Quoth ipsec.conf(5):
Use of DES as an encryption algorithm is considered to be insecure since
brute force attacks are practical due its short key length.
The attached patch removes support for DES-CBC encryption in ESP
and in IKE main and quick mode from the kernel, iked(8), ipsecctl(8),
and isakmpd(8).
Note this is plain DES, *not* 3DES.
RFC2409 (November 1998) says that DES support is a "MUST" for IKEv1,
but I think we _must_ ignore this.
Next I intend to remove DES from the kernel crypto framework.
Index: sys/net/pfkeyv2.c
===================================================================
RCS file: /cvs/src/sys/net/pfkeyv2.c,v
retrieving revision 1.145
diff -u -p -r1.145 pfkeyv2.c
--- sys/net/pfkeyv2.c 17 Jul 2015 18:31:08 -0000 1.145
+++ sys/net/pfkeyv2.c 2 Dec 2015 22:13:21 -0000
@@ -103,7 +103,6 @@ static int npromisc = 0;
static const struct sadb_alg ealgs[] = {
{ SADB_EALG_NULL, 0, 0, 0 },
- { SADB_EALG_DESCBC, 64, 64, 64 },
{ SADB_EALG_3DESCBC, 64, 192, 192 },
{ SADB_X_EALG_BLF, 64, 40, BLF_MAXKEYLEN * 8},
{ SADB_X_EALG_CAST, 64, 40, 128},
@@ -1848,11 +1847,6 @@ pfkeyv2_acquire(struct ipsec_policy *ipo
sadb_comb->sadb_comb_encrypt =
SADB_EALG_3DESCBC;
sadb_comb->sadb_comb_encrypt_minbits = 192;
sadb_comb->sadb_comb_encrypt_maxbits = 192;
- } else if (!strncasecmp(ipsec_def_enc, "des",
- sizeof("des"))) {
- sadb_comb->sadb_comb_encrypt = SADB_EALG_DESCBC;
- sadb_comb->sadb_comb_encrypt_minbits = 64;
- sadb_comb->sadb_comb_encrypt_maxbits = 64;
} else if (!strncasecmp(ipsec_def_enc, "blowfish",
sizeof("blowfish"))) {
sadb_comb->sadb_comb_encrypt = SADB_X_EALG_BLF;
Index: sys/net/pfkeyv2.h
===================================================================
RCS file: /cvs/src/sys/net/pfkeyv2.h,v
retrieving revision 1.71
diff -u -p -r1.71 pfkeyv2.h
--- sys/net/pfkeyv2.h 2 Dec 2015 12:43:59 -0000 1.71
+++ sys/net/pfkeyv2.h 2 Dec 2015 22:11:46 -0000
@@ -296,7 +296,6 @@ struct sadb_x_tap {
#define SADB_AALG_MAX 12
#define SADB_EALG_NONE 0
-#define SADB_EALG_DESCBC 2
#define SADB_EALG_3DESCBC 3
#define SADB_X_EALG_CAST 6
#define SADB_X_EALG_BLF 7
Index: sys/net/pfkeyv2_convert.c
===================================================================
RCS file: /cvs/src/sys/net/pfkeyv2_convert.c,v
retrieving revision 1.56
diff -u -p -r1.56 pfkeyv2_convert.c
--- sys/net/pfkeyv2_convert.c 3 Nov 2015 01:50:36 -0000 1.56
+++ sys/net/pfkeyv2_convert.c 2 Dec 2015 22:12:19 -0000
@@ -228,10 +228,6 @@ export_sa(void **p, struct tdb *tdb)
sadb_sa->sadb_sa_encrypt = SADB_EALG_NULL;
break;
- case CRYPTO_DES_CBC:
- sadb_sa->sadb_sa_encrypt = SADB_EALG_DESCBC;
- break;
-
case CRYPTO_3DES_CBC:
sadb_sa->sadb_sa_encrypt = SADB_EALG_3DESCBC;
break;
Index: sys/netinet/ip_esp.c
===================================================================
