summaryrefslogtreecommitdiffstats
path: root/freebsd/sys/netipsec/xform_esp.c
diff options
context:
space:
mode:
Diffstat (limited to 'freebsd/sys/netipsec/xform_esp.c')
-rw-r--r--freebsd/sys/netipsec/xform_esp.c24
1 files changed, 23 insertions, 1 deletions
diff --git a/freebsd/sys/netipsec/xform_esp.c b/freebsd/sys/netipsec/xform_esp.c
index f8473575..388fe499 100644
--- a/freebsd/sys/netipsec/xform_esp.c
+++ b/freebsd/sys/netipsec/xform_esp.c
@@ -96,6 +96,8 @@ SYSCTL_VNET_PCPUSTAT(_net_inet_esp, IPSECCTL_STATS, stats,
struct espstat, espstat,
"ESP statistics (struct espstat, netipsec/esp_var.h");
+static struct timeval deswarn, blfwarn, castwarn, camelliawarn;
+
static int esp_input_cb(struct cryptop *op);
static int esp_output_cb(struct cryptop *crp);
@@ -158,6 +160,26 @@ esp_init(struct secasvar *sav, struct xformsw *xsp)
__func__));
return EINVAL;
}
+
+ switch (sav->alg_enc) {
+ case SADB_EALG_DESCBC:
+ if (ratecheck(&deswarn, &ipsec_warn_interval))
+ gone_in(13, "DES cipher for IPsec");
+ break;
+ case SADB_X_EALG_BLOWFISHCBC:
+ if (ratecheck(&blfwarn, &ipsec_warn_interval))
+ gone_in(13, "Blowfish cipher for IPsec");
+ break;
+ case SADB_X_EALG_CAST128CBC:
+ if (ratecheck(&castwarn, &ipsec_warn_interval))
+ gone_in(13, "CAST cipher for IPsec");
+ break;
+ case SADB_X_EALG_CAMELLIACBC:
+ if (ratecheck(&camelliawarn, &ipsec_warn_interval))
+ gone_in(13, "Camellia cipher for IPsec");
+ break;
+ }
+
/* subtract off the salt, RFC4106, 8.1 and RFC3686, 5.1 */
keylen = _KEYLEN(sav->key_enc) - SAV_ISCTRORGCM(sav) * 4;
if (txform->minkey > keylen || keylen > txform->maxkey) {
@@ -770,7 +792,7 @@ esp_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
*/
switch (sav->flags & SADB_X_EXT_PMASK) {
case SADB_X_EXT_PRAND:
- (void) read_random(pad, padding - 2);
+ arc4random_buf(pad, padding - 2);
break;
case SADB_X_EXT_PZERO:
bzero(pad, padding - 2);
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-04 12:42:54 +0000