PR/58212: Malte Dehling: Add zfs verification method

branches: 1.22.2;
cgdconfig(8): Add support for shared keys.

New clause `shared <id> algorithm <alg> subkey <info>' in a keygen
block enables `cgdconfig -C' to reuse a key between different params
files, so you can, e.g., use a single password for multiple disks.
This is better than simply caching the password itself because:

- Hashing the password is expensive, so it should only be done once.

Suppose your budget is time t before you get bored, and you
calibrate password hash parameters to unlock n disks before you get
bored waiting for `cgdconfig -C'.

. With n password hashings the adversary's cost goes up only by a
factor of t/n.
. With one password hashing and n subkeys the adversary's cost goes
up by a factor of n.

And if you ever add a disk, rehashing it will make `cgdconfig -C'
go over budget, whereas another subkey adds negligible cost to you.

- Subkeys work for other types of keygen blocks, like shell_cmd,
which could be used to get a key from a hardware token that needs a
button press.

The <info> parameter must be different for each params file;
everything else in the keygen block must be the same. With this
clause, the keygen block determines a shared key used only to derive
keys; the actual key used by cgdconfig is derived from the shared key
by the specified algorithm.

The only supported algorithm is hkdf-hmac-sha256, which uses
HKDF-Expand of RFC 5869 instantiated with SHA-256.

Example:

algorithm aes-cbc;
iv-method encblkno1;
keylength 128;
verify_method none;
keygen pkcs5_pbkdf2/sha1 {
iterations 39361;
salt AAAAgMoHiYonye6KogdYJAobCHE=;
shared "pw" algorithm hkdf-hmac-sha256
subkey AAAAgFlw0BMQ5gY+haYkZ6JC+yY=;
};

The key used for this disk will be derived by

HKDF-HMAC-SHA256_k(WXDQExDmBj6FpiRnokL7Jg==),

where k is the outcome of PBKDF2-SHA1 with the given parameters.

Note that <info> encodes a four-byte prefix giving the big-endian
length in bits of the info argument to HKDF, just like all other bit
strings in cgdconfig parameters files.

If you have multiple disks configured using the same keygen block
except for the info parameter, `cgdconfig -C' will only prompt once
for your passphrase, generate a shared key k with PBKDF2 as usual,
and then reuse it for each of the disks.

Use the Makefile.inc from libargon2 (fixes the vax build that requires
a compiler hack).

make things behave just like before the libcrypt symbol renaming:
The normal cgdconfig binary is built with threads and the crunched one
in rescue without.

Re-enable threads; apparently we get different results depending if we are
threaded or not... This tastes like a bug.

Build argon2 inline so that crunched programs work. I also disabled threads
for now; we can put them back if needed.

-lpthread to LDADD (fixes lint build)

cgdconfig(8): Add an argon2id password-based key generation method

This provides an extra level of side-channel and cracking resistance
compared to the pre-existing pkcs5_pbkdf2/sha1 method used for
password-based disk encryption.

Several new keygen parameters are supported:

memory (integer, in kilobytes)
parallelism (integer, usually the number of CPU cores)
version (integer, usually 19...)

We do our best to calibrate these automatically when the paramsfile
is initially generated.

lgtm riastradh@

replace openssl HMAC(3) with our hmac(3).

Convert from the oldstyle cgd_kops.op_open to the newstyle prog_open
and define RUMPPRG. Get rid of the Makefile.inc stuff, since it was
useful only for the oldstyle regime.

Use RUMP_ACTION to avoid having to specify the same information
in the Makefiles of all the consumers.

* allow specification of kernel operations vector
* make it possible to build cgdconfig as a library

define YY_NO_INPUT where appropriate, from Kurt J. Lidl per PR misc/41160

branches: 1.10.4;
Adjust this to not need -Wno-pointer-sign.

Add HAVE_PCC tests for -Wno-pointer-sign.

branches: 1.8.4; 1.8.8;
Change incorrect usage of CFLAGS to CPPFLAGS

branches: 1.7.10; 1.7.12;
sprinkle some -fno-strict-aliasing and -Wno-pointer-sign with GCC4.

We link against libl and liby, so depend on them too.

Add -lcrypt where -lcrypto is specified.

We need -I., too.

-I. -> -I${.CURDIR}

substantial rototill of the code.

o added new features:
o -G: generate a new paramsfile that produces the same
key as the old paramsfile,
o ffs verify_method,
o multiple keygen methods that are xor'ed together
(for n-factor authentication), and
o calibrating the iteration count of PKCS#5 PBKDF2 to
the current machine's speed.
o changed paramsfile format to allow for the new features.
o replaced open-coded parser with yacc grammar.
o lots of supporting changes.
o updated documentation to reflect new features and new
paramsfile format.

Initial checkin of cgdconfig(8), a program to configure a cgd.

Convert from the oldstyle cgd_kops.op_open to the newstyle prog_open
and define RUMPPRG. Get rid of the Makefile.inc stuff, since it was
useful only for the oldstyle regime.

mirror change of -lrumpcrypto ==> -lrumpkern_crypto

Use RUMP_ACTION to avoid having to specify the same information
in the Makefiles of all the consumers.

* allow specification of kernel operations vector
* make it possible to build cgdconfig as a library

cgdconfig(8): Add an argon2id password-based key generation method

This provides an extra level of side-channel and cracking resistance
compared to the pre-existing pkcs5_pbkdf2/sha1 method used for
password-based disk encryption.

Several new keygen parameters are supported:

memory (integer, in kilobytes)
parallelism (integer, usually the number of CPU cores)
version (integer, usually 19...)

We do our best to calibrate these automatically when the paramsfile
is initially generated.

lgtm riastradh@

cgdconfig(8): Add an argon2id password-based key generation method

This provides an extra level of side-channel and cracking resistance
compared to the pre-existing pkcs5_pbkdf2/sha1 method used for
password-based disk encryption.

Several new keygen parameters are supported:

memory (integer, in kilobytes)
parallelism (integer, usually the number of CPU cores)
version (integer, usually 19...)

We do our best to calibrate these automatically when the paramsfile
is initially generated.

lgtm riastradh@

Convert from the oldstyle cgd_kops.op_open to the newstyle prog_open
and define RUMPPRG. Get rid of the Makefile.inc stuff, since it was
useful only for the oldstyle regime.

fix prototypes of function pointers to varargs syscalls

* allow specification of kernel operations vector
* make it possible to build cgdconfig as a library

Convert from the oldstyle cgd_kops.op_open to the newstyle prog_open
and define RUMPPRG. Get rid of the Makefile.inc stuff, since it was
useful only for the oldstyle regime.

fix prototypes of function pointers to varargs syscalls

fix LP64 builds. yay, C type system.

patch from Joachim Kuebart

* allow specification of kernel operations vector
* make it possible to build cgdconfig as a library

Convert from the oldstyle cgd_kops.op_open to the newstyle prog_open
and define RUMPPRG. Get rid of the Makefile.inc stuff, since it was
useful only for the oldstyle regime.

Use RUMP_ACTION to avoid having to specify the same information
in the Makefiles of all the consumers.

cgdconfig(8): Estimate verify methods' false accept probabilities.

An addendum following discussion around:

PR bin/58212: cgdconfig(8): Add zfs verification method

branches: 1.58.2;
PR/58212: Malte Dehling: Add zfs verification method

branches: 1.57.2;
cgdconfig(8): Handle -P/-S for shared keys with -G too.

