Index: head/sbin/geom/class/eli/geom_eli.c
===================================================================
--- head/sbin/geom/class/eli/geom_eli.c	(revision 308136)
+++ head/sbin/geom/class/eli/geom_eli.c	(revision 308137)
@@ -1,1726 +1,1726 @@
 /*-
  * Copyright (c) 2004-2010 Pawel Jakub Dawidek <pjd@FreeBSD.org>
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
  *
  * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
 
 #include <sys/cdefs.h>
 __FBSDID("$FreeBSD$");
 
 #include <sys/param.h>
 #include <sys/mman.h>
 #include <sys/sysctl.h>
 #include <sys/resource.h>
 #include <opencrypto/cryptodev.h>
 
 #include <assert.h>
 #include <err.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <libgeom.h>
 #include <paths.h>
 #include <readpassphrase.h>
 #include <stdbool.h>
 #include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <strings.h>
 #include <unistd.h>
 
 #include <geom/eli/g_eli.h>
 #include <geom/eli/pkcs5v2.h>
 
 #include "core/geom.h"
 #include "misc/subr.h"
 
 
 uint32_t lib_version = G_LIB_VERSION;
 uint32_t version = G_ELI_VERSION;
 
 #define	GELI_BACKUP_DIR	"/var/backups/"
 #define	GELI_ENC_ALGO	"aes"
 
 static void eli_main(struct gctl_req *req, unsigned flags);
 static void eli_init(struct gctl_req *req);
 static void eli_attach(struct gctl_req *req);
 static void eli_configure(struct gctl_req *req);
 static void eli_setkey(struct gctl_req *req);
 static void eli_delkey(struct gctl_req *req);
 static void eli_resume(struct gctl_req *req);
 static void eli_kill(struct gctl_req *req);
 static void eli_backup(struct gctl_req *req);
 static void eli_restore(struct gctl_req *req);
 static void eli_resize(struct gctl_req *req);
 static void eli_version(struct gctl_req *req);
 static void eli_clear(struct gctl_req *req);
 static void eli_dump(struct gctl_req *req);
 
 static int eli_backup_create(struct gctl_req *req, const char *prov,
     const char *file);
 
 /*
  * Available commands:
  *
  * init [-bgPTv] [-a aalgo] [-B backupfile] [-e ealgo] [-i iterations] [-l keylen] [-J newpassfile] [-K newkeyfile] [-s sectorsize] [-V version] prov
  * label - alias for 'init'
  * attach [-dprv] [-j passfile] [-k keyfile] prov
  * detach [-fl] prov ...
  * stop - alias for 'detach'
  * onetime [-d] [-a aalgo] [-e ealgo] [-l keylen] prov
  * configure [-bBgGtT] prov ...
  * setkey [-pPv] [-n keyno] [-j passfile] [-J newpassfile] [-k keyfile] [-K newkeyfile] prov
  * delkey [-afv] [-n keyno] prov
  * suspend [-v] -a | prov ...
  * resume [-pv] [-j passfile] [-k keyfile] prov
  * kill [-av] [prov ...]
  * backup [-v] prov file
  * restore [-fv] file prov
  * resize [-v] -s oldsize prov
  * version [prov ...]
  * clear [-v] prov ...
  * dump [-v] prov ...
  */
 struct g_command class_commands[] = {
 	{ "init", G_FLAG_VERBOSE, eli_main,
 	    {
 		{ 'a', "aalgo", "", G_TYPE_STRING },
 		{ 'b', "boot", NULL, G_TYPE_BOOL },
 		{ 'B', "backupfile", "", G_TYPE_STRING },
 		{ 'e', "ealgo", "", G_TYPE_STRING },
 		{ 'g', "geliboot", NULL, G_TYPE_BOOL },
 		{ 'i', "iterations", "-1", G_TYPE_NUMBER },
 		{ 'J', "newpassfile", G_VAL_OPTIONAL, G_TYPE_STRING | G_TYPE_MULTI },
 		{ 'K', "newkeyfile", G_VAL_OPTIONAL, G_TYPE_STRING | G_TYPE_MULTI },
 		{ 'l', "keylen", "0", G_TYPE_NUMBER },
 		{ 'P', "nonewpassphrase", NULL, G_TYPE_BOOL },
 		{ 's', "sectorsize", "0", G_TYPE_NUMBER },
 		{ 'T', "notrim", NULL, G_TYPE_BOOL },
 		{ 'V', "mdversion", "-1", G_TYPE_NUMBER },
 		G_OPT_SENTINEL
 	    },
 	    "[-bgPTv] [-a aalgo] [-B backupfile] [-e ealgo] [-i iterations] [-l keylen] [-J newpassfile] [-K newkeyfile] [-s sectorsize] [-V version] prov"
 	},
 	{ "label", G_FLAG_VERBOSE, eli_main,
 	    {
 		{ 'a', "aalgo", "", G_TYPE_STRING },
 		{ 'b', "boot", NULL, G_TYPE_BOOL },
 		{ 'B', "backupfile", "", G_TYPE_STRING },
 		{ 'e', "ealgo", "", G_TYPE_STRING },
 		{ 'g', "geliboot", NULL, G_TYPE_BOOL },
 		{ 'i', "iterations", "-1", G_TYPE_NUMBER },
 		{ 'J', "newpassfile", G_VAL_OPTIONAL, G_TYPE_STRING | G_TYPE_MULTI },
 		{ 'K', "newkeyfile", G_VAL_OPTIONAL, G_TYPE_STRING | G_TYPE_MULTI },
 		{ 'l', "keylen", "0", G_TYPE_NUMBER },
 		{ 'P', "nonewpassphrase", NULL, G_TYPE_BOOL },
 		{ 's', "sectorsize", "0", G_TYPE_NUMBER },
 		{ 'V', "mdversion", "-1", G_TYPE_NUMBER },
 		G_OPT_SENTINEL
 	    },
 	    "- an alias for 'init'"
 	},
 	{ "attach", G_FLAG_VERBOSE | G_FLAG_LOADKLD, eli_main,
 	    {
 		{ 'd', "detach", NULL, G_TYPE_BOOL },
 		{ 'j', "passfile", G_VAL_OPTIONAL, G_TYPE_STRING | G_TYPE_MULTI },
 		{ 'k', "keyfile", G_VAL_OPTIONAL, G_TYPE_STRING | G_TYPE_MULTI },
 		{ 'p', "nopassphrase", NULL, G_TYPE_BOOL },
 		{ 'r', "readonly", NULL, G_TYPE_BOOL },
 		G_OPT_SENTINEL
 	    },
 	    "[-dprv] [-j passfile] [-k keyfile] prov"
 	},
 	{ "detach", 0, NULL,
 	    {
 		{ 'f', "force", NULL, G_TYPE_BOOL },
 		{ 'l', "last", NULL, G_TYPE_BOOL },
 		G_OPT_SENTINEL
 	    },
 	    "[-fl] prov ..."
 	},
 	{ "stop", 0, NULL,
 	    {
 		{ 'f', "force", NULL, G_TYPE_BOOL },
 		{ 'l', "last", NULL, G_TYPE_BOOL },
 		G_OPT_SENTINEL
 	    },
 	    "- an alias for 'detach'"
 	},
 	{ "onetime", G_FLAG_VERBOSE | G_FLAG_LOADKLD, NULL,
 	    {
 		{ 'a', "aalgo", "", G_TYPE_STRING },
 		{ 'd', "detach", NULL, G_TYPE_BOOL },
 		{ 'e', "ealgo", GELI_ENC_ALGO, G_TYPE_STRING },
 		{ 'l', "keylen", "0", G_TYPE_NUMBER },
 		{ 's', "sectorsize", "0", G_TYPE_NUMBER },
 		{ 'T', "notrim", NULL, G_TYPE_BOOL },
 		G_OPT_SENTINEL
 	    },
 	    "[-dT] [-a aalgo] [-e ealgo] [-l keylen] [-s sectorsize] prov"
 	},
 	{ "configure", G_FLAG_VERBOSE, eli_main,
 	    {
 		{ 'b', "boot", NULL, G_TYPE_BOOL },
 		{ 'B', "noboot", NULL, G_TYPE_BOOL },
 		{ 'g', "geliboot", NULL, G_TYPE_BOOL },
 		{ 'G', "nogeliboot", NULL, G_TYPE_BOOL },
 		{ 't', "trim", NULL, G_TYPE_BOOL },
 		{ 'T', "notrim", NULL, G_TYPE_BOOL },
 		G_OPT_SENTINEL
 	    },
 	    "[-bBgGtT] prov ..."
 	},
 	{ "setkey", G_FLAG_VERBOSE, eli_main,
 	    {
 		{ 'i', "iterations", "-1", G_TYPE_NUMBER },
 		{ 'j', "passfile", G_VAL_OPTIONAL, G_TYPE_STRING | G_TYPE_MULTI },
 		{ 'J', "newpassfile", G_VAL_OPTIONAL, G_TYPE_STRING | G_TYPE_MULTI },
 		{ 'k', "keyfile", G_VAL_OPTIONAL, G_TYPE_STRING | G_TYPE_MULTI },
 		{ 'K', "newkeyfile", G_VAL_OPTIONAL, G_TYPE_STRING | G_TYPE_MULTI },
 		{ 'n', "keyno", "-1", G_TYPE_NUMBER },
 		{ 'p', "nopassphrase", NULL, G_TYPE_BOOL },
 		{ 'P', "nonewpassphrase", NULL, G_TYPE_BOOL },
 		G_OPT_SENTINEL
 	    },
 	    "[-pPv] [-n keyno] [-i iterations] [-j passfile] [-J newpassfile] [-k keyfile] [-K newkeyfile] prov"
 	},
 	{ "delkey", G_FLAG_VERBOSE, eli_main,
 	    {
 		{ 'a', "all", NULL, G_TYPE_BOOL },
 		{ 'f', "force", NULL, G_TYPE_BOOL },
 		{ 'n', "keyno", "-1", G_TYPE_NUMBER },
 		G_OPT_SENTINEL
 	    },
 	    "[-afv] [-n keyno] prov"
 	},
 	{ "suspend", G_FLAG_VERBOSE, NULL,
 	    {
 		{ 'a', "all", NULL, G_TYPE_BOOL },
 		G_OPT_SENTINEL
 	    },
 	    "[-v] -a | prov ..."
 	},
 	{ "resume", G_FLAG_VERBOSE, eli_main,
 	    {
 		{ 'j', "passfile", G_VAL_OPTIONAL, G_TYPE_STRING | G_TYPE_MULTI },
 		{ 'k', "keyfile", G_VAL_OPTIONAL, G_TYPE_STRING | G_TYPE_MULTI },
 		{ 'p', "nopassphrase", NULL, G_TYPE_BOOL },
 		G_OPT_SENTINEL
 	    },
 	    "[-pv] [-j passfile] [-k keyfile] prov"
 	},
 	{ "kill", G_FLAG_VERBOSE, eli_main,
 	    {
 		{ 'a', "all", NULL, G_TYPE_BOOL },
 		G_OPT_SENTINEL
 	    },
 	    "[-av] [prov ...]"
 	},
 	{ "backup", G_FLAG_VERBOSE, eli_main, G_NULL_OPTS,
 	    "[-v] prov file"
 	},
 	{ "restore", G_FLAG_VERBOSE, eli_main,
 	    {
 		{ 'f', "force", NULL, G_TYPE_BOOL },
 		G_OPT_SENTINEL
 	    },
 	    "[-fv] file prov"
 	},
 	{ "resize", G_FLAG_VERBOSE, eli_main,
 	    {
 		{ 's', "oldsize", NULL, G_TYPE_NUMBER },
 		G_OPT_SENTINEL
 	    },
 	    "[-v] -s oldsize prov"
 	},
 	{ "version", G_FLAG_LOADKLD, eli_main, G_NULL_OPTS,
 	    "[prov ...]"
 	},
 	{ "clear", G_FLAG_VERBOSE, eli_main, G_NULL_OPTS,
 	    "[-v] prov ..."
 	},
 	{ "dump", G_FLAG_VERBOSE, eli_main, G_NULL_OPTS,
 	    "[-v] prov ..."
 	},
 	G_CMD_SENTINEL
 };
 
 static int verbose = 0;
 
 #define	BUFSIZE	1024
 
 static int
 eli_protect(struct gctl_req *req)
 {
 	struct rlimit rl;
 
 	/* Disable core dumps. */
 	rl.rlim_cur = 0;
 	rl.rlim_max = 0;
 	if (setrlimit(RLIMIT_CORE, &rl) == -1) {
 		gctl_error(req, "Cannot disable core dumps: %s.",
 		    strerror(errno));
 		return (-1);
 	}
 	/* Disable swapping. */
 	if (mlockall(MCL_FUTURE) == -1) {
 		gctl_error(req, "Cannot lock memory: %s.", strerror(errno));
 		return (-1);
 	}
 	return (0);
 }
 
 static void
 eli_main(struct gctl_req *req, unsigned int flags)
 {
 	const char *name;
 
 	if (eli_protect(req) == -1)
 		return;
 
 	if ((flags & G_FLAG_VERBOSE) != 0)
 		verbose = 1;
 
 	name = gctl_get_ascii(req, "verb");
 	if (name == NULL) {
 		gctl_error(req, "No '%s' argument.", "verb");
 		return;
 	}
 	if (strcmp(name, "init") == 0 || strcmp(name, "label") == 0)
 		eli_init(req);
 	else if (strcmp(name, "attach") == 0)
 		eli_attach(req);
 	else if (strcmp(name, "configure") == 0)
 		eli_configure(req);
 	else if (strcmp(name, "setkey") == 0)
 		eli_setkey(req);
 	else if (strcmp(name, "delkey") == 0)
 		eli_delkey(req);
 	else if (strcmp(name, "resume") == 0)
 		eli_resume(req);
 	else if (strcmp(name, "kill") == 0)
 		eli_kill(req);
 	else if (strcmp(name, "backup") == 0)
 		eli_backup(req);
 	else if (strcmp(name, "restore") == 0)
 		eli_restore(req);
 	else if (strcmp(name, "resize") == 0)
 		eli_resize(req);
 	else if (strcmp(name, "version") == 0)
 		eli_version(req);
 	else if (strcmp(name, "dump") == 0)
 		eli_dump(req);
 	else if (strcmp(name, "clear") == 0)
 		eli_clear(req);
 	else
 		gctl_error(req, "Unknown command: %s.", name);
 }
 
 static bool
 eli_is_attached(const char *prov)
 {
 	char name[MAXPATHLEN];
 