RCS file: /cvs/src/sys/netinet/ip_esp.c,v
retrieving revision 1.135
diff -u -p -r1.135 ip_esp.c
--- sys/netinet/ip_esp.c 3 Nov 2015 01:50:36 -0000 1.135
+++ sys/netinet/ip_esp.c 2 Dec 2015 22:11:23 -0000
@@ -111,10 +111,6 @@ esp_init(struct tdb *tdbp, struct xforms
txform = &enc_xform_null;
break;
- case SADB_EALG_DESCBC:
- txform = &enc_xform_des;
- break;
-
case SADB_EALG_3DESCBC:
txform = &enc_xform_3des;
break;
Index: sbin/iked/iked.conf.5
===================================================================
RCS file: /cvs/src/sbin/iked/iked.conf.5,v
retrieving revision 1.43
diff -u -p -r1.43 iked.conf.5
--- sbin/iked/iked.conf.5 4 Nov 2015 12:40:49 -0000 1.43
+++ sbin/iked/iked.conf.5 2 Dec 2015 21:38:05 -0000
@@ -757,7 +757,6 @@ The following cipher types are permitted
keyword:
.Bl -column "chacha20-poly1305" "Key Length" "[ESP only]" -offset indent
.It Em "Cipher" Ta Em "Key Length" Ta ""
-.It Li des Ta "56 bits" Ta "[ESP only]"
.It Li 3des Ta "168 bits" Ta ""
.It Li aes-128 Ta "128 bits" Ta ""
.It Li aes-192 Ta "192 bits" Ta ""
@@ -782,11 +781,7 @@ not encryption:
.It Li null Ta "" Ta "[ESP only]"
.El
.Pp
-Use of DES as an encryption algorithm is considered to be insecure
-since brute force attacks are practical due its short key length.
-.Pp
-DES requires 8 bytes to form a 56-bit key and 3DES requires 24 bytes
-to form its 168-bit key.
+3DES requires 24 bytes to form its 168-bit key.
This is because the most significant bit of each byte is used for parity.
.Pp
The keysize of AES-CTR is actually 128-bit.
Index: sbin/iked/parse.y
===================================================================
RCS file: /cvs/src/sbin/iked/parse.y,v
retrieving revision 1.53
diff -u -p -r1.53 parse.y
--- sbin/iked/parse.y 4 Nov 2015 12:40:49 -0000 1.53
+++ sbin/iked/parse.y 2 Dec 2015 18:15:18 -0000
@@ -177,7 +177,6 @@ const struct ipsec_xf ikeencxfs[] = {
};
const struct ipsec_xf ipsecencxfs[] = {
- { "des", IKEV2_XFORMENCR_DES, 8 },
{ "3des", IKEV2_XFORMENCR_3DES, 24 },
{ "3des-cbc", IKEV2_XFORMENCR_3DES, 24 },
{ "aes-128", IKEV2_XFORMENCR_AES_CBC, 16, 16 },
Index: sbin/iked/pfkey.c
===================================================================
RCS file: /cvs/src/sbin/iked/pfkey.c,v
retrieving revision 1.48
diff -u -p -r1.48 pfkey.c
--- sbin/iked/pfkey.c 2 Dec 2015 12:43:59 -0000 1.48
+++ sbin/iked/pfkey.c 2 Dec 2015 18:15:37 -0000
@@ -69,7 +69,6 @@ struct pfkey_constmap {
};
static const struct pfkey_constmap pfkey_encr[] = {
- { SADB_EALG_DESCBC, IKEV2_XFORMENCR_DES },
{ SADB_EALG_3DESCBC, IKEV2_XFORMENCR_3DES },
{ SADB_X_EALG_CAST, IKEV2_XFORMENCR_CAST },
{ SADB_X_EALG_BLF, IKEV2_XFORMENCR_BLOWFISH },
Index: sbin/ipsecctl/ike.c
===================================================================
RCS file: /cvs/src/sbin/ipsecctl/ike.c,v
