From f75bb255dcbcba07e793a434309c47e03645561f Mon Sep 17 00:00:00 2001
From: pjd <pjd@FreeBSD.org>
Date: Mon, 5 Jun 2006 21:40:54 +0000
Subject: Userland bits of geli(8) data authentication. Now, encryption
 algorithm is given using '-e' option, not '-a'. The '-a' option is now used
 to specify authentication algorithm.

Supported by:	Wheel Sp. z o.o. (http://www.wheel.pl)
---
 sbin/geom/class/eli/geom_eli.c | 44 ++++++++++++++++++++++++++++--------------
 1 file changed, 29 insertions(+), 15 deletions(-)

(limited to 'sbin/geom/class')

diff --git a/sbin/geom/class/eli/geom_eli.c b/sbin/geom/class/eli/geom_eli.c
index e71adc9..90df179 100644
--- a/sbin/geom/class/eli/geom_eli.c
+++ b/sbin/geom/class/eli/geom_eli.c
@@ -54,7 +54,8 @@ __FBSDID("$FreeBSD$");
 uint32_t lib_version = G_LIB_VERSION;
 uint32_t version = G_ELI_VERSION;
 
-static char algo[] = "aes";
+static char aalgo[] = "none";
+static char ealgo[] = "aes";
 static intmax_t keylen = 0;
 static intmax_t keyno = -1;
 static intmax_t iterations = -1;
@@ -75,12 +76,12 @@ static void eli_dump(struct gctl_req *req);
 /*
  * Available commands:
  *
- * init [-bhPv] [-a algo] [-i iterations] [-l keylen] [-K newkeyfile] prov
+ * init [-bhPv] [-a aalgo] [-e ealgo] [-i iterations] [-l keylen] [-K newkeyfile] prov
  * label - alias for 'init'
  * attach [-dpv] [-k keyfile] prov
  * detach [-fl] prov ...
  * stop - alias for 'detach'
- * onetime [-d] [-a algo] [-l keylen] prov ...
+ * onetime [-d] [-a aalgo] [-e ealgo] [-l keylen] prov ...
  * setkey [-pPv] [-n keyno] [-k keyfile] [-K newkeyfile] prov
  * delkey [-afv] [-n keyno] prov
  * kill [-av] [prov ...]
@@ -92,8 +93,9 @@ static void eli_dump(struct gctl_req *req);
 struct g_command class_commands[] = {
 	{ "init", G_FLAG_VERBOSE, eli_main,
 	    {
-		{ 'a', "algo", algo, G_TYPE_STRING },
+		{ 'a', "aalgo", aalgo, G_TYPE_STRING },
 		{ 'b', "boot", NULL, G_TYPE_NONE },
+		{ 'e', "ealgo", ealgo, G_TYPE_STRING },
 		{ 'i', "iterations", &iterations, G_TYPE_NUMBER },
 		{ 'K', "newkeyfile", newkeyfile, G_TYPE_STRING },
 		{ 'l', "keylen", &keylen, G_TYPE_NUMBER },
@@ -101,12 +103,13 @@ struct g_command class_commands[] = {
 		{ 's', "sectorsize", &sectorsize, G_TYPE_NUMBER },
 		G_OPT_SENTINEL
 	    },
-	    "[-bPv] [-a algo] [-i iterations] [-l keylen] [-K newkeyfile] [-s sectorsize] prov"
+	    "[-bPv] [-a aalgo] [-e ealgo] [-i iterations] [-l keylen] [-K newkeyfile] [-s sectorsize] prov"
 	},
 	{ "label", G_FLAG_VERBOSE, eli_main,
 	    {
-		{ 'a', "algo", algo, G_TYPE_STRING },
+		{ 'a', "aalgo", aalgo, G_TYPE_STRING },
 		{ 'b', "boot", NULL, G_TYPE_NONE },
