How to Enable support for IPsec deprecated algorithms: 3DES, MD5-HMAC

Reply: John Baldwin : "Re: How to Enable support for IPsec deprecated algorithms: 3DES, MD5-HMAC"
Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: alfadev <alfadev_at_protonmail.com>
Date: Tue, 04 Oct 2022 08:53:04 UTC
Hi, i am trying to move my gateway from FreeBSD 11.0 to FreeBSD 14.0 to use
newly added ipfw table lookup for mac addresses (https://reviews.freebsd.org/D35103)

Also I have too many IPSec connections between fortigate, cisco etc.
And their operators use only 3DES algorithms and they have no intention to change it for me.
So, now i have to enable 3DES support for FreeBSD 14.0 .

To add 3DES support again i changed some files shown below.
I am not sure what i did any help welcomes.

i restored below files:

https://cgit.freebsd.org/src/commit/?id=16aabb761c0a

-rw-r--r--	[lib/libipsec/pfkey_dump.c](https://cgit.freebsd.org/src/diff/lib/libipsec/pfkey_dump.c?id=16aabb761c0a)	25

-rw-r--r--	[sbin/setkey/sample.cf](https://cgit.freebsd.org/src/diff/sbin/setkey/sample.cf?id=16aabb761c0a)	79

-rw-r--r--	[sbin/setkey/setkey.8](https://cgit.freebsd.org/src/diff/sbin/setkey/setkey.8?id=16aabb761c0a)	29

-rw-r--r--	[sbin/setkey/test-pfkey.c](https://cgit.freebsd.org/src/diff/sbin/setkey/test-pfkey.c?id=16aabb761c0a)	32

-rw-r--r--	[sbin/setkey/token.l](https://cgit.freebsd.org/src/diff/sbin/setkey/token.l?id=16aabb761c0a)	11

-rw-r--r--	[sys/netipsec/ipsec.c](https://cgit.freebsd.org/src/diff/sys/netipsec/ipsec.c?id=16aabb761c0a)	5

-rw-r--r--	[sys/netipsec/ipsec.h](https://cgit.freebsd.org/src/diff/sys/netipsec/ipsec.h?id=16aabb761c0a)	2

-rw-r--r--	[sys/netipsec/key.c](https://cgit.freebsd.org/src/diff/sys/netipsec/key.c?id=16aabb761c0a)	12

-rw-r--r--	[sys/netipsec/xform_ah.c](https://cgit.freebsd.org/src/diff/sys/netipsec/xform_ah.c?id=16aabb761c0a)	26

-rw-r--r--	[sys/netipsec/xform_esp.c](https://cgit.freebsd.org/src/diff/sys/netipsec/xform_esp.c?id=16aabb761c0a)	25

-rw-r--r--	[usr.bin/netstat/ipsec.c](https://cgit.freebsd.org/src/diff/usr.bin/netstat/ipsec.c?id=16aabb761c0a)

https://cgit.freebsd.org/src/commit/?id=6c80c319ef88

-rw-r--r--	[sys/opencrypto/cryptodev.c](https://cgit.freebsd.org/src/diff/sys/opencrypto/cryptodev.c?id=6c80c319ef88)
-rw-r--r--	[sys/opencrypto/cryptodev.](https://cgit.freebsd.org/src/diff/sys/opencrypto/cryptodev.c?id=6c80c319ef88)h

Compiled New Kernel with this extra options:

# OWNKERNv1
include GENERICident OWNKERNv1

options IPFIREWALL
options DUMMYNET
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT
options IPSEC
options IPSEC_SUPPORT
device crypto

cd /usr/src
make -j$(sysctl -n hw.ncpu) buildkernel KERNCONF=OWNKERNv1

But When i try to compile new kernel it gets too many errors.
any help will be appreciated at this point..

Part of Error Logs:
-- all_subdir_cryptodev ---
/usr/src/sys/opencrypto/cryptodev.c:314:16: error: incompatible function pointer types initializing 'fo_stat_t *' (aka 'int (*)(struct file *, struct stat *, struct ucred *)') with an expression of type 'int (struct file *, struct stat *, struct ucred *, struct thread *)' [-Werror,-Wincompatible-function-pointer-types]
.fo_stat = cryptof_stat,
^~~~~~~~~~~~
/usr/src/sys/opencrypto/cryptodev.c:412:14: error: use of undeclared identifier 'enc_xform_des'; did you mean 'enc_xform_ccm'?
txform = &enc_xform_des;
^~~~~~~~~~~~~
enc_xform_ccm
/usr/src/sys/opencrypto/xform_enc.h:105:31: note: 'enc_xform_ccm' declared here
extern const struct enc_xform enc_xform_ccm;
^
/usr/src/sys/opencrypto/cryptodev.c:415:14: error: use of undeclared identifier 'enc_xform_3des'
txform = &enc_xform_3des;
^...