retrieving revision 1.80
diff -u -p -r1.80 ike.c
--- sbin/ipsecctl/ike.c 25 May 2015 19:29:36 -0000 1.80
+++ sbin/ipsecctl/ike.c 2 Dec 2015 20:17:49 -0000
@@ -198,9 +198,6 @@ ike_section_p2(struct ipsec_rule *r, FIL
case ENCXF_3DES_CBC:
enc_alg = "3DES";
break;
- case ENCXF_DES_CBC:
- enc_alg = "DES";
- break;
case ENCXF_AES:
enc_alg = "AES";
key_length = "128,128:256";
@@ -440,9 +437,6 @@ ike_section_p1(struct ipsec_rule *r, FIL
switch (r->p1xfs->encxf->id) {
case ENCXF_3DES_CBC:
enc_alg = "3DES";
- break;
- case ENCXF_DES_CBC:
- enc_alg = "DES";
break;
case ENCXF_AES:
enc_alg = "AES";
Index: sbin/ipsecctl/ipsec.conf.5
===================================================================
RCS file: /cvs/src/sbin/ipsecctl/ipsec.conf.5,v
retrieving revision 1.150
diff -u -p -r1.150 ipsec.conf.5
--- sbin/ipsecctl/ipsec.conf.5 1 Nov 2015 21:26:48 -0000 1.150
+++ sbin/ipsecctl/ipsec.conf.5 2 Dec 2015 21:38:38 -0000
@@ -624,7 +624,6 @@ The following cipher types are permitted
keyword:
.Bl -column "aes-128-gmac" "Key Length" "Description" -offset indent
.It Em "Cipher" Ta Em "Key Length" Ta ""
-.It Li des Ta "56 bits" Ta ""
.It Li 3des Ta "168 bits" Ta ""
.It Li aes Ta "128 bits" Ta ""
.It Li aes-128 Ta "128 bits" Ta ""
@@ -645,11 +644,7 @@ keyword:
.It Li null Ta "(none)" Ta "[phase 2 only]"
.El
.Pp
-Use of DES as an encryption algorithm is considered to be insecure
-since brute force attacks are practical due its short key length.
-.Pp
-DES requires 8 bytes to form a 56-bit key and 3DES requires 24 bytes
-to form its 168-bit key.
+3DES requires 24 bytes to form its 168-bit key.
This is because the most significant bit of each byte is used for parity.
.Pp
The keysize of AES-CTR can be 128, 192, or 256 bits.
Index: sbin/ipsecctl/ipsecctl.h
===================================================================
RCS file: /cvs/src/sbin/ipsecctl/ipsecctl.h,v
retrieving revision 1.68
diff -u -p -r1.68 ipsecctl.h
--- sbin/ipsecctl/ipsecctl.h 4 Nov 2015 12:46:13 -0000 1.68
+++ sbin/ipsecctl/ipsecctl.h 2 Dec 2015 20:17:20 -0000
@@ -62,7 +62,7 @@ enum {
AUTHXF_HMAC_SHA2_512
};
enum {
- ENCXF_UNKNOWN, ENCXF_NONE, ENCXF_3DES_CBC, ENCXF_DES_CBC, ENCXF_AES,
+ ENCXF_UNKNOWN, ENCXF_NONE, ENCXF_3DES_CBC, ENCXF_AES,
ENCXF_AES_128, ENCXF_AES_192, ENCXF_AES_256, ENCXF_AESCTR,
ENCXF_AES_128_CTR, ENCXF_AES_192_CTR, ENCXF_AES_256_CTR,
ENCXF_AES_128_GCM, ENCXF_AES_192_GCM, ENCXF_AES_256_GCM,
Index: sbin/ipsecctl/parse.y
===================================================================
RCS file: /cvs/src/sbin/ipsecctl/parse.y,v
retrieving revision 1.163
diff -u -p -r1.163 parse.y
--- sbin/ipsecctl/parse.y 4 Nov 2015 12:46:13 -0000 1.163
+++ sbin/ipsecctl/parse.y 2 Dec 2015 20:16:57 -0000
@@ -105,7 +105,6 @@ const struct ipsec_xf encxfs[] = {