This way you can convert an existing parameters file to one that is
derived from a shared key, and derive other subkeys for other disks
from the same shared key.

cgdconfig -G -S -o /etc/cgd/wd0.shared /etc/cgd/wd0
cgdconfig -G -S -o /etc/cgd/wd1.shared \
-P /etc/cgd/wd0.shared /etc/cgd/wd1

This way, if you enter the same new password both times, wd0.shared
and wd1.shared generate the same keys as wd0 and wd1, but only need
one password entry with `cgdconfig -C'.

cgdconfig(8): Add support for generating shared-key parameters files.

Usage model:

- Generate a parameters file that supports sharing its main key:

cgdconfig -g -S -o /etc/cgd/wd0e -V gpt adiantum

- Make another parameters file that uses the same shared main key but
derives an independent subkey from it:

cgdconfig -g -S -P /etc/cgd/wd0e -o /etc/cgd/ld1e \
-V disklabel aes-cbc 256

cgdconfig(8): Add support for shared keys.

New clause `shared <id> algorithm <alg> subkey <info>' in a keygen
block enables `cgdconfig -C' to reuse a key between different params
files, so you can, e.g., use a single password for multiple disks.
This is better than simply caching the password itself because:

- Hashing the password is expensive, so it should only be done once.

Suppose your budget is time t before you get bored, and you
calibrate password hash parameters to unlock n disks before you get
bored waiting for `cgdconfig -C'.

. With n password hashings the adversary's cost goes up only by a
factor of t/n.
. With one password hashing and n subkeys the adversary's cost goes
up by a factor of n.

And if you ever add a disk, rehashing it will make `cgdconfig -C'
go over budget, whereas another subkey adds negligible cost to you.

- Subkeys work for other types of keygen blocks, like shell_cmd,
which could be used to get a key from a hardware token that needs a
button press.

The <info> parameter must be different for each params file;
everything else in the keygen block must be the same. With this
clause, the keygen block determines a shared key used only to derive
keys; the actual key used by cgdconfig is derived from the shared key
by the specified algorithm.

The only supported algorithm is hkdf-hmac-sha256, which uses
HKDF-Expand of RFC 5869 instantiated with SHA-256.

Example:

algorithm aes-cbc;
iv-method encblkno1;
keylength 128;
verify_method none;
keygen pkcs5_pbkdf2/sha1 {
iterations 39361;
salt AAAAgMoHiYonye6KogdYJAobCHE=;
shared "pw" algorithm hkdf-hmac-sha256
subkey AAAAgFlw0BMQ5gY+haYkZ6JC+yY=;
};

The key used for this disk will be derived by

HKDF-HMAC-SHA256_k(WXDQExDmBj6FpiRnokL7Jg==),

where k is the outcome of PBKDF2-SHA1 with the given parameters.

Note that <info> encodes a four-byte prefix giving the big-endian
length in bits of the info argument to HKDF, just like all other bit
strings in cgdconfig parameters files.

If you have multiple disks configured using the same keygen block
except for the info parameter, `cgdconfig -C' will only prompt once
for your passphrase, generate a shared key k with PBKDF2 as usual,
and then reuse it for each of the disks.

cgdconfig(8): New -T operation prints all generated keys in cgd.conf.

For testing purposes.

cgdconfig(8): New -t operation just prints the derived key in base64.

For testing purposes.

cgdconfig.8: Use argon2id in examples

cgdconfig(8): Add an argon2id password-based key generation method

This provides an extra level of side-channel and cracking resistance
compared to the pre-existing pkcs5_pbkdf2/sha1 method used for
password-based disk encryption.

Several new keygen parameters are supported:

memory (integer, in kilobytes)
parallelism (integer, usually the number of CPU cores)
version (integer, usually 19...)

We do our best to calibrate these automatically when the paramsfile
is initially generated.

lgtm riastradh@

cgdconfig.8: use gpt in examples, it's more versatile for this use case

The -n flag is useless with -g, don't mention it.

From rudolf in PR misc/36243

Touch up cgdconfig(8) man page.

- Suggest adiantum first.
- Remove references to Blowfish.
- Clarify that ivmethod is relevant only for ancient compatibility.

Use Nm.

cgdconfig.8: remove references to using cgd for swap

this is potentially misleading now that the kernel does swap encryption

cgdconfig.8: Reflect actual behaviour of /dev/(u)random

Sort SEE ALSO.

s/Dec/December/.

Document that cgd.conf supports NAME=label and ROOT.<suffix> targets.

XXX Default paramsfile for NAME=label is /etc/cgd/dkNN (resolved wedge
partition) and /etc/cgd/ROOT.<suffix> for ROOT.<suffix>. This isn't yet
documented. IMO, it should be the other way around: /etc/cgd/label
for the former and /et/cgd/[root-device] for the latter.

typo

branches: 1.40.2;

With the change to use getpass_r the 128 byte passphrase limit no
longer applies, so update the BUGS section here to reflect that change.
The limit now is 1023 whichever method is used to fetch the passphrase.

Add '-e' option (echo the passphrase) and wipe the passphrase after use.

XXX Using memset for wiping isn't a good idea because memset is likely
optimised away by gcc. This should be revisited.

Add commas in enumeration.

Fix missing -p in usage message (noted by Christoph Badura, thanks),
and update -l usage as well.

While here fix man page synopses and a few other odds and ends.

branches: 1.36.6; 1.36.12;
Spelling mistake.
Bump date.

Bump date for previous. Fix typo.

Add validation methods "mbr" and "gpt" for disks without a valid disklabel.

Whitespace.
New sentence, new line.

add cgdconfig -l like vnconfig -l

branches: 1.31.2; 1.31.8;
fix typo

\\ -> \e

Document -n, from Jukka Ruohonen in private mail.
Bump date.

PR/39525: Joachim Schueth, Frederik Sausmikat:
cgd inadvertently encrypts blkno eight times to generate IV

Bump date for previous.

Add a new keygen method which will execute an external command and
take its output as the key. I've been meaning to do this for quite
a while...

Add -p flag to retrieve passphrases from stdin. This is mainly aimed
at programatic use where the caller wants to be able to use PKCS#5.

Disable looping on invalid verifications unless both a passphrase method
is in use and the -p flag is not specified.

Update man page to document -p flag.

branches: 1.24.2;
Convert TNF licenses to new 2 clause variant

branches: 1.23.12; 1.23.14;
Add a DIAGNOSTICS section and explain that the error message "could not
calibrate pkcs5_pbkdf2" could have resulted due to dynamic changes in cpu
clock frequency.

Correct the omission in 're-enter' verification method addition in EXAMPLES.

Bump date for previous, and re-add some flags that were removed in the
previous commit without a mention in the commit message, and which are
still in the usage.

Add "urandomkey" key generation method as described in PR kern/22766;
useful for configuring a throwaway key for cgd-on-swap at boot time.

Add options to SYNOPSIS.

Addresses PR misc/26065.

branches: 1.18.2;
Drop trailing whitespace; new sentence, new line.

Fix a longstanding algorithmic flaw in PKCS#5 key generation.

The existing pkcs5_pbdkf2 keygen method is retained functionally
as-is, for compatibility with existing params files. The corrected
algorithm, which is now the default for new params file generation, is
called pkcs5_pbkdf2/sha1.

NB. The backwards compatibility for the miscreant keygen method will
be removed at the same time as support for the previous parameters
file syntax. Sometime between now and then, users should update their
params files using -G, which will create a new params file including
an xor value so that the resulting generated key is the same; they
should also

Problem discovery and 2-char algorithm fix by Charles Blundell, messy
compat goop by me, long complicated names by Roland Dowdeswell.

Update manpage accordingly and bump date.

