Deprecate 3des support in IPsec for FreeBSD 13.
RFC 8221 does not outright ban 3des as the algorithms deprecated for
13 in r348205, but it is listed as a SHOULD NOT and will likely be a
MUST NOT by the time 13 ships.

Discussed with:	bjk
MFC after:	1 week
Sponsored by:	Chelsio Communications
Differential Revision:	https://reviews.freebsd.org/D24341
bsdjhb committed Apr 22, 2020
1 parent 62af2dc commit e27a9ad
Showing 1 changed file with 5 additions and 1 deletion.
6 changes: 5 additions & 1 deletion sys/netipsec/xform_esp.c
Expand Up @@ -94,7 +94,7 @@ SYSCTL_VNET_PCPUSTAT(_net_inet_esp, IPSECCTL_STATS, stats,
struct espstat, espstat,
"ESP statistics (struct espstat, netipsec/esp_var.h");

static struct timeval deswarn, blfwarn, castwarn, camelliawarn;
static struct timeval deswarn, blfwarn, castwarn, camelliawarn, tdeswarn;

static int esp_input_cb(struct cryptop *op);
static int esp_output_cb(struct cryptop *crp);
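Review bot: the growing list of `static struct timeval` rate-limit states at the `tdeswarn` line has no comment explaining what they are for; with six per-algorithm entries now it is worth a one-line comment above the declaration stating that each is the `ratecheck()` state for the deprecation warning of one ESP cipher, so the next person adding an algorithm knows to add a matching entry rather than reuse `deswarn`.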
Expand Down Expand Up @@ -164,6 +164,10 @@ esp_init(struct secasvar *sav, struct xformsw *xsp)
if (ratecheck(&deswarn, &ipsec_warn_interval))
gone_in(13, "DES cipher for IPsec");
break;
case SADB_EALG_3DESCBC:
if (ratecheck(&tdeswarn, &ipsec_warn_interval))
gone_in(13, "DES cipher for IPsec");
break;
case SADB_X_EALG_BLOWFISHCBC:
if (ratecheck(&blfwarn, &ipsec_warn_interval))
gone_in(13, "Blowfish cipher for IPsec");
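Review bot: the new `SADB_EALG_3DESCBC` case emits the wrong message: it copies the DES text, `gone_in(13, "DES cipher for IPsec");`, so a 3DES user sees a warning about DES and may conclude it does not apply to them, and the separate `tdeswarn` rate-limit state becomes indistinguishable from the DES one in the log. Suggest `gone_in(13, "3DES cipher for IPsec");` to match the commit message and the pattern of the Blowfish case below.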