{ "unknown", ENCXF_UNKNOWN, 0, 0, 0, 0 },
{ "none", ENCXF_NONE, 0, 0, 0, 0 },
{ "3des-cbc", ENCXF_3DES_CBC, 24, 24, 0, 0 },
- { "des-cbc", ENCXF_DES_CBC, 8, 8, 0, 0 },
{ "aes", ENCXF_AES, 16, 32, 0, 0 },
{ "aes-128", ENCXF_AES_128, 16, 16, 0, 0 },
{ "aes-192", ENCXF_AES_192, 24, 24, 0, 0 },
Index: sbin/ipsecctl/pfkdump.c
===================================================================
RCS file: /cvs/src/sbin/ipsecctl/pfkdump.c,v
retrieving revision 1.41
diff -u -p -r1.41 pfkdump.c
--- sbin/ipsecctl/pfkdump.c 2 Dec 2015 12:43:59 -0000 1.41
+++ sbin/ipsecctl/pfkdump.c 2 Dec 2015 20:15:53 -0000
@@ -157,7 +157,6 @@ struct idname auth_types[] = {
struct idname enc_types[] = {
{ SADB_EALG_NONE, "none", NULL },
{ SADB_EALG_3DESCBC, "3des-cbc", NULL },
- { SADB_EALG_DESCBC, "des-cbc", NULL },
{ SADB_X_EALG_AES, "aes", NULL },
{ SADB_X_EALG_AESCTR, "aesctr", NULL },
{ SADB_X_EALG_AESGCM16, "aes-gcm", NULL },
@@ -678,9 +677,6 @@ pfkey_print_sa(struct sadb_msg *msg, int
switch (sa->sadb_sa_encrypt) {
case SADB_EALG_3DESCBC:
xfs.encxf = &encxfs[ENCXF_3DES_CBC];
- break;
- case SADB_EALG_DESCBC:
- xfs.encxf = &encxfs[ENCXF_DES_CBC];
break;
case SADB_X_EALG_AES:
switch (r.enckey->len) {
Index: sbin/ipsecctl/pfkey.c
===================================================================
RCS file: /cvs/src/sbin/ipsecctl/pfkey.c,v
retrieving revision 1.55
diff -u -p -r1.55 pfkey.c
--- sbin/ipsecctl/pfkey.c 18 Oct 2015 02:30:53 -0000 1.55
+++ sbin/ipsecctl/pfkey.c 2 Dec 2015 20:16:30 -0000
@@ -485,9 +485,6 @@ pfkey_sa(int sd, u_int8_t satype, u_int8
case ENCXF_3DES_CBC:
sa.sadb_sa_encrypt = SADB_EALG_3DESCBC;
break;
- case ENCXF_DES_CBC:
- sa.sadb_sa_encrypt = SADB_EALG_DESCBC;
- break;
case ENCXF_AES:
case ENCXF_AES_128:
case ENCXF_AES_192:
Index: sbin/isakmpd/conf.c
===================================================================
RCS file: /cvs/src/sbin/isakmpd/conf.c,v
retrieving revision 1.104
diff -u -p -r1.104 conf.c
--- sbin/isakmpd/conf.c 20 Aug 2015 22:02:21 -0000 1.104
+++ sbin/isakmpd/conf.c 2 Dec 2015 21:13:31 -0000
@@ -288,13 +288,13 @@ conf_parse(int trans, char *buf, size_t
*
* Resulting section names can be:
* For main mode:
- * {DES,BLF,3DES,CAST,AES,AES-{128,192,256}-{MD5,SHA,SHA2-{256,384,512}} \
+ * {BLF,3DES,CAST,AES,AES-{128,192,256}-{MD5,SHA,SHA2-{256,384,512}} \
* [-GRP{1,2,5,14,15}][-{DSS,RSA_SIG}]
* For quick mode:
* QM-{proto}[-TRP]-{cipher}[-{hash}][-PFS[-{group}]]-SUITE
* where
* {proto} = ESP, AH
- * {cipher} = DES, 3DES, CAST, BLF, AES, AES-{128,192,256}, AESCTR
+ * {cipher} = 3DES, CAST, BLF, AES, AES-{128,192,256}, AESCTR
* {hash} = MD5, SHA, RIPEMD, SHA2-{256,384,512}
* {group} = GRP1, GRP2, GRP5, GRP14, GRP15
*
@@ -477,21 +477,21 @@ conf_load_defaults(int tr)
0};
char *mm_hash_p[] = {"-MD5", "-SHA", "-SHA2-256", "-SHA2-384",
