Diffstat (limited to 'freebsd/sys/netipsec/xform_ah.c')
-rw-r--r--freebsd/sys/netipsec/xform_ah.c21
1 files changed, 21 insertions, 0 deletions
diff --git a/freebsd/sys/netipsec/xform_ah.c b/freebsd/sys/netipsec/xform_ah.c
index 84ba6c16..618fbd9b 100644
--- a/freebsd/sys/netipsec/xform_ah.c
+++ b/freebsd/sys/netipsec/xform_ah.c
@@ -110,6 +110,7 @@ SYSCTL_VNET_PCPUSTAT(_net_inet_ah, IPSECCTL_STATS, stats, struct ahstat,
#endif
static unsigned char ipseczeroes[256]; /* larger than an ip6 extension hdr */
+static struct timeval md5warn, ripewarn, kpdkmd5warn, kpdksha1warn;
static int ah_input_cb(struct cryptop*);
static int ah_output_cb(struct cryptop*);
@@ -186,6 +187,26 @@ ah_init0(struct secasvar *sav, struct xformsw *xsp, struct cryptoini *cria)
__func__, sav->alg_auth));
return EINVAL;
}
+
+ switch (sav->alg_auth) {
+ case SADB_AALG_MD5HMAC:
+ if (ratecheck(&md5warn, &ipsec_warn_interval))
+ gone_in(13, "MD5-HMAC authenticator for IPsec");
+ break;
+ case SADB_X_AALG_RIPEMD160HMAC:
+ if (ratecheck(&ripewarn, &ipsec_warn_interval))
+ gone_in(13, "RIPEMD160-HMAC authenticator for IPsec");
+ break;
+ case SADB_X_AALG_MD5:
+ if (ratecheck(&kpdkmd5warn, &ipsec_warn_interval))
+ gone_in(13, "Keyed-MD5 authenticator for IPsec");
+ break;
+ case SADB_X_AALG_SHA:
+ if (ratecheck(&kpdksha1warn, &ipsec_warn_interval))
+ gone_in(13, "Keyed-SHA1 authenticator for IPsec");
+ break;
+ }
+
/*
* Verify the replay state block allocation is consistent with
* the protocol type. We check here so we can make assumptions
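Review bot: The new switch in ah_init0 carries no comment saying that these four cases are warn-only: the SA is still initialised with the weak authenticator, and the only effect is a rate-limited deprecation notice. A one-line comment above the switch would make that explicit, e.g. `/* Deprecation notice only: these authenticators are still accepted; warn at most once per ipsec_warn_interval per algorithm. */`. Because gone_in() is given a fixed string and ratecheck() suppresses repeats within the interval, the log line does not identify which SA triggered it, so the message alone cannot be used to enumerate every SA still configured with MD5-HMAC, RIPEMD160-HMAC, Keyed-MD5 or Keyed-SHA1. ipsec_warn_interval is not declared anywhere in this file's diff, so it presumably comes from a change outside this view; ah_init0's body also starts and ends outside the hunk.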