 	/*
 	 * Not the best way to do it, but the easiest.
 	 * We try to open provider and check if it is a GEOM provider
 	 * by asking about its sectorsize.
 	 */
 	snprintf(name, sizeof(name), "%s%s", prov, G_ELI_SUFFIX);
 	return (g_get_sectorsize(name) > 0);
 }
 
 static int
 eli_genkey_files(struct gctl_req *req, bool new, const char *type,
     struct hmac_ctx *ctxp, char *passbuf, size_t passbufsize)
 {
 	char *p, buf[BUFSIZE], argname[16];
 	const char *file;
 	int error, fd, i;
 	ssize_t done;
 
 	assert((strcmp(type, "keyfile") == 0 && ctxp != NULL &&
 	    passbuf == NULL && passbufsize == 0) ||
 	    (strcmp(type, "passfile") == 0 && ctxp == NULL &&
 	    passbuf != NULL && passbufsize > 0));
 	assert(strcmp(type, "keyfile") == 0 || passbuf[0] == '\0');
 
 	for (i = 0; ; i++) {
 		snprintf(argname, sizeof(argname), "%s%s%d",
 		    new ? "new" : "", type, i);
 
 		/* No more {key,pass}files? */
 		if (!gctl_has_param(req, argname))
 			return (i);
 
 		file = gctl_get_ascii(req, "%s", argname);
 		assert(file != NULL);
 
 		if (strcmp(file, "-") == 0)
 			fd = STDIN_FILENO;
 		else {
 			fd = open(file, O_RDONLY);
 			if (fd == -1) {
 				gctl_error(req, "Cannot open %s %s: %s.",
 				    type, file, strerror(errno));
 				return (-1);
 			}
 		}
 		if (strcmp(type, "keyfile") == 0) {
 			while ((done = read(fd, buf, sizeof(buf))) > 0)
 				g_eli_crypto_hmac_update(ctxp, buf, done);
 		} else /* if (strcmp(type, "passfile") == 0) */ {
 			assert(strcmp(type, "passfile") == 0);
 
 			while ((done = read(fd, buf, sizeof(buf) - 1)) > 0) {
 				buf[done] = '\0';
 				p = strchr(buf, '\n');
 				if (p != NULL) {
 					*p = '\0';
 					done = p - buf;
 				}
 				if (strlcat(passbuf, buf, passbufsize) >=
 				    passbufsize) {
 					gctl_error(req,
 					    "Passphrase in %s too long.", file);
 					bzero(buf, sizeof(buf));
 					return (-1);
 				}
 				if (p != NULL)
 					break;
 			}
 		}
 		error = errno;
 		if (strcmp(file, "-") != 0)
 			close(fd);
 		bzero(buf, sizeof(buf));
 		if (done == -1) {
 			gctl_error(req, "Cannot read %s %s: %s.",
 			    type, file, strerror(error));
 			return (-1);
 		}
 	}
 	/* NOTREACHED */
 }
 
 static int
 eli_genkey_passphrase_prompt(struct gctl_req *req, bool new, char *passbuf,
     size_t passbufsize)
 {
 	char *p;
 
 	for (;;) {
 		p = readpassphrase(
 		    new ? "Enter new passphrase: " : "Enter passphrase: ",
 		    passbuf, passbufsize, RPP_ECHO_OFF | RPP_REQUIRE_TTY);
 		if (p == NULL) {
 			bzero(passbuf, passbufsize);
 			gctl_error(req, "Cannot read passphrase: %s.",
 			    strerror(errno));
 			return (-1);
 		}
 
 		if (new) {
 			char tmpbuf[BUFSIZE];
 
 			p = readpassphrase("Reenter new passphrase: ",
 			    tmpbuf, sizeof(tmpbuf),
 			    RPP_ECHO_OFF | RPP_REQUIRE_TTY);
 			if (p == NULL) {
 				bzero(passbuf, passbufsize);
 				gctl_error(req,
 				    "Cannot read passphrase: %s.",
 				    strerror(errno));
 				return (-1);
 			}
 
 			if (strcmp(passbuf, tmpbuf) != 0) {
 				bzero(passbuf, passbufsize);
 				fprintf(stderr, "They didn't match.\n");
 				continue;
 			}
 			bzero(tmpbuf, sizeof(tmpbuf));
 		}
 		return (0);
 	}
 	/* NOTREACHED */
 }
 
 static int
 eli_genkey_passphrase(struct gctl_req *req, struct g_eli_metadata *md, bool new,
     struct hmac_ctx *ctxp)
 {
 	char passbuf[BUFSIZE];
 	bool nopassphrase;
 	int nfiles;
 
 	nopassphrase =
 	    gctl_get_int(req, new ? "nonewpassphrase" : "nopassphrase");
 	if (nopassphrase) {
 		if (gctl_has_param(req, new ? "newpassfile0" : "passfile0")) {
 			gctl_error(req,
 			    "Options -%c and -%c are mutually exclusive.",
 			    new ? 'J' : 'j', new ? 'P' : 'p');
 			return (-1);
 		}
 		return (0);
 	}
 
 	if (!new && md->md_iterations == -1) {
 		gctl_error(req, "Missing -p flag.");
 		return (-1);
 	}
 	passbuf[0] = '\0';
 	nfiles = eli_genkey_files(req, new, "passfile", NULL, passbuf,
 	    sizeof(passbuf));
 	if (nfiles == -1)
 		return (-1);
 	else if (nfiles == 0) {
 		if (eli_genkey_passphrase_prompt(req, new, passbuf,
 		    sizeof(passbuf)) == -1) {
 			return (-1);
 		}
 	}
 	/*
 	 * Field md_iterations equal to -1 means "choose some sane
 	 * value for me".
 	 */
 	if (md->md_iterations == -1) {
 		assert(new);
 		if (verbose)
 			printf("Calculating number of iterations...\n");
 		md->md_iterations = pkcs5v2_calculate(2000000);
 		assert(md->md_iterations > 0);
 		if (verbose) {
 			printf("Done, using %d iterations.\n",
 			    md->md_iterations);
 		}
 	}
 	/*
 	 * If md_iterations is equal to 0, user doesn't want PKCS#5v2.
 	 */
 	if (md->md_iterations == 0) {
 		g_eli_crypto_hmac_update(ctxp, md->md_salt,
 		    sizeof(md->md_salt));
 		g_eli_crypto_hmac_update(ctxp, passbuf, strlen(passbuf));
 	} else /* if (md->md_iterations > 0) */ {
 		unsigned char dkey[G_ELI_USERKEYLEN];
 
 		pkcs5v2_genkey(dkey, sizeof(dkey), md->md_salt,
 		    sizeof(md->md_salt), passbuf, md->md_iterations);
 		g_eli_crypto_hmac_update(ctxp, dkey, sizeof(dkey));
 		bzero(dkey, sizeof(dkey));
 	}
 	bzero(passbuf, sizeof(passbuf));
 
 	return (0);
 }
 
 static unsigned char *
 eli_genkey(struct gctl_req *req, struct g_eli_metadata *md, unsigned char *key,
     bool new)
 {
 	struct hmac_ctx ctx;
 	bool nopassphrase;
 	int nfiles;
 
 	nopassphrase =
 	    gctl_get_int(req, new ? "nonewpassphrase" : "nopassphrase");
 
 	g_eli_crypto_hmac_init(&ctx, NULL, 0);
 
 	nfiles = eli_genkey_files(req, new, "keyfile", &ctx, NULL, 0);
 	if (nfiles == -1)
 		return (NULL);
 	else if (nfiles == 0 && nopassphrase) {
 		gctl_error(req, "No key components given.");
 		return (NULL);
 	}
 
 	if (eli_genkey_passphrase(req, md, new, &ctx) == -1)
 		return (NULL);
 
 	g_eli_crypto_hmac_final(&ctx, key, 0);
 
 	return (key);
 }
 
 static int
 eli_metadata_read(struct gctl_req *req, const char *prov,
     struct g_eli_metadata *md)
 {
 	unsigned char sector[sizeof(struct g_eli_metadata)];
 	int error;
 
 	if (g_get_sectorsize(prov) == 0) {
 		int fd;
 
 		/* This is a file probably. */
 		fd = open(prov, O_RDONLY);
 		if (fd == -1) {
 			gctl_error(req, "Cannot open %s: %s.", prov,
 			    strerror(errno));
 			return (-1);
 		}
 		if (read(fd, sector, sizeof(sector)) != sizeof(sector)) {
 			gctl_error(req, "Cannot read metadata from %s: %s.",
 			    prov, strerror(errno));
 			close(fd);
 			return (-1);
 		}
 		close(fd);
 	} else {
 		/* This is a GEOM provider. */
 		error = g_metadata_read(prov, sector, sizeof(sector),
 		    G_ELI_MAGIC);
 		if (error != 0) {
 			gctl_error(req, "Cannot read metadata from %s: %s.",
 			    prov, strerror(error));
 			return (-1);
 		}
 	}
 	error = eli_metadata_decode(sector, md);
 	switch (error) {
 	case 0:
 		break;
 	case EOPNOTSUPP:
 		gctl_error(req,
 		    "Provider's %s metadata version %u is too new.\n"
 		    "geli: The highest supported version is %u.",
 		    prov, (unsigned int)md->md_version, G_ELI_VERSION);
 		return (-1);
 	case EINVAL:
 		gctl_error(req, "Inconsistent provider's %s metadata.", prov);
 		return (-1);
 	default:
 		gctl_error(req,
 		    "Unexpected error while decoding provider's %s metadata: %s.",
 		    prov, strerror(error));
 		return (-1);
 	}
 	return (0);
 }
 
 static int
 eli_metadata_store(struct gctl_req *req, const char *prov,
     struct g_eli_metadata *md)
 {
 	unsigned char sector[sizeof(struct g_eli_metadata)];
 	int error;
 
 	eli_metadata_encode(md, sector);
 	if (g_get_sectorsize(prov) == 0) {
 		int fd;
 
 		/* This is a file probably. */
 		fd = open(prov, O_WRONLY | O_TRUNC);
 		if (fd == -1) {
 			gctl_error(req, "Cannot open %s: %s.", prov,
 			    strerror(errno));
 			bzero(sector, sizeof(sector));
 			return (-1);
 		}
 		if (write(fd, sector, sizeof(sector)) != sizeof(sector)) {
 			gctl_error(req, "Cannot write metadata to %s: %s.",
 			    prov, strerror(errno));
 			bzero(sector, sizeof(sector));
 			close(fd);
 			return (-1);
 		}
 		close(fd);
 	} else {
 		/* This is a GEOM provider. */
 		error = g_metadata_store(prov, sector, sizeof(sector));
 		if (error != 0) {
 			gctl_error(req, "Cannot write metadata to %s: %s.",
 			    prov, strerror(errno));
 			bzero(sector, sizeof(sector));
 			return (-1);
 		}
 	}
 	bzero(sector, sizeof(sector));
 	return (0);
 }
 
 static void
 eli_init(struct gctl_req *req)
 {
 	struct g_eli_metadata md;
-	unsigned char sector[sizeof(struct g_eli_metadata)];
+	unsigned char sector[sizeof(struct g_eli_metadata)] __aligned(4);
 	unsigned char key[G_ELI_USERKEYLEN];
 	char backfile[MAXPATHLEN];
 	const char *str, *prov;
 	unsigned int secsize, version;
 	off_t mediasize;
 	intmax_t val;
 	int error, nargs;
 
 	nargs = gctl_get_int(req, "nargs");
 	if (nargs != 1) {
 		gctl_error(req, "Invalid number of arguments.");
 		return;
 	}
 	prov = gctl_get_ascii(req, "arg0");
 	mediasize = g_get_mediasize(prov);
 	secsize = g_get_sectorsize(prov);
 	if (mediasize == 0 || secsize == 0) {
 		gctl_error(req, "Cannot get informations about %s: %s.", prov,
 		    strerror(errno));
 		return;
 	}
 
 	bzero(&md, sizeof(md));
 	strlcpy(md.md_magic, G_ELI_MAGIC, sizeof(md.md_magic));
 	val = gctl_get_intmax(req, "mdversion");
 	if (val == -1) {
 		version = G_ELI_VERSION;
 	} else if (val < 0 || val > G_ELI_VERSION) {
 		gctl_error(req,
 		    "Invalid version specified should be between %u and %u.",
 		    G_ELI_VERSION_00, G_ELI_VERSION);
 		return;
 	} else {
 		version = val;
 	}
 	md.md_version = version;
 	md.md_flags = 0;
 	if (gctl_get_int(req, "boot"))
 		md.md_flags |= G_ELI_FLAG_BOOT;
 	if (gctl_get_int(req, "geliboot"))
 		md.md_flags |= G_ELI_FLAG_GELIBOOT;
 	if (gctl_get_int(req, "notrim"))
 		md.md_flags |= G_ELI_FLAG_NODELETE;
 	md.md_ealgo = CRYPTO_ALGORITHM_MIN - 1;
 	str = gctl_get_ascii(req, "aalgo");
 	if (*str != '\0') {
 		if (version < G_ELI_VERSION_01) {
 			gctl_error(req,
 			    "Data authentication is supported starting from version %u.",
 			    G_ELI_VERSION_01);
 			return;
 		}
 		md.md_aalgo = g_eli_str2aalgo(str);
 		if (md.md_aalgo >= CRYPTO_ALGORITHM_MIN &&
 		    md.md_aalgo <= CRYPTO_ALGORITHM_MAX) {
 			md.md_flags |= G_ELI_FLAG_AUTH;
 		} else {
 			/*
 			 * For backward compatibility, check if the -a option
 			 * was used to provide encryption algorithm.
 			 */
 			md.md_ealgo = g_eli_str2ealgo(str);
 			if (md.md_ealgo < CRYPTO_ALGORITHM_MIN ||
 			    md.md_ealgo > CRYPTO_ALGORITHM_MAX) {
 				gctl_error(req,
 				    "Invalid authentication algorithm.");
 				return;
 			} else {
 				fprintf(stderr, "warning: The -e option, not "
 				    "the -a option is now used to specify "
 				    "encryption algorithm to use.\n");
 			}
 		}
 	}
 	if (md.md_ealgo < CRYPTO_ALGORITHM_MIN ||
 	    md.md_ealgo > CRYPTO_ALGORITHM_MAX) {
 		str = gctl_get_ascii(req, "ealgo");
 		if (*str == '\0') {
 			if (version < G_ELI_VERSION_05)
 				str = "aes-cbc";
 			else
 				str = GELI_ENC_ALGO;
 		}
 		md.md_ealgo = g_eli_str2ealgo(str);
 		if (md.md_ealgo < CRYPTO_ALGORITHM_MIN ||
 		    md.md_ealgo > CRYPTO_ALGORITHM_MAX) {
 			gctl_error(req, "Invalid encryption algorithm.");
 			return;
 		}
 		if (md.md_ealgo == CRYPTO_CAMELLIA_CBC &&
 		    version < G_ELI_VERSION_04) {
 			gctl_error(req,
 			    "Camellia-CBC algorithm is supported starting from version %u.",
 			    G_ELI_VERSION_04);
 			return;
 		}
 		if (md.md_ealgo == CRYPTO_AES_XTS &&
 		    version < G_ELI_VERSION_05) {
 			gctl_error(req,
 			    "AES-XTS algorithm is supported starting from version %u.",
 			    G_ELI_VERSION_05);
 			return;
 		}
 	}
 	val = gctl_get_intmax(req, "keylen");
 	md.md_keylen = val;
 	md.md_keylen = g_eli_keylen(md.md_ealgo, md.md_keylen);
 	if (md.md_keylen == 0) {
 		gctl_error(req, "Invalid key length.");
 		return;
 	}
 	md.md_provsize = mediasize;
 
 	val = gctl_get_intmax(req, "iterations");
 	if (val != -1) {
 		int nonewpassphrase;
 
