svn commit: r353291 - in stable: 11/sys/opencrypto 12/sys/opencrypto

Mon, 07 Oct 2019 13:42:52 -0700 

Author: jhb
Date: Mon Oct  7 20:41:55 2019
New Revision: 353291
URL: https://svnweb.freebsd.org/changeset/base/353291

Log:
  MFC 351557: Adjust the deprecated warnings for /dev/crypto to be less noisy.
  
  Warn when actual operations are performed instead of when sessions are
  created.  The /dev/crypto engine in OpenSSL 1.0.x tries to create
  sessions for all possible algorithms each time it is initialized
  resulting in spurious warnings.

Modified:
  stable/11/sys/opencrypto/cryptodev.c
Directory Properties:
  stable/11/   (props changed)

Changes in other areas also in this revision:
Modified:
  stable/12/sys/opencrypto/cryptodev.c
Directory Properties:
  stable/12/   (props changed)

Modified: stable/11/sys/opencrypto/cryptodev.c
==============================================================================
--- stable/11/sys/opencrypto/cryptodev.c        Mon Oct  7 20:35:04 2019        
(r353290)
+++ stable/11/sys/opencrypto/cryptodev.c        Mon Oct  7 20:41:55 2019        
(r353291)
@@ -393,8 +393,6 @@ cryptof_ioctl(
        struct crypt_op copc;
        struct crypt_kop kopc;
 #endif
-       static struct timeval arc4warn, blfwarn, castwarn, deswarn, md5warn;
-       static struct timeval skipwarn, tdeswarn;
 
        switch (cmd) {
        case CIOCGSESSION:
@@ -415,28 +413,18 @@ cryptof_ioctl(
                case 0:
                        break;
                case CRYPTO_DES_CBC:
-                       if (ratecheck(&deswarn, &warninterval))
-                               gone_in(13, "DES cipher via /dev/crypto");
                        txform = &enc_xform_des;
                        break;
                case CRYPTO_3DES_CBC:
-                       if (ratecheck(&tdeswarn, &warninterval))
-                               gone_in(13, "3DES cipher via /dev/crypto");
                        txform = &enc_xform_3des;
                        break;
                case CRYPTO_BLF_CBC:
-                       if (ratecheck(&blfwarn, &warninterval))
-                               gone_in(13, "Blowfish cipher via /dev/crypto");
                        txform = &enc_xform_blf;
                        break;
                case CRYPTO_CAST_CBC:
-                       if (ratecheck(&castwarn, &warninterval))
-                               gone_in(13, "CAST128 cipher via /dev/crypto");
                        txform = &enc_xform_cast5;
                        break;
                case CRYPTO_SKIPJACK_CBC:
-                       if (ratecheck(&skipwarn, &warninterval))
-                               gone_in(13, "Skipjack cipher via /dev/crypto");
                        txform = &enc_xform_skipjack;
                        break;
                case CRYPTO_AES_CBC:
@@ -449,8 +437,6 @@ cryptof_ioctl(
                        txform = &enc_xform_null;
                        break;
                case CRYPTO_ARC4:
-                       if (ratecheck(&arc4warn, &warninterval))
-                               gone_in(13, "ARC4 cipher via /dev/crypto");
                        txform = &enc_xform_arc4;
                        break;
                case CRYPTO_CAMELLIA_CBC:
@@ -473,9 +459,6 @@ cryptof_ioctl(
                case 0:
                        break;
                case CRYPTO_MD5_HMAC:
-                       if (ratecheck(&md5warn, &warninterval))
-                               gone_in(13,
-                                   "MD5-HMAC authenticator via /dev/crypto");
                        thash = &auth_hash_hmac_md5;
                        break;
                case CRYPTO_SHA1_HMAC:
@@ -764,6 +747,47 @@ cod_free(struct cryptop_data *cod)
        free(cod, M_XDATA);
 }
 
+static void
+cryptodev_warn(struct csession *cse)
+{
+       static struct timeval arc4warn, blfwarn, castwarn, deswarn, md5warn;
+       static struct timeval skipwarn, tdeswarn;
+
+       switch (cse->cipher) {
+       case CRYPTO_DES_CBC:
+               if (ratecheck(&deswarn, &warninterval))
+                       gone_in(13, "DES cipher via /dev/crypto");
+               break;
+       case CRYPTO_3DES_CBC:
+               if (ratecheck(&tdeswarn, &warninterval))
+                       gone_in(13, "3DES cipher via /dev/crypto");
+               break;
+       case CRYPTO_BLF_CBC:
+               if (ratecheck(&blfwarn, &warninterval))
+                       gone_in(13, "Blowfish cipher via /dev/crypto");
+               break;
+       case CRYPTO_CAST_CBC:
+               if (ratecheck(&castwarn, &warninterval))
+                       gone_in(13, "CAST128 cipher via /dev/crypto");
+               break;
+       case CRYPTO_SKIPJACK_CBC:
+               if (ratecheck(&skipwarn, &warninterval))
+                       gone_in(13, "Skipjack cipher via /dev/crypto");
+               break;
+       case CRYPTO_ARC4:
+               if (ratecheck(&arc4warn, &warninterval))
+                       gone_in(13, "ARC4 cipher via /dev/crypto");
+               break;
+       }
+
+       switch (cse->mac) {
+       case CRYPTO_MD5_HMAC:
+               if (ratecheck(&md5warn, &warninterval))
+                       gone_in(13, "MD5-HMAC authenticator via /dev/crypto");
+               break;
+       }
+}
+
 static int
 cryptodev_op(
        struct csession *cse,
@@ -886,6 +910,7 @@ cryptodev_op(
                error = EINVAL;
                goto bail;
        }
+       cryptodev_warn(cse);
 
 again:
        /*
@@ -1054,6 +1079,7 @@ cryptodev_aead(
                SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
                goto bail;
        }
+       cryptodev_warn(cse);
 again:
        /*
         * Let the dispatch run unlocked, then, interlock against the
_______________________________________________
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"

Reply via email to