+		{ 'e', "ealgo", ealgo, G_TYPE_STRING },
 		{ 'i', "iterations", &iterations, G_TYPE_NUMBER },
 		{ 'K', "newkeyfile", newkeyfile, G_TYPE_STRING },
 		{ 'l', "keylen", &keylen, G_TYPE_NUMBER },
@@ -143,13 +146,14 @@ struct g_command class_commands[] = {
 	},
 	{ "onetime", G_FLAG_VERBOSE | G_FLAG_LOADKLD, NULL,
 	    {
-		{ 'a', "algo", algo, G_TYPE_STRING },
+		{ 'a', "aalgo", aalgo, G_TYPE_STRING },
 		{ 'd', "detach", NULL, G_TYPE_NONE },
+		{ 'e', "ealgo", ealgo, G_TYPE_STRING },
 		{ 'l', "keylen", &keylen, G_TYPE_NUMBER },
 		{ 's', "sectorsize", &sectorsize, G_TYPE_NUMBER },
 		G_OPT_SENTINEL
 	    },
-	    "[-d] [-a algo] [-l keylen] [-s sectorsize] prov ..."
+	    "[-d] [-a aalgo] [-e ealgo] [-l keylen] [-s sectorsize] prov ..."
 	},
 	{ "setkey", G_FLAG_VERBOSE, eli_main,
 	    {
@@ -523,16 +527,26 @@ eli_init(struct gctl_req *req)
 	md.md_flags = 0;
 	if (gctl_get_int(req, "boot"))
 		md.md_flags |= G_ELI_FLAG_BOOT;
-	str = gctl_get_ascii(req, "algo");
-	md.md_algo = g_eli_str2algo(str);
-	if (md.md_algo < CRYPTO_ALGORITHM_MIN ||
-	    md.md_algo > CRYPTO_ALGORITHM_MAX) {
+	str = gctl_get_ascii(req, "aalgo");
+	if (strcmp(str, "none") != 0) {
+		md.md_aalgo = g_eli_str2aalgo(str);
+		if (md.md_aalgo < CRYPTO_ALGORITHM_MIN ||
+		    md.md_aalgo > CRYPTO_ALGORITHM_MAX) {
+			gctl_error(req, "Invalid authentication algorithm.");
+			return;
+		}
+		md.md_flags |= G_ELI_FLAG_AUTH;
+	}
+	str = gctl_get_ascii(req, "ealgo");
+	md.md_ealgo = g_eli_str2ealgo(str);
+	if (md.md_ealgo < CRYPTO_ALGORITHM_MIN ||
+	    md.md_ealgo > CRYPTO_ALGORITHM_MAX) {
 		gctl_error(req, "Invalid encryption algorithm.");
 		return;
 	}
 	val = gctl_get_intmax(req, "keylen");
 	md.md_keylen = val;
-	md.md_keylen = g_eli_keylen(md.md_algo, md.md_keylen);
+	md.md_keylen = g_eli_keylen(md.md_ealgo, md.md_keylen);
 	if (md.md_keylen == 0) {
 		gctl_error(req, "Invalid key length.");
 		return;
@@ -579,7 +593,7 @@ eli_init(struct gctl_req *req)
 	}
 
 	/* Encrypt the first and the only Master Key. */
-	error = g_eli_mkey_encrypt(md.md_algo, key, md.md_keylen, md.md_mkeys);
+	error = g_eli_mkey_encrypt(md.md_ealgo, key, md.md_keylen, md.md_mkeys);
 	bzero(key, sizeof(key));
 	if (error != 0) {
 		bzero(&md, sizeof(md));
@@ -733,7 +747,7 @@ eli_setkey_detached(struct gctl_req *req, const char *prov,
 	}
 
 	/* Encrypt the Master-Key with the new key. */
-	error = g_eli_mkey_encrypt(md->md_algo, key, md->md_keylen, mkeydst);
+	error = g_eli_mkey_encrypt(md->md_ealgo, key, md->md_keylen, mkeydst);
 	bzero(key, sizeof(key));
 	if (error != 0) {
 		bzero(md, sizeof(*md));
-- 
cgit v1.1