Subject: Re: svn commit: r351246 - in stable: 11/sys/opencrypto 12/sys/opencrypto
To: John Baldwin , freebsd-stable@freebsd.org
From: mike tancsa
Date: Wed, 21 Aug 2019 11:21:03 -0400

On a busy server, I am getting a lot of these spewing to dmesg

Deprecated code (to be removed in FreeBSD 13): ARC4 cipher via /dev/crypto
Deprecated code (to be removed in FreeBSD 13): DES cipher via /dev/crypto
Deprecated code (to be removed in FreeBSD 13): 3DES cipher via /dev/crypto
Deprecated code (to be removed in FreeBSD 13): Blowfish cipher via /dev/crypto
Deprecated code (to be removed in FreeBSD 13): CAST128 cipher via /dev/crypto
Deprecated code (to be removed in FreeBSD 13): ARC4 cipher via /dev/crypto
Deprecated code (to be removed in FreeBSD 13): DES cipher via /dev/crypto
Deprecated code (to be removed in FreeBSD 13): 3DES cipher via /dev/crypto
Deprecated code (to be removed in FreeBSD 13): Blowfish cipher via /dev/crypto
Deprecated code (to be removed in FreeBSD 13): CAST128 cipher via /dev/crypto

What is the best way to try and track down what apps are triggering that?

    ---Mike

On 8/19/2019 9:30 PM, John Baldwin wrote:
> Author: jhb
> Date: Tue Aug 20 01:30:35 2019
> New Revision: 351246
> URL: https://svnweb.freebsd.org/changeset/base/351246
>
> Log:
> MFC 348876: Add warnings to /dev/crypto for deprecated algorithms.
>
> These algorithms are deprecated algorithms that will have no in-kernel
> consumers in FreeBSD 13. Specifically, deprecate the following
> algorithms:
> - ARC4
> - Blowfish
> - CAST128
> - DES
> - 3DES
> - MD5-HMAC
> - Skipjack
>
> Relnotes: yes
>
> Modified:
> stable/11/sys/opencrypto/cryptodev.c
> Directory Properties:
> stable/11/ (props changed)
>
> Changes in other areas also in this revision:
> Modified:
> stable/12/sys/opencrypto/cryptodev.c
> Directory Properties:
> stable/12/ (props changed)
>
> Modified: stable/11/sys/opencrypto/cryptodev.c
> ==============================================================================
> --- stable/11/sys/opencrypto/cryptodev.c Tue Aug 20 01:26:02 2019 (r351245) > +++ stable/11/sys/opencrypto/cryptodev.c Tue Aug 20 01:30:35 2019 (r351246) > @@ -388,6 +388,9 @@ cryptof_ioctl( > struct crypt_op copc; > struct crypt_kop kopc; > #endif > + static struct timeval arc4warn, blfwarn, castwarn, deswarn, md5warn; > + static struct timeval skipwarn, tdeswarn; > + static struct timeval warninterval = { .tv_sec = 60, .tv_usec = 0 }; > > switch (cmd) { > case CIOCGSESSION: 
> @@ -408,18 +411,28 @@ cryptof_ioctl( > case 0: > break; > case CRYPTO_DES_CBC: > + if (ratecheck(&deswarn, &warninterval)) > + gone_in(13, "DES cipher via /dev/crypto"); > txform = &enc_xform_des; > break; > case CRYPTO_3DES_CBC: > + if (ratecheck(&tdeswarn, &warninterval)) > + gone_in(13, "3DES cipher via /dev/crypto"); > txform = &enc_xform_3des; > break; > case CRYPTO_BLF_CBC: > + if (ratecheck(&blfwarn, &warninterval)) > + gone_in(13, "Blowfish cipher via /dev/crypto"); > txform = &enc_xform_blf; > break; > case CRYPTO_CAST_CBC: > + if (ratecheck(&castwarn, &warninterval)) > + gone_in(13, "CAST128 cipher via /dev/crypto"); > txform = &enc_xform_cast5; > break; > case CRYPTO_SKIPJACK_CBC: > + if (ratecheck(&skipwarn, &warninterval)) > + gone_in(13, "Skipjack cipher via /dev/crypto"); > txform = &enc_xform_skipjack; > break; > case CRYPTO_AES_CBC: > @@ -432,6 +445,8 @@ cryptof_ioctl( > txform = &enc_xform_null; > break; > case CRYPTO_ARC4: > + if (ratecheck(&arc4warn, &warninterval)) > + gone_in(13, "ARC4 cipher via /dev/crypto"); > txform = &enc_xform_arc4; > break; > case CRYPTO_CAMELLIA_CBC: > @@ -454,6 +469,9 @@ cryptof_ioctl( > case 0: > break; > case CRYPTO_MD5_HMAC: > + if (ratecheck(&md5warn, &warninterval)) > + gone_in(13, > + "MD5-HMAC authenticator via /dev/crypto"); > thash = &auth_hash_hmac_md5; > break; > case CRYPTO_SHA1_HMAC: > _______________________________________________ > svn-src-stable-11@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/svn-src-stable-11 > To unsubscribe, send any mail to "svn-src-stable-11-unsubscribe@freebsd.org" >
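
Review bot: In the first hunk (@@ -388,6 +388,9 @@) `warninterval` is only ever passed to `ratecheck()` as the minimum interval, so it can be declared `static const struct timeval`. The seven `*warn` timestamps are function-static and therefore shared by every caller of `cryptof_ioctl()`; a one-line comment stating that the 60-second limit is per algorithm for the whole system, not per process, would explain why a busy host still logs each message about once a minute.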
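
Review bot: The `gone_in(13, "... cipher via /dev/crypto")` calls in the cipher switch (@@ -408,18 +411,28 @@) name the algorithm but not the caller, so the log line gives an administrator nothing to trace the consumer with, which is exactly the question raised in the reply above. Consider logging the calling process's name and pid under the same `ratecheck()` guard. The checks also appear to sit on the `CIOCGSESSION` path, so a consumer that only opens a session for each algorithm is reported the same way as one that actually encrypts with it; the message or the release note should say that.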
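
Review bot: The ARC4 case (@@ -432,6 +445,8 @@) repeats the same two-line `if (ratecheck(&xwarn, &warninterval)) gone_in(13, ...)` pair already added for DES, 3DES, Blowfish, CAST128 and Skipjack. A small local macro or helper taking the timestamp and the message would keep all the sites consistent and make it harder to pair a case with the wrong timestamp variable when the list changes.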
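
Review bot: In the MAC switch (@@ -454,6 +469,9 @@) the message is worded "MD5-HMAC authenticator via /dev/crypto" while every other case says "... cipher via /dev/crypto", so anyone filtering dmesg on "cipher via /dev/crypto" will miss the HMAC warning. Either document both strings in the release note this commit requests, or give the messages a common prefix that can be matched on.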