author: John Baldwin <jhb@FreeBSD.org> 2020-04-15 00:14:50 +0000
committer: John Baldwin <jhb@FreeBSD.org> 2020-04-15 00:14:50 +0000
commit: e2b9919398c338ecaf0eee2d1060ef71fca7bc94
tree: 747ecbb592267a09a51942cda090794cb6bd0534 /lib/geom
parent: 30b4df2e4a12016f961f4d4e6b8b5b361feeb96f
Remove support for geli(4) algorithms deprecated in r348206.

This removes support for reading and writing volumes using the
following algorithms:

- Triple DES
- Blowfish
- MD5 HMAC integrity

In addition, this commit adds an explicit whitelist of supported
algorithms to give a better error message when an invalid or
unsupported algorithm is used by an existing volume.

Reviewed by: cem
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D24343

Notes: svn path=/head/; revision=359945
Diffstat (limited to 'lib/geom')
-rw-r--r-- lib/geom/eli/geli.8 29
-rw-r--r-- lib/geom/eli/geom_eli.c 16
2 files changed, 3 insertions, 42 deletions
diff --git a/lib/geom/eli/geli.8 b/lib/geom/eli/geli.8
index c56b79cfbb61..798c4ce5e2af 100644
--- a/lib/geom/eli/geli.8
+++ b/lib/geom/eli/geli.8
@@ -24,7 +24,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd March 19, 2020
+.Dd April 14, 2020
.Dt GELI 8
.Os
.Sh NAME
@@ -172,14 +172,11 @@ will make use of it automatically.
Supports many cryptographic algorithms (currently
.Nm AES-XTS ,
.Nm AES-CBC ,
-.Nm Blowfish-CBC ,
-.Nm Camellia-CBC
and
-.Nm 3DES-CBC ) .
+.Nm Camellia-CBC ) .
.It
Can optionally perform data authentication (integrity verification) utilizing
one of the following algorithms:
-.Nm HMAC/MD5 ,
.Nm HMAC/SHA1 ,
.Nm HMAC/RIPEMD160 ,
.Nm HMAC/SHA256 ,
@@ -259,7 +256,6 @@ For example, when using 4096 bytes sector and
.Nm HMAC/SHA256
algorithm, 89% of the original provider storage will be available for use.
Currently supported algorithms are:
-.Nm HMAC/MD5 ,
.Nm HMAC/SHA1 ,
.Nm HMAC/RIPEMD160 ,
.Nm HMAC/SHA256 ,
@@ -303,9 +299,7 @@ Encryption algorithm to use.
Currently supported algorithms are:
.Nm AES-XTS ,
.Nm AES-CBC ,
-.Nm Blowfish-CBC ,
.Nm Camellia-CBC ,
-.Nm 3DES-CBC ,
and
.Nm NULL .
The default and recommended algorithm is
@@ -359,11 +353,6 @@ key length.
.Em 128 ,
192,
256
-.It Nm Blowfish-CBC
-.Em 128
-+ n * 32, for n=[0..10]
-.It Nm 3DES-CBC
-.Em 192
.El
.It Fl P
Do not use a passphrase as a component of the User Key.
@@ -901,18 +890,6 @@ specified in
.El
.Sh EXIT STATUS
Exit status is 0 on success, and 1 if the command fails.
-.Sh DEPRECATION NOTICE
-Support for the
-.Nm Blowfish-CBC
-and
-.Nm 3DES-CBC
-cryptographic algorithms and
-.Nm HMAC/MD5
-authentication algorithm will be removed in
-.Fx 13.0 .
-New volumes cannot be created using these algorithms.
-Existing volumes should be migrated to a new volume that uses
-non-deprecated algorithms.
.Sh EXAMPLES
Initialize a provider which is going to be encrypted with a
passphrase and random data from a file on the user's pen drive.
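Review bot: Deleting the whole DEPRECATION NOTICE section leaves the manual page with no record that Blowfish-CBC, 3DES-CBC and HMAC/MD5 volumes were ever supported or that they can no longer be read. The commit message says read and write support is gone, so an administrator who still has such a volume and consults geli(8) after upgrading finds nothing explaining why it is rejected. Consider replacing the notice with a short HISTORY or compatibility paragraph stating that support for these three algorithms was removed and that affected volumes must be migrated on a release that still supports them.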
@@ -967,7 +944,7 @@ Reenter new passphrase:
Encrypted swap partition setup:
.Bd -literal -offset indent
# dd if=/dev/random of=/dev/ada0s1b bs=1m
-# geli onetime -d -e 3des ada0s1b
+# geli onetime -d ada0s1b
# swapon /dev/ada0s1b.eli
.Ed
.Pp
diff --git a/lib/geom/eli/geom_eli.c b/lib/geom/eli/geom_eli.c
index d5cf3cbf3a09..8ee4643e3c91 100644
--- a/lib/geom/eli/geom_eli.c
+++ b/lib/geom/eli/geom_eli.c
@@ -805,22 +805,6 @@ eli_init(struct gctl_req *req)
return;
}
}
- if (md.md_flags & G_ELI_FLAG_AUTH) {
- switch (md.md_aalgo) {
- case CRYPTO_MD5_HMAC:
- gctl_error(req,
- "The %s authentication algorithm is deprecated.",
- g_eli_algo2str(md.md_aalgo));
- return;
- }
- }
- switch (md.md_ealgo) {
- case CRYPTO_3DES_CBC:
- case CRYPTO_BLF_CBC:
- gctl_error(req, "The %s encryption algorithm is deprecated.",
- g_eli_algo2str(md.md_ealgo));
- return;
- }
val = gctl_get_intmax(req, "keylen");
md.md_keylen = val;
md.md_keylen = g_eli_keylen(md.md_ealgo, md.md_keylen);
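Review bot: With the two switch blocks removed, nothing in the visible part of eli_init() rejects md.md_ealgo or md.md_aalgo before the value reaches g_eli_keylen(md.md_ealgo, md.md_keylen). The rejection of 3DES, Blowfish and HMAC/MD5 now has to come from the algorithm-name parsing earlier in the function or from the whitelist the commit message mentions, and neither is part of this diff, which is limited to lib/geom. Please confirm that a "geli init" naming one of the removed algorithms still fails at that earlier point with a message that names the algorithm, rather than falling through to a generic key length error here. A regression test that passes each removed algorithm name to init and checks the error text would pin that down.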