 		/*
 		 * Don't allow to set iterations when there will be no
 		 * passphrase.
 		 */
 		nonewpassphrase = gctl_get_int(req, "nonewpassphrase");
 		if (nonewpassphrase) {
 			gctl_error(req,
 			    "Options -i and -P are mutually exclusive.");
 			return;
 		}
 	}
 	md.md_iterations = val;
 
 	val = gctl_get_intmax(req, "sectorsize");
 	if (val == 0)
 		md.md_sectorsize = secsize;
 	else {
 		if (val < 0 || (val % secsize) != 0 || !powerof2(val)) {
 			gctl_error(req, "Invalid sector size.");
 			return;
 		}
 		if (val > sysconf(_SC_PAGE_SIZE)) {
 			fprintf(stderr,
 			    "warning: Using sectorsize bigger than the page size!\n");
 		}
 		md.md_sectorsize = val;
 	}
 
 	md.md_keys = 0x01;
 	arc4random_buf(md.md_salt, sizeof(md.md_salt));
 	arc4random_buf(md.md_mkeys, sizeof(md.md_mkeys));
 
 	/* Generate user key. */
 	if (eli_genkey(req, &md, key, true) == NULL) {
 		bzero(key, sizeof(key));
 		bzero(&md, sizeof(md));
 		return;
 	}
 
 	/* Encrypt the first and the only Master Key. */
 	error = g_eli_mkey_encrypt(md.md_ealgo, key, md.md_keylen, md.md_mkeys);
 	bzero(key, sizeof(key));
 	if (error != 0) {
 		bzero(&md, sizeof(md));
 		gctl_error(req, "Cannot encrypt Master Key: %s.",
 		    strerror(error));
 		return;
 	}
 
 	eli_metadata_encode(&md, sector);
 	bzero(&md, sizeof(md));
 	error = g_metadata_store(prov, sector, sizeof(sector));
 	bzero(sector, sizeof(sector));
 	if (error != 0) {
 		gctl_error(req, "Cannot store metadata on %s: %s.", prov,
 		    strerror(error));
 		return;
 	}
 	if (verbose)
 		printf("Metadata value stored on %s.\n", prov);
 	/* Backup metadata to a file. */
 	str = gctl_get_ascii(req, "backupfile");
 	if (str[0] != '\0') {
 		/* Backupfile given be the user, just copy it. */
 		strlcpy(backfile, str, sizeof(backfile));
 	} else {
 		/* Generate file name automatically. */
 		const char *p = prov;
 		unsigned int i;
 
 		if (strncmp(p, _PATH_DEV, sizeof(_PATH_DEV) - 1) == 0)
 			p += sizeof(_PATH_DEV) - 1;
 		snprintf(backfile, sizeof(backfile), "%s%s.eli",
 		    GELI_BACKUP_DIR, p);
 		/* Replace all / with _. */
 		for (i = strlen(GELI_BACKUP_DIR); backfile[i] != '\0'; i++) {
 			if (backfile[i] == '/')
 				backfile[i] = '_';
 		}
 	}
 	if (strcmp(backfile, "none") != 0 &&
 	    eli_backup_create(req, prov, backfile) == 0) {
 		printf("\nMetadata backup can be found in %s and\n", backfile);
 		printf("can be restored with the following command:\n");
 		printf("\n\t# geli restore %s %s\n\n", backfile, prov);
 	}
 }
 
 static void
 eli_attach(struct gctl_req *req)
 {
 	struct g_eli_metadata md;
 	unsigned char key[G_ELI_USERKEYLEN];
 	const char *prov;
 	off_t mediasize;
 	int nargs;
 
 	nargs = gctl_get_int(req, "nargs");
 	if (nargs != 1) {
 		gctl_error(req, "Invalid number of arguments.");
 		return;
 	}
 	prov = gctl_get_ascii(req, "arg0");
 
 	if (eli_metadata_read(req, prov, &md) == -1)
 		return;
 
 	mediasize = g_get_mediasize(prov);
 	if (md.md_provsize != (uint64_t)mediasize) {
 		gctl_error(req, "Provider size mismatch.");
 		return;
 	}
 
 	if (eli_genkey(req, &md, key, false) == NULL) {
 		bzero(key, sizeof(key));
 		return;
 	}
 
 	gctl_ro_param(req, "key", sizeof(key), key);
 	if (gctl_issue(req) == NULL) {
 		if (verbose)
 			printf("Attached to %s.\n", prov);
 	}
 	bzero(key, sizeof(key));
 }
 
 static void
 eli_configure_detached(struct gctl_req *req, const char *prov, int boot,
  int geliboot, int trim)
 {
 	struct g_eli_metadata md;
 	bool changed = 0;
 
 	if (eli_metadata_read(req, prov, &md) == -1)
 		return;
 
 	if (boot == 1 && (md.md_flags & G_ELI_FLAG_BOOT)) {
 		if (verbose)
 			printf("BOOT flag already configured for %s.\n", prov);
 	} else if (boot == 0 && !(md.md_flags & G_ELI_FLAG_BOOT)) {
 		if (verbose)
 			printf("BOOT flag not configured for %s.\n", prov);
 	} else if (boot >= 0) {
 		if (boot)
 			md.md_flags |= G_ELI_FLAG_BOOT;
 		else
 			md.md_flags &= ~G_ELI_FLAG_BOOT;
 		changed = 1;
 	}
 
 	if (geliboot == 1 && (md.md_flags & G_ELI_FLAG_GELIBOOT)) {
 		if (verbose)
 			printf("GELIBOOT flag already configured for %s.\n", prov);
 	} else if (geliboot == 0 && !(md.md_flags & G_ELI_FLAG_GELIBOOT)) {
 		if (verbose)
 			printf("GELIBOOT flag not configured for %s.\n", prov);
 	} else if (geliboot >= 0) {
 		if (geliboot)
 			md.md_flags |= G_ELI_FLAG_GELIBOOT;
 		else
 			md.md_flags &= ~G_ELI_FLAG_GELIBOOT;
 		changed = 1;
 	}
 
 	if (trim == 0 && (md.md_flags & G_ELI_FLAG_NODELETE)) {
 		if (verbose)
 			printf("TRIM disable flag already configured for %s.\n", prov);
 	} else if (trim == 1 && !(md.md_flags & G_ELI_FLAG_NODELETE)) {
 		if (verbose)
 			printf("TRIM disable flag not configured for %s.\n", prov);
 	} else if (trim >= 0) {
 		if (trim)
 			md.md_flags &= ~G_ELI_FLAG_NODELETE;
 		else
 			md.md_flags |= G_ELI_FLAG_NODELETE;
 		changed = 1;
 	}
 
 	if (changed)
 		eli_metadata_store(req, prov, &md);
 	bzero(&md, sizeof(md));
 }
 
 static void
 eli_configure(struct gctl_req *req)
 {
 	const char *prov;
 	bool boot, noboot, geliboot, nogeliboot, trim, notrim;
 	int doboot, dogeliboot, dotrim;
 	int i, nargs;
 
 	nargs = gctl_get_int(req, "nargs");
 	if (nargs == 0) {
 		gctl_error(req, "Too few arguments.");
 		return;
 	}
 
 	boot = gctl_get_int(req, "boot");
 	noboot = gctl_get_int(req, "noboot");
 	geliboot = gctl_get_int(req, "geliboot");
 	nogeliboot = gctl_get_int(req, "nogeliboot");
 	trim = gctl_get_int(req, "trim");
 	notrim = gctl_get_int(req, "notrim");
 
 	doboot = -1;
 	if (boot && noboot) {
 		gctl_error(req, "Options -b and -B are mutually exclusive.");
 		return;
 	}
 	if (boot)
 		doboot = 1;
 	else if (noboot)
 		doboot = 0;
 
 	dogeliboot = -1;
 	if (geliboot && nogeliboot) {
 		gctl_error(req, "Options -g and -G are mutually exclusive.");
 		return;
 	}
 	if (geliboot)
 		dogeliboot = 1;
 	else if (nogeliboot)
 		dogeliboot = 0;
 
 	dotrim = -1;
 	if (trim && notrim) {
 		gctl_error(req, "Options -t and -T are mutually exclusive.");
 		return;
 	}
 	if (trim)
 		dotrim = 1;
 	else if (notrim)
 		dotrim = 0;
 
 	if (doboot == -1 && dogeliboot == -1 && dotrim == -1) {
 		gctl_error(req, "No option given.");
 		return;
 	}
 
 	/* First attached providers. */
 	gctl_issue(req);
 	/* Now the rest. */
 	for (i = 0; i < nargs; i++) {
 		prov = gctl_get_ascii(req, "arg%d", i);
 		if (!eli_is_attached(prov))
 			eli_configure_detached(req, prov, doboot, dogeliboot, dotrim);
 	}
 }
 
 static void
 eli_setkey_attached(struct gctl_req *req, struct g_eli_metadata *md)
 {
 	unsigned char key[G_ELI_USERKEYLEN];
 	intmax_t val, old = 0;
 	int error;
 
 	val = gctl_get_intmax(req, "iterations");
 	/* Check if iterations number should be changed. */
 	if (val != -1)
 		md->md_iterations = val;
 	else
 		old = md->md_iterations;
 
 	/* Generate key for Master Key encryption. */
 	if (eli_genkey(req, md, key, true) == NULL) {
 		bzero(key, sizeof(key));
 		return;
 	}
 	/*
 	 * If number of iterations has changed, but wasn't given as a
 	 * command-line argument, update the request.
 	 */
 	if (val == -1 && md->md_iterations != old) {
 		error = gctl_change_param(req, "iterations", sizeof(intmax_t),
 		    &md->md_iterations);
 		assert(error == 0);
 	}
 
 	gctl_ro_param(req, "key", sizeof(key), key);
 	gctl_issue(req);
 	bzero(key, sizeof(key));
 }
 
 static void
 eli_setkey_detached(struct gctl_req *req, const char *prov,
  struct g_eli_metadata *md)
 {
 	unsigned char key[G_ELI_USERKEYLEN], mkey[G_ELI_DATAIVKEYLEN];
 	unsigned char *mkeydst;
 	unsigned int nkey;
 	intmax_t val;
 	int error;
 
 	if (md->md_keys == 0) {
 		gctl_error(req, "No valid keys on %s.", prov);
 		return;
 	}
 
 	/* Generate key for Master Key decryption. */
 	if (eli_genkey(req, md, key, false) == NULL) {
 		bzero(key, sizeof(key));
 		return;
 	}
 
 	/* Decrypt Master Key. */
 	error = g_eli_mkey_decrypt(md, key, mkey, &nkey);
 	bzero(key, sizeof(key));
 	if (error != 0) {
 		bzero(md, sizeof(*md));
 		if (error == -1)
 			gctl_error(req, "Wrong key for %s.", prov);
 		else /* if (error > 0) */ {
 			gctl_error(req, "Cannot decrypt Master Key: %s.",
 			    strerror(error));
 		}
 		return;
 	}
 	if (verbose)
 		printf("Decrypted Master Key %u.\n", nkey);
 
 	val = gctl_get_intmax(req, "keyno");
 	if (val != -1)
 		nkey = val;
 #if 0
 	else
 		; /* Use the key number which was found during decryption. */
 #endif
 	if (nkey >= G_ELI_MAXMKEYS) {
 		gctl_error(req, "Invalid '%s' argument.", "keyno");
 		return;
 	}
 
 	val = gctl_get_intmax(req, "iterations");
 	/* Check if iterations number should and can be changed. */
 	if (val != -1) {
 		if (bitcount32(md->md_keys) != 1) {
 			gctl_error(req, "To be able to use '-i' option, only "
 			    "one key can be defined.");
 			return;
 		}
 		if (md->md_keys != (1 << nkey)) {
 			gctl_error(req, "Only already defined key can be "
 			    "changed when '-i' option is used.");
 			return;
 		}
 		md->md_iterations = val;
 	}
 
 	mkeydst = md->md_mkeys + nkey * G_ELI_MKEYLEN;
 	md->md_keys |= (1 << nkey);
 
 	bcopy(mkey, mkeydst, sizeof(mkey));
 	bzero(mkey, sizeof(mkey));
 
 	/* Generate key for Master Key encryption. */
 	if (eli_genkey(req, md, key, true) == NULL) {
 		bzero(key, sizeof(key));
 		bzero(md, sizeof(*md));
 		return;
 	}
 
 	/* Encrypt the Master-Key with the new key. */
 	error = g_eli_mkey_encrypt(md->md_ealgo, key, md->md_keylen, mkeydst);
 	bzero(key, sizeof(key));
 	if (error != 0) {
 		bzero(md, sizeof(*md));
 		gctl_error(req, "Cannot encrypt Master Key: %s.",
 		    strerror(error));
 		return;
 	}
 