Add article.

add a new verification method that prompts for the pkcs#5 pbkdf2
passphrase again and checks the generated key against the original.

Remove superfluous "".

Bump date for last-but-one; remove superfluous .Pp.

Fix typo. params files are not stored in /dev/cgd/

substantial rototill of the code.

o added new features:
o -G: generate a new paramsfile that produces the same
key as the old paramsfile,
o ffs verify_method,
o multiple keygen methods that are xor'ed together
(for n-factor authentication), and
o calibrating the iteration count of PKCS#5 PBKDF2 to
the current machine's speed.
o changed paramsfile format to allow for the new features.
o replaced open-coded parser with yacc grammar.
o lots of supporting changes.
o updated documentation to reflect new features and new
paramsfile format.

.Nm does not need a dummy argument ("") before punctuation or
for correct formatting of the SYNOPSIS any longer.

The next release will be 2.0, not 1.7.

At the suggestion of wiz@, we remove the lines that mention that the
lack of the feature added earlier today was a bug.

Add documentation for verification methods. Specify defaults for IV
method, keygen method and verification method.

Begin new sentence in upper case.

cgdconfig first appeared in NetBSD 1.7 (for now).

New sentence, new line. Some mdoc cleanup, other minor nits.

note some other caveats and uses

channelling wiz

Initial checkin of cgdconfig(8), a program to configure a cgd.

PR/58212: Malte Dehling: Add zfs verification method

cgdconfig(8): KNF in cgdconfig.c.

No functional change intended.

branches: 1.61.2;
Restore backward compatibility of UFS2 with previous NetBSD releases by
disabling support in UFS2 for extended attributes (including ACLs).
Add a new variant of UFS2 called "UFS2ea" that does support extended attributes.
Add new fsck_ffs operations "-c ea" and "-c no-ea" to convert file systems
from UFS2 to UFS2ea and vice-versa (both of which delete all existing extended
attributes in the process).

cgdconfig(8): Restore loop for password re-entry for non-shared keys.

Fixes mistake in previous which changed the semantics in the case
where _no_ keys are shared.

cgdconfig(8): Gracefully handle failed verification with shared keys.

The first time each key is verified, if verification fails, we chuck
the failed key and try again with passphrase re-entry.

But if a key has already been verified, and verification fails,
assume something is wrong with the disk and fail.

cgdconfig(8): Handle -P/-S for shared keys with -G too.

This way you can convert an existing parameters file to one that is
derived from a shared key, and derive other subkeys for other disks
from the same shared key.

cgdconfig -G -S -o /etc/cgd/wd0.shared /etc/cgd/wd0
cgdconfig -G -S -o /etc/cgd/wd1.shared \
-P /etc/cgd/wd0.shared /etc/cgd/wd1

This way, if you enter the same new password both times, wd0.shared
and wd1.shared generate the same keys as wd0 and wd1, but only need
one password entry with `cgdconfig -C'.

cgdconfig(8): Add support for generating shared-key parameters files.

Usage model:

- Generate a parameters file that supports sharing its main key:

cgdconfig -g -S -o /etc/cgd/wd0e -V gpt adiantum

- Make another parameters file that uses the same shared main key but
derives an independent subkey from it:

cgdconfig -g -S -P /etc/cgd/wd0e -o /etc/cgd/ld1e \
-V disklabel aes-cbc 256

cgdconfig(8): Add support for shared keys.

New clause `shared <id> algorithm <alg> subkey <info>' in a keygen
block enables `cgdconfig -C' to reuse a key between different params
files, so you can, e.g., use a single password for multiple disks.
This is better than simply caching the password itself because:

- Hashing the password is expensive, so it should only be done once.

Suppose your budget is time t before you get bored, and you
calibrate password hash parameters to unlock n disks before you get
bored waiting for `cgdconfig -C'.

. With n password hashings the adversary's cost goes up only by a
factor of t/n.
. With one password hashing and n subkeys the adversary's cost goes
up by a factor of n.

And if you ever add a disk, rehashing it will make `cgdconfig -C'
go over budget, whereas another subkey adds negligible cost to you.

- Subkeys work for other types of keygen blocks, like shell_cmd,
which could be used to get a key from a hardware token that needs a
button press.

The <info> parameter must be different for each params file;
everything else in the keygen block must be the same. With this
clause, the keygen block determines a shared key used only to derive
keys; the actual key used by cgdconfig is derived from the shared key
by the specified algorithm.

The only supported algorithm is hkdf-hmac-sha256, which uses
HKDF-Expand of RFC 5869 instantiated with SHA-256.

Example:

algorithm aes-cbc;
iv-method encblkno1;
keylength 128;
verify_method none;
keygen pkcs5_pbkdf2/sha1 {
iterations 39361;
salt AAAAgMoHiYonye6KogdYJAobCHE=;
shared "pw" algorithm hkdf-hmac-sha256
subkey AAAAgFlw0BMQ5gY+haYkZ6JC+yY=;
};

The key used for this disk will be derived by

HKDF-HMAC-SHA256_k(WXDQExDmBj6FpiRnokL7Jg==),

where k is the outcome of PBKDF2-SHA1 with the given parameters.

Note that <info> encodes a four-byte prefix giving the big-endian
length in bits of the info argument to HKDF, just like all other bit
strings in cgdconfig parameters files.

If you have multiple disks configured using the same keygen block
except for the info parameter, `cgdconfig -C' will only prompt once
for your passphrase, generate a shared key k with PBKDF2 as usual,
and then reuse it for each of the disks.

cgdconfig(8): New -T operation prints all generated keys in cgd.conf.

For testing purposes.

cgdconfig(8): New -t operation just prints the derived key in base64.

For testing purposes.

cgdconfig(8): Add an argon2id password-based key generation method

This provides an extra level of side-channel and cracking resistance
compared to the pre-existing pkcs5_pbkdf2/sha1 method used for
password-based disk encryption.

Several new keygen parameters are supported:

memory (integer, in kilobytes)
parallelism (integer, usually the number of CPU cores)
version (integer, usually 19...)

We do our best to calibrate these automatically when the paramsfile
is initially generated.

lgtm riastradh@

cgdconfig(8): Fail more gracefully than SIGSEGV if shell_cmd fails.

The -n flag is useless with -g, don't mention it.

From rudolf in PR misc/36243

KNF, 80 column police, a few other tidy ups (use if (ret == 0) rather
than if (!ret) when ret is not a boolean, and test fopen result against
NULL, for example).

NFCI.

PR bin/53999 from rudolf (eq.cz)

Fix cgdconfig to report verification failures with gpt and mbr
verification methods (and not treat them as silent hard errors).
This also causes the cgd to be unconfigured when one of those
verification methods fails.

Add ATF tests to check that bad verification is reported, and
does not leave the cgd configured.

Patches from the PR applied.

branches: 1.48.2;
use explicit_memset(3)

Missed one change when doing a manual merge of my patch with kre's commit.

Add '-e' option (echo the passphrase) and wipe the passphrase after use.

XXX Using memset for wiping isn't a good idea because memset is likely
optimised away by gcc. This should be revisited.

Fix missing -p in usage message (noted by Christoph Badura, thanks),
and update -l usage as well.

While here fix man page synopses and a few other odds and ends.

Check arg count in configure() at entry, rather than later.
This avoids the stupid null deref I added a couple of commits
ago (on bad usage) and also simplifies the rest of the routine
which no longer needs to check the arg count nearly as much.

Thanks to Alexander Nasonov for finding the null deref bug.

Fix usage for rump. Fixes test breakage caused by previous commit.

