From: John Baldwin
Date: Sat, 2 May 2020 14:20:32 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r360562 - in head: sys/opencrypto tests/sys/opencrypto

Author: jhb
Date: Sat May 2 14:20:32 2020
New Revision: 360562
URL: https://svnweb.freebsd.org/changeset/base/360562

Log:
  Remove support for the algorithms deprecated in r348876.

  This removes support for the following algorithms:
  - ARC4
  - Blowfish
  - CAST128
  - DES
  - 3DES
  - MD5-HMAC
  - Skipjack

  Since /dev/crypto no longer supports 3DES, stop testing the 3DES KAT
  vectors in cryptotest.py.

  Reviewed by: cem (previous version)
  Relnotes: yes
  Sponsored by: Chelsio Communications
  Differential Revision: https://reviews.freebsd.org/D24346

Modified:
  head/sys/opencrypto/cryptodev.c
  head/tests/sys/opencrypto/cryptotest.py

Modified: head/sys/opencrypto/cryptodev.c ============================================================================== --- head/sys/opencrypto/cryptodev.c Sat May 2 13:42:03 2020 (r360561) +++ head/sys/opencrypto/cryptodev.c Sat May 2 14:20:32 2020 (r360562) 
@@ -291,11 +291,6 @@ struct fcrypt { struct mtx lock; }; -static struct timeval warninterval = { .tv_sec = 60, .tv_usec = 0 }; -SYSCTL_TIMEVAL_SEC(_kern, OID_AUTO, cryptodev_warn_interval, CTLFLAG_RW, - &warninterval, - "Delay in seconds between warnings of deprecated /dev/crypto algorithms"); - static int cryptof_ioctl(struct file *, u_long, void *, struct ucred *, struct thread *); static int cryptof_stat(struct file *, struct stat *, @@ -408,21 +403,9 @@ cryptof_ioctl( switch (sop->cipher) { case 0: break; - case CRYPTO_DES_CBC: - txform = &enc_xform_des; - break; case CRYPTO_3DES_CBC: txform = &enc_xform_3des; break; - case CRYPTO_BLF_CBC: - txform = &enc_xform_blf; - break; - case CRYPTO_CAST_CBC: - txform = &enc_xform_cast5; - break; - case CRYPTO_SKIPJACK_CBC: - txform = &enc_xform_skipjack; - break; case CRYPTO_AES_CBC: txform = &enc_xform_rijndael128; break; @@ -432,9 +415,6 @@ cryptof_ioctl( case CRYPTO_NULL_CBC: txform = &enc_xform_null; break; - case CRYPTO_ARC4: - txform = &enc_xform_arc4; - break; case CRYPTO_CAMELLIA_CBC: txform = &enc_xform_camellia; break; @@ -460,9 +440,6 @@ cryptof_ioctl( switch (sop->mac) { case 0: break; - case CRYPTO_MD5_HMAC: - thash = &auth_hash_hmac_md5; - break; case CRYPTO_POLY1305: thash = &auth_hash_poly1305; break; 
@@ -847,49 +824,6 @@ cod_free(struct cryptop_data *cod) free(cod, M_XDATA); } -static void -cryptodev_warn(struct csession *cse) -{ - static struct timeval arc4warn, blfwarn, castwarn, deswarn, md5warn; - static struct timeval skipwarn, tdeswarn; - const struct crypto_session_params *csp; - - csp = crypto_get_params(cse->cses); - switch (csp->csp_cipher_alg) { - case CRYPTO_DES_CBC: - if (ratecheck(&deswarn, &warninterval)) - gone_in(13, "DES cipher via /dev/crypto"); - break; - case CRYPTO_3DES_CBC: - if (ratecheck(&tdeswarn, &warninterval)) - gone_in(13, "3DES cipher via /dev/crypto"); - break; - case CRYPTO_BLF_CBC: - if (ratecheck(&blfwarn, &warninterval)) - gone_in(13, "Blowfish cipher via /dev/crypto"); - break; - case CRYPTO_CAST_CBC: - if (ratecheck(&castwarn, &warninterval)) - gone_in(13, "CAST128 cipher via /dev/crypto"); - break; - case CRYPTO_SKIPJACK_CBC: - if (ratecheck(&skipwarn, &warninterval)) - gone_in(13, "Skipjack cipher via /dev/crypto"); - break; - case CRYPTO_ARC4: - if (ratecheck(&arc4warn, &warninterval)) - gone_in(13, "ARC4 cipher via /dev/crypto"); - break; - } - - switch (csp->csp_auth_alg) { - case CRYPTO_MD5_HMAC: - if (ratecheck(&md5warn, &warninterval)) - gone_in(13, "MD5-HMAC authenticator via /dev/crypto"); - break; - } -} - static int cryptodev_op( struct csession *cse, @@ -1040,7 +974,6 @@ cryptodev_op( goto bail; } } - cryptodev_warn(cse); again: /* * Let the dispatch run unlocked, then, interlock against the @@ -1231,7 +1164,6 @@ cryptodev_aead( SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); goto bail; } - cryptodev_warn(cse); again: /* * Let the dispatch run unlocked, then, interlock against the Modified: head/tests/sys/opencrypto/cryptotest.py ============================================================================== --- head/tests/sys/opencrypto/cryptotest.py Sat May 2 13:42:03 2020 (r360561) +++ head/tests/sys/opencrypto/cryptotest.py Sat May 2 14:20:32 2020 (r360562) 
@@ -51,7 +51,6 @@ def katg(base, glob): return iglob(os.path.join(katdir, base, glob)) aesmodules = [ 'cryptosoft0', 'aesni0', 'armv8crypto0', 'ccr0', 'ccp0' ] -desmodules = [ 'cryptosoft0', ] shamodules = [ 'cryptosoft0', 'aesni0', 'armv8crypto0', 'ccr0', 'ccp0' ] def GenTestCase(cname): @@ -331,46 +330,6 @@ def GenTestCase(cname): " Actual: " + repr(binascii.hexlify(r)) + \ " Expected: " + repr(data) + \ " on " + cname) - - ############### - ##### DES ##### - ############### - @unittest.skipIf(cname not in desmodules, 'skipping DES on %s' % (cname)) - def test_tdes(self): - for i in katg('KAT_TDES', 'TCBC[a-z]*.rsp'): - self.runTDES(i) - - def runTDES(self, fname): - columns = [ 'COUNT', 'KEYs', 'IV', 'PLAINTEXT', 'CIPHERTEXT', ] - with cryptodev.KATParser(fname, columns) as parser: - self.runTDESWithParser(parser) - - def runTDESWithParser(self, parser): - curfun = None - for mode, lines in next(parser): - if mode == 'ENCRYPT': - swapptct = False - curfun = Crypto.encrypt - elif mode == 'DECRYPT': - swapptct = True - curfun = Crypto.decrypt - else: - raise RuntimeError('unknown mode: %r' % repr(mode)) - - for data in lines: - curcnt = int(data['COUNT']) - key = data['KEYs'] * 3 - cipherkey = binascii.unhexlify(key) - iv = binascii.unhexlify(data['IV']) - pt = binascii.unhexlify(data['PLAINTEXT']) - ct = binascii.unhexlify(data['CIPHERTEXT']) - - if swapptct: - pt, ct = ct, pt - # run the fun - c = Crypto(cryptodev.CRYPTO_3DES_CBC, cipherkey, crid=crid) - r = curfun(c, pt, iv) - self.assertEqual(r, ct) ############### ##### SHA #####
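
Review bot: In head/sys/opencrypto/cryptodev.c, hunk @@ -408,21 +403,9 @@ of cryptof_ioctl(), the arm `case CRYPTO_3DES_CBC: txform = &enc_xform_3des; break;` survives as unchanged context, which contradicts the log ("/dev/crypto no longer supports 3DES") and the deletion of the 3DES KAT test. As the diff stands, a session request with sop->cipher set to CRYPTO_3DES_CBC still selects enc_xform_3des, and because the later hunk removes cryptodev_warn() together with its `gone_in(13, "3DES cipher via /dev/crypto")` call, that path no longer emits any deprecation notice. Either delete the CRYPTO_3DES_CBC arm in this hunk alongside DES, Blowfish, CAST128 and Skipjack, or drop 3DES from the list in the log and keep its test.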
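
Review bot: In head/sys/opencrypto/cryptodev.c, hunk @@ -291,11 +291,6 @@, the removal of `SYSCTL_TIMEVAL_SEC(_kern, OID_AUTO, cryptodev_warn_interval, CTLFLAG_RW, ...)` drops a writable, user-visible sysctl that the log does not mention; the log lists only the algorithms. Since the commit is tagged "Relnotes: yes", please add a line saying that kern.cryptodev_warn_interval is gone, so administrators who set it in their configuration know to remove the entry.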
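
Review bot: In head/tests/sys/opencrypto/cryptotest.py, hunk @@ -331,46 +330,6 @@, deleting test_tdes, runTDES and runTDESWithParser leaves the suite with no check of the new behaviour: nothing asserts that /dev/crypto now refuses the removed algorithms. Consider replacing the deleted block with a short negative test that attempts the same `Crypto(cryptodev.CRYPTO_3DES_CBC, cipherkey, crid=crid)` construction the old test used and expects session creation to fail, so that a later change which reintroduces a removed cipher is caught by the test run rather than by inspection.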