 	/* Store metadata with fresh key. */
 	eli_metadata_store(req, prov, md);
 	bzero(md, sizeof(*md));
 }
 
 static void
 eli_setkey(struct gctl_req *req)
 {
 	struct g_eli_metadata md;
 	const char *prov;
 	int nargs;
 
 	nargs = gctl_get_int(req, "nargs");
 	if (nargs != 1) {
 		gctl_error(req, "Invalid number of arguments.");
 		return;
 	}
 	prov = gctl_get_ascii(req, "arg0");
 
 	if (eli_metadata_read(req, prov, &md) == -1)
 		return;
 
 	if (eli_is_attached(prov))
 		eli_setkey_attached(req, &md);
 	else
 		eli_setkey_detached(req, prov, &md);
 
 	if (req->error == NULL || req->error[0] == '\0') {
 		printf("Note, that the master key encrypted with old keys "
 		    "and/or passphrase may still exists in a metadata backup "
 		    "file.\n");
 	}
 }
 
 static void
 eli_delkey_attached(struct gctl_req *req, const char *prov __unused)
 {
 
 	gctl_issue(req);
 }
 
 static void
 eli_delkey_detached(struct gctl_req *req, const char *prov)
 {
 	struct g_eli_metadata md;
 	unsigned char *mkeydst;
 	unsigned int nkey;
 	intmax_t val;
 	bool all, force;
 
 	if (eli_metadata_read(req, prov, &md) == -1)
 		return;
 
 	all = gctl_get_int(req, "all");
 	if (all)
 		arc4random_buf(md.md_mkeys, sizeof(md.md_mkeys));
 	else {
 		force = gctl_get_int(req, "force");
 		val = gctl_get_intmax(req, "keyno");
 		if (val == -1) {
 			gctl_error(req, "Key number has to be specified.");
 			return;
 		}
 		nkey = val;
 		if (nkey >= G_ELI_MAXMKEYS) {
 			gctl_error(req, "Invalid '%s' argument.", "keyno");
 			return;
 		}
 		if (!(md.md_keys & (1 << nkey)) && !force) {
 			gctl_error(req, "Master Key %u is not set.", nkey);
 			return;
 		}
 		md.md_keys &= ~(1 << nkey);
 		if (md.md_keys == 0 && !force) {
 			gctl_error(req, "This is the last Master Key. Use '-f' "
 			    "option if you really want to remove it.");
 			return;
 		}
 		mkeydst = md.md_mkeys + nkey * G_ELI_MKEYLEN;
 		arc4random_buf(mkeydst, G_ELI_MKEYLEN);
 	}
 
 	eli_metadata_store(req, prov, &md);
 	bzero(&md, sizeof(md));
 }
 
 static void
 eli_delkey(struct gctl_req *req)
 {
 	const char *prov;
 	int nargs;
 
 	nargs = gctl_get_int(req, "nargs");
 	if (nargs != 1) {
 		gctl_error(req, "Invalid number of arguments.");
 		return;
 	}
 	prov = gctl_get_ascii(req, "arg0");
 
 	if (eli_is_attached(prov))
 		eli_delkey_attached(req, prov);
 	else
 		eli_delkey_detached(req, prov);
 }
 
 static void
 eli_resume(struct gctl_req *req)
 {
 	struct g_eli_metadata md;
 	unsigned char key[G_ELI_USERKEYLEN];
 	const char *prov;
 	off_t mediasize;
 	int nargs;
 
 	nargs = gctl_get_int(req, "nargs");
 	if (nargs != 1) {
 		gctl_error(req, "Invalid number of arguments.");
 		return;
 	}
 	prov = gctl_get_ascii(req, "arg0");
 
 	if (eli_metadata_read(req, prov, &md) == -1)
 		return;
 
 	mediasize = g_get_mediasize(prov);
 	if (md.md_provsize != (uint64_t)mediasize) {
 		gctl_error(req, "Provider size mismatch.");
 		return;
 	}
 
 	if (eli_genkey(req, &md, key, false) == NULL) {
 		bzero(key, sizeof(key));
 		return;
 	}
 
 	gctl_ro_param(req, "key", sizeof(key), key);
 	if (gctl_issue(req) == NULL) {
 		if (verbose)
 			printf("Resumed %s.\n", prov);
 	}
 	bzero(key, sizeof(key));
 }
 
 static int
 eli_trash_metadata(struct gctl_req *req, const char *prov, int fd, off_t offset)
 {
 	unsigned int overwrites;
 	unsigned char *sector;
 	ssize_t size;
 	int error;
 
 	size = sizeof(overwrites);
 	if (sysctlbyname("kern.geom.eli.overwrites", &overwrites, &size,
 	    NULL, 0) == -1 || overwrites == 0) {
 		overwrites = G_ELI_OVERWRITES;
 	}
 
 	size = g_sectorsize(fd);
 	if (size <= 0) {
 		gctl_error(req, "Cannot obtain provider sector size %s: %s.",
 		    prov, strerror(errno));
 		return (-1);
 	}
 	sector = malloc(size);
 	if (sector == NULL) {
 		gctl_error(req, "Cannot allocate %zd bytes of memory.", size);
 		return (-1);
 	}
 
 	error = 0;
 	do {
 		arc4random_buf(sector, size);
 		if (pwrite(fd, sector, size, offset) != size) {
 			if (error == 0)
 				error = errno;
 		}
 		(void)g_flush(fd);
 	} while (--overwrites > 0);
 	free(sector);
 	if (error != 0) {
 		gctl_error(req, "Cannot trash metadata on provider %s: %s.",
 		    prov, strerror(error));
 		return (-1);
 	}
 	return (0);
 }
 
 static void
 eli_kill_detached(struct gctl_req *req, const char *prov)
 {
 	off_t offset;
 	int fd;
 
 	/*
 	 * NOTE: Maybe we should verify if this is geli provider first,
 	 *       but 'kill' command is quite critical so better don't waste
 	 *       the time.
 	 */
 #if 0
 	error = g_metadata_read(prov, (unsigned char *)&md, sizeof(md),
 	    G_ELI_MAGIC);
 	if (error != 0) {
 		gctl_error(req, "Cannot read metadata from %s: %s.", prov,
 		    strerror(error));
 		return;
 	}
 #endif
 
 	fd = g_open(prov, 1);
 	if (fd == -1) {
 		gctl_error(req, "Cannot open provider %s: %s.", prov,
 		    strerror(errno));
 		return;
 	}
 	offset = g_mediasize(fd) - g_sectorsize(fd);
 	if (offset <= 0) {
 		gctl_error(req,
 		    "Cannot obtain media size or sector size for provider %s: %s.",
 		    prov, strerror(errno));
 		(void)g_close(fd);
 		return;
 	}
 	(void)eli_trash_metadata(req, prov, fd, offset);
 	(void)g_close(fd);
 }
 
 static void
 eli_kill(struct gctl_req *req)
 {
 	const char *prov;
 	int i, nargs, all;
 
 	nargs = gctl_get_int(req, "nargs");
 	all = gctl_get_int(req, "all");
 	if (!all && nargs == 0) {
 		gctl_error(req, "Too few arguments.");
 		return;
 	}
 	/*
 	 * How '-a' option combine with a list of providers:
 	 * Delete Master Keys from all attached providers:
 	 * geli kill -a
 	 * Delete Master Keys from all attached providers and from
 	 * detached da0 and da1:
 	 * geli kill -a da0 da1
 	 * Delete Master Keys from (attached or detached) da0 and da1:
 	 * geli kill da0 da1
 	 */
 
 	/* First detached providers. */
 	for (i = 0; i < nargs; i++) {
 		prov = gctl_get_ascii(req, "arg%d", i);
 		if (!eli_is_attached(prov))
 			eli_kill_detached(req, prov);
 	}
 	/* Now attached providers. */
 	gctl_issue(req);
 }
 
 static int
 eli_backup_create(struct gctl_req *req, const char *prov, const char *file)
 {
 	unsigned char *sector;
 	ssize_t secsize;
 	int error, filefd, ret;
 
 	ret = -1;
 	filefd = -1;
 	sector = NULL;
 	secsize = 0;
 
 	secsize = g_get_sectorsize(prov);
 	if (secsize == 0) {
 		gctl_error(req, "Cannot get informations about %s: %s.", prov,
 		    strerror(errno));
 		goto out;
 	}
 	sector = malloc(secsize);
 	if (sector == NULL) {
 		gctl_error(req, "Cannot allocate memory.");
 		goto out;
 	}
 	/* Read metadata from the provider. */
 	error = g_metadata_read(prov, sector, secsize, G_ELI_MAGIC);
 	if (error != 0) {
 		gctl_error(req, "Unable to read metadata from %s: %s.", prov,
 		    strerror(error));
 		goto out;
 	}
 
 	filefd = open(file, O_WRONLY | O_TRUNC | O_CREAT, 0600);
 	if (filefd == -1) {
 		gctl_error(req, "Unable to open %s: %s.", file,
 		    strerror(errno));
 		goto out;
 	}
 	/* Write metadata to the destination file. */
 	if (write(filefd, sector, secsize) != secsize) {
 		gctl_error(req, "Unable to write to %s: %s.", file,
 		    strerror(errno));
 		(void)close(filefd);
 		(void)unlink(file);
 		goto out;
 	}
 	(void)fsync(filefd);
 	(void)close(filefd);
 	/* Success. */
 	ret = 0;
 out:
 	if (sector != NULL) {
 		bzero(sector, secsize);
 		free(sector);
 	}
 	return (ret);
 }
 
 static void
 eli_backup(struct gctl_req *req)
 {
 	const char *file, *prov;
 	int nargs;
 
 	nargs = gctl_get_int(req, "nargs");
 	if (nargs != 2) {
 		gctl_error(req, "Invalid number of arguments.");
 		return;
 	}
 	prov = gctl_get_ascii(req, "arg0");
 	file = gctl_get_ascii(req, "arg1");
 
 	eli_backup_create(req, prov, file);
 }
 
 static void
 eli_restore(struct gctl_req *req)
 {
 	struct g_eli_metadata md;
 	const char *file, *prov;
 	off_t mediasize;
 	int nargs;
 
 	nargs = gctl_get_int(req, "nargs");
 	if (nargs != 2) {
 		gctl_error(req, "Invalid number of arguments.");
 		return;
 	}
 	file = gctl_get_ascii(req, "arg0");
 	prov = gctl_get_ascii(req, "arg1");
 
 	/* Read metadata from the backup file. */
 	if (eli_metadata_read(req, file, &md) == -1)
 		return;
 	/* Obtain provider's mediasize. */
 	mediasize = g_get_mediasize(prov);
 	if (mediasize == 0) {
 		gctl_error(req, "Cannot get informations about %s: %s.", prov,
 		    strerror(errno));
 		return;
 	}
 	/* Check if the provider size has changed since we did the backup. */
 	if (md.md_provsize != (uint64_t)mediasize) {
 		if (gctl_get_int(req, "force")) {
 			md.md_provsize = mediasize;
 		} else {
 			gctl_error(req, "Provider size mismatch: "
 			    "wrong backup file?");
 			return;
 		}
 	}
 	/* Write metadata to the provider. */
 	(void)eli_metadata_store(req, prov, &md);
 }
 
 static void
 eli_resize(struct gctl_req *req)
 {
 	struct g_eli_metadata md;
 	const char *prov;
 	unsigned char *sector;
 	ssize_t secsize;
 	off_t mediasize, oldsize;
 	int error, nargs, provfd;
 
 	nargs = gctl_get_int(req, "nargs");
 	if (nargs != 1) {
 		gctl_error(req, "Invalid number of arguments.");
 		return;
 	}
 	prov = gctl_get_ascii(req, "arg0");
 
 	provfd = -1;
 	sector = NULL;
 	secsize = 0;
 
 	provfd = g_open(prov, 1);
 	if (provfd == -1) {
 		gctl_error(req, "Cannot open %s: %s.", prov, strerror(errno));
 		goto out;
 	}
 
 	mediasize = g_mediasize(provfd);
 	secsize = g_sectorsize(provfd);
 	if (mediasize == -1 || secsize == -1) {
 		gctl_error(req, "Cannot get information about %s: %s.", prov,
 		    strerror(errno));
 		goto out;
 	}
 
 	sector = malloc(secsize);
 	if (sector == NULL) {
 		gctl_error(req, "Cannot allocate memory.");
 		goto out;
 	}
 
 	oldsize = gctl_get_intmax(req, "oldsize");
 	if (oldsize < 0 || oldsize > mediasize) {
 		gctl_error(req, "Invalid oldsize: Out of range.");
 		goto out;
 	}
 	if (oldsize == mediasize) {
 		gctl_error(req, "Size hasn't changed.");
 		goto out;
 	}
 
 	/* Read metadata from the 'oldsize' offset. */
 	if (pread(provfd, sector, secsize, oldsize - secsize) != secsize) {
 		gctl_error(req, "Cannot read old metadata: %s.",
 		    strerror(errno));
 		goto out;
 	}
 
 	/* Check if this sector contains geli metadata. */
 	error = eli_metadata_decode(sector, &md);
 	switch (error) {
 	case 0:
 		break;
 	case EOPNOTSUPP:
 		gctl_error(req,
 		    "Provider's %s metadata version %u is too new.\n"
 		    "geli: The highest supported version is %u.",
 		    prov, (unsigned int)md.md_version, G_ELI_VERSION);
 		goto out;
 	case EINVAL:
 		gctl_error(req, "Inconsistent provider's %s metadata.", prov);
 		goto out;
 	default:
 		gctl_error(req,
 		    "Unexpected error while decoding provider's %s metadata: %s.",
 		    prov, strerror(error));
 		goto out;
 	}
 
 	/*
 	 * If the old metadata doesn't have a correct provider size, refuse
 	 * to resize.
 	 */
 	if (md.md_provsize != (uint64_t)oldsize) {
 		gctl_error(req, "Provider size mismatch at oldsize.");
 		goto out;
 	}
 