Check whether the cgd device selected is available to be
configured,that is, not already in use, before requesting
passwords from the user (or elsewhere).

branches: 1.41.6; 1.41.12;
Need <sys/stat.h> for S_IFBLK.

branches: 1.40.2;
Don't chdir to the config directory; just form the parameters file with a
path if needed.

fix possibly uninitialized variable.

avoid local variable shadowing devname.

Add validation methods "mbr" and "gpt" for disks without a valid disklabel.

support wedge names.

The default param file for a wedge is still named after the device (dkN)
which might be unpredictable. Use an explicit param file instead.

List all cgd's no matter if they are not contiguously allocated

add cgdconfig -l like vnconfig -l

branches: 1.33.2; 1.33.8;
Use __dead

Convert from the oldstyle cgd_kops.op_open to the newstyle prog_open
and define RUMPPRG. Get rid of the Makefile.inc stuff, since it was
useful only for the oldstyle regime.

Remove a line that was intended only for my personal testing and that
breaks things.

In -G, refuse to operate if KEYGEN_URANDOM is specified as we already do
for KEYGEN_RANDOMKEY.

Print a warning if such a refusal is made---this will help the user understand
why there is an error.

Patch provided by: Taylor R Campbell <campbell+netbsd@mumble.net>.

Remove trailing whitespace (patch provided by: Taylor R Campbell
<campbell+netbsd@mumble.net>)

* allow specification of kernel operations vector
* make it possible to build cgdconfig as a library

PR/39525: Joachim Schueth, Frederik Sausmikat:
cgd inadvertently encrypts blkno eight times to generate IV

Add "encblkno1" IV type to encrypt only once, rename old "encblkno" to
"encblkno8" for clarity, and make "encblkno" an alias for "encblkno8"
for backward compatibility.

bzero the passphrase before freeing it, to discourage chill attacks.

Adjust this to not need -Wno-pointer-sign.

Remove the \n and tabs from the __COPYRIGHT() strings.
(Tweak some to use a consistent format.)

Add a new keygen method which will execute an external command and
take its output as the key. I've been meaning to do this for quite
a while...

Add -p flag to retrieve passphrases from stdin. This is mainly aimed
at programatic use where the caller wants to be able to use PKCS#5.

Disable looping on invalid verifications unless both a passphrase method
is in use and the -p flag is not specified.

Update man page to document -p flag.

branches: 1.21.2;
Remove clause 3 and 4 from TNF licenses

branches: 1.20.8; 1.20.10;
Do not use %d for size_t

3 month roland feedback timeout:
- Pass lint
- knf
- convert ints to size_t's

branches: 1.18.4;
Fixed format string in opendisk_werror() which was wrong since my previous
commit.

* 1 -> EXIT_FAILURE.
* Replaced atoi() with parse_int().
* Use an enum for ACTION_* instead of #define.
* Use strdup() or asnprintf() instead of strlcpy() to avoid truncation.
* pread() returns ssize_t not int.
* Suppress "unused parameter" warnings.
* verify_disklabel(): Pass the correct size to disklabel_scan().
* verify_ffs():
* Don't indicate success if pread() fails.
* Check the amount of bytes read.
* Don't cast buf to (struct fs *), it's not aligned.
* eliminate_cores(): No need for a temporary variable.

- constify.
- don't dup extern declarations on each file because they end up being
inconsistent (yyerror).

setprogname(3) needs to come before calls to err(3).

Lock all memory.

Turn off core dumps.

Add "urandomkey" key generation method as described in PR kern/22766;
useful for configuring a throwaway key for cgd-on-swap at boot time.

In getkey(), check the return values of the various keygen functions
and abort if necessary. Also, check for errors in its callers and
handle them gracefully.

OK'd by elric.

branches: 1.10.2;
Fix a longstanding algorithmic flaw in PKCS#5 key generation.

The existing pkcs5_pbdkf2 keygen method is retained functionally
as-is, for compatibility with existing params files. The corrected
algorithm, which is now the default for new params file generation, is
called pkcs5_pbkdf2/sha1.

NB. The backwards compatibility for the miscreant keygen method will
be removed at the same time as support for the previous parameters
file syntax. Sometime between now and then, users should update their
params files using -G, which will create a new params file including
an xor value so that the resulting generated key is the same; they
should also

Problem discovery and 2-char algorithm fix by Charles Blundell, messy
compat goop by me, long complicated names by Roland Dowdeswell.

Update manpage accordingly and bump date.

add a new verification method that prompts for the pkcs#5 pbkdf2
passphrase again and checks the generated key against the original.

use strlcpy

Add support for UFS2. UFS2 is an enhanced FFS, adding support for
64 bit block pointers, extended attribute storage, and a few
other things.

This commit does not yet include the code to manipulate the extended
storage (for e.g. ACLs), this will be done later.

Originally written by Kirk McKusick and Network Associates Laboratories for
FreeBSD.

Quick bugfix:
o need to do keygen_filldefaults() in generate_convert no
matter what, not only if there are no existing keygen
methods in the new parameters.

substantial rototill of the code.

o added new features:
o -G: generate a new paramsfile that produces the same
key as the old paramsfile,
o ffs verify_method,
o multiple keygen methods that are xor'ed together
(for n-factor authentication), and
o calibrating the iteration count of PKCS#5 PBKDF2 to
the current machine's speed.
o changed paramsfile format to allow for the new features.
o replaced open-coded parser with yacc grammar.
o lots of supporting changes.
o updated documentation to reflect new features and new
paramsfile format.

bugfix: was still pulling random bits from /dev/random when generating
a paramsfile of type randomkey which does not need them. Pointed out
by dan@netbsd.org.

Add the concept of a verification method which allows cgdconfig(8)
to reprompt for the passphrase if the key does not meet certain
criteria. The currently implemented methods are ``none'' and
``disklabel''. The first behaves in the original fashion, the
second will scan for a disklabel on the cgd after configuration
and if it does not find a disklabel then it will reprompt for the
password and reconfigure the disk.

Small usage enhancement: open the cgd before prompting for the passphrase
so that errors can be reported w/o asking for the passphrase unnec.

Initial checkin of cgdconfig(8), a program to configure a cgd.

Don't chdir to the config directory; just form the parameters file with a
path if needed.

Remember to add cgdconfig.h too.

Convert from the oldstyle cgd_kops.op_open to the newstyle prog_open
and define RUMPPRG. Get rid of the Makefile.inc stuff, since it was
useful only for the oldstyle regime.

Convert from the oldstyle cgd_kops.op_open to the newstyle prog_open
and define RUMPPRG. Get rid of the Makefile.inc stuff, since it was
useful only for the oldstyle regime.

cgdconfig(8): Add support for shared keys.

New clause `shared <id> algorithm <alg> subkey <info>' in a keygen
block enables `cgdconfig -C' to reuse a key between different params
files, so you can, e.g., use a single password for multiple disks.
This is better than simply caching the password itself because:

- Hashing the password is expensive, so it should only be done once.

Suppose your budget is time t before you get bored, and you
calibrate password hash parameters to unlock n disks before you get
bored waiting for `cgdconfig -C'.

. With n password hashings the adversary's cost goes up only by a
factor of t/n.
. With one password hashing and n subkeys the adversary's cost goes
up by a factor of n.

And if you ever add a disk, rehashing it will make `cgdconfig -C'
go over budget, whereas another subkey adds negligible cost to you.

- Subkeys work for other types of keygen blocks, like shell_cmd,
which could be used to get a key from a hardware token that needs a
button press.

The <info> parameter must be different for each params file;
everything else in the keygen block must be the same. With this
clause, the keygen block determines a shared key used only to derive
keys; the actual key used by cgdconfig is derived from the shared key
by the specified algorithm.

