svn commit: r351246 - in stable: 11/sys/opencrypto 12/sys/opencrypto

John Baldwin jhb at FreeBSD.org
Wed Aug 21 16:00:29 UTC 2019


On 8/21/19 8:21 AM, mike tancsa wrote:
> On a busy server, I am getting a lot of these spewing to dmesg

I have a change staged for MFC that lets you adjust the warning intervals
so you can tone down the spam.

> Deprecated code (to be removed in FreeBSD 13): ARC4 cipher via /dev/crypto
> Deprecated code (to be removed in FreeBSD 13): DES cipher via /dev/crypto
> Deprecated code (to be removed in FreeBSD 13): 3DES cipher via /dev/crypto
> Deprecated code (to be removed in FreeBSD 13): Blowfish cipher via
> /dev/crypto
> Deprecated code (to be removed in FreeBSD 13): CAST128 cipher via
> /dev/crypto
> Deprecated code (to be removed in FreeBSD 13): ARC4 cipher via /dev/crypto
> Deprecated code (to be removed in FreeBSD 13): DES cipher via /dev/crypto
> Deprecated code (to be removed in FreeBSD 13): 3DES cipher via /dev/crypto
> Deprecated code (to be removed in FreeBSD 13): Blowfish cipher via
> /dev/crypto
> Deprecated code (to be removed in FreeBSD 13): CAST128 cipher via
> /dev/crypto
> 
> 
> What is the best way to try and track down what apps are triggering that ?

One might be to use 'procstat -af' to see which processes have crypto file
descriptors open (file descriptor type 'c').

The other approach would be to use dtrace with the fbt::_gone_in:entry
trace maybe building a count of process names or some such, something like:

dtrace -n 'fbt::_gone_in:entry { @counts[curthread->td_proc->p_comm] = count()'

Let that run and then Ctrl-C after you see some warnings.

>     ---Mike
> 
> On 8/19/2019 9:30 PM, John Baldwin wrote:
>> Author: jhb
>> Date: Tue Aug 20 01:30:35 2019
>> New Revision: 351246
>> URL: https://svnweb.freebsd.org/changeset/base/351246
>>
>> Log:
>>   MFC 348876: Add warnings to /dev/crypto for deprecated algorithms.
>>   
>>   These algorithms are deprecated algorithms that will have no in-kernel
>>   consumers in FreeBSD 13.  Specifically, deprecate the following
>>   algorithms:
>>   - ARC4
>>   - Blowfish
>>   - CAST128
>>   - DES
>>   - 3DES
>>   - MD5-HMAC
>>   - Skipjack
>>   
>>   Relnotes:	yes
>>
>> Modified:
>>   stable/11/sys/opencrypto/cryptodev.c
>> Directory Properties:
>>   stable/11/   (props changed)
>>
>> Changes in other areas also in this revision:
>> Modified:
>>   stable/12/sys/opencrypto/cryptodev.c
>> Directory Properties:
>>   stable/12/   (props changed)
>>
>> Modified: stable/11/sys/opencrypto/cryptodev.c
>> ==============================================================================
>> --- stable/11/sys/opencrypto/cryptodev.c	Tue Aug 20 01:26:02 2019	(r351245)
>> +++ stable/11/sys/opencrypto/cryptodev.c	Tue Aug 20 01:30:35 2019	(r351246)
>> @@ -388,6 +388,9 @@ cryptof_ioctl(
>>  	struct crypt_op copc;
>>  	struct crypt_kop kopc;
>>  #endif
>> +	static struct timeval arc4warn, blfwarn, castwarn, deswarn, md5warn;
>> +	static struct timeval skipwarn, tdeswarn;
>> +	static struct timeval warninterval = { .tv_sec = 60, .tv_usec = 0 };
>>  
>>  	switch (cmd) {
>>  	case CIOCGSESSION:
>> @@ -408,18 +411,28 @@ cryptof_ioctl(
>>  		case 0:
>>  			break;
>>  		case CRYPTO_DES_CBC:
>> +			if (ratecheck(&deswarn, &warninterval))
>> +				gone_in(13, "DES cipher via /dev/crypto");
>>  			txform = &enc_xform_des;
>>  			break;
>>  		case CRYPTO_3DES_CBC:
>> +			if (ratecheck(&tdeswarn, &warninterval))
>> +				gone_in(13, "3DES cipher via /dev/crypto");
>>  			txform = &enc_xform_3des;
>>  			break;
>>  		case CRYPTO_BLF_CBC:
>> +			if (ratecheck(&blfwarn, &warninterval))
>> +				gone_in(13, "Blowfish cipher via /dev/crypto");
>>  			txform = &enc_xform_blf;
>>  			break;
>>  		case CRYPTO_CAST_CBC:
>> +			if (ratecheck(&castwarn, &warninterval))
>> +				gone_in(13, "CAST128 cipher via /dev/crypto");
>>  			txform = &enc_xform_cast5;
>>  			break;
>>  		case CRYPTO_SKIPJACK_CBC:
>> +			if (ratecheck(&skipwarn, &warninterval))
>> +				gone_in(13, "Skipjack cipher via /dev/crypto");
>>  			txform = &enc_xform_skipjack;
>>  			break;
>>  		case CRYPTO_AES_CBC:
>> @@ -432,6 +445,8 @@ cryptof_ioctl(
>>  			txform = &enc_xform_null;
>>  			break;
>>  		case CRYPTO_ARC4:
>> +			if (ratecheck(&arc4warn, &warninterval))
>> +				gone_in(13, "ARC4 cipher via /dev/crypto");
>>  			txform = &enc_xform_arc4;
>>  			break;
>>   		case CRYPTO_CAMELLIA_CBC:
>> @@ -454,6 +469,9 @@ cryptof_ioctl(
>>  		case 0:
>>  			break;
>>  		case CRYPTO_MD5_HMAC:
>> +			if (ratecheck(&md5warn, &warninterval))
>> +				gone_in(13,
>> +				    "MD5-HMAC authenticator via /dev/crypto");
>>  			thash = &auth_hash_hmac_md5;
>>  			break;
>>  		case CRYPTO_SHA1_HMAC:
>> _______________________________________________
>> svn-src-stable-11 at freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/svn-src-stable-11
>> To unsubscribe, send any mail to "svn-src-stable-11-unsubscribe at freebsd.org"
>>


-- 
John Baldwin


More information about the freebsd-stable mailing list