John Baldwin
2019-Aug-21 16:00 UTC
svn commit: r351246 - in stable: 11/sys/opencrypto 12/sys/opencrypto
On 8/21/19 8:21 AM, mike tancsa wrote:> On a busy server, I am getting a lot of these spewing to dmesgI have a change staged for MFC that lets you adjust the warning intervals so you can tone down the spam.> Deprecated code (to be removed in FreeBSD 13): ARC4 cipher via /dev/crypto > Deprecated code (to be removed in FreeBSD 13): DES cipher via /dev/crypto > Deprecated code (to be removed in FreeBSD 13): 3DES cipher via /dev/crypto > Deprecated code (to be removed in FreeBSD 13): Blowfish cipher via > /dev/crypto > Deprecated code (to be removed in FreeBSD 13): CAST128 cipher via > /dev/crypto > Deprecated code (to be removed in FreeBSD 13): ARC4 cipher via /dev/crypto > Deprecated code (to be removed in FreeBSD 13): DES cipher via /dev/crypto > Deprecated code (to be removed in FreeBSD 13): 3DES cipher via /dev/crypto > Deprecated code (to be removed in FreeBSD 13): Blowfish cipher via > /dev/crypto > Deprecated code (to be removed in FreeBSD 13): CAST128 cipher via > /dev/crypto > > > What is the best way to try and track down what apps are triggering that ?One might be to use 'procstat -af' to see which processes have crypto file descriptors open (file descriptor type 'c'). The other approach would be to use dtrace with the fbt::_gone_in:entry trace maybe building a count of process names or some such, something like: dtrace -n 'fbt::_gone_in:entry { @counts[curthread->td_proc->p_comm] = count()' Let that run and then Ctrl-C after you see some warnings.> ??? ---Mike > > On 8/19/2019 9:30 PM, John Baldwin wrote: >> Author: jhb >> Date: Tue Aug 20 01:30:35 2019 >> New Revision: 351246 >> URL: https://svnweb.freebsd.org/changeset/base/351246 >> >> Log: >> MFC 348876: Add warnings to /dev/crypto for deprecated algorithms. >> >> These algorithms are deprecated algorithms that will have no in-kernel >> consumers in FreeBSD 13. Specifically, deprecate the following >> algorithms: >> - ARC4 >> - Blowfish >> - CAST128 >> - DES >> - 3DES >> - MD5-HMAC >> - Skipjack >> >> Relnotes: yes >> >> Modified: >> stable/11/sys/opencrypto/cryptodev.c >> Directory Properties: >> stable/11/ (props changed) >> >> Changes in other areas also in this revision: >> Modified: >> stable/12/sys/opencrypto/cryptodev.c >> Directory Properties: >> stable/12/ (props changed) >> >> Modified: stable/11/sys/opencrypto/cryptodev.c >> =============================================================================>> --- stable/11/sys/opencrypto/cryptodev.c Tue Aug 20 01:26:02 2019 (r351245) >> +++ stable/11/sys/opencrypto/cryptodev.c Tue Aug 20 01:30:35 2019 (r351246) >> @@ -388,6 +388,9 @@ cryptof_ioctl( >> struct crypt_op copc; >> struct crypt_kop kopc; >> #endif >> + static struct timeval arc4warn, blfwarn, castwarn, deswarn, md5warn; >> + static struct timeval skipwarn, tdeswarn; >> + static struct timeval warninterval = { .tv_sec = 60, .tv_usec = 0 }; >> >> switch (cmd) { >> case CIOCGSESSION: >> @@ -408,18 +411,28 @@ cryptof_ioctl( >> case 0: >> break; >> case CRYPTO_DES_CBC: >> + if (ratecheck(&deswarn, &warninterval)) >> + gone_in(13, "DES cipher via /dev/crypto"); >> txform = &enc_xform_des; >> break; >> case CRYPTO_3DES_CBC: >> + if (ratecheck(&tdeswarn, &warninterval)) >> + gone_in(13, "3DES cipher via /dev/crypto"); >> txform = &enc_xform_3des; >> break; >> case CRYPTO_BLF_CBC: >> + if (ratecheck(&blfwarn, &warninterval)) >> + gone_in(13, "Blowfish cipher via /dev/crypto"); >> txform = &enc_xform_blf; >> break; >> case CRYPTO_CAST_CBC: >> + if (ratecheck(&castwarn, &warninterval)) >> + gone_in(13, "CAST128 cipher via /dev/crypto"); >> txform = &enc_xform_cast5; >> break; >> case CRYPTO_SKIPJACK_CBC: >> + if (ratecheck(&skipwarn, &warninterval)) >> + gone_in(13, "Skipjack cipher via /dev/crypto"); >> txform = &enc_xform_skipjack; >> break; >> case CRYPTO_AES_CBC: >> @@ -432,6 +445,8 @@ cryptof_ioctl( >> txform = &enc_xform_null; >> break; >> case CRYPTO_ARC4: >> + if (ratecheck(&arc4warn, &warninterval)) >> + gone_in(13, "ARC4 cipher via /dev/crypto"); >> txform = &enc_xform_arc4; >> break; >> case CRYPTO_CAMELLIA_CBC: >> @@ -454,6 +469,9 @@ cryptof_ioctl( >> case 0: >> break; >> case CRYPTO_MD5_HMAC: >> + if (ratecheck(&md5warn, &warninterval)) >> + gone_in(13, >> + "MD5-HMAC authenticator via /dev/crypto"); >> thash = &auth_hash_hmac_md5; >> break; >> case CRYPTO_SHA1_HMAC: >> _______________________________________________ >> svn-src-stable-11 at freebsd.org mailing list >> https://lists.freebsd.org/mailman/listinfo/svn-src-stable-11 >> To unsubscribe, send any mail to "svn-src-stable-11-unsubscribe at freebsd.org" >>-- John Baldwin
mike tancsa
2019-Aug-21 16:08 UTC
svn commit: r351246 - in stable: 11/sys/opencrypto 12/sys/opencrypto
On 8/21/2019 12:00 PM, John Baldwin wrote:> dtrace -n 'fbt::_gone_in:entry { @counts[curthread->td_proc->p_comm] = count()'Thanks, I am not familiar with dtrace at all. This command gives a syntax error 0(cage)# dtrace -n 'fbt::_gone_in:entry { @counts[curthread->td_proc->p_comm] = count()' dtrace: invalid probe specifier fbt::_gone_in:entry { @counts[curthread->td_proc->p_comm] = count(): syntax error near end of input 1(cage)#