 	/*
 	 * Update the old metadata with the current provider size and write
 	 * it back to the correct place on the provider.
 	 */
 	md.md_provsize = mediasize;
 	/* Write metadata to the provider. */
 	(void)eli_metadata_store(req, prov, &md);
 	/* Now trash the old metadata. */
 	(void)eli_trash_metadata(req, prov, provfd, oldsize - secsize);
 out:
 	if (provfd != -1)
 		(void)g_close(provfd);
 	if (sector != NULL) {
 		bzero(sector, secsize);
 		free(sector);
 	}
 }
 
 static void
 eli_version(struct gctl_req *req)
 {
 	struct g_eli_metadata md;
 	const char *name;
 	unsigned int version;
 	int error, i, nargs;
 
 	nargs = gctl_get_int(req, "nargs");
 
 	if (nargs == 0) {
 		unsigned int kernver;
 		ssize_t size;
 
 		size = sizeof(kernver);
 		if (sysctlbyname("kern.geom.eli.version", &kernver, &size,
 		    NULL, 0) == -1) {
 			warn("Unable to obtain GELI kernel version");
 		} else {
 			printf("kernel: %u\n", kernver);
 		}
 		printf("userland: %u\n", G_ELI_VERSION);
 		return;
 	}
 
 	for (i = 0; i < nargs; i++) {
 		name = gctl_get_ascii(req, "arg%d", i);
 		error = g_metadata_read(name, (unsigned char *)&md,
 		    sizeof(md), G_ELI_MAGIC);
 		if (error != 0) {
 			warn("%s: Unable to read metadata: %s.", name,
 			    strerror(error));
 			gctl_error(req, "Not fully done.");
 			continue;
 		}
 		version = le32dec(&md.md_version);
 		printf("%s: %u\n", name, version);
 	}
 }
 
 static void
 eli_clear(struct gctl_req *req)
 {
 	const char *name;
 	int error, i, nargs;
 
 	nargs = gctl_get_int(req, "nargs");
 	if (nargs < 1) {
 		gctl_error(req, "Too few arguments.");
 		return;
 	}
 
 	for (i = 0; i < nargs; i++) {
 		name = gctl_get_ascii(req, "arg%d", i);
 		error = g_metadata_clear(name, G_ELI_MAGIC);
 		if (error != 0) {
 			fprintf(stderr, "Cannot clear metadata on %s: %s.\n",
 			    name, strerror(error));
 			gctl_error(req, "Not fully done.");
 			continue;
 		}
 		if (verbose)
 			printf("Metadata cleared on %s.\n", name);
 	}
 }
 
 static void
 eli_dump(struct gctl_req *req)
 {
 	struct g_eli_metadata md;
 	const char *name;
 	int i, nargs;
 
 	nargs = gctl_get_int(req, "nargs");
 	if (nargs < 1) {
 		gctl_error(req, "Too few arguments.");
 		return;
 	}
 
 	for (i = 0; i < nargs; i++) {
 		name = gctl_get_ascii(req, "arg%d", i);
 		if (eli_metadata_read(NULL, name, &md) == -1) {
 			gctl_error(req, "Not fully done.");
 			continue;
 		}
 		printf("Metadata on %s:\n", name);
 		eli_metadata_dump(&md);
 		printf("\n");
 	}
 }
Index: head/sys/geom/eli/g_eli.h
===================================================================
--- head/sys/geom/eli/g_eli.h	(revision 308136)
+++ head/sys/geom/eli/g_eli.h	(revision 308137)
@@ -1,709 +1,715 @@
 /*-
  * Copyright (c) 2005-2011 Pawel Jakub Dawidek <pawel@dawidek.net>
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
  *
  * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
  * $FreeBSD$
  */
 
 #ifndef	_G_ELI_H_
 #define	_G_ELI_H_
 
 #include <sys/endian.h>
 #include <sys/errno.h>
 #include <sys/malloc.h>
 #include <crypto/sha2/sha256.h>
 #include <crypto/sha2/sha512.h>
 #include <opencrypto/cryptodev.h>
 #ifdef _KERNEL
 #include <sys/bio.h>
 #include <sys/libkern.h>
 #include <sys/lock.h>
 #include <sys/mutex.h>
 #include <geom/geom.h>
 #else
 #include <assert.h>
 #include <stdio.h>
 #include <string.h>
 #include <strings.h>
 #endif
 #include <sys/queue.h>
 #include <sys/tree.h>
 #ifndef _OpenSSL_
 #include <sys/md5.h>
 #endif
 
 #define	G_ELI_CLASS_NAME	"ELI"
 #define	G_ELI_MAGIC		"GEOM::ELI"
 #define	G_ELI_SUFFIX		".eli"
 
 /*
  * Version history:
  * 0 - Initial version number.
  * 1 - Added data authentication support (md_aalgo field and
  *     G_ELI_FLAG_AUTH flag).
  * 2 - Added G_ELI_FLAG_READONLY.
  * 3 - Added 'configure' subcommand.
  * 4 - IV is generated from offset converted to little-endian
  *     (the G_ELI_FLAG_NATIVE_BYTE_ORDER flag will be set for older versions).
  * 5 - Added multiple encrypton keys and AES-XTS support.
  * 6 - Fixed usage of multiple keys for authenticated providers (the
  *     G_ELI_FLAG_FIRST_KEY flag will be set for older versions).
  * 7 - Encryption keys are now generated from the Data Key and not from the
  *     IV Key (the G_ELI_FLAG_ENC_IVKEY flag will be set for older versions).
  */
 #define	G_ELI_VERSION_00	0
 #define	G_ELI_VERSION_01	1
 #define	G_ELI_VERSION_02	2
 #define	G_ELI_VERSION_03	3
 #define	G_ELI_VERSION_04	4
 #define	G_ELI_VERSION_05	5
 #define	G_ELI_VERSION_06	6
 #define	G_ELI_VERSION_07	7
 #define	G_ELI_VERSION		G_ELI_VERSION_07
 
 /* ON DISK FLAGS. */
 /* Use random, onetime keys. */
 #define	G_ELI_FLAG_ONETIME		0x00000001
 /* Ask for the passphrase from the kernel, before mounting root. */
 #define	G_ELI_FLAG_BOOT			0x00000002
 /* Detach on last close, if we were open for writing. */
 #define	G_ELI_FLAG_WO_DETACH		0x00000004
 /* Detach on last close. */
 #define	G_ELI_FLAG_RW_DETACH		0x00000008
 /* Provide data authentication. */
 #define	G_ELI_FLAG_AUTH			0x00000010
 /* Provider is read-only, we should deny all write attempts. */
 #define	G_ELI_FLAG_RO			0x00000020
 /* Don't pass through BIO_DELETE requests. */
 #define	G_ELI_FLAG_NODELETE		0x00000040
 /* This GELI supports GELIBoot */
 #define	G_ELI_FLAG_GELIBOOT		0x00000080
 /* RUNTIME FLAGS. */
 /* Provider was open for writing. */
 #define	G_ELI_FLAG_WOPEN		0x00010000
 /* Destroy device. */
 #define	G_ELI_FLAG_DESTROY		0x00020000
 /* Provider uses native byte-order for IV generation. */
 #define	G_ELI_FLAG_NATIVE_BYTE_ORDER	0x00040000
 /* Provider uses single encryption key. */
 #define	G_ELI_FLAG_SINGLE_KEY		0x00080000
 /* Device suspended. */
 #define	G_ELI_FLAG_SUSPEND		0x00100000
 /* Provider uses first encryption key. */
 #define	G_ELI_FLAG_FIRST_KEY		0x00200000
 /* Provider uses IV-Key for encryption key generation. */
 #define	G_ELI_FLAG_ENC_IVKEY		0x00400000
 
 #define	G_ELI_NEW_BIO	255
 
 #define	SHA512_MDLEN		64
 #define	G_ELI_AUTH_SECKEYLEN	SHA256_DIGEST_LENGTH
 
 #define	G_ELI_MAXMKEYS		2
 #define	G_ELI_MAXKEYLEN		64
 #define	G_ELI_USERKEYLEN	G_ELI_MAXKEYLEN
 #define	G_ELI_DATAKEYLEN	G_ELI_MAXKEYLEN
 #define	G_ELI_AUTHKEYLEN	G_ELI_MAXKEYLEN
 #define	G_ELI_IVKEYLEN		G_ELI_MAXKEYLEN
 #define	G_ELI_SALTLEN		64
 #define	G_ELI_DATAIVKEYLEN	(G_ELI_DATAKEYLEN + G_ELI_IVKEYLEN)
 /* Data-Key, IV-Key, HMAC_SHA512(Derived-Key, Data-Key+IV-Key) */
 #define	G_ELI_MKEYLEN		(G_ELI_DATAIVKEYLEN + SHA512_MDLEN)
 #define	G_ELI_OVERWRITES	5
 /* Switch data encryption key every 2^20 blocks. */
 #define	G_ELI_KEY_SHIFT		20
 
 #define	G_ELI_CRYPTO_UNKNOWN	0
 #define	G_ELI_CRYPTO_HW		1
 #define	G_ELI_CRYPTO_SW		2
 
 #ifdef _KERNEL
 extern int g_eli_debug;
 extern u_int g_eli_overwrites;
 extern u_int g_eli_batch;
 
 #define	G_ELI_DEBUG(lvl, ...)	do {					\
 	if (g_eli_debug >= (lvl)) {					\
 		printf("GEOM_ELI");					\
 		if (g_eli_debug > 0)					\
 			printf("[%u]", lvl);				\
 		printf(": ");						\
 		printf(__VA_ARGS__);					\
 		printf("\n");						\
 	}								\
 } while (0)
 #define	G_ELI_LOGREQ(lvl, bp, ...)	do {				\
 	if (g_eli_debug >= (lvl)) {					\
 		printf("GEOM_ELI");					\
 		if (g_eli_debug > 0)					\
 			printf("[%u]", lvl);				\
 		printf(": ");						\
 		printf(__VA_ARGS__);					\
 		printf(" ");						\
 		g_print_bio(bp);					\
 		printf("\n");						\
 	}								\
 } while (0)
 
 struct g_eli_worker {
 	struct g_eli_softc	*w_softc;
 	struct proc		*w_proc;
 	u_int			 w_number;
 	uint64_t		 w_sid;
 	boolean_t		 w_active;
 	LIST_ENTRY(g_eli_worker) w_next;
 };
 
 #endif	/* _KERNEL */
 
 struct g_eli_softc {
 	struct g_geom	*sc_geom;
 	u_int		 sc_version;
 	u_int		 sc_crypto;
 	uint8_t		 sc_mkey[G_ELI_DATAIVKEYLEN];
 	uint8_t		 sc_ekey[G_ELI_DATAKEYLEN];
 	TAILQ_HEAD(, g_eli_key) sc_ekeys_queue;
 	RB_HEAD(g_eli_key_tree, g_eli_key) sc_ekeys_tree;
 	struct mtx	 sc_ekeys_lock;
 	uint64_t	 sc_ekeys_total;
 	uint64_t	 sc_ekeys_allocated;
 	u_int		 sc_ealgo;
 	u_int		 sc_ekeylen;
 	uint8_t		 sc_akey[G_ELI_AUTHKEYLEN];
 	u_int		 sc_aalgo;
 	u_int		 sc_akeylen;
 	u_int		 sc_alen;
 	SHA256_CTX	 sc_akeyctx;
 	uint8_t		 sc_ivkey[G_ELI_IVKEYLEN];
 	SHA256_CTX	 sc_ivctx;
 	int		 sc_nkey;
 	uint32_t	 sc_flags;
 	int		 sc_inflight;
 	off_t		 sc_mediasize;
 	size_t		 sc_sectorsize;
 	u_int		 sc_bytes_per_sector;
 	u_int		 sc_data_per_sector;
 #ifndef _KERNEL
 	int		 sc_cpubind;
 #else /* _KERNEL */
 	boolean_t	 sc_cpubind;
 
 	/* Only for software cryptography. */
 	struct bio_queue_head sc_queue;
 	struct mtx	 sc_queue_mtx;
 	LIST_HEAD(, g_eli_worker) sc_workers;
 #endif /* _KERNEL */
 };
 #define	sc_name		 sc_geom->name
 
 #define	G_ELI_KEY_MAGIC	0xe11341c
 
 struct g_eli_key {
 	/* Key value, must be first in the structure. */
 	uint8_t		gek_key[G_ELI_DATAKEYLEN];
 	/* Magic. */
 	int		gek_magic;
 	/* Key number. */
 	uint64_t	gek_keyno;
 	/* Reference counter. */
 	int		gek_count;
 	/* Keeps keys sorted by most recent use. */
 	TAILQ_ENTRY(g_eli_key) gek_next;
 	/* Keeps keys sorted by number. */
 	RB_ENTRY(g_eli_key) gek_link;
 };
 
 struct g_eli_metadata {
 	char		md_magic[16];	/* Magic value. */
 	uint32_t	md_version;	/* Version number. */
 	uint32_t	md_flags;	/* Additional flags. */
 	uint16_t	md_ealgo;	/* Encryption algorithm. */
 	uint16_t	md_keylen;	/* Key length. */
 	uint16_t	md_aalgo;	/* Authentication algorithm. */
 	uint64_t	md_provsize;	/* Provider's size. */
 	uint32_t	md_sectorsize;	/* Sector size. */
 	uint8_t		md_keys;	/* Available keys. */
 	int32_t		md_iterations;	/* Number of iterations for PKCS#5v2. */
 	uint8_t		md_salt[G_ELI_SALTLEN]; /* Salt. */
 			/* Encrypted master key (IV-key, Data-key, HMAC). */
 	uint8_t		md_mkeys[G_ELI_MAXMKEYS * G_ELI_MKEYLEN];
 	u_char		md_hash[16];	/* MD5 hash. */
 } __packed;
 #ifndef _OpenSSL_
 static __inline void
 eli_metadata_encode_v0(struct g_eli_metadata *md, u_char **datap)
 {
 	u_char *p;
 
 	p = *datap;
 	le32enc(p, md->md_flags);	p += sizeof(md->md_flags);
 	le16enc(p, md->md_ealgo);	p += sizeof(md->md_ealgo);
 	le16enc(p, md->md_keylen);	p += sizeof(md->md_keylen);
 	le64enc(p, md->md_provsize);	p += sizeof(md->md_provsize);
 	le32enc(p, md->md_sectorsize);	p += sizeof(md->md_sectorsize);
 	*p = md->md_keys;		p += sizeof(md->md_keys);
 	le32enc(p, md->md_iterations);	p += sizeof(md->md_iterations);
 	bcopy(md->md_salt, p, sizeof(md->md_salt)); p += sizeof(md->md_salt);
 	bcopy(md->md_mkeys, p, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys);
 	*datap = p;
 }
 static __inline void
 eli_metadata_encode_v1v2v3v4v5v6v7(struct g_eli_metadata *md, u_char **datap)
 {
 	u_char *p;
 
