Page MenuHomeFreeBSD
Differential D24691

Deprecate ubsec(4) for FreeBSD 13.0.
ClosedPublic
Actions

Authored by jhb on May 4 2020, 8:54 PM.
Tags
None
Referenced Files
Unknown Object (File)
Mon, Apr 29, 7:44 AM
Unknown Object (File)
Feb 7 2024, 12:41 AM
Unknown Object (File)
Jan 10 2024, 1:45 AM
Unknown Object (File)
Dec 21 2023, 11:05 PM
Unknown Object (File)
Oct 24 2023, 10:14 PM
Unknown Object (File)
Jun 12 2023, 8:37 AM
Unknown Object (File)
Jan 10 2023, 8:39 AM
Unknown Object (File)
Jan 6 2023, 5:48 AM
View All 9 Files
Subscribers
imp

Details

Reviewers
cem
Group Reviewers
manpages
Commits
rS360710: Deprecate ubsec(4) for FreeBSD 13.0.
Summary

With the removal of in-tree consumers of DES, Triple DES, and
MD5-HMAC, the only algorithm this driver still supports is
SHA1-HMAC. This is not very useful as a standalone algorithm
(e.g. IPsec only uses SHA1-HMAC in combination with AES-CBC).

Test Plan
  • amd64 GENERIC build

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

jhb requested review of this revision.May 4 2020, 8:54 PM
jhb created this revision.
Harbormaster completed remote builds in B30902: Diff 71384.May 4 2020, 8:54 PM
jhb added a comment.May 4 2020, 8:56 PM

Some of these cards also have a PRNG, but given RDRAND on most(?) modern x86 CPUs, that doesn't seem worth keeping this driver around for either.

cem accepted this revision.May 4 2020, 10:41 PM

SHA1-HMAC is not completely obsolete, but I don't know how old this hardware is / how extensively it is used. If nothing would use the acceleration (even OpenSSL?), sure, kill it. I guess the gone_in() gives us time to find out if there are still users of accelerated SHA1-HMAC. (I'd guess anything with AESNI SHA extensions is probably faster than this?)

This revision is now accepted and ready to land.May 4 2020, 10:41 PM
jhb added a comment.May 4 2020, 11:40 PM

OpenSSL's engine doesn't use plain digests since we don't let you do it piecemeal via /dev/crypto, and even when OpenSSL does, it doesn't offload HMAC, but just the plain digests like SHA1, etc. The only in-kernel configuration that would use SHA1 HMAC is if someone ran IPsec with AH only (so on encryption, only auth) with SHA1 (geli requires a cipher, and even if I add TLS 1.0/1.1 it will require AES-CBC). It's not impossible, but seems highly unlikely. The alternative is that I have to gut much of this driver when I remove DES. I guess it also supports the async stuff, but that also isn't used by anything (modern OpenSSL doesn't try to use it because it isn't documented). The newest part (BCM5825) supported by the current driver was released in 2005. There is a newer OpenBSD driver that adds AES-CBC support, but not AES-CTR. If someone really has the hardware, I've at least converted the driver to the new framework as a starting point they can dig out of SCM.

cem added a comment.May 4 2020, 11:51 PM

You had me at 2005. Let it burn.

Closed by commit rS360710: Deprecate ubsec(4) for FreeBSD 13.0. (authored by jhb). · Explain WhyMay 6 2020, 10:15 PM
This revision was automatically updated to reflect the committed changes.
jhb added a commit: rS360710: Deprecate ubsec(4) for FreeBSD 13.0..
Herald added a reviewer: manpages. · View Herald TranscriptMay 6 2020, 10:15 PM
Herald added a subscriber: imp. · View Herald Transcript

Revision Contents
Changeset List

PathSize
head/
share/
man/
man4/
9 lines
sys/
dev/
ubsec/
1 line

Diff 71474

View Options

head/share/man/man4/ubsec.4

Loading...
View Options

head/sys/dev/ubsec/ubsec.c

Loading...