The only supported algorithm is hkdf-hmac-sha256, which uses
HKDF-Expand of RFC 5869 instantiated with SHA-256.

Example:

algorithm aes-cbc;
iv-method encblkno1;
keylength 128;
verify_method none;
keygen pkcs5_pbkdf2/sha1 {
iterations 39361;
salt AAAAgMoHiYonye6KogdYJAobCHE=;
shared "pw" algorithm hkdf-hmac-sha256
subkey AAAAgFlw0BMQ5gY+haYkZ6JC+yY=;
};

The key used for this disk will be derived by

HKDF-HMAC-SHA256_k(WXDQExDmBj6FpiRnokL7Jg==),

where k is the outcome of PBKDF2-SHA1 with the given parameters.

Note that <info> encodes a four-byte prefix giving the big-endian
length in bits of the info argument to HKDF, just like all other bit
strings in cgdconfig parameters files.

If you have multiple disks configured using the same keygen block
except for the info parameter, `cgdconfig -C' will only prompt once
for your passphrase, generate a shared key k with PBKDF2 as usual,
and then reuse it for each of the disks.

cgdconfig(8): Add an argon2id password-based key generation method

This provides an extra level of side-channel and cracking resistance
compared to the pre-existing pkcs5_pbkdf2/sha1 method used for
password-based disk encryption.

Several new keygen parameters are supported:

memory (integer, in kilobytes)
parallelism (integer, usually the number of CPU cores)
version (integer, usually 19...)

We do our best to calibrate these automatically when the paramsfile
is initially generated.

lgtm riastradh@

use %option instead of #define YY_NO_...

no unput

Add a new keygen method which will execute an external command and
take its output as the key. I've been meaning to do this for quite
a while...

branches: 1.2.2;
Remove clause 3 and 4 from TNF licenses

branches: 1.1.32; 1.1.34;
substantial rototill of the code.

o added new features:
o -G: generate a new paramsfile that produces the same
key as the old paramsfile,
o ffs verify_method,
o multiple keygen methods that are xor'ed together
(for n-factor authentication), and
o calibrating the iteration count of PKCS#5 PBKDF2 to
the current machine's speed.
o changed paramsfile format to allow for the new features.
o replaced open-coded parser with yacc grammar.
o lots of supporting changes.
o updated documentation to reflect new features and new
paramsfile format.

cgdconfig(8): Add support for shared keys.

New clause `shared <id> algorithm <alg> subkey <info>' in a keygen
block enables `cgdconfig -C' to reuse a key between different params
files, so you can, e.g., use a single password for multiple disks.
This is better than simply caching the password itself because:

- Hashing the password is expensive, so it should only be done once.

Suppose your budget is time t before you get bored, and you
calibrate password hash parameters to unlock n disks before you get
bored waiting for `cgdconfig -C'.

. With n password hashings the adversary's cost goes up only by a
factor of t/n.
. With one password hashing and n subkeys the adversary's cost goes
up by a factor of n.

And if you ever add a disk, rehashing it will make `cgdconfig -C'
go over budget, whereas another subkey adds negligible cost to you.

- Subkeys work for other types of keygen blocks, like shell_cmd,
which could be used to get a key from a hardware token that needs a
button press.

The <info> parameter must be different for each params file;
everything else in the keygen block must be the same. With this
clause, the keygen block determines a shared key used only to derive
keys; the actual key used by cgdconfig is derived from the shared key
by the specified algorithm.

The only supported algorithm is hkdf-hmac-sha256, which uses
HKDF-Expand of RFC 5869 instantiated with SHA-256.

Example:

algorithm aes-cbc;
iv-method encblkno1;
keylength 128;
verify_method none;
keygen pkcs5_pbkdf2/sha1 {
iterations 39361;
salt AAAAgMoHiYonye6KogdYJAobCHE=;
shared "pw" algorithm hkdf-hmac-sha256
subkey AAAAgFlw0BMQ5gY+haYkZ6JC+yY=;
};

The key used for this disk will be derived by

HKDF-HMAC-SHA256_k(WXDQExDmBj6FpiRnokL7Jg==),

where k is the outcome of PBKDF2-SHA1 with the given parameters.

Note that <info> encodes a four-byte prefix giving the big-endian
length in bits of the info argument to HKDF, just like all other bit
strings in cgdconfig parameters files.

If you have multiple disks configured using the same keygen block
except for the info parameter, `cgdconfig -C' will only prompt once
for your passphrase, generate a shared key k with PBKDF2 as usual,
and then reuse it for each of the disks.

cgdconfig(8): Add an argon2id password-based key generation method

This provides an extra level of side-channel and cracking resistance
compared to the pre-existing pkcs5_pbkdf2/sha1 method used for
password-based disk encryption.

Several new keygen parameters are supported:

memory (integer, in kilobytes)
parallelism (integer, usually the number of CPU cores)
version (integer, usually 19...)

We do our best to calibrate these automatically when the paramsfile
is initially generated.

lgtm riastradh@

include <stdlib.h> explicitely, for exit(), getprogname() etc.
(it happens to be pulled in by the yacc skeleton, but we shouldn't
rely on this)

Add a new keygen method which will execute an external command and
take its output as the key. I've been meaning to do this for quite
a while...

branches: 1.3.2;
Remove clause 3 and 4 from TNF licenses

branches: 1.2.20; 1.2.22;
- constify.
- don't dup extern declarations on each file because they end up being
inconsistent (yyerror).

substantial rototill of the code.

o added new features:
o -G: generate a new paramsfile that produces the same
key as the old paramsfile,
o ffs verify_method,
o multiple keygen methods that are xor'ed together
(for n-factor authentication), and
o calibrating the iteration count of PKCS#5 PBKDF2 to
the current machine's speed.
o changed paramsfile format to allow for the new features.
o replaced open-coded parser with yacc grammar.
o lots of supporting changes.
o updated documentation to reflect new features and new
paramsfile format.

yyerror returns void, not int

branches: 1.1.10; 1.1.12;
- constify.
- don't dup extern declarations on each file because they end up being
inconsistent (yyerror).

cgdconfig(8): Add support for shared keys.

New clause `shared <id> algorithm <alg> subkey <info>' in a keygen
block enables `cgdconfig -C' to reuse a key between different params
files, so you can, e.g., use a single password for multiple disks.
This is better than simply caching the password itself because:

- Hashing the password is expensive, so it should only be done once.

Suppose your budget is time t before you get bored, and you
calibrate password hash parameters to unlock n disks before you get
bored waiting for `cgdconfig -C'.

. With n password hashings the adversary's cost goes up only by a
factor of t/n.
. With one password hashing and n subkeys the adversary's cost goes
up by a factor of n.

And if you ever add a disk, rehashing it will make `cgdconfig -C'
go over budget, whereas another subkey adds negligible cost to you.

- Subkeys work for other types of keygen blocks, like shell_cmd,
which could be used to get a key from a hardware token that needs a
button press.

The <info> parameter must be different for each params file;
everything else in the keygen block must be the same. With this
clause, the keygen block determines a shared key used only to derive
keys; the actual key used by cgdconfig is derived from the shared key
by the specified algorithm.

The only supported algorithm is hkdf-hmac-sha256, which uses
HKDF-Expand of RFC 5869 instantiated with SHA-256.

