Userland bits of geli(8) data authentication.
Now, encryption algorithm is given using '-e' option, not '-a'. The '-a' option is now used to specify authentication algorithm. Supported by: Wheel Sp. z o.o. (http://www.wheel.pl)
This commit is contained in:
parent
eaa3b91996
commit
7fe923a866
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=159308
@ -54,7 +54,8 @@ __FBSDID("$FreeBSD$");
|
||||
uint32_t lib_version = G_LIB_VERSION;
|
||||
uint32_t version = G_ELI_VERSION;
|
||||
|
||||
static char algo[] = "aes";
|
||||
static char aalgo[] = "none";
|
||||
static char ealgo[] = "aes";
|
||||
static intmax_t keylen = 0;
|
||||
static intmax_t keyno = -1;
|
||||
static intmax_t iterations = -1;
|
||||
@ -75,12 +76,12 @@ static void eli_dump(struct gctl_req *req);
|
||||
/*
|
||||
* Available commands:
|
||||
*
|
||||
* init [-bhPv] [-a algo] [-i iterations] [-l keylen] [-K newkeyfile] prov
|
||||
* init [-bhPv] [-a aalgo] [-e ealgo] [-i iterations] [-l keylen] [-K newkeyfile] prov
|
||||
* label - alias for 'init'
|
||||
* attach [-dpv] [-k keyfile] prov
|
||||
* detach [-fl] prov ...
|
||||
* stop - alias for 'detach'
|
||||
* onetime [-d] [-a algo] [-l keylen] prov ...
|
||||
* onetime [-d] [-a aalgo] [-e ealgo] [-l keylen] prov ...
|
||||
* setkey [-pPv] [-n keyno] [-k keyfile] [-K newkeyfile] prov
|
||||
* delkey [-afv] [-n keyno] prov
|
||||
* kill [-av] [prov ...]
|
||||
@ -92,8 +93,9 @@ static void eli_dump(struct gctl_req *req);
|
||||
struct g_command class_commands[] = {
|
||||
{ "init", G_FLAG_VERBOSE, eli_main,
|
||||
{
|
||||
{ 'a', "algo", algo, G_TYPE_STRING },
|
||||
{ 'a', "aalgo", aalgo, G_TYPE_STRING },
|
||||
{ 'b', "boot", NULL, G_TYPE_NONE },
|
||||
{ 'e', "ealgo", ealgo, G_TYPE_STRING },
|
||||
{ 'i', "iterations", &iterations, G_TYPE_NUMBER },
|
||||
{ 'K', "newkeyfile", newkeyfile, G_TYPE_STRING },
|
||||
{ 'l', "keylen", &keylen, G_TYPE_NUMBER },
|
||||
@ -101,12 +103,13 @@ struct g_command class_commands[] = {
|
||||
{ 's', "sectorsize", §orsize, G_TYPE_NUMBER },
|
||||
G_OPT_SENTINEL
|
||||
},
|
||||
"[-bPv] [-a algo] [-i iterations] [-l keylen] [-K newkeyfile] [-s sectorsize] prov"
|
||||
"[-bPv] [-a aalgo] [-e ealgo] [-i iterations] [-l keylen] [-K newkeyfile] [-s sectorsize] prov"
|
||||
},
|
||||
{ "label", G_FLAG_VERBOSE, eli_main,
|
||||
{
|
||||
{ 'a', "algo", algo, G_TYPE_STRING },
|
||||
{ 'a', "aalgo", aalgo, G_TYPE_STRING },
|
||||
{ 'b', "boot", NULL, G_TYPE_NONE },
|
||||
{ 'e', "ealgo", ealgo, G_TYPE_STRING },
|
||||
{ 'i', "iterations", &iterations, G_TYPE_NUMBER },
|
||||
{ 'K', "newkeyfile", newkeyfile, G_TYPE_STRING },
|
||||
{ 'l', "keylen", &keylen, G_TYPE_NUMBER },
|
||||
@ -143,13 +146,14 @@ struct g_command class_commands[] = {
|
||||
},
|
||||
{ "onetime", G_FLAG_VERBOSE | G_FLAG_LOADKLD, NULL,
|
||||
{
|
||||
{ 'a', "algo", algo, G_TYPE_STRING },
|
||||
{ 'a', "aalgo", aalgo, G_TYPE_STRING },
|
||||
{ 'd', "detach", NULL, G_TYPE_NONE },
|
||||
{ 'e', "ealgo", ealgo, G_TYPE_STRING },
|
||||
{ 'l', "keylen", &keylen, G_TYPE_NUMBER },
|
||||
{ 's', "sectorsize", §orsize, G_TYPE_NUMBER },
|
||||
G_OPT_SENTINEL
|
||||
},
|
||||
"[-d] [-a algo] [-l keylen] [-s sectorsize] prov ..."
