Page MenuHomeFreeBSD

Remove support for IPsec algorithms deprecated in r348205 and r360202.
ClosedPublic

Authored by jhb on Apr 8 2020, 10:02 PM.

Details

Summary

Examples of depecrated algorithms in manual pages and sample configs
are updated where relevant. I removed the one example of combining
ESP and AH (vs using a cipher and auth in ESP) as RFC 8221 says this
combination is NOT RECOMMENDED.

Specifically, this removes support for the following ciphers:

  • des-cbc
  • 3des-cbc
  • blowfish-cbc
  • cast128-cbc
  • des-deriv
  • des-32iv
  • camellia-cbc

This also removes support for the following authentication algorithms:

  • hmac-md5
  • keyed-md5
  • keyed-sha1
  • hmac-ripemd160
Test Plan
  • make tinderbox passes

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

sys/net/pfkeyv2.h
362 ↗(On Diff #70356)

I'm not sure if it is better to just remove these outright vs #if 0.

Seems fine, but I am not especially familiar with ipsec. Pleased to see broken crypto being excised, though.

lib/libipsec/pfkey_dump.c
139 ↗(On Diff #70356)

If we're getting rid of broken authentication algorithms, null jumps out as pretty broken. Ditto whatever tcp-md5 is.

166–168 ↗(On Diff #70356)

twofish?!

This revision is now accepted and ready to land.Apr 9 2020, 2:58 AM
gnn added a subscriber: gnn.

A couple of brief comments above, but overall the patch is good and should be integrated.

lib/libipsec/pfkey_dump.c
139 ↗(On Diff #70356)

We should keep NULL for testing the framework's speed without any encryption algorithms in the way.

sbin/setkey/sample.cf
190 ↗(On Diff #70356)

Elide?

sys/net/pfkeyv2.h
362 ↗(On Diff #70356)

Remove it, we have a VCS.

  • Now removes 3des as well.
This revision now requires review to proceed.Apr 20 2020, 11:46 PM
This revision is now accepted and ready to land.Apr 21 2020, 1:35 AM
  • Rebase and add 3des removal.
This revision now requires review to proceed.Apr 22 2020, 8:51 PM
jhb retitled this revision from Remove support for IPsec algorithms deprecated in r348205. to Remove support for IPsec algorithms deprecated in r348205 and r360202..Apr 22 2020, 8:54 PM
jhb edited the summary of this revision. (Show Details)

exa-run requested in bug 245834

lib/libipsec/pfkey_dump.c
166–168 ↗(On Diff #70356)

We don't define the constant, so this is dead code anyway.

sbin/setkey/sample.cf
190 ↗(On Diff #70356)

I think the comment means "these are cases we don't have nice examples for above" so is still relevant.

sys/net/pfkeyv2.h
362 ↗(On Diff #70356)

I need to run this through an exp-run first to make sure we don't have to leave the constants around for some reason.

sys/net/pfkeyv2.h
362 ↗(On Diff #70356)

Turns out this breaks multiple ports, so I will be updating this to leave the old constants around. Any ports that try to use a removed algorithm will get a runtime error and hopefully they will report that error to the user.

  • Rebase.
  • Drop pfkeyv2.h diffs.
This revision was not accepted when it landed; it landed in state Needs Review.May 2 2020, 12:07 AM
This revision was automatically updated to reflect the committed changes.