 	p = *datap;
 	le32enc(p, md->md_flags);	p += sizeof(md->md_flags);
 	le16enc(p, md->md_ealgo);	p += sizeof(md->md_ealgo);
 	le16enc(p, md->md_keylen);	p += sizeof(md->md_keylen);
 	le16enc(p, md->md_aalgo);	p += sizeof(md->md_aalgo);
 	le64enc(p, md->md_provsize);	p += sizeof(md->md_provsize);
 	le32enc(p, md->md_sectorsize);	p += sizeof(md->md_sectorsize);
 	*p = md->md_keys;		p += sizeof(md->md_keys);
 	le32enc(p, md->md_iterations);	p += sizeof(md->md_iterations);
 	bcopy(md->md_salt, p, sizeof(md->md_salt)); p += sizeof(md->md_salt);
 	bcopy(md->md_mkeys, p, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys);
 	*datap = p;
 }
 static __inline void
 eli_metadata_encode(struct g_eli_metadata *md, u_char *data)
 {
+	uint32_t hash[4];
 	MD5_CTX ctx;
 	u_char *p;
 
 	p = data;
 	bcopy(md->md_magic, p, sizeof(md->md_magic));
 	p += sizeof(md->md_magic);
 	le32enc(p, md->md_version);
 	p += sizeof(md->md_version);
 	switch (md->md_version) {
 	case G_ELI_VERSION_00:
 		eli_metadata_encode_v0(md, &p);
 		break;
 	case G_ELI_VERSION_01:
 	case G_ELI_VERSION_02:
 	case G_ELI_VERSION_03:
 	case G_ELI_VERSION_04:
 	case G_ELI_VERSION_05:
 	case G_ELI_VERSION_06:
 	case G_ELI_VERSION_07:
 		eli_metadata_encode_v1v2v3v4v5v6v7(md, &p);
 		break;
 	default:
 #ifdef _KERNEL
 		panic("%s: Unsupported version %u.", __func__,
 		    (u_int)md->md_version);
 #else
 		assert(!"Unsupported metadata version.");
 #endif
 	}
 	MD5Init(&ctx);
 	MD5Update(&ctx, data, p - data);
-	MD5Final(md->md_hash, &ctx);
+	MD5Final((void *)hash, &ctx);
+	bcopy(hash, md->md_hash, sizeof(md->md_hash));
 	bcopy(md->md_hash, p, sizeof(md->md_hash));
 }
 static __inline int
 eli_metadata_decode_v0(const u_char *data, struct g_eli_metadata *md)
 {
+	uint32_t hash[4];
 	MD5_CTX ctx;
 	const u_char *p;
 
 	p = data + sizeof(md->md_magic) + sizeof(md->md_version);
 	md->md_flags = le32dec(p);	p += sizeof(md->md_flags);
 	md->md_ealgo = le16dec(p);	p += sizeof(md->md_ealgo);
 	md->md_keylen = le16dec(p);	p += sizeof(md->md_keylen);
 	md->md_provsize = le64dec(p);	p += sizeof(md->md_provsize);
 	md->md_sectorsize = le32dec(p);	p += sizeof(md->md_sectorsize);
 	md->md_keys = *p;		p += sizeof(md->md_keys);
 	md->md_iterations = le32dec(p);	p += sizeof(md->md_iterations);
 	bcopy(p, md->md_salt, sizeof(md->md_salt)); p += sizeof(md->md_salt);
 	bcopy(p, md->md_mkeys, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys);
 	MD5Init(&ctx);
 	MD5Update(&ctx, data, p - data);
-	MD5Final(md->md_hash, &ctx);
+	MD5Final((void *)hash, &ctx);
+	bcopy(hash, md->md_hash, sizeof(md->md_hash));
 	if (bcmp(md->md_hash, p, 16) != 0)
 		return (EINVAL);
 	return (0);
 }
 
 static __inline int
 eli_metadata_decode_v1v2v3v4v5v6v7(const u_char *data, struct g_eli_metadata *md)
 {
+	uint32_t hash[4];
 	MD5_CTX ctx;
 	const u_char *p;
 
 	p = data + sizeof(md->md_magic) + sizeof(md->md_version);
 	md->md_flags = le32dec(p);	p += sizeof(md->md_flags);
 	md->md_ealgo = le16dec(p);	p += sizeof(md->md_ealgo);
 	md->md_keylen = le16dec(p);	p += sizeof(md->md_keylen);
 	md->md_aalgo = le16dec(p);	p += sizeof(md->md_aalgo);
 	md->md_provsize = le64dec(p);	p += sizeof(md->md_provsize);
 	md->md_sectorsize = le32dec(p);	p += sizeof(md->md_sectorsize);
 	md->md_keys = *p;		p += sizeof(md->md_keys);
 	md->md_iterations = le32dec(p);	p += sizeof(md->md_iterations);
 	bcopy(p, md->md_salt, sizeof(md->md_salt)); p += sizeof(md->md_salt);
 	bcopy(p, md->md_mkeys, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys);
 	MD5Init(&ctx);
 	MD5Update(&ctx, data, p - data);
-	MD5Final(md->md_hash, &ctx);
+	MD5Final((void *)hash, &ctx);
+	bcopy(hash, md->md_hash, sizeof(md->md_hash));
 	if (bcmp(md->md_hash, p, 16) != 0)
 		return (EINVAL);
 	return (0);
 }
 static __inline int
 eli_metadata_decode(const u_char *data, struct g_eli_metadata *md)
 {
 	int error;
 
 	bcopy(data, md->md_magic, sizeof(md->md_magic));
 	if (strcmp(md->md_magic, G_ELI_MAGIC) != 0)
 		return (EINVAL);
 	md->md_version = le32dec(data + sizeof(md->md_magic));
 	switch (md->md_version) {
 	case G_ELI_VERSION_00:
 		error = eli_metadata_decode_v0(data, md);
 		break;
 	case G_ELI_VERSION_01:
 	case G_ELI_VERSION_02:
 	case G_ELI_VERSION_03:
 	case G_ELI_VERSION_04:
 	case G_ELI_VERSION_05:
 	case G_ELI_VERSION_06:
 	case G_ELI_VERSION_07:
 		error = eli_metadata_decode_v1v2v3v4v5v6v7(data, md);
 		break;
 	default:
 		error = EOPNOTSUPP;
 		break;
 	}
 	return (error);
 }
 #endif	/* !_OpenSSL */
 
 static __inline u_int
 g_eli_str2ealgo(const char *name)
 {
 
 	if (strcasecmp("null", name) == 0)
 		return (CRYPTO_NULL_CBC);
 	else if (strcasecmp("null-cbc", name) == 0)
 		return (CRYPTO_NULL_CBC);
 	else if (strcasecmp("aes", name) == 0)
 		return (CRYPTO_AES_XTS);
 	else if (strcasecmp("aes-cbc", name) == 0)
 		return (CRYPTO_AES_CBC);
 	else if (strcasecmp("aes-xts", name) == 0)
 		return (CRYPTO_AES_XTS);
 	else if (strcasecmp("blowfish", name) == 0)
 		return (CRYPTO_BLF_CBC);
 	else if (strcasecmp("blowfish-cbc", name) == 0)
 		return (CRYPTO_BLF_CBC);
 	else if (strcasecmp("camellia", name) == 0)
 		return (CRYPTO_CAMELLIA_CBC);
 	else if (strcasecmp("camellia-cbc", name) == 0)
 		return (CRYPTO_CAMELLIA_CBC);
 	else if (strcasecmp("3des", name) == 0)
 		return (CRYPTO_3DES_CBC);
 	else if (strcasecmp("3des-cbc", name) == 0)
 		return (CRYPTO_3DES_CBC);
 	return (CRYPTO_ALGORITHM_MIN - 1);
 }
 
 static __inline u_int
 g_eli_str2aalgo(const char *name)
 {
 
 	if (strcasecmp("hmac/md5", name) == 0)
 		return (CRYPTO_MD5_HMAC);
 	else if (strcasecmp("hmac/sha1", name) == 0)
 		return (CRYPTO_SHA1_HMAC);
 	else if (strcasecmp("hmac/ripemd160", name) == 0)
 		return (CRYPTO_RIPEMD160_HMAC);
 	else if (strcasecmp("hmac/sha256", name) == 0)
 		return (CRYPTO_SHA2_256_HMAC);
 	else if (strcasecmp("hmac/sha384", name) == 0)
 		return (CRYPTO_SHA2_384_HMAC);
 	else if (strcasecmp("hmac/sha512", name) == 0)
 		return (CRYPTO_SHA2_512_HMAC);
 	return (CRYPTO_ALGORITHM_MIN - 1);
 }
 
 static __inline const char *
 g_eli_algo2str(u_int algo)
 {
 
 	switch (algo) {
 	case CRYPTO_NULL_CBC:
 		return ("NULL");
 	case CRYPTO_AES_CBC:
 		return ("AES-CBC");
 	case CRYPTO_AES_XTS:
 		return ("AES-XTS");
 	case CRYPTO_BLF_CBC:
 		return ("Blowfish-CBC");
 	case CRYPTO_CAMELLIA_CBC:
 		return ("CAMELLIA-CBC");
 	case CRYPTO_3DES_CBC:
 		return ("3DES-CBC");
 	case CRYPTO_MD5_HMAC:
 		return ("HMAC/MD5");
 	case CRYPTO_SHA1_HMAC:
 		return ("HMAC/SHA1");
 	case CRYPTO_RIPEMD160_HMAC:
 		return ("HMAC/RIPEMD160");
 	case CRYPTO_SHA2_256_HMAC:
 		return ("HMAC/SHA256");
 	case CRYPTO_SHA2_384_HMAC:
 		return ("HMAC/SHA384");
 	case CRYPTO_SHA2_512_HMAC:
 		return ("HMAC/SHA512");
 	}
 	return ("unknown");
 }
 
 static __inline void
 eli_metadata_dump(const struct g_eli_metadata *md)
 {
 	static const char hex[] = "0123456789abcdef";
 	char str[sizeof(md->md_mkeys) * 2 + 1];
 	u_int i;
 
 	printf("     magic: %s\n", md->md_magic);
 	printf("   version: %u\n", (u_int)md->md_version);
 	printf("     flags: 0x%x\n", (u_int)md->md_flags);
 	printf("     ealgo: %s\n", g_eli_algo2str(md->md_ealgo));
 	printf("    keylen: %u\n", (u_int)md->md_keylen);
 	if (md->md_flags & G_ELI_FLAG_AUTH)
 		printf("     aalgo: %s\n", g_eli_algo2str(md->md_aalgo));
 	printf("  provsize: %ju\n", (uintmax_t)md->md_provsize);
 	printf("sectorsize: %u\n", (u_int)md->md_sectorsize);
 	printf("      keys: 0x%02x\n", (u_int)md->md_keys);
 	printf("iterations: %u\n", (u_int)md->md_iterations);
 	bzero(str, sizeof(str));
 	for (i = 0; i < sizeof(md->md_salt); i++) {
 		str[i * 2] = hex[md->md_salt[i] >> 4];
 		str[i * 2 + 1] = hex[md->md_salt[i] & 0x0f];
 	}
 	printf("      Salt: %s\n", str);
 	bzero(str, sizeof(str));
 	for (i = 0; i < sizeof(md->md_mkeys); i++) {
 		str[i * 2] = hex[md->md_mkeys[i] >> 4];
 		str[i * 2 + 1] = hex[md->md_mkeys[i] & 0x0f];
 	}
 	printf("Master Key: %s\n", str);
 	bzero(str, sizeof(str));
 	for (i = 0; i < 16; i++) {
 		str[i * 2] = hex[md->md_hash[i] >> 4];
 		str[i * 2 + 1] = hex[md->md_hash[i] & 0x0f];
 	}
 	printf("  MD5 hash: %s\n", str);
 }
 
 static __inline u_int
 g_eli_keylen(u_int algo, u_int keylen)
 {
 
 	switch (algo) {
 	case CRYPTO_NULL_CBC:
 		if (keylen == 0)
 			keylen = 64 * 8;
 		else {
 			if (keylen > 64 * 8)
 				keylen = 0;
 		}
 		return (keylen);
 	case CRYPTO_AES_CBC:
 	case CRYPTO_CAMELLIA_CBC:
 		switch (keylen) {
 		case 0:
 			return (128);
 		case 128:
 		case 192:
 		case 256:
 			return (keylen);
 		default:
 			return (0);
 		}
 	case CRYPTO_AES_XTS:
 		switch (keylen) {
 		case 0:
 			return (128);
 		case 128:
 		case 256:
 			return (keylen);
 		default:
 			return (0);
 		}
 	case CRYPTO_BLF_CBC:
 		if (keylen == 0)
 			return (128);
 		if (keylen < 128 || keylen > 448)
 			return (0);
 		if ((keylen % 32) != 0)
 			return (0);
 		return (keylen);
 	case CRYPTO_3DES_CBC:
 		if (keylen == 0 || keylen == 192)
 			return (192);
 		return (0);
 	default:
 		return (0);
 	}
 }
 
 static __inline u_int
 g_eli_hashlen(u_int algo)
 {
 
 	switch (algo) {
 	case CRYPTO_MD5_HMAC:
 		return (16);
 	case CRYPTO_SHA1_HMAC:
 		return (20);
 	case CRYPTO_RIPEMD160_HMAC:
 		return (20);
 	case CRYPTO_SHA2_256_HMAC:
 		return (32);
 	case CRYPTO_SHA2_384_HMAC:
 		return (48);
 	case CRYPTO_SHA2_512_HMAC:
 		return (64);
 	}
 	return (0);
 }
 
 static __inline void
 eli_metadata_softc(struct g_eli_softc *sc, const struct g_eli_metadata *md,
     u_int sectorsize, off_t mediasize)
 {
 
 	sc->sc_version = md->md_version;
 	sc->sc_inflight = 0;
 	sc->sc_crypto = G_ELI_CRYPTO_UNKNOWN;
 	sc->sc_flags = md->md_flags;
 	/* Backward compatibility. */
 	if (md->md_version < G_ELI_VERSION_04)
 		sc->sc_flags |= G_ELI_FLAG_NATIVE_BYTE_ORDER;
 	if (md->md_version < G_ELI_VERSION_05)
 		sc->sc_flags |= G_ELI_FLAG_SINGLE_KEY;
 	if (md->md_version < G_ELI_VERSION_06 &&
 	    (sc->sc_flags & G_ELI_FLAG_AUTH) != 0) {
 		sc->sc_flags |= G_ELI_FLAG_FIRST_KEY;
 	}
 	if (md->md_version < G_ELI_VERSION_07)
 		sc->sc_flags |= G_ELI_FLAG_ENC_IVKEY;
 	sc->sc_ealgo = md->md_ealgo;
 
 	if (sc->sc_flags & G_ELI_FLAG_AUTH) {
 		sc->sc_akeylen = sizeof(sc->sc_akey) * 8;
 		sc->sc_aalgo = md->md_aalgo;
 		sc->sc_alen = g_eli_hashlen(sc->sc_aalgo);
 
 		sc->sc_data_per_sector = sectorsize - sc->sc_alen;
 		/*
 		 * Some hash functions (like SHA1 and RIPEMD160) generates hash
 		 * which length is not multiple of 128 bits, but we want data
 		 * length to be multiple of 128, so we can encrypt without
 		 * padding. The line below rounds down data length to multiple
 		 * of 128 bits.
 		 */
 		sc->sc_data_per_sector -= sc->sc_data_per_sector % 16;
 
 		sc->sc_bytes_per_sector =
 		    (md->md_sectorsize - 1) / sc->sc_data_per_sector + 1;
 		sc->sc_bytes_per_sector *= sectorsize;
 	}
 	sc->sc_sectorsize = md->md_sectorsize;
 	sc->sc_mediasize = mediasize;
 	if (!(sc->sc_flags & G_ELI_FLAG_ONETIME))
 		sc->sc_mediasize -= sectorsize;
 	if (!(sc->sc_flags & G_ELI_FLAG_AUTH))
 		sc->sc_mediasize -= (sc->sc_mediasize % sc->sc_sectorsize);
 	else {
 		sc->sc_mediasize /= sc->sc_bytes_per_sector;
 		sc->sc_mediasize *= sc->sc_sectorsize;
 	}
 	sc->sc_ekeylen = md->md_keylen;
 }
 
