Details

Reviewers

ae
cem
gnn

Group Reviewers

manpages

Commits

rS360557: Remove support for IPsec algorithms deprecated in r348205 and r360202.

Summary

Examples of depecrated algorithms in manual pages and sample configs
are updated where relevant. I removed the one example of combining
ESP and AH (vs using a cipher and auth in ESP) as RFC 8221 says this
combination is NOT RECOMMENDED.

Specifically, this removes support for the following ciphers:

des-cbc
3des-cbc
blowfish-cbc
cast128-cbc
des-deriv
des-32iv
camellia-cbc

This also removes support for the following authentication algorithms:

hmac-md5
keyed-md5
keyed-sha1
hmac-ripemd160

Test Plan

make tinderbox passes

Diff Detail

Lint

Lint Skipped

Unit

Tests Skipped

Build Status

Buildable 30642
Build 28379: arc lint + arc unit

Event Timeline

jhb created this revision.Apr 8 2020, 10:02 PM

Herald added a subscriber: melifaro. · View Herald TranscriptApr 8 2020, 10:02 PM

Harbormaster completed remote builds in B30378: Diff 70356.Apr 8 2020, 10:02 PM

jhb added a parent revision: D24341: Deprecate 3des support in IPsec for FreeBSD 13..Apr 8 2020, 10:02 PM

jhb added inline comments.Apr 8 2020, 10:04 PM

sys/net/pfkeyv2.h
362	I'm not sure if it is better to just remove these outright vs #if 0.

Seems fine, but I am not especially familiar with ipsec. Pleased to see broken crypto being excised, though.

lib/libipsec/pfkey_dump.c
139	If we're getting rid of broken authentication algorithms, null jumps out as pretty broken. Ditto whatever tcp-md5 is.
165–167	twofish?!

This revision is now accepted and ready to land.Apr 9 2020, 2:58 AM

A couple of brief comments above, but overall the patch is good and should be integrated.

lib/libipsec/pfkey_dump.c
139	We should keep NULL for testing the framework's speed without any encryption algorithms in the way.
sbin/setkey/sample.cf
190	Elide?
sys/net/pfkeyv2.h
362	Remove it, we have a VCS.

Now removes 3des as well.

This revision now requires review to proceed.Apr 20 2020, 11:46 PM

Harbormaster completed remote builds in B30642: Diff 70825.Apr 20 2020, 11:46 PM

gnn accepted this revision.Apr 21 2020, 1:35 AM

This revision is now accepted and ready to land.Apr 21 2020, 1:35 AM

Rebase and add 3des removal.

This revision now requires review to proceed.Apr 22 2020, 8:51 PM

Harbormaster completed remote builds in B30673: Diff 70895.Apr 22 2020, 8:51 PM

jhb retitled this revision from Remove support for IPsec algorithms deprecated in r348205. to Remove support for IPsec algorithms deprecated in r348205 and r360202..Apr 22 2020, 8:54 PM

jhb edited the summary of this revision. (Show Details)

exa-run requested in bug 245834

lib/libipsec/pfkey_dump.c
165–167	We don't define the constant, so this is dead code anyway.
sbin/setkey/sample.cf
190	I think the comment means "these are cases we don't have nice examples for above" so is still relevant.
sys/net/pfkeyv2.h
362	I need to run this through an exp-run first to make sure we don't have to leave the constants around for some reason.

jhb added inline comments.May 1 2020, 9:36 PM

sys/net/pfkeyv2.h
362	Turns out this breaks multiple ports, so I will be updating this to leave the old constants around. Any ports that try to use a removed algorithm will get a runtime error and hopefully they will report that error to the user.

Rebase.
Drop pfkeyv2.h diffs.

Harbormaster completed remote builds in B30854: Diff 71256.May 1 2020, 9:46 PM

This revision was not accepted when it landed; it landed in state Needs Review.May 2 2020, 12:07 AM

Closed by commit rS360557: Remove support for IPsec algorithms deprecated in r348205 and r360202. (authored by jhb). · Explain Why

This revision was automatically updated to reflect the committed changes.

jhb added a commit: rS360557: Remove support for IPsec algorithms deprecated in r348205 and r360202..

Herald added a reviewer: manpages. · View Herald TranscriptMay 2 2020, 12:07 AM

Herald added a subscriber: imp. · View Herald Transcript

Remove support for IPsec algorithms deprecated in r348205 and r360202.
ClosedPublic
Actions

Details

Diff Detail

Event Timeline

Revision Contents
Changeset List

Diff 70825

lib/libipsec/pfkey_dump.c

sbin/setkey/sample.cf

sbin/setkey/setkey.8

sbin/setkey/test-pfkey.c

sbin/setkey/token.l

sys/net/pfkeyv2.h

sys/netipsec/ipsec.h

sys/netipsec/ipsec.c

sys/netipsec/key.c

sys/netipsec/xform_ah.c

sys/netipsec/xform_esp.c

usr.bin/netstat/ipsec.c

Remove support for IPsec algorithms deprecated in r348205 and r360202.ClosedPublicActions

Details

Diff Detail

Event Timeline

Revision ContentsChangeset List

Diff 70825

lib/libipsec/pfkey_dump.c

sbin/setkey/sample.cf

sbin/setkey/setkey.8

sbin/setkey/test-pfkey.c

sbin/setkey/token.l

sys/net/pfkeyv2.h

sys/netipsec/ipsec.h

sys/netipsec/ipsec.c

sys/netipsec/key.c

sys/netipsec/xform_ah.c

sys/netipsec/xform_esp.c

usr.bin/netstat/ipsec.c

Remove support for IPsec algorithms deprecated in r348205 and r360202.
ClosedPublic
Actions

Revision Contents
Changeset List