mike tancsa
2019-Aug-21 15:21 UTC
svn commit: r351246 - in stable: 11/sys/opencrypto 12/sys/opencrypto
On a busy server, I am getting a lot of these spewing to dmesg Deprecated code (to be removed in FreeBSD 13): ARC4 cipher via /dev/crypto Deprecated code (to be removed in FreeBSD 13): DES cipher via /dev/crypto Deprecated code (to be removed in FreeBSD 13): 3DES cipher via /dev/crypto Deprecated code (to be removed in FreeBSD 13): Blowfish cipher via /dev/crypto Deprecated code (to be removed in FreeBSD 13): CAST128 cipher via /dev/crypto Deprecated code (to be removed in FreeBSD 13): ARC4 cipher via /dev/crypto Deprecated code (to be removed in FreeBSD 13): DES cipher via /dev/crypto Deprecated code (to be removed in FreeBSD 13): 3DES cipher via /dev/crypto Deprecated code (to be removed in FreeBSD 13): Blowfish cipher via /dev/crypto Deprecated code (to be removed in FreeBSD 13): CAST128 cipher via /dev/crypto What is the best way to try and track down what apps are triggering that ? ??? ---Mike On 8/19/2019 9:30 PM, John Baldwin wrote:> Author: jhb > Date: Tue Aug 20 01:30:35 2019 > New Revision: 351246 > URL: https://svnweb.freebsd.org/changeset/base/351246 > > Log: > MFC 348876: Add warnings to /dev/crypto for deprecated algorithms. > > These algorithms are deprecated algorithms that will have no in-kernel > consumers in FreeBSD 13. Specifically, deprecate the following > algorithms: > - ARC4 > - Blowfish > - CAST128 > - DES > - 3DES > - MD5-HMAC > - Skipjack > > Relnotes: yes > > Modified: > stable/11/sys/opencrypto/cryptodev.c > Directory Properties: > stable/11/ (props changed) > > Changes in other areas also in this revision: > Modified: > stable/12/sys/opencrypto/cryptodev.c > Directory Properties: > stable/12/ (props changed) > > Modified: stable/11/sys/opencrypto/cryptodev.c > =============================================================================> --- stable/11/sys/opencrypto/cryptodev.c Tue Aug 20 01:26:02 2019 (r351245) > +++ stable/11/sys/opencrypto/cryptodev.c Tue Aug 20 01:30:35 2019 (r351246) > @@ -388,6 +388,9 @@ cryptof_ioctl( > struct crypt_op copc; > struct crypt_kop kopc; > #endif > + static struct timeval arc4warn, blfwarn, castwarn, deswarn, md5warn; > + static struct timeval skipwarn, tdeswarn; > + static struct timeval warninterval = { .tv_sec = 60, .tv_usec = 0 }; > > switch (cmd) { > case CIOCGSESSION: > @@ -408,18 +411,28 @@ cryptof_ioctl( > case 0: > break; > case CRYPTO_DES_CBC: > + if (ratecheck(&deswarn, &warninterval)) > + gone_in(13, "DES cipher via /dev/crypto"); > txform = &enc_xform_des; > break; > case CRYPTO_3DES_CBC: > + if (ratecheck(&tdeswarn, &warninterval)) > + gone_in(13, "3DES cipher via /dev/crypto"); > txform = &enc_xform_3des; > break; > case CRYPTO_BLF_CBC: > + if (ratecheck(&blfwarn, &warninterval)) > + gone_in(13, "Blowfish cipher via /dev/crypto"); > txform = &enc_xform_blf; > break; > case CRYPTO_CAST_CBC: > + if (ratecheck(&castwarn, &warninterval)) > + gone_in(13, "CAST128 cipher via /dev/crypto"); > txform = &enc_xform_cast5; > break; > case CRYPTO_SKIPJACK_CBC: > + if (ratecheck(&skipwarn, &warninterval)) > + gone_in(13, "Skipjack cipher via /dev/crypto"); > txform = &enc_xform_skipjack; > break; > case CRYPTO_AES_CBC: > @@ -432,6 +445,8 @@ cryptof_ioctl( > txform = &enc_xform_null; > break; > case CRYPTO_ARC4: > + if (ratecheck(&arc4warn, &warninterval)) > + gone_in(13, "ARC4 cipher via /dev/crypto"); > txform = &enc_xform_arc4; > break; > case CRYPTO_CAMELLIA_CBC: > @@ -454,6 +469,9 @@ cryptof_ioctl( > case 0: > break; > case CRYPTO_MD5_HMAC: > + if (ratecheck(&md5warn, &warninterval)) > + gone_in(13, > + "MD5-HMAC authenticator via /dev/crypto"); > thash = &auth_hash_hmac_md5; > break; > case CRYPTO_SHA1_HMAC: > _______________________________________________ > svn-src-stable-11 at freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/svn-src-stable-11 > To unsubscribe, send any mail to "svn-src-stable-11-unsubscribe at freebsd.org" >
John Baldwin
2019-Aug-21 16:00 UTC
svn commit: r351246 - in stable: 11/sys/opencrypto 12/sys/opencrypto
