diff --git a/lib/geom/eli/geli.8 b/lib/geom/eli/geli.8
index 876f46687868..43ca9a2928c7 100644
--- a/lib/geom/eli/geli.8
+++ b/lib/geom/eli/geli.8
@@ -24,7 +24,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd April 3, 2019
+.Dd May 23, 2019
 .Dt GELI 8
 .Os
 .Sh NAME
@@ -901,6 +901,18 @@ specified in
 .El
 .Sh EXIT STATUS
 Exit status is 0 on success, and 1 if the command fails.
+.Sh DEPRECATION NOTICE
+Support for the
+.Nm Blowfish-CBC
+and
+.Nm 3DES-CBC
+cryptographic algorithms and
+.Nm HMAC/MD5
+authentication algorithm will be removed in
+.Fx 13.0 .
+New volumes cannot be created using these algorithms.
+Existing volumes should be migrated to a new volume that uses
+non-deprecated algorithms.
 .Sh EXAMPLES
 Initialize a provider which is going to be encrypted with a passphrase
 and random data from a file on the user's pen drive.
@@ -1134,7 +1146,7 @@ utility appeared in
 .Fx 6.0 .
 Support for the
 .Nm Camellia
-block cipher is implemented by Yoshisato Yanagisawa in
+block cipher was implemented by Yoshisato Yanagisawa in
 .Fx 7.0 .
 .Pp
 Highest
diff --git a/lib/geom/eli/geom_eli.c b/lib/geom/eli/geom_eli.c
index 2b08bf14a185..7fddef29acdb 100644
--- a/lib/geom/eli/geom_eli.c
+++ b/lib/geom/eli/geom_eli.c
@@ -805,6 +805,22 @@ eli_init(struct gctl_req *req)
 return;
 }
 }
+ if (md.md_flags & G_ELI_FLAG_AUTH) {
+ switch (md.md_aalgo) {
+ case CRYPTO_MD5_HMAC:
+ gctl_error(req,
+ "The %s authentication algorithm is deprecated.",
+ g_eli_algo2str(md.md_aalgo));
+ return;
+ }
+ }
+ switch (md.md_ealgo) {
+ case CRYPTO_3DES_CBC:
+ case CRYPTO_BLF_CBC:
+ gctl_error(req, "The %s encryption algorithm is deprecated.",
+ g_eli_algo2str(md.md_aalgo));
+ return;
+ }
 val = gctl_get_intmax(req, "keylen");
 md.md_keylen = val;
 md.md_keylen = g_eli_keylen(md.md_ealgo, md.md_keylen);
diff --git a/sys/geom/eli/g_eli.c b/sys/geom/eli/g_eli.c
index 04d05e464c5b..ef390f1612a3 100644
--- a/sys/geom/eli/g_eli.c
+++ b/sys/geom/eli/g_eli.c
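Review bot: The encryption-algorithm rejection at the end of the geom_eli.c hunk formats the wrong field: `g_eli_algo2str(md.md_aalgo)` is passed to a message about the encryption algorithm, so the error names the authentication algorithm (or, when authentication is not enabled, whatever md_aalgo holds at that point, presumably its initial value) rather than the cipher that was actually rejected. The argument should be `g_eli_algo2str(md.md_ealgo));`. The authentication check above it is correct, but a single-case `switch (md.md_aalgo)` reads more simply as `if (md.md_aalgo == CRYPTO_MD5_HMAC)`. eli_init begins before this hunk and continues after it.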
@@ -960,8 +960,25 @@ g_eli_create(struct gctl_req *req, struct g_class *mp, struct g_provider *bpp,
 G_ELI_DEBUG(0, "Device %s created.", pp->name);
 G_ELI_DEBUG(0, "Encryption: %s %u", g_eli_algo2str(sc->sc_ealgo),
 sc->sc_ekeylen);
- if (sc->sc_flags & G_ELI_FLAG_AUTH)
+ switch (sc->sc_ealgo) {
+ case CRYPTO_3DES_CBC:
+ gone_in(13,
+ "support for GEOM_ELI volumes encrypted with 3des");
+ break;
+ case CRYPTO_BLF_CBC:
+ gone_in(13,
+ "support for GEOM_ELI volumes encrypted with blowfish");
+ break;
+ }
+ if (sc->sc_flags & G_ELI_FLAG_AUTH) {
 G_ELI_DEBUG(0, " Integrity: %s", g_eli_algo2str(sc->sc_aalgo));
+ switch (sc->sc_aalgo) {
+ case CRYPTO_MD5_HMAC:
+ gone_in(13,
+ "support for GEOM_ELI volumes authenticated with hmac/md5");
+ break;
+ }
+ }
 G_ELI_DEBUG(0, " Crypto: %s",
 sc->sc_crypto == G_ELI_CRYPTO_SW ? "software" : "hardware");
 return (gp);
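Review bot: The single-case `switch (sc->sc_aalgo)` inside the new G_ELI_FLAG_AUTH block reads more simply as `if (sc->sc_aalgo == CRYPTO_MD5_HMAC)`, matching the flag test that encloses it. The strings handed to gone_in() do not name the provider, so the only thing tying each deprecation warning to a volume is that it is printed right after the `G_ELI_DEBUG(0, "Device %s created.", pp->name)` line above; a short comment such as `/* Emitted right after the "Device ... created" line so the warning can be matched to its provider. */` would record that the placement is deliberate. g_eli_create begins before this hunk.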