"-SHA2-512", "", 0 };
- char *mm_enc[] = {"DES_CBC", "BLOWFISH_CBC", "3DES_CBC", "CAST_CBC",
+ char *mm_enc[] = {"BLOWFISH_CBC", "3DES_CBC", "CAST_CBC",
"AES_CBC", "AES_CBC", "AES_CBC", "AES_CBC", 0};
- char *mm_enc_p[] = {"DES", "BLF", "3DES", "CAST", "AES", "AES-128",
+ char *mm_enc_p[] = {"BLF", "3DES", "CAST", "AES", "AES-128",
"AES-192", "AES-256", 0};
char *dhgroup[] = {"MODP_1024", "MODP_768", "MODP_1024",
"MODP_1536", "MODP_2048", "MODP_3072", "MODP_4096",
"MODP_6144", "MODP_8192", 0};
char *dhgroup_p[] = {"", "-GRP1", "-GRP2", "-GRP5", "-GRP14",
"-GRP15", "-GRP16", "-GRP17", "-GRP18", 0};
- char *qm_enc[] = {"DES", "3DES", "CAST", "BLOWFISH", "AES",
+ char *qm_enc[] = {"3DES", "CAST", "BLOWFISH", "AES",
"AES", "AES", "AES", "AES_CTR", "AES_CTR", "AES_CTR",
"AES_CTR", "AES_GCM_16",
"AES_GCM_16", "AES_GCM_16", "AES_GMAC", "AES_GMAC",
"AES_GMAC", "NULL", "NONE", 0};
- char *qm_enc_p[] = {"-DES", "-3DES", "-CAST", "-BLF", "-AES",
+ char *qm_enc_p[] = {"-3DES", "-CAST", "-BLF", "-AES",
"-AES-128", "-AES-192", "-AES-256", "-AESCTR",
"-AESCTR-128", "-AESCTR-192", "-AESCTR-256",
"-AESGCM-128", "-AESGCM-192", "-AESGCM-256",
Index: sbin/isakmpd/crypto.c
===================================================================
RCS file: /cvs/src/sbin/isakmpd/crypto.c,v
retrieving revision 1.32
diff -u -p -r1.32 crypto.c
--- sbin/isakmpd/crypto.c 21 Mar 2013 04:30:14 -0000 1.32
+++ sbin/isakmpd/crypto.c 2 Dec 2015 21:49:31 -0000
@@ -37,13 +37,10 @@
#include "crypto.h"
#include "log.h"
-enum cryptoerr des1_init(struct keystate *, u_int8_t *, u_int16_t);
enum cryptoerr des3_init(struct keystate *, u_int8_t *, u_int16_t);
enum cryptoerr blf_init(struct keystate *, u_int8_t *, u_int16_t);
enum cryptoerr cast_init(struct keystate *, u_int8_t *, u_int16_t);
enum cryptoerr aes_init(struct keystate *, u_int8_t *, u_int16_t);
-void des1_encrypt(struct keystate *, u_int8_t *, u_int16_t);
-void des1_decrypt(struct keystate *, u_int8_t *, u_int16_t);
void des3_encrypt(struct keystate *, u_int8_t *, u_int16_t);
void des3_decrypt(struct keystate *, u_int8_t *, u_int16_t);
void blf_encrypt(struct keystate *, u_int8_t *, u_int16_t);
@@ -55,12 +52,6 @@ void aes_decrypt(struct keyst
struct crypto_xf transforms[] = {
{
- DES_CBC, "Data Encryption Standard (CBC-Mode)", 8, 8,
- BLOCKSIZE, 0,
- des1_init,
- des1_encrypt, des1_decrypt
- },
- {
TRIPLEDES_CBC, "Triple-DES (CBC-Mode)", 24, 24,
BLOCKSIZE, 0,
des3_init,
@@ -85,33 +76,6 @@ struct crypto_xf transforms[] = {
aes_encrypt, aes_decrypt
},
};
-
-enum cryptoerr
-des1_init(struct keystate *ks, u_int8_t *key, u_int16_t len)
-{
- /* DES_set_key returns -1 for parity problems, and -2 for weak keys */
- DES_set_odd_parity((void *)key);
- switch (DES_set_key((void *)key, &ks->ks_des[0])) {
- case -2:
- return EWEAKKEY;
- default:
- return EOKAY;
- }
-}
-
-void
-des1_encrypt(struct keystate *ks, u_int8_t *d, u_int16_t len)
-{
- DES_cbc_encrypt((void *)d, (void *)d, len, &ks->ks_des[0], (void
*)ks->riv,
- DES_ENCRYPT);
-}
-
-void
-des1_decrypt(struct keystate *ks, u_int8_t *d, u_int16_t len)
-{
- DES_cbc_encrypt((void *)d, (void *)d, len, &ks->ks_des[0], (void
*)ks->riv,
- DES_DECRYPT);
-}
enum cryptoerr
des3_init(struct keystate *ks, u_int8_t *key, u_int16_t len)
Index: sbin/isakmpd/ipsec.c
===================================================================
RCS file: /cvs/src/sbin/isakmpd/ipsec.c,v
retrieving revision 1.144
diff -u -p -r1.144 ipsec.c
--- sbin/isakmpd/ipsec.c 20 Aug 2015 22:02:21 -0000 1.144
+++ sbin/isakmpd/ipsec.c 2 Dec 2015 20:56:43 -0000
@@ -1822,10 +1822,6 @@ ipsec_esp_enckeylength(struct proto *pro
/* Compute the keylength to use. */
switch (proto->id) {
- case IPSEC_ESP_DES:
- case IPSEC_ESP_DES_IV32:
- case IPSEC_ESP_DES_IV64:
- return 8;
case IPSEC_ESP_3DES:
return 24;
case IPSEC_ESP_CAST:
Index: sbin/isakmpd/isakmpd.conf.5
===================================================================
RCS file: /cvs/src/sbin/isakmpd/isakmpd.conf.5,v
retrieving revision 1.131
diff -u -p -r1.131 isakmpd.conf.5
--- sbin/isakmpd/isakmpd.conf.5 16 Jan 2015 15:37:20 -0000 1.131
+++ sbin/isakmpd/isakmpd.conf.5 2 Dec 2015 21:33:56 -0000
@@ -96,7 +96,7 @@ For Main Mode:
where:
.Bl -tag -width "cipher" -offset indent -compact
.It Ar cipher
-is either DES, BLF, 3DES, CAST, AES, AES-128, AES-192 or AES-256
+is either BLF, 3DES, CAST, AES, AES-128, AES-192 or AES-256
.It Ar hash
is either MD5, SHA, or SHA2-{256,384,512}
.It Ar group
@@ -121,7 +121,7 @@ where:
.It Ar proto
is either ESP or AH
.It Ar cipher
-is either DES, 3DES, CAST, BLF, AES, AES-128, AES-192, AES-256, AESCTR,
+is either 3DES, CAST, BLF, AES, AES-128, AES-192, AES-256, AESCTR,
AESCTR-128, AESCTR-192, AESCTR-256,
AESGCM-128, AESGCM-192, AESGCM-256, AESGMAC-128, AESGMAC-192, AESGMAC-256
or NULL
@@ -1005,22 +1005,6 @@ Transforms= 3DES-SHA
# Main mode transforms
######################
-# DES
-
-[DES-MD5]
-ENCRYPTION_ALGORITHM= DES_CBC
-HASH_ALGORITHM= MD5
-AUTHENTICATION_METHOD= PRE_SHARED
-GROUP_DESCRIPTION= MODP_1024
-Life= LIFE_MAIN_MODE
-
-[DES-SHA]
-ENCRYPTION_ALGORITHM= DES_CBC
-HASH_ALGORITHM= SHA
-AUTHENTICATION_METHOD= PRE_SHARED
-GROUP_DESCRIPTION= MODP_1024
-Life= LIFE_MAIN_MODE
-
# 3DES
[3DES-SHA]
@@ -1092,26 +1076,6 @@ Life= LIFE_MAIN_MODE
# Quick mode protection suites
##############################
-# DES
-
-[QM-ESP-DES-SUITE]
-Protocols= QM-ESP-DES
-
-[QM-ESP-DES-PFS-SUITE]
-Protocols= QM-ESP-DES-PFS
-
-[QM-ESP-DES-MD5-SUITE]
-Protocols= QM-ESP-DES-MD5
-
-[QM-ESP-DES-MD5-PFS-SUITE]
-Protocols= QM-ESP-DES-MD5-PFS
-
-[QM-ESP-DES-SHA-SUITE]