Example:

algorithm aes-cbc;
iv-method encblkno1;
keylength 128;
verify_method none;
keygen pkcs5_pbkdf2/sha1 {
iterations 39361;
salt AAAAgMoHiYonye6KogdYJAobCHE=;
shared "pw" algorithm hkdf-hmac-sha256
subkey AAAAgFlw0BMQ5gY+haYkZ6JC+yY=;
};

The key used for this disk will be derived by

HKDF-HMAC-SHA256_k(WXDQExDmBj6FpiRnokL7Jg==),

where k is the outcome of PBKDF2-SHA1 with the given parameters.

Note that <info> encodes a four-byte prefix giving the big-endian
length in bits of the info argument to HKDF, just like all other bit
strings in cgdconfig parameters files.

If you have multiple disks configured using the same keygen block
except for the info parameter, `cgdconfig -C' will only prompt once
for your passphrase, generate a shared key k with PBKDF2 as usual,
and then reuse it for each of the disks.

cgdconfig(8): Add support for shared keys.

New clause `shared <id> algorithm <alg> subkey <info>' in a keygen
block enables `cgdconfig -C' to reuse a key between different params
files, so you can, e.g., use a single password for multiple disks.
This is better than simply caching the password itself because:

- Hashing the password is expensive, so it should only be done once.

Suppose your budget is time t before you get bored, and you
calibrate password hash parameters to unlock n disks before you get
bored waiting for `cgdconfig -C'.

. With n password hashings the adversary's cost goes up only by a
factor of t/n.
. With one password hashing and n subkeys the adversary's cost goes
up by a factor of n.

And if you ever add a disk, rehashing it will make `cgdconfig -C'
go over budget, whereas another subkey adds negligible cost to you.

- Subkeys work for other types of keygen blocks, like shell_cmd,
which could be used to get a key from a hardware token that needs a
button press.

The <info> parameter must be different for each params file;
everything else in the keygen block must be the same. With this
clause, the keygen block determines a shared key used only to derive
keys; the actual key used by cgdconfig is derived from the shared key
by the specified algorithm.

The only supported algorithm is hkdf-hmac-sha256, which uses
HKDF-Expand of RFC 5869 instantiated with SHA-256.

Example:

algorithm aes-cbc;
iv-method encblkno1;
keylength 128;
verify_method none;
keygen pkcs5_pbkdf2/sha1 {
iterations 39361;
salt AAAAgMoHiYonye6KogdYJAobCHE=;
shared "pw" algorithm hkdf-hmac-sha256
subkey AAAAgFlw0BMQ5gY+haYkZ6JC+yY=;
};

The key used for this disk will be derived by

HKDF-HMAC-SHA256_k(WXDQExDmBj6FpiRnokL7Jg==),

where k is the outcome of PBKDF2-SHA1 with the given parameters.

Note that <info> encodes a four-byte prefix giving the big-endian
length in bits of the info argument to HKDF, just like all other bit
strings in cgdconfig parameters files.

If you have multiple disks configured using the same keygen block
except for the info parameter, `cgdconfig -C' will only prompt once
for your passphrase, generate a shared key k with PBKDF2 as usual,
and then reuse it for each of the disks.

PR/58212: Malte Dehling: Add zfs verification method

branches: 1.34.2;
cgdconfig(8): Add support for generating shared-key parameters files.

Usage model:

- Generate a parameters file that supports sharing its main key:

cgdconfig -g -S -o /etc/cgd/wd0e -V gpt adiantum

- Make another parameters file that uses the same shared main key but
derives an independent subkey from it:

cgdconfig -g -S -P /etc/cgd/wd0e -o /etc/cgd/ld1e \
-V disklabel aes-cbc 256

cgdconfig(8): Add support for shared keys.

New clause `shared <id> algorithm <alg> subkey <info>' in a keygen
block enables `cgdconfig -C' to reuse a key between different params
files, so you can, e.g., use a single password for multiple disks.
This is better than simply caching the password itself because:

- Hashing the password is expensive, so it should only be done once.

Suppose your budget is time t before you get bored, and you
calibrate password hash parameters to unlock n disks before you get
bored waiting for `cgdconfig -C'.

. With n password hashings the adversary's cost goes up only by a
factor of t/n.
. With one password hashing and n subkeys the adversary's cost goes
up by a factor of n.

And if you ever add a disk, rehashing it will make `cgdconfig -C'
go over budget, whereas another subkey adds negligible cost to you.

- Subkeys work for other types of keygen blocks, like shell_cmd,
which could be used to get a key from a hardware token that needs a
button press.

The <info> parameter must be different for each params file;
everything else in the keygen block must be the same. With this
clause, the keygen block determines a shared key used only to derive
keys; the actual key used by cgdconfig is derived from the shared key
by the specified algorithm.

The only supported algorithm is hkdf-hmac-sha256, which uses
HKDF-Expand of RFC 5869 instantiated with SHA-256.

Example:

algorithm aes-cbc;
iv-method encblkno1;
keylength 128;
verify_method none;
keygen pkcs5_pbkdf2/sha1 {
iterations 39361;
salt AAAAgMoHiYonye6KogdYJAobCHE=;
shared "pw" algorithm hkdf-hmac-sha256
subkey AAAAgFlw0BMQ5gY+haYkZ6JC+yY=;
};

The key used for this disk will be derived by

HKDF-HMAC-SHA256_k(WXDQExDmBj6FpiRnokL7Jg==),

where k is the outcome of PBKDF2-SHA1 with the given parameters.

Note that <info> encodes a four-byte prefix giving the big-endian
length in bits of the info argument to HKDF, just like all other bit
strings in cgdconfig parameters files.

If you have multiple disks configured using the same keygen block
except for the info parameter, `cgdconfig -C' will only prompt once
for your passphrase, generate a shared key k with PBKDF2 as usual,
and then reuse it for each of the disks.

cgdconfig(8): Add an argon2id password-based key generation method

This provides an extra level of side-channel and cracking resistance
compared to the pre-existing pkcs5_pbkdf2/sha1 method used for
password-based disk encryption.

Several new keygen parameters are supported:

memory (integer, in kilobytes)
parallelism (integer, usually the number of CPU cores)
version (integer, usually 19...)

We do our best to calibrate these automatically when the paramsfile
is initially generated.

lgtm riastradh@

Make adiantum a first class citizen

branches: 1.30.8;
Avoid crash when no algorithm is specified in parameter file.

branches: 1.29.12; 1.29.14;
Add aes-xts to cgdconfig(8).

branches: 1.28.2;
CID 1340063: fix TOCTOU

Don't chdir to the config directory; just form the parameters file with a
path if needed.

fix error messages containing \n

Add validation methods "mbr" and "gpt" for disks without a valid disklabel.

PR/39525: Joachim Schueth, Frederik Sausmikat:
cgd inadvertently encrypts blkno eight times to generate IV

Add a new keygen method which will execute an external command and
take its output as the key. I've been meaning to do this for quite
a while...

branches: 1.22.2;
Remove clause 3 and 4 from TNF licenses

branches: 1.21.8; 1.21.10;
simplify and fix the combination code. Hi pooka.

3 month roland feedback timeout:
- Pass lint
- knf
- convert ints to size_t's

branches: 1.19.4;
Use warn() and warnx().

crypt_defaults_lookup():
* Avoid comparison of int with unsigned.
* Simplified.

Remove more duplicate #includes,
from Slava Semushin <slava.semushin@gmail.com>

Programs that use efun.

Proper bounds check, found by Coverity, CID 1468.

- constify.
- don't dup extern declarations on each file because they end up being
inconsistent (yyerror).

Centralize error checking for malloc,calloc,strdup.

Fix comment. We're using microseconds not milliseconds.

Fix bits vs. bytes problem in call to calibration routine.

