d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Deprecate 3des support in IPsec for FreeBSD 13.

Browse Source 
RFC 8221 does not outright ban 3des as the algorithms deprecated for
13 in r348205, but it is listed as a SHOULD NOT and will likely be a
MUST NOT by the time 13 ships.

Discussed with:	bjk
MFC after:	1 week
Sponsored by:	Chelsio Communications
Differential Revision:	https://reviews.freebsd.org/D24341
This commit is contained in:
jhb 2020-04-22 19:44:33 +00:00
parent 25623b16dd
commit 82b955909a
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
sys/netipsec/xform_esp.c
View File

@ -94,7 +94,7 @@ SYSCTL_VNET_PCPUSTAT(_net_inet_esp, IPSECCTL_STATS, stats,
struct espstat, espstat,
"ESP statistics (struct espstat, netipsec/esp_var.h");
static struct timeval deswarn, blfwarn, castwarn, camelliawarn;
static struct timeval deswarn, blfwarn, castwarn, camelliawarn, tdeswarn;
static int esp_input_cb(struct cryptop *op);
static int esp_output_cb(struct cryptop *crp);
@ -164,6 +164,10 @@ esp_init(struct secasvar *sav, struct xformsw *xsp)
if (ratecheck(&deswarn, &ipsec_warn_interval))
gone_in(13, "DES cipher for IPsec");
break;
case SADB_EALG_3DESCBC:
if (ratecheck(&tdeswarn, &ipsec_warn_interval))
gone_in(13, "DES cipher for IPsec");
break;
case SADB_X_EALG_BLOWFISHCBC:
if (ratecheck(&blfwarn, &ipsec_warn_interval))
gone_in(13, "Blowfish cipher for IPsec");