Re: svn commit: r351246 - in stable: 11/sys/opencrypto 12/sys/opencrypto

mdtancsa
On a busy server, I am getting a lot of these spewing to dmesg

Deprecated code (to be removed in FreeBSD 13): ARC4 cipher via /dev/crypto
Deprecated code (to be removed in FreeBSD 13): DES cipher via /dev/crypto
Deprecated code (to be removed in FreeBSD 13): 3DES cipher via /dev/crypto
Deprecated code (to be removed in FreeBSD 13): Blowfish cipher via /dev/crypto
Deprecated code (to be removed in FreeBSD 13): CAST128 cipher via /dev/crypto
Deprecated code (to be removed in FreeBSD 13): ARC4 cipher via /dev/crypto
Deprecated code (to be removed in FreeBSD 13): DES cipher via /dev/crypto
Deprecated code (to be removed in FreeBSD 13): 3DES cipher via /dev/crypto
Deprecated code (to be removed in FreeBSD 13): Blowfish cipher via /dev/crypto
Deprecated code (to be removed in FreeBSD 13): CAST128 cipher via /dev/crypto


What is the best way to try and track down what apps are triggering that?

    ---Mike

On 8/19/2019 9:30 PM, John Baldwin wrote:

> Author: jhb
> Date: Tue Aug 20 01:30:35 2019
> New Revision: 351246
> URL: https://svnweb.freebsd.org/changeset/base/351246
>
> Log:
>   MFC 348876: Add warnings to /dev/crypto for deprecated algorithms.
>  
>   These algorithms are deprecated algorithms that will have no in-kernel
>   consumers in FreeBSD 13.  Specifically, deprecate the following
>   algorithms:
>   - ARC4
>   - Blowfish
>   - CAST128
>   - DES
>   - 3DES
>   - MD5-HMAC
>   - Skipjack
>  
>   Relnotes: yes
>
> Modified:
>   stable/11/sys/opencrypto/cryptodev.c
> Directory Properties:
>   stable/11/   (props changed)
>
> Changes in other areas also in this revision:
> Modified:
>   stable/12/sys/opencrypto/cryptodev.c
> Directory Properties:
>   stable/12/   (props changed)
>
> Modified: stable/11/sys/opencrypto/cryptodev.c
> ==============================================================================
> --- stable/11/sys/opencrypto/cryptodev.c Tue Aug 20 01:26:02 2019 (r351245)
> +++ stable/11/sys/opencrypto/cryptodev.c Tue Aug 20 01:30:35 2019 (r351246)
> @@ -388,6 +388,9 @@ cryptof_ioctl(
>   struct crypt_op copc;
>   struct crypt_kop kopc;
>  #endif
> + static struct timeval arc4warn, blfwarn, castwarn, deswarn, md5warn;
> + static struct timeval skipwarn, tdeswarn;
> + static struct timeval warninterval = { .tv_sec = 60, .tv_usec = 0 };
>  
>   switch (cmd) {
>   case CIOCGSESSION:
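Review bot: the 60-second interval is a function-scope static, so an operator who has already identified the consumer has no way to quiet these lines short of rebuilding the kernel; consider making `warninterval` a global backed by a sysctl (kern.cryptodev.* or similar) so it can be tuned, and give "disable" an explicit check, because with `ratecheck()` an interval of 0 means "warn on every call", not "never warn". The seven per-algorithm timevals are also updated by concurrent `cryptof_ioctl()` callers without a lock; the race only yields an occasional duplicate line, which is acceptable, but a one-line comment saying so would save the next reader a question.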
> @@ -408,18 +411,28 @@ cryptof_ioctl(
>   case 0:
>   break;
>   case CRYPTO_DES_CBC:
> + if (ratecheck(&deswarn, &warninterval))
> + gone_in(13, "DES cipher via /dev/crypto");
>   txform = &enc_xform_des;
>   break;
>   case CRYPTO_3DES_CBC:
> + if (ratecheck(&tdeswarn, &warninterval))
> + gone_in(13, "3DES cipher via /dev/crypto");
>   txform = &enc_xform_3des;
>   break;
>   case CRYPTO_BLF_CBC:
> + if (ratecheck(&blfwarn, &warninterval))
> + gone_in(13, "Blowfish cipher via /dev/crypto");
>   txform = &enc_xform_blf;
>   break;
>   case CRYPTO_CAST_CBC:
> + if (ratecheck(&castwarn, &warninterval))
> + gone_in(13, "CAST128 cipher via /dev/crypto");
>   txform = &enc_xform_cast5;
>   break;
>   case CRYPTO_SKIPJACK_CBC:
> + if (ratecheck(&skipwarn, &warninterval))
> + gone_in(13, "Skipjack cipher via /dev/crypto");
>   txform = &enc_xform_skipjack;
>   break;
>   case CRYPTO_AES_CBC:
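Review bot: these warnings fire in the CIOCGSESSION path, i.e. when a session is created, not when it is used. A userland consumer that opens a session for every algorithm it knows about at startup (an OpenSSL engine probing /dev/crypto is the usual case) will log all five cipher warnings without ever encrypting a byte with them, so the log records who creates sessions, not who depends on a deprecated cipher. If the intent is to find real users before removal, warn on the first CIOCCRYPT issued against a session whose `txform` is deprecated, or at least word the message as "session requested" so operators do not over-read it.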
> @@ -432,6 +445,8 @@ cryptof_ioctl(
>   txform = &enc_xform_null;
>   break;
>   case CRYPTO_ARC4:
> + if (ratecheck(&arc4warn, &warninterval))
> + gone_in(13, "ARC4 cipher via /dev/crypto");
>   txform = &enc_xform_arc4;
>   break;
>   case CRYPTO_CAMELLIA_CBC:
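Review bot: none of the messages say which process triggered them, and that is the one thing an operator needs in order to act on a deprecation notice. `cryptof_ioctl()` runs in the calling thread's context, so `curproc->p_comm` and `curproc->p_pid` are available here; log them next to the algorithm name (via a separate `printf()` if `gone_in()` must keep a constant message). Without that, attributing the line falls back to dtrace or `procstat -f`, which is more than most people will do.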
> @@ -454,6 +469,9 @@ cryptof_ioctl(
>   case 0:
>   break;
>   case CRYPTO_MD5_HMAC:
> + if (ratecheck(&md5warn, &warninterval))
> + gone_in(13,
> +    "MD5-HMAC authenticator via /dev/crypto");
>   thash = &auth_hash_hmac_md5;
>   break;
>   case CRYPTO_SHA1_HMAC:
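Review bot: the MD5-HMAC warning is raised as soon as the mac id matches, before the session is actually created, so a CIOCGSESSION that fails later in the function still logs a deprecated-algorithm use; the same applies to the cipher cases above. If the counts are meant to guide the removal decision, emit the warning only after the session has been set up successfully.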
> _______________________________________________
> [hidden email] mailing list
> https://lists.freebsd.org/mailman/listinfo/svn-src-stable-11
> To unsubscribe, send any mail to "[hidden email]"
>
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "[hidden email]"

John Baldwin
On 8/21/19 8:21 AM, mike tancsa wrote:
> On a busy server, I am getting a lot of these spewing to dmesg

I have a change staged for MFC that lets you adjust the warning intervals
so you can tone down the spam.

>
> What is the best way to try and track down what apps are triggering that ?

One might be to use 'procstat -af' to see which processes have crypto file
descriptors open (file descriptor type 'c').

The other approach would be to use dtrace with the fbt::_gone_in:entry
trace maybe building a count of process names or some such, something like:

dtrace -n 'fbt::_gone_in:entry { @counts[curthread->td_proc->p_comm] = count()'

Let that run and then Ctrl-C after you see some warnings.


--
John Baldwin

mdtancsa
On 8/21/2019 12:00 PM, John Baldwin wrote:
> dtrace -n 'fbt::_gone_in:entry { @counts[curthread->td_proc->p_comm] = count()'

Thanks, I am not familiar with dtrace at all. This command gives a
syntax error

0(cage)# dtrace -n 'fbt::_gone_in:entry {
@counts[curthread->td_proc->p_comm] = count()'
dtrace: invalid probe specifier fbt::_gone_in:entry {
@counts[curthread->td_proc->p_comm] = count(): syntax error near end of
input
1(cage)#



John Baldwin
On 8/21/19 9:08 AM, mike tancsa wrote:

> On 8/21/2019 12:00 PM, John Baldwin wrote:
>> dtrace -n 'fbt::_gone_in:entry { @counts[curthread->td_proc->p_comm] = count()'

Oops, I forgot the closing }.  First, do "dtrace -l | grep _gone_in" to make
sure dtrace is loaded.  You should see something like this:

# dtrace -l | grep _gone_in
87003        fbt            kernel                          _gone_in entry
87004        fbt            kernel                          _gone_in return
98682        fbt            kernel                      _gone_in_dev entry
98683        fbt            kernel                      _gone_in_dev return

Then this should work:

# dtrace -n 'fbt::_gone_in:entry { @counts[curthread->td_proc->p_comm] = count() }'
dtrace: description 'fbt::_gone_in:entry ' matched 1 probe

--
John Baldwin
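A fuller version of the probe described above, added here as an example; it is not from the thread or the FreeBSD tree. It keys on `execname` (the built-in equivalent of `curthread->td_proc->p_comm`), prints one line per warning as it fires rather than only at exit, and records the user stack so the library that issued the ioctl (an OpenSSL engine, for instance) is visible. Assumptions: FreeBSD 11/12 with fbt probes loaded (`dtrace -l | grep _gone_in` lists them, as shown above) and that `_gone_in(int major, const char *msg)` keeps that signature, so `arg1` is the message string; the aggregation name and the 30-second tick are choices of this example.

```dtrace
#!/usr/sbin/dtrace -s
/*
 * Example script (not from the thread or the FreeBSD source tree).
 * Attributes each "Deprecated code" warning from /dev/crypto to the
 * process and user stack that triggered it.
 *
 * Assumes _gone_in(int major, const char *msg): arg0 is the major
 * version, arg1 the message string printed to the console.
 */
#pragma D option quiet

fbt::_gone_in:entry
{
	/* One line per warning, as it happens, so silence is diagnostic. */
	printf("%Y pid %d %s: %s\n", walltimestamp, pid, execname, stringof(arg1));
	/* User stack of the caller: shows which library made the ioctl. */
	ustack();
	/* Cumulative totals keyed by process name and message. */
	@warn[execname, stringof(arg1)] = count();
}

/* Print running totals every 30 seconds instead of only on Ctrl-C. */
tick-30s
{
	printf("\n-- cumulative warnings by process and message --\n");
	printa("%-16s %-48s %@d\n", @warn);
}

END
{
	printf("\n-- final totals --\n");
	printa("%-16s %-48s %@d\n", @warn);
}
```

Run it with `dtrace -s gone_in.d` and stop with Ctrl-C. Two caveats: `_gone_in` is only reached when `ratecheck()` allows it, so the counts are capped at one per algorithm per minute and measure warnings, not session requests; and `ustack()` frames are resolved in userland while the process is still alive, so for short-lived sshd children expect raw addresses, with `pid` and `execname` still naming the consumer.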

mdtancsa
On 8/21/2019 6:38 PM, John Baldwin wrote:

> Oops, I forgot the closing }.  First, do "dtrace -l | grep _gone_in" to make
> sure dtrace is loaded.  You should see something like this:
>
> # dtrace -l | grep _gone_in
> 87003        fbt            kernel                          _gone_in entry
> 87004        fbt            kernel                          _gone_in return
> 98682        fbt            kernel                      _gone_in_dev entry
> 98683        fbt            kernel                      _gone_in_dev return
>
> Then this should work:
>
> # dtrace -n 'fbt::_gone_in:entry { @counts[curthread->td_proc->p_comm] = count() }'
> dtrace: description 'fbt::_gone_in:entry ' matched 1 probe
>
Thanks!

#  dtrace -l | grep _gone_in
15632        fbt            kernel                          _gone_in entry
22693        fbt            kernel                      _gone_in_dev entry

# dtrace -n 'fbt::_gone_in:entry { @counts[curthread->td_proc->p_comm] =
count() }'
dtrace: description 'fbt::_gone_in:entry ' matched 1 probe

However, it doesn't show anything after that even as I get the
deprecation messages in dmesg

    ---Mike

--
-------------------
Mike Tancsa, tel +1 519 651 3400 x203
Sentex Communications, [hidden email]
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada  



John Baldwin
On 8/21/19 5:47 PM, Mike Tancsa wrote:

> #  dtrace -l | grep _gone_in
> 15632        fbt            kernel                          _gone_in entry
> 22693        fbt            kernel                      _gone_in_dev entry
>
> # dtrace -n 'fbt::_gone_in:entry { @counts[curthread->td_proc->p_comm] =
> count() }'
> dtrace: description 'fbt::_gone_in:entry ' matched 1 probe
>
> However, It doesnt show anything after that even as I get the
> deprecation messages in dmesg

Can you hit Ctrl-C after seeing some of the messages?  This trace won't
show any results until you exit dtrace.

--
John Baldwin

mdtancsa
On 8/22/2019 6:51 PM, John Baldwin wrote:

> On 8/21/19 5:47 PM,
> # dtrace -n 'fbt::_gone_in:entry { @counts[curthread->td_proc->p_comm] =
> count() }'
> dtrace: description 'fbt::_gone_in:entry ' matched 1 probe
>
> However, It doesnt show anything after that even as I get the
> deprecation messages in dmesg
> Can you hit Ctrl-C after seeing some of the messages?  This trace won't
> show any results until you exit dtrace.
>
Nothing unfortunately


# date ; dtrace -n 'fbt::_gone_in:entry {
@counts[curthread->td_proc->p_comm] = count() }' ; date
Thu Aug 22 20:14:16 EDT 2019
dtrace: description 'fbt::_gone_in:entry ' matched 1 probe
^C

Thu Aug 22 20:19:01 EDT 2019

in kern.*


Aug 22 20:17:36 vinyl6b kernel: Deprecated code (to be removed in
FreeBSD 13): ARC4 cipher via /dev/crypto
Aug 22 20:17:36 vinyl6b kernel: Deprecated code (to be removed in
FreeBSD 13): DES cipher via /dev/crypto
Aug 22 20:17:36 vinyl6b kernel: Deprecated code (to be removed in
FreeBSD 13): 3DES cipher via /dev/crypto
Aug 22 20:17:36 vinyl6b kernel: Deprecated code (to be removed in
FreeBSD 13): Blowfish cipher via /dev/crypto
Aug 22 20:17:36 vinyl6b kernel: Deprecated code (to be removed in
FreeBSD 13): CAST128 cipher via /dev/crypto

    ---Mike


mdtancsa
On 8/22/2019 8:21 PM, Mike Tancsa wrote:

> On 8/22/2019 6:51 PM, John Baldwin wrote:
>> On 8/21/19 5:47 PM,
>> # dtrace -n 'fbt::_gone_in:entry { @counts[curthread->td_proc->p_comm] =
>> count() }'
>> dtrace: description 'fbt::_gone_in:entry ' matched 1 probe
>>
>> However, It doesnt show anything after that even as I get the
>> deprecation messages in dmesg
>> Can you hit Ctrl-C after seeing some of the messages?  This trace won't
>> show any results until you exit dtrace.
>>
> Nothing unfortunately
>
Tried running it overnight, and still no results, whereas the server
had many entries

# grep "Aug 23" /var/log/kernel | grep Dep | wc
     805   13685   87101

#

# date ; dtrace -n 'fbt::_gone_in:entry {
@counts[curthread->td_proc->p_comm] = count() }' ; date
Thu Aug 22 20:20:33 EDT 2019
dtrace: description 'fbt::_gone_in:entry ' matched 1 probe

^C

Fri Aug 23 08:11:11 EDT 2019

#


mdtancsa
On 8/22/2019 6:51 PM, John Baldwin wrote:

> Can you hit Ctrl-C after seeing some of the messages?  This trace won't
> show any results until you exit dtrace.

Hi,

    I am still having problems tracking it down via dtrace, but I am
able to create the problem on demand on sshd.  What's odd is that if I
restrict the list of ciphers in sshd and even specify something like
aes-128 on the client, I still get warnings on the server.

e.g from a client,

% ssh -c aes128-cbc console1 uptime
 4:53PM  up  1:02, 3 users, load averages: 0.04, 0.08, 0.08

The server shows


Aug 26 16:53:13 console1 kernel: Deprecated code (to be removed in
FreeBSD 13): ARC4 cipher via /dev/crypto
Aug 26 16:53:13 console1 kernel: Deprecated code (to be removed in
FreeBSD 13): DES cipher via /dev/crypto
Aug 26 16:53:13 console1 kernel: Deprecated code (to be removed in
FreeBSD 13): 3DES cipher via /dev/crypto
Aug 26 16:53:13 console1 kernel: Deprecated code (to be removed in
FreeBSD 13): Blowfish cipher via /dev/crypto
Aug 26 16:53:13 console1 kernel: Deprecated code (to be removed in
FreeBSD 13): CAST128 cipher via /dev/crypto
Aug 26 16:53:13 console1 kernel: Deprecated code (to be removed in
FreeBSD 13): ARC4 cipher via /dev/crypto
Aug 26 16:53:13 console1 kernel: Deprecated code (to be removed in
FreeBSD 13): DES cipher via /dev/crypto
Aug 26 16:53:13 console1 kernel: Deprecated code (to be removed in
FreeBSD 13): 3DES cipher via /dev/crypto
Aug 26 16:53:13 console1 kernel: Deprecated code (to be removed in
FreeBSD 13): Blowfish cipher via /dev/crypto
Aug 26 16:53:13 console1 kernel: Deprecated code (to be removed in
FreeBSD 13): CAST128 cipher via /dev/crypto
Aug 26 16:53:13 console1 kernel: Deprecated code (to be removed in
FreeBSD 13): ARC4 cipher via /dev/crypto
Aug 26 16:53:13 console1 kernel: Deprecated code (to be removed in
FreeBSD 13): DES cipher via /dev/crypto
Aug 26 16:53:13 console1 kernel: Deprecated code (to be removed in
FreeBSD 13): 3DES cipher via /dev/crypto
Aug 26 16:53:13 console1 kernel: Deprecated code (to be removed in
FreeBSD 13): Blowfish cipher via /dev/crypto
Aug 26 16:53:13 console1 kernel: Deprecated code (to be removed in
FreeBSD 13): CAST128 cipher via /dev/crypto

Despite having

Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,[hidden email],[hidden email],[hidden email]

in /etc/ssh/sshd_config


Doing ssh -v from the client doesn't show any of the warning ciphers
being used or proposed at all.

Just wondering what the value of the warnings are if there is no way to
really deal with them or even track down where the issues are ?  Rather
than filling up the logs, would it be possible to have

kern.cryptodev_warn_interval=0

to disable ?


    ---Mike

John Baldwin
On 8/26/19 1:59 PM, mike tancsa wrote:

>     I am still having problems tracking it down via dtrace, but I am
> able to create the problem on demand on sshd.  Whats odd is that if I
> restrict the list of ciphers in sshd and even specify something like
> aes-128 on the client, I still get warnings on the server.

Ok, I was able to reproduce this on an 11.x VM.  It appears to only
be something that the crypto engine in OpenSSL 1.0.x does (1.1.1 used
in 12.0 and later has a rewritten /dev/crypto engine).

I'll see if I can find a way to tone down the warning.  Maybe if
sshd is only creating sessions and not using them I can restrict
it to warning the first time a session tries to perform an operation
using a deprecated algorithm.  (There are separate ioctls for
creating sessions vs doing actual crypto ops and the warning is
in the session creation currently.)

> kern.cryptodev_warn_interval=0

I'll try to get this tracked down this week, but this should be a
suitable workaround for now.

--
John Baldwin

John Baldwin
On 8/26/19 5:25 PM, John Baldwin wrote:

> Ok, I was able to reproduce this on an 11.x VM.  It appears to only
> be something that the crypto engine in OpenSSL 1.0.x does (1.1.1 used
> in 12.0 and later has a rewritten /dev/crypto engine).
>
> I'll see if I can find a way to tone down the warning.  Maybe if
> sshd is only creating sessions and not using them I can restrict
> it to warning the first time a session tries to perform an operation
> using a deprecated algorithm.  (There are separate ioctls for
> creating a sessions vs doing actual crypto ops and the warning is
> in the session creation currently.)

I've committed a fix to head and will MFC it in a few days.  Thanks for tracking
this down!

--
John Baldwin