 #ifdef _KERNEL
 int g_eli_read_metadata(struct g_class *mp, struct g_provider *pp,
     struct g_eli_metadata *md);
 struct g_geom *g_eli_create(struct gctl_req *req, struct g_class *mp,
     struct g_provider *bpp, const struct g_eli_metadata *md,
     const u_char *mkey, int nkey);
 int g_eli_destroy(struct g_eli_softc *sc, boolean_t force);
 
 int g_eli_access(struct g_provider *pp, int dr, int dw, int de);
 void g_eli_config(struct gctl_req *req, struct g_class *mp, const char *verb);
 
 void g_eli_read_done(struct bio *bp);
 void g_eli_write_done(struct bio *bp);
 int g_eli_crypto_rerun(struct cryptop *crp);
 
 void g_eli_crypto_read(struct g_eli_softc *sc, struct bio *bp, boolean_t fromworker);
 void g_eli_crypto_run(struct g_eli_worker *wr, struct bio *bp);
 
 void g_eli_auth_read(struct g_eli_softc *sc, struct bio *bp);
 void g_eli_auth_run(struct g_eli_worker *wr, struct bio *bp);
 #endif
 void g_eli_crypto_ivgen(struct g_eli_softc *sc, off_t offset, u_char *iv,
     size_t size);
 
 void g_eli_mkey_hmac(unsigned char *mkey, const unsigned char *key);
 int g_eli_mkey_decrypt(const struct g_eli_metadata *md,
     const unsigned char *key, unsigned char *mkey, unsigned *nkeyp);
 int g_eli_mkey_encrypt(unsigned algo, const unsigned char *key, unsigned keylen,
     unsigned char *mkey);
 #ifdef _KERNEL
 void g_eli_mkey_propagate(struct g_eli_softc *sc, const unsigned char *mkey);
 #endif
 
 int g_eli_crypto_encrypt(u_int algo, u_char *data, size_t datasize,
     const u_char *key, size_t keysize);
 int g_eli_crypto_decrypt(u_int algo, u_char *data, size_t datasize,
     const u_char *key, size_t keysize);
 
 struct hmac_ctx {
 	SHA512_CTX	shactx;
 	u_char		k_opad[128];
 };
 
 void g_eli_crypto_hmac_init(struct hmac_ctx *ctx, const uint8_t *hkey,
     size_t hkeylen);
 void g_eli_crypto_hmac_update(struct hmac_ctx *ctx, const uint8_t *data,
     size_t datasize);
 void g_eli_crypto_hmac_final(struct hmac_ctx *ctx, uint8_t *md, size_t mdsize);
 void g_eli_crypto_hmac(const uint8_t *hkey, size_t hkeysize,
     const uint8_t *data, size_t datasize, uint8_t *md, size_t mdsize);
 
 void g_eli_key_fill(struct g_eli_softc *sc, struct g_eli_key *key,
     uint64_t keyno);
 #ifdef _KERNEL
 void g_eli_key_init(struct g_eli_softc *sc);
 void g_eli_key_destroy(struct g_eli_softc *sc);
 uint8_t *g_eli_key_hold(struct g_eli_softc *sc, off_t offset, size_t blocksize);
 void g_eli_key_drop(struct g_eli_softc *sc, uint8_t *rawkey);
 #endif
 #endif	/* !_G_ELI_H_ */
Index: head/sys/geom/eli/g_eli_integrity.c
===================================================================
--- head/sys/geom/eli/g_eli_integrity.c	(revision 308136)
+++ head/sys/geom/eli/g_eli_integrity.c	(revision 308137)
@@ -1,525 +1,530 @@
 /*-
  * Copyright (c) 2005-2011 Pawel Jakub Dawidek <pawel@dawidek.net>
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
  *
  * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
 
 #include <sys/cdefs.h>
 __FBSDID("$FreeBSD$");
 
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/kernel.h>
 #include <sys/linker.h>
 #include <sys/module.h>
 #include <sys/lock.h>
 #include <sys/mutex.h>
 #include <sys/bio.h>
 #include <sys/sysctl.h>
 #include <sys/malloc.h>
 #include <sys/kthread.h>
 #include <sys/proc.h>
 #include <sys/sched.h>
 #include <sys/smp.h>
 #include <sys/vnode.h>
 
 #include <vm/uma.h>
 
 #include <geom/geom.h>
 #include <geom/eli/g_eli.h>
 #include <geom/eli/pkcs5v2.h>
 
 /*
  * The data layout description when integrity verification is configured.
  *
  * One of the most important assumption here is that authenticated data and its
  * HMAC has to be stored in the same place (namely in the same sector) to make
  * it work reliable.
  * The problem is that file systems work only with sectors that are multiple of
  * 512 bytes and a power of two number.
  * My idea to implement it is as follows.
  * Let's store HMAC in sector. This is a must. This leaves us 480 bytes for
  * data. We can't use that directly (ie. we can't create provider with 480 bytes
  * sector size). We need another sector from where we take only 32 bytes of data
  * and we store HMAC of this data as well. This takes two sectors from the
  * original provider at the input and leaves us one sector of authenticated data
  * at the output. Not very efficient, but you got the idea.
  * Now, let's assume, we want to create provider with 4096 bytes sector.
  * To output 4096 bytes of authenticated data we need 8x480 plus 1x256, so we
  * need nine 512-bytes sectors at the input to get one 4096-bytes sector at the
  * output. That's better. With 4096 bytes sector we can use 89% of size of the
  * original provider. I find it as an acceptable cost.
  * The reliability comes from the fact, that every HMAC stored inside the sector
  * is calculated only for the data in the same sector, so its impossible to
  * write new data and leave old HMAC or vice versa.
  *
  * And here is the picture:
  *
  * da0: +----+----+ +----+----+ +----+----+ +----+----+ +----+----+ +----+----+ +----+----+ +----+----+ +----+-----+
  *      |32b |480b| |32b |480b| |32b |480b| |32b |480b| |32b |480b| |32b |480b| |32b |480b| |32b |480b| |32b |256b |
  *      |HMAC|Data| |HMAC|Data| |HMAC|Data| |HMAC|Data| |HMAC|Data| |HMAC|Data| |HMAC|Data| |HMAC|Data| |HMAC|Data |
  *      +----+----+ +----+----+ +----+----+ +----+----+ +----+----+ +----+----+ +----+----+ +----+----+ +----+-----+
  *      |512 bytes| |512 bytes| |512 bytes| |512 bytes| |512 bytes| |512 bytes| |512 bytes| |512 bytes| |288 bytes |
  *      +---------+ +---------+ +---------+ +---------+ +---------+ +---------+ +---------+ +---------+ |224 unused|
  *                                                                                                      +----------+
  * da0.eli: +----+----+----+----+----+----+----+----+----+
  *          |480b|480b|480b|480b|480b|480b|480b|480b|256b|
  *          +----+----+----+----+----+----+----+----+----+
  *          |                 4096 bytes                 |
  *          +--------------------------------------------+
  *
  * PS. You can use any sector size with geli(8). My example is using 4kB,
  *     because it's most efficient. For 8kB sectors you need 2 extra sectors,
  *     so the cost is the same as for 4kB sectors.
  */
 
 /*
  * Code paths:
  * BIO_READ:
  *	g_eli_start -> g_eli_auth_read -> g_io_request -> g_eli_read_done -> g_eli_auth_run -> g_eli_auth_read_done -> g_io_deliver
  * BIO_WRITE:
  *	g_eli_start -> g_eli_auth_run -> g_eli_auth_write_done -> g_io_request -> g_eli_write_done -> g_io_deliver
  */
 
 MALLOC_DECLARE(M_ELI);
 
 /*
  * Here we generate key for HMAC. Every sector has its own HMAC key, so it is
  * not possible to copy sectors.
  * We cannot depend on fact, that every sector has its own IV, because different
  * IV doesn't change HMAC, when we use encrypt-then-authenticate method.
  */
 static void
 g_eli_auth_keygen(struct g_eli_softc *sc, off_t offset, u_char *key)
 {
 	SHA256_CTX ctx;
 
 	/* Copy precalculated SHA256 context. */
 	bcopy(&sc->sc_akeyctx, &ctx, sizeof(ctx));
 	SHA256_Update(&ctx, (uint8_t *)&offset, sizeof(offset));
 	SHA256_Final(key, &ctx);
 }
 
 /*
  * The function is called after we read and decrypt data.
  *
  * g_eli_start -> g_eli_auth_read -> g_io_request -> g_eli_read_done -> g_eli_auth_run -> G_ELI_AUTH_READ_DONE -> g_io_deliver
  */
 static int
 g_eli_auth_read_done(struct cryptop *crp)
 {
 	struct g_eli_softc *sc;
 	struct bio *bp;
 
 	if (crp->crp_etype == EAGAIN) {
 		if (g_eli_crypto_rerun(crp) == 0)
 			return (0);
 	}
 	bp = (struct bio *)crp->crp_opaque;
 	bp->bio_inbed++;
 	if (crp->crp_etype == 0) {
 		bp->bio_completed += crp->crp_olen;
 		G_ELI_DEBUG(3, "Crypto READ request done (%d/%d) (add=%jd completed=%jd).",
 		    bp->bio_inbed, bp->bio_children, (intmax_t)crp->crp_olen, (intmax_t)bp->bio_completed);
 	} else {
 		G_ELI_DEBUG(1, "Crypto READ request failed (%d/%d) error=%d.",
 		    bp->bio_inbed, bp->bio_children, crp->crp_etype);
 		if (bp->bio_error == 0)
 			bp->bio_error = crp->crp_etype;
 	}
 	sc = bp->bio_to->geom->softc;
 	g_eli_key_drop(sc, crp->crp_desc->crd_next->crd_key);
 	/*
 	 * Do we have all sectors already?
 	 */
 	if (bp->bio_inbed < bp->bio_children)
 		return (0);
 	if (bp->bio_error == 0) {
 		u_int i, lsec, nsec, data_secsize, decr_secsize, encr_secsize;
 		u_char *srcdata, *dstdata, *auth;
 		off_t coroff, corsize;
 
 		/*
 		 * Verify data integrity based on calculated and read HMACs.
 		 */
 		/* Sectorsize of decrypted provider eg. 4096. */
 		decr_secsize = bp->bio_to->sectorsize;
 		/* The real sectorsize of encrypted provider, eg. 512. */
 		encr_secsize = LIST_FIRST(&sc->sc_geom->consumer)->provider->sectorsize;
 		/* Number of data bytes in one encrypted sector, eg. 480. */
 		data_secsize = sc->sc_data_per_sector;
 		/* Number of sectors from decrypted provider, eg. 2. */
 		nsec = bp->bio_length / decr_secsize;
 		/* Number of sectors from encrypted provider, eg. 18. */
 		nsec = (nsec * sc->sc_bytes_per_sector) / encr_secsize;
 		/* Last sector number in every big sector, eg. 9. */
 		lsec = sc->sc_bytes_per_sector / encr_secsize;
 
 		srcdata = bp->bio_driver2;
 		dstdata = bp->bio_data;
 		auth = srcdata + encr_secsize * nsec;
 		coroff = -1;
 		corsize = 0;
 
 		for (i = 1; i <= nsec; i++) {
 			data_secsize = sc->sc_data_per_sector;
 			if ((i % lsec) == 0)
 				data_secsize = decr_secsize % data_secsize;
 			if (bcmp(srcdata, auth, sc->sc_alen) != 0) {
 				/*
 				 * Curruption detected, remember the offset if
 				 * this is the first corrupted sector and
 				 * increase size.
 				 */
 				if (bp->bio_error == 0)
 					bp->bio_error = -1;
 				if (coroff == -1) {
 					coroff = bp->bio_offset +
 					    (dstdata - (u_char *)bp->bio_data);
 				}
 				corsize += data_secsize;
 			} else {
 				/*
 				 * No curruption, good.
 				 * Report previous corruption if there was one.
 				 */
 				if (coroff != -1) {
 					G_ELI_DEBUG(0, "%s: Failed to authenticate %jd "
 					    "bytes of data at offset %jd.",
 					    sc->sc_name, (intmax_t)corsize,
 					    (intmax_t)coroff);
 					coroff = -1;
 					corsize = 0;
 				}
 				bcopy(srcdata + sc->sc_alen, dstdata,
 				    data_secsize);
 			}
 			srcdata += encr_secsize;
 			dstdata += data_secsize;
 			auth += sc->sc_alen;
 		}
 		/* Report previous corruption if there was one. */
 		if (coroff != -1) {
 			G_ELI_DEBUG(0, "%s: Failed to authenticate %jd "
 			    "bytes of data at offset %jd.",
 			    sc->sc_name, (intmax_t)corsize, (intmax_t)coroff);
 		}
 	}
 	free(bp->bio_driver2, M_ELI);
 	bp->bio_driver2 = NULL;
 	if (bp->bio_error != 0) {
 		if (bp->bio_error == -1)
 			bp->bio_error = EINVAL;
 		else {
 			G_ELI_LOGREQ(0, bp,
 			    "Crypto READ request failed (error=%d).",
 			    bp->bio_error);
 		}
 		bp->bio_completed = 0;
 	}
 	/*
 	 * Read is finished, send it up.
 	 */
 	g_io_deliver(bp, bp->bio_error);
 	atomic_subtract_int(&sc->sc_inflight, 1);
 	return (0);
 }
 
