Mark asymmetric cryptography via OCF deprecated for 14.0.

Only one MIPS-specific driver implements support for one of the
asymmetric operations.  There are no in-kernel users besides
/dev/crypto.  The only known user of the /dev/crypto interface was the
engine in OpenSSL releases before 1.1.0.  1.1.0 includes a rewritten
engine that does not use the asymmetric operations due to lack of
documentation.

Reviewed by:	cem, markj
MFC after:	1 week
Sponsored by:	Chelsio Communications
Differential Revision:	https://reviews.freebsd.org/D26810
jhb 2020-10-19 18:21:41 +00:00
parent 2d76d56e8d
commit d06b97bc31
3 changed files with 21 additions and 1 deletions

@ -60,7 +60,7 @@
.\"
.\" $FreeBSD$
.\"
.Dd May 11, 2020
.Dd October 19, 2020
.Dt CRYPTO 4
.Os
.Sh NAME
@ -108,6 +108,11 @@ both asymmetric-key (public-key/private-key) requests and
modular arithmetic (for Diffie-Hellman key exchange and other
cryptographic protocols).
The two modes are described separately below.
.Sh DEPRECATION NOTICE
The asymmetric-key operations supported by this interface will not be
present in
.Fx 14.0
and later.
.Sh THEORY OF OPERATION
Regardless of whether symmetric-key or asymmetric-key operations are
to be performed, use of the device requires a basic series of steps:
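Review bot: the new DEPRECATION NOTICE says what goes away but not what remains; since the preceding paragraph introduces two modes, consider stating explicitly that only the asymmetric-key mode is affected and that the symmetric-key interface is unchanged, so readers of this section do not assume the whole device is going away.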

@ -1142,6 +1142,7 @@ crypto_kregister(u_int32_t driverid, int kalg, u_int32_t flags)
, kalg
, flags
);
gone_in_dev(cap->cc_dev, 14, "asymmetric crypto");
err = 0;
} else
err = EINVAL;
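Review bot: `gone_in_dev()` is called on every successful `crypto_kregister()`, so a driver that registers several kalgs logs the deprecation message once per algorithm at attach time. If one notice per device is preferred, emit it once where the driver's capabilities are established rather than per registration; otherwise a short comment that the per-kalg repetition is accepted would help.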

@ -346,6 +346,11 @@ SYSCTL_BOOL(_kern_crypto, OID_AUTO, cryptodev_separate_aad, CTLFLAG_RW,
&use_separate_aad, 0,
"Use separate AAD buffer for /dev/crypto requests.");
static struct timeval warninterval = { .tv_sec = 60, .tv_usec = 0 };
SYSCTL_TIMEVAL_SEC(_kern, OID_AUTO, cryptodev_warn_interval, CTLFLAG_RW,
&warninterval,
"Delay in seconds between warnings of deprecated /dev/crypto algorithms");
static int cryptof_ioctl(struct file *, u_long, void *,
struct ucred *, struct thread *);
static int cryptof_stat(struct file *, struct stat *,
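Review bot: the new `cryptodev_warn_interval` sysctl is placed under `_kern` while the neighbouring `cryptodev_separate_aad` knob sits under `_kern_crypto`; consider moving it to `kern.crypto.cryptodev_warn_interval` for consistency, or note why it belongs at the top level. Minor: the description string above ends with a period and the new one does not.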
@ -419,6 +424,7 @@ cryptof_ioctl(
struct ucred *active_cred,
struct thread *td)
{
static struct timeval keywarn, featwarn;
struct crypto_session_params csp;
struct fcrypt *fcr = fp->f_data;
struct csession *cse;
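Review bot: `keywarn` and `featwarn` are function-scope statics shared by every caller of `cryptof_ioctl()`, and `ratecheck()` updates them without a lock, so concurrent ioctls can race on the timestamp and occasionally emit two warnings within one interval. That is harmless for a rate-limited log message, but a one-line comment saying the race is deliberate would save the next reader from wondering.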
@ -818,6 +824,10 @@ cryptof_ioctl(
break;
case CIOCKEY:
case CIOCKEY2:
if (ratecheck(&keywarn, &warninterval))
gone_in(14,
"Asymmetric crypto operations via /dev/crypto");
if (!crypto_userasymcrypto) {
SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
return (EPERM); /* XXX compat? */
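Review bot: the `gone_in(14, ...)` warning is emitted before the `crypto_userasymcrypto` check, so a request that is about to be rejected with EPERM still logs the deprecation message. If the intent is to warn only about callers that actually reach the asymmetric operations, move the `ratecheck()`/`gone_in()` pair below the permission check; if warning on any attempt is intended, say so in a comment.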
@ -833,6 +843,10 @@ cryptof_ioctl(
mtx_unlock(&Giant);
break;
case CIOCASYMFEAT:
if (ratecheck(&featwarn, &warninterval))
gone_in(14,
"Asymmetric crypto features via /dev/crypto");
if (!crypto_userasymcrypto) {
/*
* NB: if user asym crypto operations are