authorJohn Baldwin <jhb@FreeBSD.org>2019-06-11 23:00:55 +0000
committerJohn Baldwin <jhb@FreeBSD.org>2019-06-11 23:00:55 +0000
commit0f70218343affd8d51ee11177833bacad1bb4563 (patch)
treed8782897fe6f8f3e39090a3353af1d75baa36bcd /sys/netipsec
parent574b98cbd9a9a3b59e5b272f3dce5e54bc2e8939 (diff)
Make the warning intervals for deprecated crypto algorithms tunable.
New sysctl/tunables can now set the interval (in seconds) between rate-limited crypto warnings. The new sysctls are:
- kern.cryptodev_warn_interval for /dev/crypto
- net.inet.ipsec.crypto_warn_interval for IPsec
- kern.kgssapi_warn_interval for KGSSAPI
Reviewed by: cem
MFC after: 1 month
Relnotes: yes
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D20555
Notes
Notes: svn path=/head/; revision=348970
Diffstat (limited to 'sys/netipsec')
-rw-r--r--sys/netipsec/ipsec.c5
-rw-r--r--sys/netipsec/ipsec.h2
-rw-r--r--sys/netipsec/xform_ah.c9
-rw-r--r--sys/netipsec/xform_esp.c9
4 files changed, 15 insertions, 10 deletions
diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c
index 8d3e16723925..245feb1bdca9 100644
--- a/sys/netipsec/ipsec.c
+++ b/sys/netipsec/ipsec.c
@@ -216,6 +216,11 @@ SYSCTL_INT(_net_inet_ipsec, OID_AUTO, filtertunnel,
SYSCTL_VNET_PCPUSTAT(_net_inet_ipsec, OID_AUTO, ipsecstats, struct ipsecstat,
ipsec4stat, "IPsec IPv4 statistics.");
+struct timeval ipsec_warn_interval = { .tv_sec = 1, .tv_usec = 0 };
+SYSCTL_TIMEVAL_SEC(_net_inet_ipsec, OID_AUTO, crypto_warn_interval, CTLFLAG_RW,
+ &ipsec_warn_interval,
+ "Delay in seconds between warnings of deprecated IPsec crypto algorithms.");
+
#ifdef REGRESSION
/*
* When set to 1, IPsec will send packets with the same sequence number.
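Review bot: The new sysctl accepts 0, and since ratecheck() in xform_ah.c and xform_esp.c compares the elapsed time against this interval, a zero interval presumably lets every ah_init0()/esp_init() call through, so each SA set up with a deprecated algorithm then logs its own gone_in() line; the description string should say so, e.g. `"Delay in seconds between warnings of deprecated IPsec crypto algorithms (0 warns on every SA)."`. Whether the SYSCTL_TIMEVAL_SEC handler rejects negative seconds is not visible here; if it does not, a negative tv_sec has the same always-warn effect, so the handler's range check is worth confirming. The variable is a plain global placed next to VNET-scoped sysctls (the SYSCTL_VNET_PCPUSTAT above it) and the matching extern in ipsec.h sits among VNET_DECLARE lines, so a comment such as `/* Not per-VNET: the warn timestamps in xform_ah.c/xform_esp.c are file-static. */` would keep a reader from treating it as per-jail state.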
diff --git a/sys/netipsec/ipsec.h b/sys/netipsec/ipsec.h
index 0124b12c20cd..345faa3618c8 100644
--- a/sys/netipsec/ipsec.h
+++ b/sys/netipsec/ipsec.h
@@ -287,6 +287,8 @@ VNET_DECLARE(int, crypto_support);
VNET_DECLARE(int, async_crypto);
VNET_DECLARE(int, natt_cksum_policy);
+extern struct timeval ipsec_warn_interval;
+
#define IPSECSTAT_INC(name) \
VNET_PCPUSTAT_ADD(struct ipsecstat, ipsec4stat, name, 1)
#define V_ip4_esp_trans_deflev VNET(ip4_esp_trans_deflev)
diff --git a/sys/netipsec/xform_ah.c b/sys/netipsec/xform_ah.c
index bd6ee7d22a19..eddc682d772b 100644
--- a/sys/netipsec/xform_ah.c
+++ b/sys/netipsec/xform_ah.c
@@ -109,7 +109,6 @@ SYSCTL_VNET_PCPUSTAT(_net_inet_ah, IPSECCTL_STATS, stats, struct ahstat,
static unsigned char ipseczeroes[256]; /* larger than an ip6 extension hdr */
static struct timeval md5warn, ripewarn, kpdkmd5warn, kpdksha1warn;
-static struct timeval warninterval = { .tv_sec = 1, .tv_usec = 0 };
static int ah_input_cb(struct cryptop*);
static int ah_output_cb(struct cryptop*);
@@ -189,19 +188,19 @@ ah_init0(struct secasvar *sav, struct xformsw *xsp, struct cryptoini *cria)
switch (sav->alg_auth) {
case SADB_AALG_MD5HMAC:
- if (ratecheck(&md5warn, &warninterval))
+ if (ratecheck(&md5warn, &ipsec_warn_interval))
gone_in(13, "MD5-HMAC authenticator for IPsec");
break;
case SADB_X_AALG_RIPEMD160HMAC:
- if (ratecheck(&ripewarn, &warninterval))
+ if (ratecheck(&ripewarn, &ipsec_warn_interval))
gone_in(13, "RIPEMD160-HMAC authenticator for IPsec");
break;
case SADB_X_AALG_MD5:
- if (ratecheck(&kpdkmd5warn, &warninterval))
+ if (ratecheck(&kpdkmd5warn, &ipsec_warn_interval))
gone_in(13, "Keyed-MD5 authenticator for IPsec");
break;
case SADB_X_AALG_SHA:
- if (ratecheck(&kpdksha1warn, &warninterval))
+ if (ratecheck(&kpdksha1warn, &ipsec_warn_interval))
gone_in(13, "Keyed-SHA1 authenticator for IPsec");
break;
}
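Review bot: ah_init0() gives no hint that the rate limit it applies is keyed per algorithm through the file-static timestamps declared at the top of the file and that the interval is now the runtime-tunable ipsec_warn_interval, which is plain global storage rather than VNET state; a one-line comment above the switch, `/* One warning per algorithm per ipsec_warn_interval (net.inet.ipsec.crypto_warn_interval); timestamps and interval are not per-VNET. */`, would make that visible. The same applies to the identical switch in esp_init() in xform_esp.c. The four ratecheck()/gone_in() pairs differ only in timestamp and message, so a small shared static helper is an option, but not required for this change. Both functions start before their hunks.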
diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c
index dc5a10bacc63..18bd926c5b5f 100644
--- a/sys/netipsec/xform_esp.c
+++ b/sys/netipsec/xform_esp.c
@@ -95,7 +95,6 @@ SYSCTL_VNET_PCPUSTAT(_net_inet_esp, IPSECCTL_STATS, stats,
"ESP statistics (struct espstat, netipsec/esp_var.h");
static struct timeval deswarn, blfwarn, castwarn, camelliawarn;
-static struct timeval warninterval = { .tv_sec = 1, .tv_usec = 0 };
static int esp_input_cb(struct cryptop *op);
static int esp_output_cb(struct cryptop *crp);
@@ -162,19 +161,19 @@ esp_init(struct secasvar *sav, struct xformsw *xsp)
switch (sav->alg_enc) {
case SADB_EALG_DESCBC:
- if (ratecheck(&deswarn, &warninterval))
+ if (ratecheck(&deswarn, &ipsec_warn_interval))
gone_in(13, "DES cipher for IPsec");
break;
case SADB_X_EALG_BLOWFISHCBC:
- if (ratecheck(&blfwarn, &warninterval))
+ if (ratecheck(&blfwarn, &ipsec_warn_interval))
gone_in(13, "Blowfish cipher for IPsec");
break;
case SADB_X_EALG_CAST128CBC:
- if (ratecheck(&castwarn, &warninterval))
+ if (ratecheck(&castwarn, &ipsec_warn_interval))
gone_in(13, "CAST cipher for IPsec");
break;
case SADB_X_EALG_CAMELLIACBC:
- if (ratecheck(&camelliawarn, &warninterval))
+ if (ratecheck(&camelliawarn, &ipsec_warn_interval))
gone_in(13, "Camellia cipher for IPsec");
break;
}