Fix geli's null cipher, and add a test case

PR: 247954 Submitted by: jhb (sys), asomers (tests) Reviewed by: jhb (tests), asomers (sys) MFC after: 2 weeks Sponsored by: Axcient
svn path=/head/; revision=363402
2020-07-21 19:18:29 +00:00 · 2020-07-21 19:18:29 +00:00 · aafaa8b794 · 2020-12-20 02:59:44 +00:00
commit aafaa8b794
parent 716df522b8
3 changed files with 55 additions and 6 deletions
--- a/sys/geom/eli/g_eli_integrity.c
+++ b/sys/geom/eli/g_eli_integrity.c
@ -536,13 +536,15 @@ g_eli_auth_run(struct g_eli_worker *wr, struct bio *bp)
 		crp->crp_digest_start = 0;
 		crp->crp_payload_start = sc->sc_alen;
 		crp->crp_payload_length = data_secsize;
-		crp->crp_flags |= CRYPTO_F_IV_SEPARATE;
 		if ((sc->sc_flags & G_ELI_FLAG_FIRST_KEY) == 0) {
 			crp->crp_cipher_key = g_eli_key_hold(sc, dstoff,
 			    encr_secsize);
 		}
-		g_eli_crypto_ivgen(sc, dstoff, crp->crp_iv,
-		    sizeof(crp->crp_iv));
+		if (g_eli_ivlen(sc->sc_ealgo) != 0) {
+			crp->crp_flags |= CRYPTO_F_IV_SEPARATE;
+			g_eli_crypto_ivgen(sc, dstoff, crp->crp_iv,
+			sizeof(crp->crp_iv));
+		}

 		g_eli_auth_keygen(sc, dstoff, authkey);
 		crp->crp_auth_key = authkey;
--- a/sys/geom/eli/g_eli_privacy.c
+++ b/sys/geom/eli/g_eli_privacy.c
@ -281,13 +281,15 @@ g_eli_crypto_run(struct g_eli_worker *wr, struct bio *bp)

 		crp->crp_payload_start = 0;
 		crp->crp_payload_length = secsize;
-		crp->crp_flags |= CRYPTO_F_IV_SEPARATE;
 		if ((sc->sc_flags & G_ELI_FLAG_SINGLE_KEY) == 0) {
 			crp->crp_cipher_key = g_eli_key_hold(sc, dstoff,
 			    secsize);
 		}
-		g_eli_crypto_ivgen(sc, dstoff, crp->crp_iv,
-		    sizeof(crp->crp_iv));
+		if (g_eli_ivlen(sc->sc_ealgo) != 0) {
+			crp->crp_flags |= CRYPTO_F_IV_SEPARATE;
+			g_eli_crypto_ivgen(sc, dstoff, crp->crp_iv,
+			sizeof(crp->crp_iv));
+		}

 		error = crypto_dispatch(crp);
 		KASSERT(error == 0, ("crypto_dispatch() failed (error=%d)",
--- a/tests/sys/geom/class/eli/onetime_test.sh
+++ b/tests/sys/geom/class/eli/onetime_test.sh
@ -130,9 +130,54 @@ onetime_d_cleanup()
 	geli_test_cleanup
 }

+atf_test_case onetime cleanup
+onetime_null_head()
+{
+	atf_set "descr" "geli onetime can use the null cipher"
+	atf_set "require.user" "root"
+}
+onetime_null_body()
+{
+	geli_test_setup
+
+	sectors=100
+
+	dd if=/dev/random of=rnd bs=${MAX_SECSIZE} count=${sectors} status=none
+
+	secsize=512
+	ealgo=${cipher%%:*}
+	keylen=${cipher##*:}
+
+	md=$(attach_md -t malloc -s 100k)
+
+	atf_check -s exit:0 -o ignore -e ignore \
+		geli onetime -e null -s ${secsize} ${md}
+
+	atf_check dd if=rnd of=/dev/${md}.eli bs=${secsize} count=${sectors} status=none
+
+	md_rnd=`dd if=rnd bs=${secsize} count=${sectors} status=none | md5`
+	atf_check_equal 0 $?
+	md_ddev=`dd if=/dev/${md}.eli bs=${secsize} count=${sectors} status=none | md5`
+	atf_check_equal 0 $?
+	md_edev=`dd if=/dev/${md} bs=${secsize} count=${sectors} status=none | md5`
+	atf_check_equal 0 $?
+
+	if [ ${md_rnd} != ${md_ddev} ]; then
+		atf_fail "geli did not return the original data"
+	fi
+	if [ ${md_rnd} != ${md_edev} ]; then
+		atf_fail "geli encrypted the data even with the null cipher"
+	fi
+}
+onetime_null_cleanup()
+{
+	geli_test_cleanup
+}
+
 atf_init_test_cases()
 {
 	atf_add_test_case onetime
 	atf_add_test_case onetime_a
 	atf_add_test_case onetime_d
+	atf_add_test_case onetime_null
 }