Add "urandomkey" key generation method as described in PR kern/22766;
useful for configuring a throwaway key for cgd-on-swap at boot time.

branches: 1.9.2;
Fix a longstanding algorithmic flaw in PKCS#5 key generation.

The existing pkcs5_pbdkf2 keygen method is retained functionally
as-is, for compatibility with existing params files. The corrected
algorithm, which is now the default for new params file generation, is
called pkcs5_pbkdf2/sha1.

NB. The backwards compatibility for the miscreant keygen method will
be removed at the same time as support for the previous parameters
file syntax. Sometime between now and then, users should update their
params files using -G, which will create a new params file including
an xor value so that the resulting generated key is the same; they
should also

Problem discovery and 2-char algorithm fix by Charles Blundell, messy
compat goop by me, long complicated names by Roland Dowdeswell.

Update manpage accordingly and bump date.

add a new verification method that prompts for the pkcs#5 pbkdf2
passphrase again and checks the generated key against the original.

die if asprintf fails to malloc

If reading an old style parameters file then default a missing
keygen_iteration to 128. This will not default the iteration count
on a new style parameter file as it is an error in the new style
to fail to specify the iteration count.

Addresses PR: bin/21056

substantial rototill of the code.

o added new features:
o -G: generate a new paramsfile that produces the same
key as the old paramsfile,
o ffs verify_method,
o multiple keygen methods that are xor'ed together
(for n-factor authentication), and
o calibrating the iteration count of PKCS#5 PBKDF2 to
the current machine's speed.
o changed paramsfile format to allow for the new features.
o replaced open-coded parser with yacc grammar.
o lots of supporting changes.
o updated documentation to reflect new features and new
paramsfile format.

Make iteration count for PKCS#5 settable in the parameters files.

tweaks for fparseln(3) move from libutil to libc:
- remove #include <util.h> if nothing else needed it
- remove LDFLAGS+=-lutil if nothing else needed it

Add the concept of a verification method which allows cgdconfig(8)
to reprompt for the passphrase if the key does not meet certain
criteria. The currently implemented methods are ``none'' and
``disklabel''. The first behaves in the original fashion, the
second will scan for a disklabel on the cgd after configuration
and if it does not find a disklabel then it will reprompt for the
password and reconfigure the disk.

Initial checkin of cgdconfig(8), a program to configure a cgd.

PR/58212: Malte Dehling: Add zfs verification method

branches: 1.14.2;
cgdconfig(8): Add support for generating shared-key parameters files.

Usage model:

- Generate a parameters file that supports sharing its main key:

cgdconfig -g -S -o /etc/cgd/wd0e -V gpt adiantum

- Make another parameters file that uses the same shared main key but
derives an independent subkey from it:

cgdconfig -g -S -P /etc/cgd/wd0e -o /etc/cgd/ld1e \
-V disklabel aes-cbc 256

cgdconfig(8): Add support for shared keys.

New clause `shared <id> algorithm <alg> subkey <info>' in a keygen
block enables `cgdconfig -C' to reuse a key between different params
files, so you can, e.g., use a single password for multiple disks.
This is better than simply caching the password itself because:

- Hashing the password is expensive, so it should only be done once.

Suppose your budget is time t before you get bored, and you
calibrate password hash parameters to unlock n disks before you get
bored waiting for `cgdconfig -C'.

. With n password hashings the adversary's cost goes up only by a
factor of t/n.
. With one password hashing and n subkeys the adversary's cost goes
up by a factor of n.

And if you ever add a disk, rehashing it will make `cgdconfig -C'
go over budget, whereas another subkey adds negligible cost to you.

- Subkeys work for other types of keygen blocks, like shell_cmd,
which could be used to get a key from a hardware token that needs a
button press.

The <info> parameter must be different for each params file;
everything else in the keygen block must be the same. With this
clause, the keygen block determines a shared key used only to derive
keys; the actual key used by cgdconfig is derived from the shared key
by the specified algorithm.

The only supported algorithm is hkdf-hmac-sha256, which uses
HKDF-Expand of RFC 5869 instantiated with SHA-256.

Example:

algorithm aes-cbc;
iv-method encblkno1;
keylength 128;
verify_method none;
keygen pkcs5_pbkdf2/sha1 {
iterations 39361;
salt AAAAgMoHiYonye6KogdYJAobCHE=;
shared "pw" algorithm hkdf-hmac-sha256
subkey AAAAgFlw0BMQ5gY+haYkZ6JC+yY=;
};

The key used for this disk will be derived by

HKDF-HMAC-SHA256_k(WXDQExDmBj6FpiRnokL7Jg==),

where k is the outcome of PBKDF2-SHA1 with the given parameters.

Note that <info> encodes a four-byte prefix giving the big-endian
length in bits of the info argument to HKDF, just like all other bit
strings in cgdconfig parameters files.

If you have multiple disks configured using the same keygen block
except for the info parameter, `cgdconfig -C' will only prompt once
for your passphrase, generate a shared key k with PBKDF2 as usual,
and then reuse it for each of the disks.

cgdconfig(8): Add an argon2id password-based key generation method

This provides an extra level of side-channel and cracking resistance
compared to the pre-existing pkcs5_pbkdf2/sha1 method used for
password-based disk encryption.

Several new keygen parameters are supported:

memory (integer, in kilobytes)
parallelism (integer, usually the number of CPU cores)
version (integer, usually 19...)

We do our best to calibrate these automatically when the paramsfile
is initially generated.

lgtm riastradh@

Add validation methods "mbr" and "gpt" for disks without a valid disklabel.

Add a new keygen method which will execute an external command and
take its output as the key. I've been meaning to do this for quite
a while...

branches: 1.9.2;
Remove clause 3 and 4 from TNF licenses

branches: 1.8.8; 1.8.10;
3 month roland feedback timeout:
- Pass lint
- knf
- convert ints to size_t's

branches: 1.7.16;
Add "urandomkey" key generation method as described in PR kern/22766;
useful for configuring a throwaway key for cgd-on-swap at boot time.

branches: 1.6.2;
Fix a longstanding algorithmic flaw in PKCS#5 key generation.

The existing pkcs5_pbdkf2 keygen method is retained functionally
as-is, for compatibility with existing params files. The corrected
algorithm, which is now the default for new params file generation, is
called pkcs5_pbkdf2/sha1.

NB. The backwards compatibility for the miscreant keygen method will
be removed at the same time as support for the previous parameters
file syntax. Sometime between now and then, users should update their
params files using -G, which will create a new params file including
an xor value so that the resulting generated key is the same; they
should also

Problem discovery and 2-char algorithm fix by Charles Blundell, messy
compat goop by me, long complicated names by Roland Dowdeswell.

Update manpage accordingly and bump date.

add a new verification method that prompts for the pkcs#5 pbkdf2
passphrase again and checks the generated key against the original.

substantial rototill of the code.

o added new features:
o -G: generate a new paramsfile that produces the same
key as the old paramsfile,
o ffs verify_method,
o multiple keygen methods that are xor'ed together
(for n-factor authentication), and
o calibrating the iteration count of PKCS#5 PBKDF2 to
the current machine's speed.
o changed paramsfile format to allow for the new features.
o replaced open-coded parser with yacc grammar.
o lots of supporting changes.
o updated documentation to reflect new features and new
paramsfile format.

Make iteration count for PKCS#5 settable in the parameters files.

Add the concept of a verification method which allows cgdconfig(8)
to reprompt for the passphrase if the key does not meet certain
criteria. The currently implemented methods are ``none'' and
``disklabel''. The first behaves in the original fashion, the
second will scan for a disklabel on the cgd after configuration
and if it does not find a disklabel then it will reprompt for the
password and reconfigure the disk.