 /*
  * The function is called after data encryption.
  *
  * g_eli_start -> g_eli_auth_run -> G_ELI_AUTH_WRITE_DONE -> g_io_request -> g_eli_write_done -> g_io_deliver
  */
 static int
 g_eli_auth_write_done(struct cryptop *crp)
 {
 	struct g_eli_softc *sc;
 	struct g_consumer *cp;
 	struct bio *bp, *cbp, *cbp2;
 	u_int nsec;
 
 	if (crp->crp_etype == EAGAIN) {
 		if (g_eli_crypto_rerun(crp) == 0)
 			return (0);
 	}
 	bp = (struct bio *)crp->crp_opaque;
 	bp->bio_inbed++;
 	if (crp->crp_etype == 0) {
 		G_ELI_DEBUG(3, "Crypto WRITE request done (%d/%d).",
 		    bp->bio_inbed, bp->bio_children);
 	} else {
 		G_ELI_DEBUG(1, "Crypto WRITE request failed (%d/%d) error=%d.",
 		    bp->bio_inbed, bp->bio_children, crp->crp_etype);
 		if (bp->bio_error == 0)
 			bp->bio_error = crp->crp_etype;
 	}
 	sc = bp->bio_to->geom->softc;
 	g_eli_key_drop(sc, crp->crp_desc->crd_key);
 	/*
 	 * All sectors are already encrypted?
 	 */
 	if (bp->bio_inbed < bp->bio_children)
 		return (0);
 	if (bp->bio_error != 0) {
 		G_ELI_LOGREQ(0, bp, "Crypto WRITE request failed (error=%d).",
 		    bp->bio_error);
 		free(bp->bio_driver2, M_ELI);
 		bp->bio_driver2 = NULL;
 		cbp = bp->bio_driver1;
 		bp->bio_driver1 = NULL;
 		g_destroy_bio(cbp);
 		g_io_deliver(bp, bp->bio_error);
 		atomic_subtract_int(&sc->sc_inflight, 1);
 		return (0);
 	}
 	cp = LIST_FIRST(&sc->sc_geom->consumer);
 	cbp = bp->bio_driver1;
 	bp->bio_driver1 = NULL;
 	cbp->bio_to = cp->provider;
 	cbp->bio_done = g_eli_write_done;
 
 	/* Number of sectors from decrypted provider, eg. 1. */
 	nsec = bp->bio_length / bp->bio_to->sectorsize;
 	/* Number of sectors from encrypted provider, eg. 9. */
 	nsec = (nsec * sc->sc_bytes_per_sector) / cp->provider->sectorsize;
 
 	cbp->bio_length = cp->provider->sectorsize * nsec;
 	cbp->bio_offset = (bp->bio_offset / bp->bio_to->sectorsize) * sc->sc_bytes_per_sector;
 	cbp->bio_data = bp->bio_driver2;
 
 	/*
 	 * We write more than what is requested, so we have to be ready to write
 	 * more than MAXPHYS.
 	 */
 	cbp2 = NULL;
 	if (cbp->bio_length > MAXPHYS) {
 		cbp2 = g_duplicate_bio(bp);
 		cbp2->bio_length = cbp->bio_length - MAXPHYS;
 		cbp2->bio_data = cbp->bio_data + MAXPHYS;
 		cbp2->bio_offset = cbp->bio_offset + MAXPHYS;
 		cbp2->bio_to = cp->provider;
 		cbp2->bio_done = g_eli_write_done;
 		cbp->bio_length = MAXPHYS;
 	}
 	/*
 	 * Send encrypted data to the provider.
 	 */
 	G_ELI_LOGREQ(2, cbp, "Sending request.");
 	bp->bio_inbed = 0;
 	bp->bio_children = (cbp2 != NULL ? 2 : 1);
 	g_io_request(cbp, cp);
 	if (cbp2 != NULL) {
 		G_ELI_LOGREQ(2, cbp2, "Sending request.");
 		g_io_request(cbp2, cp);
 	}
 	return (0);
 }
 
 void
 g_eli_auth_read(struct g_eli_softc *sc, struct bio *bp)
 {
 	struct g_consumer *cp;
 	struct bio *cbp, *cbp2;
 	size_t size;
 	off_t nsec;
 
 	bp->bio_pflags = 0;
 
 	cp = LIST_FIRST(&sc->sc_geom->consumer);
 	cbp = bp->bio_driver1;
 	bp->bio_driver1 = NULL;
 	cbp->bio_to = cp->provider;
 	cbp->bio_done = g_eli_read_done;
 
 	/* Number of sectors from decrypted provider, eg. 1. */
 	nsec = bp->bio_length / bp->bio_to->sectorsize;
 	/* Number of sectors from encrypted provider, eg. 9. */
 	nsec = (nsec * sc->sc_bytes_per_sector) / cp->provider->sectorsize;
 
 	cbp->bio_length = cp->provider->sectorsize * nsec;
 	size = cbp->bio_length;
 	size += sc->sc_alen * nsec;
 	size += sizeof(struct cryptop) * nsec;
 	size += sizeof(struct cryptodesc) * nsec * 2;
 	size += G_ELI_AUTH_SECKEYLEN * nsec;
 	cbp->bio_offset = (bp->bio_offset / bp->bio_to->sectorsize) * sc->sc_bytes_per_sector;
 	bp->bio_driver2 = malloc(size, M_ELI, M_WAITOK);
 	cbp->bio_data = bp->bio_driver2;
 
 	/*
 	 * We read more than what is requested, so we have to be ready to read
 	 * more than MAXPHYS.
 	 */
 	cbp2 = NULL;
 	if (cbp->bio_length > MAXPHYS) {
 		cbp2 = g_duplicate_bio(bp);
 		cbp2->bio_length = cbp->bio_length - MAXPHYS;
 		cbp2->bio_data = cbp->bio_data + MAXPHYS;
 		cbp2->bio_offset = cbp->bio_offset + MAXPHYS;
 		cbp2->bio_to = cp->provider;
 		cbp2->bio_done = g_eli_read_done;
 		cbp->bio_length = MAXPHYS;
 	}
 	/*
 	 * Read encrypted data from provider.
 	 */
 	G_ELI_LOGREQ(2, cbp, "Sending request.");
 	g_io_request(cbp, cp);
 	if (cbp2 != NULL) {
 		G_ELI_LOGREQ(2, cbp2, "Sending request.");
 		g_io_request(cbp2, cp);
 	}
 }
 
 /*
  * This is the main function responsible for cryptography (ie. communication
  * with crypto(9) subsystem).
  *
  * BIO_READ:
  *	g_eli_start -> g_eli_auth_read -> g_io_request -> g_eli_read_done -> G_ELI_AUTH_RUN -> g_eli_auth_read_done -> g_io_deliver
  * BIO_WRITE:
  *	g_eli_start -> G_ELI_AUTH_RUN -> g_eli_auth_write_done -> g_io_request -> g_eli_write_done -> g_io_deliver
  */
 void
 g_eli_auth_run(struct g_eli_worker *wr, struct bio *bp)
 {
 	struct g_eli_softc *sc;
 	struct cryptop *crp;
 	struct cryptodesc *crde, *crda;
 	u_int i, lsec, nsec, data_secsize, decr_secsize, encr_secsize;
 	off_t dstoff;
 	u_char *p, *data, *auth, *authkey, *plaindata;
 	int error;
 
 	G_ELI_LOGREQ(3, bp, "%s", __func__);
 
 	bp->bio_pflags = wr->w_number;
 	sc = wr->w_softc;
 	/* Sectorsize of decrypted provider eg. 4096. */
 	decr_secsize = bp->bio_to->sectorsize;
 	/* The real sectorsize of encrypted provider, eg. 512. */
 	encr_secsize = LIST_FIRST(&sc->sc_geom->consumer)->provider->sectorsize;
 	/* Number of data bytes in one encrypted sector, eg. 480. */
 	data_secsize = sc->sc_data_per_sector;
 	/* Number of sectors from decrypted provider, eg. 2. */
 	nsec = bp->bio_length / decr_secsize;
 	/* Number of sectors from encrypted provider, eg. 18. */
 	nsec = (nsec * sc->sc_bytes_per_sector) / encr_secsize;
 	/* Last sector number in every big sector, eg. 9. */
 	lsec = sc->sc_bytes_per_sector / encr_secsize;
 	/* Destination offset, used for IV generation. */
 	dstoff = (bp->bio_offset / bp->bio_to->sectorsize) * sc->sc_bytes_per_sector;
 
 	auth = NULL;	/* Silence compiler warning. */
 	plaindata = bp->bio_data;
 	if (bp->bio_cmd == BIO_READ) {
 		data = bp->bio_driver2;
 		auth = data + encr_secsize * nsec;
 		p = auth + sc->sc_alen * nsec;
 	} else {
 		size_t size;
 
 		size = encr_secsize * nsec;
 		size += sizeof(*crp) * nsec;
 		size += sizeof(*crde) * nsec;
 		size += sizeof(*crda) * nsec;
 		size += G_ELI_AUTH_SECKEYLEN * nsec;
+		size += sizeof(uintptr_t);	/* Space for alignment. */
 		data = malloc(size, M_ELI, M_WAITOK);
 		bp->bio_driver2 = data;
 		p = data + encr_secsize * nsec;
 	}
 	bp->bio_inbed = 0;
 	bp->bio_children = nsec;
+
+#if defined(__mips_n64) || defined(__mips_o64)
+	p = (char *)roundup((uintptr_t)p, sizeof(uintptr_t));
+#endif
 
 	for (i = 1; i <= nsec; i++, dstoff += encr_secsize) {
 		crp = (struct cryptop *)p;	p += sizeof(*crp);
 		crde = (struct cryptodesc *)p;	p += sizeof(*crde);
 		crda = (struct cryptodesc *)p;	p += sizeof(*crda);
 		authkey = (u_char *)p;		p += G_ELI_AUTH_SECKEYLEN;
 
 		data_secsize = sc->sc_data_per_sector;
 		if ((i % lsec) == 0)
 			data_secsize = decr_secsize % data_secsize;
 
 		if (bp->bio_cmd == BIO_READ) {
 			/* Remember read HMAC. */
 			bcopy(data, auth, sc->sc_alen);
 			auth += sc->sc_alen;
 			/* TODO: bzero(9) can be commented out later. */
 			bzero(data, sc->sc_alen);
 		} else {
 			bcopy(plaindata, data + sc->sc_alen, data_secsize);
 			plaindata += data_secsize;
 		}
 
 		crp->crp_sid = wr->w_sid;
 		crp->crp_ilen = sc->sc_alen + data_secsize;
 		crp->crp_olen = data_secsize;
 		crp->crp_opaque = (void *)bp;
 		crp->crp_buf = (void *)data;
 		data += encr_secsize;
 		crp->crp_flags = CRYPTO_F_CBIFSYNC;
 		if (g_eli_batch)
 			crp->crp_flags |= CRYPTO_F_BATCH;
 		if (bp->bio_cmd == BIO_WRITE) {
 			crp->crp_callback = g_eli_auth_write_done;
 			crp->crp_desc = crde;
 			crde->crd_next = crda;
 			crda->crd_next = NULL;
 		} else {
 			crp->crp_callback = g_eli_auth_read_done;
 			crp->crp_desc = crda;
 			crda->crd_next = crde;
 			crde->crd_next = NULL;
 		}
 
 		crde->crd_skip = sc->sc_alen;
 		crde->crd_len = data_secsize;
 		crde->crd_flags = CRD_F_IV_EXPLICIT | CRD_F_IV_PRESENT;
 		if ((sc->sc_flags & G_ELI_FLAG_FIRST_KEY) == 0)
 			crde->crd_flags |= CRD_F_KEY_EXPLICIT;
 		if (bp->bio_cmd == BIO_WRITE)
 			crde->crd_flags |= CRD_F_ENCRYPT;
 		crde->crd_alg = sc->sc_ealgo;
 		crde->crd_key = g_eli_key_hold(sc, dstoff, encr_secsize);
 		crde->crd_klen = sc->sc_ekeylen;
 		if (sc->sc_ealgo == CRYPTO_AES_XTS)
 			crde->crd_klen <<= 1;
 		g_eli_crypto_ivgen(sc, dstoff, crde->crd_iv,
 		    sizeof(crde->crd_iv));
 
 		crda->crd_skip = sc->sc_alen;
 		crda->crd_len = data_secsize;
 		crda->crd_inject = 0;
 		crda->crd_flags = CRD_F_KEY_EXPLICIT;
 		crda->crd_alg = sc->sc_aalgo;
 		g_eli_auth_keygen(sc, dstoff, authkey);
 		crda->crd_key = authkey;
 		crda->crd_klen = G_ELI_AUTH_SECKEYLEN * 8;
 
 		crp->crp_etype = 0;
 		error = crypto_dispatch(crp);
 		KASSERT(error == 0, ("crypto_dispatch() failed (error=%d)",
 		    error));
 	}
 }
Index: head/sys/modules/geom/Makefile
===================================================================
--- head/sys/modules/geom/Makefile	(revision 308136)
+++ head/sys/modules/geom/Makefile	(revision 308137)
@@ -1,37 +1,33 @@
 # $FreeBSD$
 
 SYSDIR?=${.CURDIR}/../..
 .include "${SYSDIR}/conf/kern.opts.mk"
 
 SUBDIR=	geom_bde \
 	geom_cache \
 	geom_concat \
+	geom_eli \
 	geom_gate \
 	geom_journal \
 	geom_label \
 	geom_linux_lvm \
 	geom_mirror \
 	geom_mountver \
 	geom_multipath \
 	geom_nop \
 	geom_part \
 	geom_raid \
 	geom_raid3 \
 	geom_sched \
 	geom_shsec \
 	geom_stripe \
 	geom_uzip \
 	geom_vinum \
 	geom_virstor \
 	geom_zero
 
 .if ${MK_CCD} != "no" || defined(ALL_MODULES)
 SUBDIR+=	geom_ccd
-.endif
-
-# Alignment issues in g_eli_auth_run() on MIPS64 causes kernel panic
-.if ${MACHINE_ARCH} != "mips64" && ${MACHINE_ARCH} != "mips64el"
-SUBDIR+=	geom_eli
 .endif
 
 .include <bsd.subdir.mk>