authorChristian Weisgerber <naddy@cvs.openbsd.org>2015-12-09 21:41:51 +0000
committerChristian Weisgerber <naddy@cvs.openbsd.org>2015-12-09 21:41:51 +0000
commit269c53634d852828f364f2ab5d2c0c602014d455 (patch)
tree65177662c39722e3ec8d8a560bfb037d2d35dcee /sys/net/pfkeyv2.c
parentc1d2897d759ec008f27fea1f8e5c398a6562b3e4 (diff)
Remove plain DES encryption from IPsec.
DES is insecure since brute force attacks are practical due to its short key length. This removes support for DES-CBC encryption in ESP and in IKE main and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8). ok mikeb@
Diffstat (limited to 'sys/net/pfkeyv2.c')
-rw-r--r--sys/net/pfkeyv2.c8
1 files changed, 1 insertions, 7 deletions
diff --git a/sys/net/pfkeyv2.c b/sys/net/pfkeyv2.c
index f7c0b261e10..ef6a6685136 100644
--- a/sys/net/pfkeyv2.c
+++ b/sys/net/pfkeyv2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkeyv2.c,v 1.145 2015/07/17 18:31:08 blambert Exp $ */
+/* $OpenBSD: pfkeyv2.c,v 1.146 2015/12/09 21:41:50 naddy Exp $ */
/*
* @(#)COPYRIGHT 1.1 (NRL) 17 January 1995
@@ -103,7 +103,6 @@ static int npromisc = 0;
static const struct sadb_alg ealgs[] = {
{ SADB_EALG_NULL, 0, 0, 0 },
- { SADB_EALG_DESCBC, 64, 64, 64 },
{ SADB_EALG_3DESCBC, 64, 192, 192 },
{ SADB_X_EALG_BLF, 64, 40, BLF_MAXKEYLEN * 8},
{ SADB_X_EALG_CAST, 64, 40, 128},
@@ -1848,11 +1847,6 @@ pfkeyv2_acquire(struct ipsec_policy *ipo, union sockaddr_union *gw,
sadb_comb->sadb_comb_encrypt = SADB_EALG_3DESCBC;
sadb_comb->sadb_comb_encrypt_minbits = 192;
sadb_comb->sadb_comb_encrypt_maxbits = 192;
- } else if (!strncasecmp(ipsec_def_enc, "des",
- sizeof("des"))) {
- sadb_comb->sadb_comb_encrypt = SADB_EALG_DESCBC;
- sadb_comb->sadb_comb_encrypt_minbits = 64;
- sadb_comb->sadb_comb_encrypt_maxbits = 64;
} else if (!strncasecmp(ipsec_def_enc, "blowfish",
sizeof("blowfish"))) {
sadb_comb->sadb_comb_encrypt = SADB_X_EALG_BLF;