Date: Tue, 6 Jun 2006 09:08:27 +0200 From: Pawel Jakub Dawidek <pjd@FreeBSD.org> To: Nate Lawson <nate@root.org> Cc: cvs-src@FreeBSD.org, src-committers@FreeBSD.org, cvs-all@FreeBSD.org Subject: Re: cvs commit: src/sbin/geom/class/eli geom_eli.c Message-ID: <20060606070827.GC72060@garage.freebsd.pl> In-Reply-To: <4484DB40.1010907@root.org> References: <20060605223446.AD29316DBF5@hub.freebsd.org> <4484DB40.1010907@root.org>
next in thread | previous in thread | raw e-mail | index | archive | help
--B4IIlcmfBL/1gGOG Content-Type: text/plain; charset=iso-8859-2 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Jun 05, 2006 at 06:32:48PM -0700, Nate Lawson wrote: +> Pawel Jakub Dawidek wrote: +> >pjd 2006-06-05 21:40:54 UTC +> > FreeBSD src repository +> > Modified files: +> > sbin/geom/class/eli geom_eli.c Log: +> > Userland bits of geli(8) data authentication. +> > Now, encryption algorithm is given using '-e' option, not '-a'. +> > The '-a' option is now used to specify authentication algorithm. +> > Supported by: Wheel Sp. z o.o. (http://www.wheel.pl) +> > Revision Changes Path +> > 1.11 +29 -15 src/sbin/geom/class/eli/geom_eli.c +>=20 +> Excellent! One of my longstanding complaints has been that no block enc= ryption software supported integrity, only privacy. +>=20 +> http://www.root.org/talks/Usenix_20040629.pdf The problem is that it was not easy to make it reliable, ie. to be sure that storing both data and HMAC is atomic operation, so user won't get false postitives on system crash or power failure. But I found a way to do it, so here it is:) If you are interested how it is done, I tried to describe it at the beginning of g_eli_integrity.c. (I need to write a paper about GELI someday...) +> As far as the flag change goes, won't this make it difficult to MFC this= new feature later? One will get an error if it tries to specify encryption algorithm with '-a' flag, so nothing bad will happen. I handle metadata backward compatibility, so we are safe here. If needed I can eventually accept encryption algorithm specified with '-a' flag and print a warning. The bigger problem is that to MFC geli(8) authentication, I need to MFC my recent opencrypto work, which I'd like to be well tested first. --=20 Pawel Jakub Dawidek http://www.wheel.pl pjd@FreeBSD.org http://www.FreeBSD.org FreeBSD committer Am I Evil? Yes, I Am! --B4IIlcmfBL/1gGOG Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (FreeBSD) iD8DBQFEhSnrForvXbEpPzQRAvXNAJwL1luKjfHwp+JoJkx31Y+3M3vK+wCgqL5t aLcMiUuHyMgoDfH7Boa1Mh4= =cKxy -----END PGP SIGNATURE----- --B4IIlcmfBL/1gGOG--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060606070827.GC72060>