Date:      Sat, 2 May 2020 14:20:32 +0000 (UTC)
From:      John Baldwin <jhb@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r360562 - in head: sys/opencrypto tests/sys/opencrypto
Message-ID:  <202005021420.042EKW3d029502@repo.freebsd.org>

Author: jhb
Date: Sat May  2 14:20:32 2020
New Revision: 360562
URL: https://svnweb.freebsd.org/changeset/base/360562

Log:
  Remove support for the algorithms deprecated in r348876.
  
  This removes support for the following algorithms:
  - ARC4
  - Blowfish
  - CAST128
  - DES
  - 3DES
  - MD5-HMAC
  - Skipjack
  
  Since /dev/crypto no longer supports 3DES, stop testing the 3DES KAT
  vectors in cryptotest.py.
  
  Reviewed by:	cem (previous version)
  Relnotes:	yes
  Sponsored by:	Chelsio Communications
  Differential Revision:	https://reviews.freebsd.org/D24346

Modified:
  head/sys/opencrypto/cryptodev.c
  head/tests/sys/opencrypto/cryptotest.py

Modified: head/sys/opencrypto/cryptodev.c
==============================================================================
--- head/sys/opencrypto/cryptodev.c	Sat May  2 13:42:03 2020	(r360561)
+++ head/sys/opencrypto/cryptodev.c	Sat May  2 14:20:32 2020	(r360562)
@@ -291,11 +291,6 @@ struct fcrypt {
 	struct mtx	lock;
 };
 
-static struct timeval warninterval = { .tv_sec = 60, .tv_usec = 0 };
-SYSCTL_TIMEVAL_SEC(_kern, OID_AUTO, cryptodev_warn_interval, CTLFLAG_RW,
-    &warninterval,
-    "Delay in seconds between warnings of deprecated /dev/crypto algorithms");
-
 static	int cryptof_ioctl(struct file *, u_long, void *,
 		    struct ucred *, struct thread *);
 static	int cryptof_stat(struct file *, struct stat *,
@@ -408,21 +403,9 @@ cryptof_ioctl(
 		switch (sop->cipher) {
 		case 0:
 			break;
-		case CRYPTO_DES_CBC:
-			txform = &enc_xform_des;
-			break;
 		case CRYPTO_3DES_CBC:
 			txform = &enc_xform_3des;
 			break;
-		case CRYPTO_BLF_CBC:
-			txform = &enc_xform_blf;
-			break;
-		case CRYPTO_CAST_CBC:
-			txform = &enc_xform_cast5;
-			break;
-		case CRYPTO_SKIPJACK_CBC:
-			txform = &enc_xform_skipjack;
-			break;
 		case CRYPTO_AES_CBC:
 			txform = &enc_xform_rijndael128;
 			break;
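Review bot: `case CRYPTO_3DES_CBC:` is still present in the `sop->cipher` switch of cryptof_ioctl (it survives as context right after the removed `CRYPTO_DES_CBC` case), although the log lists 3DES among the removed algorithms and the test change assumes /dev/crypto no longer supports it. Because cryptodev_warn() and its calls in cryptodev_op and cryptodev_aead are also deleted in this commit, a 3DES session request would still select `enc_xform_3des`, now without any deprecation notice; whether the rest of the framework still accepts it is not visible here. I would also delete the three lines `case CRYPTO_3DES_CBC:`, `txform = &enc_xform_3des;` and `break;` so the request takes the switch's unsupported-algorithm path, which lies outside this hunk. Rather than dropping 3DES coverage from cryptotest.py entirely, a negative test asserting that session creation with `CRYPTO_3DES_CBC` fails would catch this kind of leftover.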
@@ -432,9 +415,6 @@ cryptof_ioctl(
 		case CRYPTO_NULL_CBC:
 			txform = &enc_xform_null;
 			break;
-		case CRYPTO_ARC4:
-			txform = &enc_xform_arc4;
-			break;
  		case CRYPTO_CAMELLIA_CBC:
  			txform = &enc_xform_camellia;
  			break;
@@ -460,9 +440,6 @@ cryptof_ioctl(
 		switch (sop->mac) {
 		case 0:
 			break;
-		case CRYPTO_MD5_HMAC:
-			thash = &auth_hash_hmac_md5;
-			break;
 		case CRYPTO_POLY1305:
 			thash = &auth_hash_poly1305;
 			break;
@@ -847,49 +824,6 @@ cod_free(struct cryptop_data *cod)
 	free(cod, M_XDATA);
 }
 
-static void
-cryptodev_warn(struct csession *cse)
-{
-	static struct timeval arc4warn, blfwarn, castwarn, deswarn, md5warn;
-	static struct timeval skipwarn, tdeswarn;
-	const struct crypto_session_params *csp;
-
-	csp = crypto_get_params(cse->cses);
-	switch (csp->csp_cipher_alg) {
-	case CRYPTO_DES_CBC:
-		if (ratecheck(&deswarn, &warninterval))
-			gone_in(13, "DES cipher via /dev/crypto");
-		break;
-	case CRYPTO_3DES_CBC:
-		if (ratecheck(&tdeswarn, &warninterval))
-			gone_in(13, "3DES cipher via /dev/crypto");
-		break;
-	case CRYPTO_BLF_CBC:
-		if (ratecheck(&blfwarn, &warninterval))
-			gone_in(13, "Blowfish cipher via /dev/crypto");
-		break;
-	case CRYPTO_CAST_CBC:
-		if (ratecheck(&castwarn, &warninterval))
-			gone_in(13, "CAST128 cipher via /dev/crypto");
-		break;
-	case CRYPTO_SKIPJACK_CBC:
-		if (ratecheck(&skipwarn, &warninterval))
-			gone_in(13, "Skipjack cipher via /dev/crypto");
-		break;
-	case CRYPTO_ARC4:
-		if (ratecheck(&arc4warn, &warninterval))
-			gone_in(13, "ARC4 cipher via /dev/crypto");
-		break;
-	}
-
-	switch (csp->csp_auth_alg) {
-	case CRYPTO_MD5_HMAC:
-		if (ratecheck(&md5warn, &warninterval))
-			gone_in(13, "MD5-HMAC authenticator via /dev/crypto");
-		break;
-	}
-}
-
 static int
 cryptodev_op(
 	struct csession *cse,
@@ -1040,7 +974,6 @@ cryptodev_op(
 			goto bail;
 		}
 	}
-	cryptodev_warn(cse);
 again:
 	/*
 	 * Let the dispatch run unlocked, then, interlock against the
@@ -1231,7 +1164,6 @@ cryptodev_aead(
 		SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
 		goto bail;
 	}
-	cryptodev_warn(cse);
 again:
 	/*
 	 * Let the dispatch run unlocked, then, interlock against the

Modified: head/tests/sys/opencrypto/cryptotest.py
==============================================================================
--- head/tests/sys/opencrypto/cryptotest.py	Sat May  2 13:42:03 2020	(r360561)
+++ head/tests/sys/opencrypto/cryptotest.py	Sat May  2 14:20:32 2020	(r360562)
@@ -51,7 +51,6 @@ def katg(base, glob):
     return iglob(os.path.join(katdir, base, glob))
 
 aesmodules = [ 'cryptosoft0', 'aesni0', 'armv8crypto0', 'ccr0', 'ccp0' ]
-desmodules = [ 'cryptosoft0', ]
 shamodules = [ 'cryptosoft0', 'aesni0', 'armv8crypto0', 'ccr0', 'ccp0' ]
 
 def GenTestCase(cname):
@@ -331,46 +330,6 @@ def GenTestCase(cname):
                         " Actual: " + repr(binascii.hexlify(r)) + \
                         " Expected: " + repr(data) + \
                         " on " + cname)
-
-        ###############
-        ##### DES #####
-        ###############
-        @unittest.skipIf(cname not in desmodules, 'skipping DES on %s' % (cname))
-        def test_tdes(self):
-            for i in katg('KAT_TDES', 'TCBC[a-z]*.rsp'):
-                self.runTDES(i)
-
-        def runTDES(self, fname):
-            columns = [ 'COUNT', 'KEYs', 'IV', 'PLAINTEXT', 'CIPHERTEXT', ]
-            with cryptodev.KATParser(fname, columns) as parser:
-                self.runTDESWithParser(parser)
-
-        def runTDESWithParser(self, parser):
-            curfun = None
-            for mode, lines in next(parser):
-                if mode == 'ENCRYPT':
-                    swapptct = False
-                    curfun = Crypto.encrypt
-                elif mode == 'DECRYPT':
-                    swapptct = True
-                    curfun = Crypto.decrypt
-                else:
-                    raise RuntimeError('unknown mode: %r' % repr(mode))
-
-                for data in lines:
-                    curcnt = int(data['COUNT'])
-                    key = data['KEYs'] * 3
-                    cipherkey = binascii.unhexlify(key)
-                    iv = binascii.unhexlify(data['IV'])
-                    pt = binascii.unhexlify(data['PLAINTEXT'])
-                    ct = binascii.unhexlify(data['CIPHERTEXT'])
-
-                    if swapptct:
-                        pt, ct = ct, pt
-                    # run the fun
-                    c = Crypto(cryptodev.CRYPTO_3DES_CBC, cipherkey, crid=crid)
-                    r = curfun(c, pt, iv)
-                    self.assertEqual(r, ct)
 
         ###############
         ##### SHA #####


