• Milan Broz's avatar
    dm crypt: introduce new format of cipher with "capi:" prefix · 33d2f09f
    Milan Broz authored
    For the new authenticated encryption we have to support generic composed
    modes (combination of encryption algorithm and authenticator) because
    this is how the kernel crypto API accesses such algorithms.
    
    To simplify the interface, we accept an algorithm directly in crypto API
    format.  The new format is recognised by the "capi:" prefix.  The
    dmcrypt internal IV specification is the same as for the old format.
    
    The crypto API cipher specifications format is:
         capi:cipher_api_spec-ivmode[:ivopts]
    Examples:
         capi:cbc(aes)-essiv:sha256 (equivalent to old aes-cbc-essiv:sha256)
         capi:xts(aes)-plain64      (equivalent to old aes-xts-plain64)
    Examples of authenticated modes:
         capi:gcm(aes)-random
         capi:authenc(hmac(sha256),xts(aes))-random
         capi:rfc7539(chacha20,poly1305)-random
    
    Authenticated modes can only be configured using the new cipher format.
    Note that this format allows user to specify arbitrary combinations that
    can be insecure. (Policy decision is done in cryptsetup userspace.)
    
    Authenticated encryption algorithms can be of two types, either native
    modes (like GCM) that performs both encryption and authentication
    internally, or composed modes where user can compose AEAD with separate
    specification of encryption algorithm and authenticator.
    
    For composed mode with HMAC (length-preserving encryption mode like an
    XTS and HMAC as an authenticator) we have to calculate HMAC digest size
    (the separate authentication key is the same size as the HMAC digest).
    Introduce crypt_ctr_auth_cipher() to parse the crypto API string to get
    HMAC algorithm and retrieve digest size from it.
    
    Also, for HMAC composed mode we need to parse the crypto API string to
    get the cipher mode nested in the specification.  For native AEAD mode
    (like GCM), we can use crypto_tfm_alg_name() API to get the cipher
    specification.
    
    Because the HMAC composed mode is not processed the same as the native
    AEAD mode, the CRYPT_MODE_INTEGRITY_HMAC flag is no longer needed and
    "hmac" specification for the table integrity argument is removed.
    Signed-off-by: default avatarMilan Broz <gmazyland@gmail.com>
    Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
    33d2f09f
dm-crypt.c 73.9 KB