On 8/21/19 8:21 AM, mike tancsa wrote:> On a busy server, I am getting a lot of these spewing to dmesgI have a change staged for MFC that lets you adjust the warning intervals so you can tone down the spam.> Deprecated code (to be removed in FreeBSD 13): ARC4 cipher via /dev/crypto > Deprecated code (to be removed in FreeBSD 13): DES cipher via /dev/crypto > Deprecated code (to be removed in FreeBSD 13): 3DES cipher via /dev/crypto > Deprecated code (to be removed in FreeBSD 13): Blowfish cipher via > /dev/crypto > Deprecated code (to be removed in FreeBSD 13): CAST128 cipher via > /dev/crypto > Deprecated code (to be removed in FreeBSD 13): ARC4 cipher via /dev/crypto > Deprecated code (to be removed in FreeBSD 13): DES cipher via /dev/crypto > Deprecated code (to be removed in FreeBSD 13): 3DES cipher via /dev/crypto > Deprecated code (to be removed in FreeBSD 13): Blowfish cipher via > /dev/crypto > Deprecated code (to be removed in FreeBSD 13): CAST128 cipher via > /dev/crypto > > > What is the best way to try and track down what apps are triggering that ?One might be to use 'procstat -af' to see which processes have crypto file descriptors open (file descriptor type 'c'). The other approach would be to use dtrace with the fbt::_gone_in:entry trace maybe building a count of process names or some such, something like: dtrace -n 'fbt::_gone_in:entry { @counts[curthread->td_proc->p_comm] = count()' Let that run and then Ctrl-C after you see some warnings.> ??? ---Mike > > On 8/19/2019 9:30 PM, John Baldwin wrote: >> Author: jhb >> Date: Tue Aug 20 01:30:35 2019 >> New Revision: 351246 >> URL: https://svnweb.freebsd.org/changeset/base/351246 >> >> Log: >> MFC 348876: Add warnings to /dev/crypto for deprecated algorithms. >> >> These algorithms are deprecated algorithms that will have no in-kernel >> consumers in FreeBSD 13. Specifically, deprecate the following >> algorithms: >> - ARC4 >> - Blowfish >> - CAST128 >> - DES >> - 3DES >> - MD5-HMAC >> - Skipjack >> >> Relnotes: yes >> >> Modified: >> stable/11/sys/opencrypto/cryptodev.c >> Directory Properties: >> stable/11/ (props changed) >> >> Changes in other areas also in this revision: >> Modified: >> stable/12/sys/opencrypto/cryptodev.c >> Directory Properties: >> stable/12/ (props changed) >> >> Modified: stable/11/sys/opencrypto/cryptodev.c >> =============================================================================>> --- stable/11/sys/opencrypto/cryptodev.c Tue Aug 20 01:26:02 2019 (r351245) >> +++ stable/11/sys/opencrypto/cryptodev.c Tue Aug 20 01:30:35 2019 (r351246) >> @@ -388,6 +388,9 @@ cryptof_ioctl( >> struct crypt_op copc; >> struct crypt_kop kopc; >> #endif >> + static struct timeval arc4warn, blfwarn, castwarn, deswarn, md5warn; >> + static struct timeval skipwarn, tdeswarn; >> + static struct timeval warninterval = { .tv_sec = 60, .tv_usec = 0 }; >> >> switch (cmd) { >> case CIOCGSESSION: >> @@ -408,18 +411,28 @@ cryptof_ioctl( >> case 0: >> break; >> case CRYPTO_DES_CBC: >> + if (ratecheck(&deswarn, &warninterval)) >> + gone_in(13, "DES cipher via /dev/crypto"); >> txform = &enc_xform_des; >> break; >> case CRYPTO_3DES_CBC: >> + if (ratecheck(&tdeswarn, &warninterval)) >> + gone_in(13, "3DES cipher via /dev/crypto"); >> txform = &enc_xform_3des; >> break; >> case CRYPTO_BLF_CBC: >> + if (ratecheck(&blfwarn, &warninterval)) >> + gone_in(13, "Blowfish cipher via /dev/crypto"); >> txform = &enc_xform_blf; >> break; >> case CRYPTO_CAST_CBC: >> + if (ratecheck(&castwarn, &warninterval)) >> + gone_in(13, "CAST128 cipher via /dev/crypto"); >> txform = &enc_xform_cast5; >> break; >> case CRYPTO_SKIPJACK_CBC: >> + if (ratecheck(&skipwarn, &warninterval)) >> + gone_in(13, "Skipjack cipher via /dev/crypto"); >> txform = &enc_xform_skipjack; >> break; >> case CRYPTO_AES_CBC: >> @@ -432,6 +445,8 @@ cryptof_ioctl( >> txform = &enc_xform_null; >> break; >> case CRYPTO_ARC4: >> + if (ratecheck(&arc4warn, &warninterval)) >> + gone_in(13, "ARC4 cipher via /dev/crypto"); >> txform = &enc_xform_arc4; >> break; >> case CRYPTO_CAMELLIA_CBC: >> @@ -454,6 +469,9 @@ cryptof_ioctl( >> case 0: >> break; >> case CRYPTO_MD5_HMAC: >> + if (ratecheck(&md5warn, &warninterval)) >> + gone_in(13, >> + "MD5-HMAC authenticator via /dev/crypto"); >> thash = &auth_hash_hmac_md5; >> break; >> case CRYPTO_SHA1_HMAC: >> _______________________________________________ >> svn-src-stable-11 at freebsd.org mailing list >> https://lists.freebsd.org/mailman/listinfo/svn-src-stable-11 >> To unsubscribe, send any mail to "svn-src-stable-11-unsubscribe at freebsd.org" >>-- John Baldwin