From e27a9ad8e6b0587e4ba5d6a6410d8b458974032f Mon Sep 17 00:00:00 2001
From: John Baldwin
Date: Wed, 22 Apr 2020 19:44:33 +0000
Subject: Deprecate 3des support in IPsec for FreeBSD 13.

RFC 8221 does not outright ban 3des as the algorithms deprecated for 13 in r348205, but it is listed as a SHOULD NOT and will likely be a MUST NOT by the time 13 ships.

Discussed with: bjk
MFC after: 1 week
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D24341
---
 sys/netipsec/xform_esp.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'sys/netipsec')

diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c
index 6e3f2ece5acb..fb7d5beeb380 100644
--- a/sys/netipsec/xform_esp.c
+++ b/sys/netipsec/xform_esp.c
@@ -94,7 +94,7 @@ SYSCTL_VNET_PCPUSTAT(_net_inet_esp, IPSECCTL_STATS, stats, struct espstat,
     espstat, "ESP statistics (struct espstat, netipsec/esp_var.h");
-static struct timeval deswarn, blfwarn, castwarn, camelliawarn;
+static struct timeval deswarn, blfwarn, castwarn, camelliawarn, tdeswarn;
 static int esp_input_cb(struct cryptop *op);
 static int esp_output_cb(struct cryptop *crp);
@@ -164,6 +164,10 @@ esp_init(struct secasvar *sav, struct xformsw *xsp)
 		if (ratecheck(&deswarn, &ipsec_warn_interval))
 			gone_in(13, "DES cipher for IPsec");
 		break;
+	case SADB_EALG_3DESCBC:
+		if (ratecheck(&tdeswarn, &ipsec_warn_interval))
+			gone_in(13, "DES cipher for IPsec");
+		break;
 	case SADB_X_EALG_BLOWFISHCBC:
 		if (ratecheck(&blfwarn, &ipsec_warn_interval))
 			gone_in(13, "Blowfish cipher for IPsec");
-- 
cgit v1.2.3
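Review bot: The new `case SADB_EALG_3DESCBC:` branch reuses the single-DES warning text verbatim, so an administrator whose SA negotiates 3DES is told `gone_in(13, "DES cipher for IPsec")` and cannot tell from the log which cipher is in use or that 3DES itself is what is being removed — a deprecation notice for a weak cipher should name the cipher it is about. A distinct string, `gone_in(13, "3DES cipher for IPsec");`, keeps the message accurate and matches the per-cipher wording the Blowfish case uses on the following lines. Giving 3DES its own `tdeswarn` timeval is right, since it keeps the two deprecations rate-limited independently rather than letting a DES warning suppress the 3DES one. The enclosing switch in esp_init starts and ends outside the hunk.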