svn commit: r221628 - head/sys/geom/eli
Pawel Jakub Dawidek
pjd at FreeBSD.org
Sun May 8 09:17:57 UTC 2011
Author: pjd
Date: Sun May 8 09:17:56 2011
New Revision: 221628
URL: http://svn.freebsd.org/changeset/base/221628
Log:
When support for multiple encryption keys was committed, GELI integrity mode
was not updated to pass CRD_F_KEY_EXPLICIT flag to opencrypto. This resulted in
always using first key.
We need to support providers created with this bug, so set special
G_ELI_FLAG_FIRST_KEY flag for GELI provider in integrity mode with version
smaller than 6 and pass the CRD_F_KEY_EXPLICIT flag to opencrypto only if
G_ELI_FLAG_FIRST_KEY doesn't exist.
Reported by: Anton Yuzhaninov <citrin at citrin.ru>
MFC after: 1 week
Modified:
head/sys/geom/eli/g_eli.c
head/sys/geom/eli/g_eli.h
head/sys/geom/eli/g_eli_integrity.c
Modified: head/sys/geom/eli/g_eli.c
==============================================================================
--- head/sys/geom/eli/g_eli.c Sun May 8 09:11:59 2011 (r221627)
+++ head/sys/geom/eli/g_eli.c Sun May 8 09:17:56 2011 (r221628)
@@ -329,7 +329,12 @@ g_eli_newsession(struct g_eli_worker *wr
crie.cri_klen = sc->sc_ekeylen;
if (sc->sc_ealgo == CRYPTO_AES_XTS)
crie.cri_klen <<= 1;
- crie.cri_key = sc->sc_ekey;
+ if ((sc->sc_flags & G_ELI_FLAG_FIRST_KEY) != 0) {
+ crie.cri_key = g_eli_key_hold(sc, 0,
+ LIST_FIRST(&sc->sc_geom->consumer)->provider->sectorsize);
+ } else {
+ crie.cri_key = sc->sc_ekey;
+ }
if (sc->sc_flags & G_ELI_FLAG_AUTH) {
bzero(&cria, sizeof(cria));
cria.cri_alg = sc->sc_aalgo;
@@ -368,6 +373,9 @@ g_eli_newsession(struct g_eli_worker *wr
panic("%s: invalid condition", __func__);
}
+ if ((sc->sc_flags & G_ELI_FLAG_FIRST_KEY) != 0)
+ g_eli_key_drop(sc, crie.cri_key);
+
return (error);
}
@@ -708,6 +716,8 @@ g_eli_create(struct gctl_req *req, struc
sc->sc_flags |= G_ELI_FLAG_NATIVE_BYTE_ORDER;
if (md->md_version < 5)
sc->sc_flags |= G_ELI_FLAG_SINGLE_KEY;
+ if (md->md_version < 6 && (sc->sc_flags & G_ELI_FLAG_AUTH) != 0)
+ sc->sc_flags |= G_ELI_FLAG_FIRST_KEY;
sc->sc_ealgo = md->md_ealgo;
sc->sc_nkey = nkey;
Modified: head/sys/geom/eli/g_eli.h
==============================================================================
--- head/sys/geom/eli/g_eli.h Sun May 8 09:11:59 2011 (r221627)
+++ head/sys/geom/eli/g_eli.h Sun May 8 09:17:56 2011 (r221628)
@@ -63,10 +63,19 @@
* 2 - Added G_ELI_FLAG_READONLY.
* 3 - Added 'configure' subcommand.
* 4 - IV is generated from offset converted to little-endian
- * (flag G_ELI_FLAG_NATIVE_BYTE_ORDER will be set for older versions).
+ * (the G_ELI_FLAG_NATIVE_BYTE_ORDER flag will be set for older versions).
* 5 - Added multiple encrypton keys and AES-XTS support.
+ * 6 - Fixed usage of multiple keys for authenticated providers (the
+ * G_ELI_FLAG_FIRST_KEY flag will be set for older versions).
*/
-#define G_ELI_VERSION 5
+#define G_ELI_VERSION_00 0
+#define G_ELI_VERSION_01 1
+#define G_ELI_VERSION_02 2
+#define G_ELI_VERSION_03 3
+#define G_ELI_VERSION_04 4
+#define G_ELI_VERSION_05 5
+#define G_ELI_VERSION_06 6
+#define G_ELI_VERSION G_ELI_VERSION_06
/* ON DISK FLAGS. */
/* Use random, onetime keys. */
@@ -92,6 +101,8 @@
#define G_ELI_FLAG_SINGLE_KEY 0x00080000
/* Device suspended. */
#define G_ELI_FLAG_SUSPEND 0x00100000
+/* Provider uses first encryption key. */
+#define G_ELI_FLAG_FIRST_KEY 0x00200000
#define G_ELI_NEW_BIO 255
Modified: head/sys/geom/eli/g_eli_integrity.c
==============================================================================
--- head/sys/geom/eli/g_eli_integrity.c Sun May 8 09:11:59 2011 (r221627)
+++ head/sys/geom/eli/g_eli_integrity.c Sun May 8 09:17:56 2011 (r221628)
@@ -513,6 +513,8 @@ g_eli_auth_run(struct g_eli_worker *wr,
crde->crd_skip = sc->sc_alen;
crde->crd_len = data_secsize;
crde->crd_flags = CRD_F_IV_EXPLICIT | CRD_F_IV_PRESENT;
+ if ((sc->sc_flags & G_ELI_FLAG_FIRST_KEY) == 0)
+ crde->crd_flags |= CRD_F_KEY_EXPLICIT;
if (bp->bio_cmd == BIO_WRITE)
crde->crd_flags |= CRD_F_ENCRYPT;
crde->crd_alg = sc->sc_ealgo;
More information about the svn-src-head
mailing list