D20340.diff
Index: head/sys/netipsec/xform_ah.c
===================================================================
--- head/sys/netipsec/xform_ah.c
+++ head/sys/netipsec/xform_ah.c
@@ -108,6 +108,8 @@
#endif
static unsigned char ipseczeroes[256]; /* larger than an ip6 extension hdr */
+static struct timeval md5warn, ripewarn, kpdkmd5warn, kpdksha1warn;
+static struct timeval warninterval = { .tv_sec = 1, .tv_usec = 0 };
static int ah_input_cb(struct cryptop*);
static int ah_output_cb(struct cryptop*);
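Review bot: `warninterval` is never written after its initializer, so it can be const-qualified, `static const struct timeval warninterval = { .tv_sec = 1, .tv_usec = 0 };` — ratecheck() reads its interval argument only, through a const pointer as far as I recall, so the qualifier costs nothing and prevents the rate limit from being changed by accident. The same applies to the `warninterval` added in the first xform_esp.c hunk. The four per-algorithm `struct timeval` timestamps are updated by ratecheck() with no lock; if ah_init() can run concurrently for different SAs, a lost update there only produces an extra or a missed warning line, which is acceptable for a best-effort deprecation notice but deserves a one-line comment, e.g. `/* Last-warning timestamps; unlocked, a race only costs a duplicate or missed warning. */`.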
@@ -184,6 +186,26 @@
__func__, sav->alg_auth));
return EINVAL;
}
+
+ switch (sav->alg_auth) {
+ case SADB_AALG_MD5HMAC:
+ if (ratecheck(&md5warn, &warninterval))
+ gone_in(13, "MD5-HMAC authenticator for IPsec");
+ break;
+ case SADB_X_AALG_RIPEMD160HMAC:
+ if (ratecheck(&ripewarn, &warninterval))
+ gone_in(13, "RIPEMD160-HMAC authenticator for IPsec");
+ break;
+ case SADB_X_AALG_MD5:
+ if (ratecheck(&kpdkmd5warn, &warninterval))
+ gone_in(13, "Keyed-MD5 authenticator for IPsec");
+ break;
+ case SADB_X_AALG_SHA:
+ if (ratecheck(&kpdksha1warn, &warninterval))
+ gone_in(13, "Keyed-SHA1 authenticator for IPsec");
+ break;
+ }
+
/*
* Verify the replay state block allocation is consistent with
* the protocol type. We check here so we can make assumptions
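Review bot: The switch on `sav->alg_auth` has no `default:` case; non-deprecated algorithms are meant to fall out silently, but an explicit `default: break;` states that intent rather than leaving the reader to infer it. The same applies to the switch on `sav->alg_enc` in the second xform_esp.c hunk. A short comment above the switch would also help a maintainer see that this only warns and does not reject the SA, e.g. `/* Rate-limited, per-algorithm deprecation warning for weak authenticators; the SA is still installed. */`. The enclosing function (ah_init, presumably) starts and ends outside the hunk.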
Index: head/sys/netipsec/xform_esp.c
===================================================================
--- head/sys/netipsec/xform_esp.c
+++ head/sys/netipsec/xform_esp.c
@@ -94,6 +94,9 @@
struct espstat, espstat,
"ESP statistics (struct espstat, netipsec/esp_var.h");
+static struct timeval deswarn, blfwarn, castwarn, camelliawarn;
+static struct timeval warninterval = { .tv_sec = 1, .tv_usec = 0 };
+
static int esp_input_cb(struct cryptop *op);
static int esp_output_cb(struct cryptop *crp);
@@ -156,6 +159,26 @@
__func__));
return EINVAL;
}
+
+ switch (sav->alg_enc) {
+ case SADB_EALG_DESCBC:
+ if (ratecheck(&deswarn, &warninterval))
+ gone_in(13, "DES cipher for IPsec");
+ break;
+ case SADB_X_EALG_BLOWFISHCBC:
+ if (ratecheck(&blfwarn, &warninterval))
+ gone_in(13, "Blowfish cipher for IPsec");
+ break;
+ case SADB_X_EALG_CAST128CBC:
+ if (ratecheck(&castwarn, &warninterval))
+ gone_in(13, "CAST cipher for IPsec");
+ break;
+ case SADB_X_EALG_CAMELLIACBC:
+ if (ratecheck(&camelliawarn, &warninterval))
+ gone_in(13, "Camellia cipher for IPsec");
+ break;
+ }
+
/* subtract off the salt, RFC4106, 8.1 and RFC3686, 5.1 */
keylen = _KEYLEN(sav->key_enc) - SAV_ISCTRORGCM(sav) * 4;
if (txform->minkey > keylen || keylen > txform->maxkey) {
