Differential D20555

Make the warning intervals for deprecated crypto algorithms tunable.
ClosedPublic
Actions

Authored by jhb on Jun 7 2019, 9:18 PM.

Details

Reviewers

cem
bjk
jmg

Group Reviewers

manpages

Commits

rS348970: Make the warning intervals for deprecated crypto algorithms tunable.

Summary

New sysctl/tunables can now set the interval (in seconds) between
rate-limited crypto warnings. The new sysctls are:

kern.cryptodev_warn_interval for /dev/crypto
net.inet.ipsec.crypto_warn_interval for IPsec
kern.kgssapi_warn_interval for KGSSAPI

Test Plan

tested that the sysctl worked for both cryptodev and IPsec by changing the interval and verifying warnings did or didn't fire when triggering use of a deprecated algorithm
did not test kgssapi, but given how identical the code is I expect it to also work

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

jhb created this revision.Jun 7 2019, 9:18 PM

Herald added a subscriber: ae. · View Herald TranscriptJun 7 2019, 9:18 PM

Harbormaster completed remote builds in B24763: Diff 58381.Jun 7 2019, 9:18 PM

Unrelated to this is the fact that the current warning intervals are a bit of a random hodge-podge, IPsec is 1 second, KGSSAPI is 1 hour, /dev/crypto is 1 minute. I am open to suggestions on picking something more sensible for all three.

cem accepted this revision.Jun 8 2019, 4:15 AM

This revision is now accepted and ready to land.Jun 8 2019, 4:15 AM