|
||||
"[-d] [-a aalgo] [-e ealgo] [-l keylen] [-s sectorsize] prov ..."
|
||||
},
|
||||
{ "setkey", G_FLAG_VERBOSE, eli_main,
|
||||
{
|
||||
@ -523,16 +527,26 @@ eli_init(struct gctl_req *req)
|
||||
md.md_flags = 0;
|
||||
if (gctl_get_int(req, "boot"))
|
||||
md.md_flags |= G_ELI_FLAG_BOOT;
|
||||
str = gctl_get_ascii(req, "algo");
|
||||
md.md_algo = g_eli_str2algo(str);
|
||||
if (md.md_algo < CRYPTO_ALGORITHM_MIN ||
|
||||
md.md_algo > CRYPTO_ALGORITHM_MAX) {
|
||||
str = gctl_get_ascii(req, "aalgo");
|
||||
if (strcmp(str, "none") != 0) {
|
||||
md.md_aalgo = g_eli_str2aalgo(str);
|
||||
if (md.md_aalgo < CRYPTO_ALGORITHM_MIN ||
|
||||
md.md_aalgo > CRYPTO_ALGORITHM_MAX) {
|
||||
gctl_error(req, "Invalid authentication algorithm.");
|
||||
return;
|
||||
}
|
||||
md.md_flags |= G_ELI_FLAG_AUTH;
|
||||
}
|
||||
str = gctl_get_ascii(req, "ealgo");
|
||||
md.md_ealgo = g_eli_str2ealgo(str);
|
||||
if (md.md_ealgo < CRYPTO_ALGORITHM_MIN ||
|
||||
md.md_ealgo > CRYPTO_ALGORITHM_MAX) {
|
||||
gctl_error(req, "Invalid encryption algorithm.");
|
||||
return;
|
||||
}
|
||||
val = gctl_get_intmax(req, "keylen");
|
||||
md.md_keylen = val;
|
||||
md.md_keylen = g_eli_keylen(md.md_algo, md.md_keylen);
|
||||
md.md_keylen = g_eli_keylen(md.md_ealgo, md.md_keylen);
|
||||
if (md.md_keylen == 0) {
|
||||
gctl_error(req, "Invalid key length.");
|
||||
return;
|
||||
@ -579,7 +593,7 @@ eli_init(struct gctl_req *req)
|
||||
}
|
||||
|
||||
/* Encrypt the first and the only Master Key. */
|
||||
error = g_eli_mkey_encrypt(md.md_algo, key, md.md_keylen, md.md_mkeys);
|
||||
error = g_eli_mkey_encrypt(md.md_ealgo, key, md.md_keylen, md.md_mkeys);
|
||||
bzero(key, sizeof(key));
|
||||
if (error != 0) {
|
||||
bzero(&md, sizeof(md));
|
||||
@ -733,7 +747,7 @@ eli_setkey_detached(struct gctl_req *req, const char *prov,
|
||||
}
|
||||
|
||||
/* Encrypt the Master-Key with the new key. */
|
||||
error = g_eli_mkey_encrypt(md->md_algo, key, md->md_keylen, mkeydst);
|
||||
error = g_eli_mkey_encrypt(md->md_ealgo, key, md->md_keylen, mkeydst);
|
||||
bzero(key, sizeof(key));
|
||||
if (error != 0) {
|
||||
bzero(md, sizeof(*md));
|
||||
|
Loading…
Reference in New Issue
Block a user