authorJohn Baldwin <jhb@FreeBSD.org>2020-04-22 19:44:33 +0000
committerJohn Baldwin <jhb@FreeBSD.org>2020-04-22 19:44:33 +0000
commite27a9ad8e6b0587e4ba5d6a6410d8b458974032f (patch)
tree49adf707f54a4578aecbf06f11042567ea396afc /sys/netipsec
parent62af2dc3fbb213db3bd221b28ceb726106d6150a (diff)
Deprecate 3des support in IPsec for FreeBSD 13.
RFC 8221 does not outright ban 3des as the algorithms deprecated for 13 in r348205, but it is listed as a SHOULD NOT and will likely be a MUST NOT by the time 13 ships. Discussed with: bjk MFC after: 1 week Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D24341
Notes
Notes: svn path=/head/; revision=360202
Diffstat (limited to 'sys/netipsec')
-rw-r--r--sys/netipsec/xform_esp.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c
index 6e3f2ece5acb..fb7d5beeb380 100644
--- a/sys/netipsec/xform_esp.c
+++ b/sys/netipsec/xform_esp.c
@@ -94,7 +94,7 @@ SYSCTL_VNET_PCPUSTAT(_net_inet_esp, IPSECCTL_STATS, stats,
struct espstat, espstat,
"ESP statistics (struct espstat, netipsec/esp_var.h");
-static struct timeval deswarn, blfwarn, castwarn, camelliawarn;
+static struct timeval deswarn, blfwarn, castwarn, camelliawarn, tdeswarn;
static int esp_input_cb(struct cryptop *op);
static int esp_output_cb(struct cryptop *crp);
@@ -164,6 +164,10 @@ esp_init(struct secasvar *sav, struct xformsw *xsp)
if (ratecheck(&deswarn, &ipsec_warn_interval))
gone_in(13, "DES cipher for IPsec");
break;
+ case SADB_EALG_3DESCBC:
+ if (ratecheck(&tdeswarn, &ipsec_warn_interval))
+ gone_in(13, "DES cipher for IPsec");
+ break;
case SADB_X_EALG_BLOWFISHCBC:
if (ratecheck(&blfwarn, &ipsec_warn_interval))
gone_in(13, "Blowfish cipher for IPsec");
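Review bot: The new `SADB_EALG_3DESCBC` case passes the same string as the DES case directly above it, `"DES cipher for IPsec"`, so the deprecation warning logged for a 3DES SA cannot be told apart from the single-DES one. An operator who audits their SAs after seeing that message would look for DES and could overlook the 3DES configuration that actually triggered it. Naming the algorithm fixes this: `gone_in(13, "3DES cipher for IPsec");`. The separate `tdeswarn` timer added in the first hunk already keeps the rate limiting independent, so only the text needs to change. esp_init's body starts and ends outside this hunk.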