Initial checkin of cgdconfig(8), a program to configure a cgd.

cgdconfig(8): add some console feedback when calculating the number
of pkcs5_pbkdf2 iterations

replace openssl HMAC(3) with our hmac(3).

Remove trailing whitespace (patch provided by: Taylor R Campbell
<campbell+netbsd@mumble.net>)

Remove clause 3 and 4 from TNF licenses

PR/28627: Andreas Gustafsson: Try 5 times to calibrate before failing. Should
fix issues with CPU's that don't produce consistent timing output due to code
morphing or power-savings.

branches: 1.12.8; 1.12.10;
size_t != unsigned int - so don't pass the address of the former when a
pointer to the latter is expected.

3 month roland feedback timeout:
- Pass lint
- knf
- convert ints to size_t's

branches: 1.10.4;
Replaced int_encode() with be32enc().

Programs that use efun.

HMAC() wants unsigned int pointer for the final argument; make it so.

Centralize error checking for malloc,calloc,strdup.

s/milliseconds/microseconds/ in comments and a variable because it is
misleading to say one when we've been meaning the other.

Fix a longstanding algorithmic flaw in PKCS#5 key generation.

The existing pkcs5_pbdkf2 keygen method is retained functionally
as-is, for compatibility with existing params files. The corrected
algorithm, which is now the default for new params file generation, is
called pkcs5_pbkdf2/sha1.

NB. The backwards compatibility for the miscreant keygen method will
be removed at the same time as support for the previous parameters
file syntax. Sometime between now and then, users should update their
params files using -G, which will create a new params file including
an xor value so that the resulting generated key is the same; they
should also

Problem discovery and 2-char algorithm fix by Charles Blundell, messy
compat goop by me, long complicated names by Roland Dowdeswell.

Update manpage accordingly and bump date.

back out revision 1.3. this should not have been committed yet,
since it breaks backward compatibility.

noticed by recht@

add a new verification method that prompts for the pkcs#5 pbkdf2
passphrase again and checks the generated key against the original.

substantial rototill of the code.

o added new features:
o -G: generate a new paramsfile that produces the same
key as the old paramsfile,
o ffs verify_method,
o multiple keygen methods that are xor'ed together
(for n-factor authentication), and
o calibrating the iteration count of PKCS#5 PBKDF2 to
the current machine's speed.
o changed paramsfile format to allow for the new features.
o replaced open-coded parser with yacc grammar.
o lots of supporting changes.
o updated documentation to reflect new features and new
paramsfile format.

Initial checkin of cgdconfig(8), a program to configure a cgd.

Remove clause 3 and 4 from TNF licenses

branches: 1.4.8; 1.4.10;
3 month roland feedback timeout:
- Pass lint
- knf
- convert ints to size_t's

branches: 1.3.22;
Fix a longstanding algorithmic flaw in PKCS#5 key generation.

The existing pkcs5_pbdkf2 keygen method is retained functionally
as-is, for compatibility with existing params files. The corrected
algorithm, which is now the default for new params file generation, is
called pkcs5_pbkdf2/sha1.

NB. The backwards compatibility for the miscreant keygen method will
be removed at the same time as support for the previous parameters
file syntax. Sometime between now and then, users should update their
params files using -G, which will create a new params file including
an xor value so that the resulting generated key is the same; they
should also

Problem discovery and 2-char algorithm fix by Charles Blundell, messy
compat goop by me, long complicated names by Roland Dowdeswell.

Update manpage accordingly and bump date.

substantial rototill of the code.

o added new features:
o -G: generate a new paramsfile that produces the same
key as the old paramsfile,
o ffs verify_method,
o multiple keygen methods that are xor'ed together
(for n-factor authentication), and
o calibrating the iteration count of PKCS#5 PBKDF2 to
the current machine's speed.
o changed paramsfile format to allow for the new features.
o replaced open-coded parser with yacc grammar.
o lots of supporting changes.
o updated documentation to reflect new features and new
paramsfile format.

Initial checkin of cgdconfig(8), a program to configure a cgd.

Convert from the oldstyle cgd_kops.op_open to the newstyle prog_open
and define RUMPPRG. Get rid of the Makefile.inc stuff, since it was
useful only for the oldstyle regime.

Convert to C89 function definitions

branches: 1.20.6;
fix sign-compare issues

branches: 1.19.4;
Add a new keygen method which will execute an external command and
take its output as the key. I've been meaning to do this for quite
a while...

branches: 1.18.2;
Remove clause 3 and 4 from TNF licenses

branches: 1.17.8; 1.17.10;
3 month roland feedback timeout:
- Pass lint
- knf
- convert ints to size_t's

branches: 1.16.4;
memxor(): Fixed size_t/int mismatch.

Programs that use efun.

__b64_pton() wants unsigned char *.

Coverity CID 2753: Free the correct variable.

fix compile problem.

Coverity CID 1593: Plug memory leak

Coverity CID 1203: Check return code of b64_ntop().

- constify.
- don't dup extern declarations on each file because they end up being
inconsistent (yyerror).

Avoid dereferencing/free()ing invalid pointers if the random device
cannot be opened.
Detected with gcc -Wuninitialized.
(The bug was fixed in rev 1.4 by rumble but reintroduced in rev 1.5 by tv !)

one more malloc -> emalloc.

Centralize error checking for malloc,calloc,strdup.

branches: 1.5.2;
Add "urandomkey" key generation method as described in PR kern/22766;
useful for configuring a throwaway key for cgd-on-swap at boot time.

Avoid dereferencing/free()ing invalid pointers if the random device
cannot be opened.

OK'd by elric.

branches: 1.3.2;
add a new verification method that prompts for the pkcs#5 pbkdf2
passphrase again and checks the generated key against the original.

substantial rototill of the code.

o added new features:
o -G: generate a new paramsfile that produces the same
key as the old paramsfile,
o ffs verify_method,
o multiple keygen methods that are xor'ed together
(for n-factor authentication), and
o calibrating the iteration count of PKCS#5 PBKDF2 to
the current machine's speed.
o changed paramsfile format to allow for the new features.
o replaced open-coded parser with yacc grammar.
o lots of supporting changes.
o updated documentation to reflect new features and new
paramsfile format.

Initial checkin of cgdconfig(8), a program to configure a cgd.

Add a new keygen method which will execute an external command and
take its output as the key. I've been meaning to do this for quite
a while...

branches: 1.8.2;
Remove clause 3 and 4 from TNF licenses

branches: 1.7.8; 1.7.10;
3 month roland feedback timeout:
- Pass lint
- knf
- convert ints to size_t's

branches: 1.6.8;
Programs that use efun.

Centralize error checking for malloc,calloc,strdup.

Add "urandomkey" key generation method as described in PR kern/22766;
useful for configuring a throwaway key for cgd-on-swap at boot time.

branches: 1.3.2;
add a new verification method that prompts for the pkcs#5 pbkdf2
passphrase again and checks the generated key against the original.

substantial rototill of the code.

o added new features:
o -G: generate a new paramsfile that produces the same
key as the old paramsfile,
o ffs verify_method,
o multiple keygen methods that are xor'ed together
(for n-factor authentication), and
o calibrating the iteration count of PKCS#5 PBKDF2 to
the current machine's speed.
o changed paramsfile format to allow for the new features.
o replaced open-coded parser with yacc grammar.
o lots of supporting changes.
o updated documentation to reflect new features and new
paramsfile format.

Initial checkin of cgdconfig(8), a program to configure a cgd.