +++ sbin/isakmpd/pf_key_v2.c 2 Dec 2015 20:55:55 -0000 @@ -901,12 +901,6 @@ pf_key_v2_set_spi(struct sa *sa, struct hashlen = ipsec_esp_authkeylength(proto); switch (proto->id) { - case IPSEC_ESP_DES: - case IPSEC_ESP_DES_IV32: - case IPSEC_ESP_DES_IV64: - ssa.sadb_sa_encrypt = SADB_EALG_DESCBC; - break; - case IPSEC_ESP_3DES: ssa.sadb_sa_encrypt = SADB_EALG_3DESCBC; break; Index: sbin/isakmpd/sa.c =================================================================== RCS file: /cvs/src/sbin/isakmpd/sa.c,v retrieving revision 1.122 diff -u -p -r1.122 sa.c --- sbin/isakmpd/sa.c 20 Aug 2015 22:02:21 -0000 1.122 +++ sbin/isakmpd/sa.c 2 Dec 2015 20:57:22 -0000 @@ -550,12 +550,6 @@ report_proto(FILE *fd, struct proto *pro fprintf(fd, "Encryption algorithm: "); switch (proto->id) { - case IPSEC_ESP_DES: - case IPSEC_ESP_DES_IV32: - case IPSEC_ESP_DES_IV64: - fprintf(fd, "DES\n"); - break; - case IPSEC_ESP_3DES: fprintf(fd, "3DES\n"); break; -- Christian "naddy" Weisgerber na...@mips.inka.de