author | Christian Weisgerber <naddy@cvs.openbsd.org> | 2015-12-09 21:41:51 +0000 |
committer | Christian Weisgerber <naddy@cvs.openbsd.org> | 2015-12-09 21:41:51 +0000 |
commit | 269c53634d852828f364f2ab5d2c0c602014d455 (patch) | |
tree | 65177662c39722e3ec8d8a560bfb037d2d35dcee /sys | |
parent | c1d2897d759ec008f27fea1f8e5c398a6562b3e4 (diff) |
Remove plain DES encryption from IPsec.
DES is insecure because brute-force attacks against its short key length
are practical.
This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).
ok mikeb@
Diffstat (limited to 'sys')
-rw-r--r-- | sys/net/pfkeyv2.c | 8 | ||||
-rw-r--r-- | sys/net/pfkeyv2.h | 3 | ||||
-rw-r--r-- | sys/net/pfkeyv2_convert.c | 6 | ||||
-rw-r--r-- | sys/netinet/ip_esp.c | 6 |
4 files changed, 4 insertions, 19 deletions
diff --git a/sys/net/pfkeyv2.c b/sys/net/pfkeyv2.c
index f7c0b261e10..ef6a6685136 100644
--- a/sys/net/pfkeyv2.c
+++ b/sys/net/pfkeyv2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkeyv2.c,v 1.145 2015/07/17 18:31:08 blambert Exp $ */
+/* $OpenBSD: pfkeyv2.c,v 1.146 2015/12/09 21:41:50 naddy Exp $ */
 
 /*
  * @(#)COPYRIGHT 1.1 (NRL) 17 January 1995
@@ -103,7 +103,6 @@ static int npromisc = 0;
 
 static const struct sadb_alg ealgs[] = {
 { SADB_EALG_NULL, 0, 0, 0 },
- { SADB_EALG_DESCBC, 64, 64, 64 },
 { SADB_EALG_3DESCBC, 64, 192, 192 },
 { SADB_X_EALG_BLF, 64, 40, BLF_MAXKEYLEN * 8},
 { SADB_X_EALG_CAST, 64, 40, 128},
@@ -1848,11 +1847,6 @@ pfkeyv2_acquire(struct ipsec_policy *ipo, union sockaddr_union *gw,
 sadb_comb->sadb_comb_encrypt = SADB_EALG_3DESCBC;
 sadb_comb->sadb_comb_encrypt_minbits = 192;
 sadb_comb->sadb_comb_encrypt_maxbits = 192;
- } else if (!strncasecmp(ipsec_def_enc, "des",
- sizeof("des"))) {
- sadb_comb->sadb_comb_encrypt = SADB_EALG_DESCBC;
- sadb_comb->sadb_comb_encrypt_minbits = 64;
- sadb_comb->sadb_comb_encrypt_maxbits = 64;
 } else if (!strncasecmp(ipsec_def_enc, "blowfish",
 sizeof("blowfish"))) {
 sadb_comb->sadb_comb_encrypt = SADB_X_EALG_BLF;
diff --git a/sys/net/pfkeyv2.h b/sys/net/pfkeyv2.h
index c395240bde5..07fab0f7ed4 100644
--- a/sys/net/pfkeyv2.h
+++ b/sys/net/pfkeyv2.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkeyv2.h,v 1.71 2015/12/02 12:43:59 naddy Exp $ */
+/* $OpenBSD: pfkeyv2.h,v 1.72 2015/12/09 21:41:50 naddy Exp $ */
 /*
  * @(#)COPYRIGHT 1.1 (NRL) January 1998
  *
@@ -296,7 +296,6 @@ struct sadb_x_tap {
 #define SADB_AALG_MAX 12
 
 #define SADB_EALG_NONE 0
-#define SADB_EALG_DESCBC 2
 #define SADB_EALG_3DESCBC 3
 #define SADB_X_EALG_CAST 6
 #define SADB_X_EALG_BLF 7
diff --git a/sys/net/pfkeyv2_convert.c b/sys/net/pfkeyv2_convert.c
index 2b2568b502e..49821decdbf 100644
--- a/sys/net/pfkeyv2_convert.c
+++ b/sys/net/pfkeyv2_convert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkeyv2_convert.c,v 1.56 2015/11/03 01:50:36 mikeb Exp $ */
+/* $OpenBSD: pfkeyv2_convert.c,v 1.57 2015/12/09 21:41:50 naddy Exp $ */
 /*
  * The author of this code is Angelos D. Keromytis (angelos@keromytis.org)
  *
@@ -228,10 +228,6 @@ export_sa(void **p, struct tdb *tdb)
 sadb_sa->sadb_sa_encrypt = SADB_EALG_NULL;
 break;
 
- case CRYPTO_DES_CBC:
- sadb_sa->sadb_sa_encrypt = SADB_EALG_DESCBC;
- break;
-
 case CRYPTO_3DES_CBC:
 sadb_sa->sadb_sa_encrypt = SADB_EALG_3DESCBC;
 break;
diff --git a/sys/netinet/ip_esp.c b/sys/netinet/ip_esp.c
index b4cd25f12e4..02e6693396f 100644
--- a/sys/netinet/ip_esp.c
+++ b/sys/netinet/ip_esp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_esp.c,v 1.135 2015/11/03 01:50:36 mikeb Exp $ */
+/* $OpenBSD: ip_esp.c,v 1.136 2015/12/09 21:41:50 naddy Exp $ */
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
  * Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -111,10 +111,6 @@ esp_init(struct tdb *tdbp, struct xformsw *xsp, struct ipsecinit *ii)
 txform = &enc_xform_null;
 break;
 
- case SADB_EALG_DESCBC:
- txform = &enc_xform_des;
- break;
-
 case SADB_EALG_3DESCBC:
 txform = &enc_xform_3des;
 break;