svn commit: r351246 - in stable: 11/sys/opencrypto 12/sys/opencrypto
John Baldwin
jhb at FreeBSD.org
Wed Aug 21 16:00:29 UTC 2019
On 8/21/19 8:21 AM, mike tancsa wrote:
> On a busy server, I am getting a lot of these spewing to dmesg
I have a change staged for MFC that lets you adjust the warning intervals
so you can tone down the spam.
> Deprecated code (to be removed in FreeBSD 13): ARC4 cipher via /dev/crypto
> Deprecated code (to be removed in FreeBSD 13): DES cipher via /dev/crypto
> Deprecated code (to be removed in FreeBSD 13): 3DES cipher via /dev/crypto
> Deprecated code (to be removed in FreeBSD 13): Blowfish cipher via
> /dev/crypto
> Deprecated code (to be removed in FreeBSD 13): CAST128 cipher via
> /dev/crypto
> Deprecated code (to be removed in FreeBSD 13): ARC4 cipher via /dev/crypto
> Deprecated code (to be removed in FreeBSD 13): DES cipher via /dev/crypto
> Deprecated code (to be removed in FreeBSD 13): 3DES cipher via /dev/crypto
> Deprecated code (to be removed in FreeBSD 13): Blowfish cipher via
> /dev/crypto
> Deprecated code (to be removed in FreeBSD 13): CAST128 cipher via
> /dev/crypto
>
>
> What is the best way to try and track down what apps are triggering that ?
One might be to use 'procstat -af' to see which processes have crypto file
descriptors open (file descriptor type 'c').
The other approach would be to use dtrace with the fbt::_gone_in:entry
trace maybe building a count of process names or some such, something like:
dtrace -n 'fbt::_gone_in:entry { @counts[curthread->td_proc->p_comm] = count()'
Let that run and then Ctrl-C after you see some warnings.
> ---Mike
>
> On 8/19/2019 9:30 PM, John Baldwin wrote:
>> Author: jhb
>> Date: Tue Aug 20 01:30:35 2019
>> New Revision: 351246
>> URL: https://svnweb.freebsd.org/changeset/base/351246
>>
>> Log:
>> MFC 348876: Add warnings to /dev/crypto for deprecated algorithms.
>>
>> These algorithms are deprecated algorithms that will have no in-kernel
>> consumers in FreeBSD 13. Specifically, deprecate the following
>> algorithms:
>> - ARC4
>> - Blowfish
>> - CAST128
>> - DES
>> - 3DES
>> - MD5-HMAC
>> - Skipjack
>>
>> Relnotes: yes
>>
>> Modified:
>> stable/11/sys/opencrypto/cryptodev.c
>> Directory Properties:
>> stable/11/ (props changed)
>>
>> Changes in other areas also in this revision:
>> Modified:
>> stable/12/sys/opencrypto/cryptodev.c
>> Directory Properties:
>> stable/12/ (props changed)
>>
>> Modified: stable/11/sys/opencrypto/cryptodev.c
>> ==============================================================================
>> --- stable/11/sys/opencrypto/cryptodev.c Tue Aug 20 01:26:02 2019 (r351245)
>> +++ stable/11/sys/opencrypto/cryptodev.c Tue Aug 20 01:30:35 2019 (r351246)
>> @@ -388,6 +388,9 @@ cryptof_ioctl(
>> struct crypt_op copc;
>> struct crypt_kop kopc;
>> #endif
>> + static struct timeval arc4warn, blfwarn, castwarn, deswarn, md5warn;
>> + static struct timeval skipwarn, tdeswarn;
>> + static struct timeval warninterval = { .tv_sec = 60, .tv_usec = 0 };
>>
>> switch (cmd) {
>> case CIOCGSESSION:
>> @@ -408,18 +411,28 @@ cryptof_ioctl(
>> case 0:
>> break;
>> case CRYPTO_DES_CBC:
>> + if (ratecheck(&deswarn, &warninterval))
>> + gone_in(13, "DES cipher via /dev/crypto");
>> txform = &enc_xform_des;
>> break;
>> case CRYPTO_3DES_CBC:
>> + if (ratecheck(&tdeswarn, &warninterval))
>> + gone_in(13, "3DES cipher via /dev/crypto");
>> txform = &enc_xform_3des;
>> break;
>> case CRYPTO_BLF_CBC:
>> + if (ratecheck(&blfwarn, &warninterval))
>> + gone_in(13, "Blowfish cipher via /dev/crypto");
>> txform = &enc_xform_blf;
>> break;
>> case CRYPTO_CAST_CBC:
>> + if (ratecheck(&castwarn, &warninterval))
>> + gone_in(13, "CAST128 cipher via /dev/crypto");
>> txform = &enc_xform_cast5;
>> break;
>> case CRYPTO_SKIPJACK_CBC:
>> + if (ratecheck(&skipwarn, &warninterval))
>> + gone_in(13, "Skipjack cipher via /dev/crypto");
>> txform = &enc_xform_skipjack;
>> break;
>> case CRYPTO_AES_CBC:
>> @@ -432,6 +445,8 @@ cryptof_ioctl(
>> txform = &enc_xform_null;
>> break;
>> case CRYPTO_ARC4:
>> + if (ratecheck(&arc4warn, &warninterval))
>> + gone_in(13, "ARC4 cipher via /dev/crypto");
>> txform = &enc_xform_arc4;
>> break;
>> case CRYPTO_CAMELLIA_CBC:
>> @@ -454,6 +469,9 @@ cryptof_ioctl(
>> case 0:
>> break;
>> case CRYPTO_MD5_HMAC:
>> + if (ratecheck(&md5warn, &warninterval))
>> + gone_in(13,
>> + "MD5-HMAC authenticator via /dev/crypto");
>> thash = &auth_hash_hmac_md5;
>> break;
>> case CRYPTO_SHA1_HMAC:
>> _______________________________________________
>> svn-src-stable-11 at freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/svn-src-stable-11
>> To unsubscribe, send any mail to "svn-src-stable-11-unsubscribe at freebsd.org"
>>
--
John Baldwin
More information about the freebsd-stable
mailing list