-Protocols= QM-ESP-DES-SHA
-
-[QM-ESP-DES-SHA-PFS-SUITE]
-Protocols= QM-ESP-DES-SHA-PFS
-
# 3DES
[QM-ESP-3DES-SHA-SUITE]
@@ -1162,35 +1126,14 @@ Protocols= QM-AH-MD5-PFS
# AH + ESP (non-default)
-[QM-AH-MD5-ESP-DES-SUITE]
-Protocols= QM-AH-MD5,QM-ESP-DES
-
-[QM-AH-MD5-ESP-DES-MD5-SUITE]
-Protocols= QM-AH-MD5,QM-ESP-DES-MD5
+[QM-AH-MD5-ESP-3DES-SHA-SUITE]
+Protocols= QM-AH-MD5,QM-ESP-3DES-SHA
-[QM-ESP-DES-MD5-AH-MD5-SUITE]
-Protocols= QM-ESP-DES-MD5,QM-AH-MD5
+[QM-ESP-3DES-SHA-AH-MD5-SUITE]
+Protocols= QM-ESP-3DES-SHA,QM-AH-MD5
# Quick mode protocols
-# DES
-
-[QM-ESP-DES]
-PROTOCOL_ID= IPSEC_ESP
-Transforms= QM-ESP-DES-XF
-
-[QM-ESP-DES-MD5]
-PROTOCOL_ID= IPSEC_ESP
-Transforms= QM-ESP-DES-MD5-XF
-
-[QM-ESP-DES-MD5-PFS]
-PROTOCOL_ID= IPSEC_ESP
-Transforms= QM-ESP-DES-MD5-PFS-XF
-
-[QM-ESP-DES-SHA]
-PROTOCOL_ID= IPSEC_ESP
-Transforms= QM-ESP-DES-SHA-XF
-
# 3DES
[QM-ESP-3DES-SHA]
@@ -1273,32 +1216,6 @@ PROTOCOL_ID= IPSEC_AH
Transforms= QM-AH-MD5-PFS-XF
# Quick mode transforms
-
-# ESP DES+MD5
-
-[QM-ESP-DES-XF]
-TRANSFORM_ID= DES
-ENCAPSULATION_MODE= TUNNEL
-Life= LIFE_QUICK_MODE
-
-[QM-ESP-DES-MD5-XF]
-TRANSFORM_ID= DES
-ENCAPSULATION_MODE= TUNNEL
-AUTHENTICATION_ALGORITHM= HMAC_MD5
-Life= LIFE_QUICK_MODE
-
-[QM-ESP-DES-MD5-PFS-XF]
-TRANSFORM_ID= DES
-ENCAPSULATION_MODE= TUNNEL
-GROUP_DESCRIPTION= MODP_1024
-AUTHENTICATION_ALGORITHM= HMAC_MD5
-Life= LIFE_QUICK_MODE
-
-[QM-ESP-DES-SHA-XF]
-TRANSFORM_ID= DES
-ENCAPSULATION_MODE= TUNNEL
-AUTHENTICATION_ALGORITHM= HMAC_SHA
-Life= LIFE_QUICK_MODE
# 3DES
Index: sbin/isakmpd/pf_key_v2.c
===================================================================
RCS file: /cvs/src/sbin/isakmpd/pf_key_v2.c,v
retrieving revision 1.195
diff -u -p -r1.195 pf_key_v2.c
--- sbin/isakmpd/pf_key_v2.c 20 Aug 2015 22:02:21 -0000 1.195
+++ sbin/isakmpd/pf_key_v2.c 2 Dec 2015 20:55:55 -0000
@@ -901,12 +901,6 @@ pf_key_v2_set_spi(struct sa *sa, struct
hashlen = ipsec_esp_authkeylength(proto);
switch (proto->id) {
- case IPSEC_ESP_DES:
- case IPSEC_ESP_DES_IV32:
- case IPSEC_ESP_DES_IV64:
- ssa.sadb_sa_encrypt = SADB_EALG_DESCBC;
- break;
-
case IPSEC_ESP_3DES:
ssa.sadb_sa_encrypt = SADB_EALG_3DESCBC;
break;
Index: sbin/isakmpd/sa.c
===================================================================
RCS file: /cvs/src/sbin/isakmpd/sa.c,v
retrieving revision 1.122
diff -u -p -r1.122 sa.c
--- sbin/isakmpd/sa.c 20 Aug 2015 22:02:21 -0000 1.122
+++ sbin/isakmpd/sa.c 2 Dec 2015 20:57:22 -0000
@@ -550,12 +550,6 @@ report_proto(FILE *fd, struct proto *pro
fprintf(fd, "Encryption algorithm: ");
switch (proto->id) {
- case IPSEC_ESP_DES:
- case IPSEC_ESP_DES_IV32:
- case IPSEC_ESP_DES_IV64:
- fprintf(fd, "DES\n");
- break;
-
case IPSEC_ESP_3DES:
fprintf(fd, "3DES\n");
break;
--
Christian "naddy" Weisgerber [email protected]
