cgdconfig.c revision 1.22
1 /* $NetBSD: cgdconfig.c,v 1.22 2008/05/10 21:38:40 elric Exp $ */ 2 3 /*- 4 * Copyright (c) 2002, 2003 The NetBSD Foundation, Inc. 5 * All rights reserved. 6 * 7 * This code is derived from software contributed to The NetBSD Foundation 8 * by Roland C. Dowdeswell. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 20 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 21 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 22 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 23 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 24 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 25 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 26 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 27 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 28 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 * POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32 #include <sys/cdefs.h> 33 #ifndef lint 34 __COPYRIGHT( 35 "@(#) Copyright (c) 2002, 2003\ 36 The NetBSD Foundation, Inc. All rights reserved."); 37 __RCSID("$NetBSD: cgdconfig.c,v 1.22 2008/05/10 21:38:40 elric Exp $"); 38 #endif 39 40 #include <err.h> 41 #include <errno.h> 42 #include <fcntl.h> 43 #include <libgen.h> 44 #include <stdio.h> 45 #include <stdlib.h> 46 #include <string.h> 47 #include <unistd.h> 48 #include <util.h> 49 50 #include <sys/ioctl.h> 51 #include <sys/disklabel.h> 52 #include <sys/mman.h> 53 #include <sys/param.h> 54 #include <sys/resource.h> 55 56 #include <dev/cgdvar.h> 57 58 #include <ufs/ffs/fs.h> 59 60 #include "params.h" 61 #include "pkcs5_pbkdf2.h" 62 #include "utils.h" 63 64 #define CGDCONFIG_DIR "/etc/cgd" 65 #define CGDCONFIG_CFILE CGDCONFIG_DIR "/cgd.conf" 66 67 enum action { 68 ACTION_DEFAULT, /* default -> configure */ 69 ACTION_CONFIGURE, /* configure, with paramsfile */ 70 ACTION_UNCONFIGURE, /* unconfigure */ 71 ACTION_GENERATE, /* generate a paramsfile */ 72 ACTION_GENERATE_CONVERT, /* generate a ``dup'' paramsfile */ 73 ACTION_CONFIGALL, /* configure all from config file */ 74 ACTION_UNCONFIGALL, /* unconfigure all from config file */ 75 ACTION_CONFIGSTDIN /* configure, key from stdin */ 76 }; 77 78 /* if nflag is set, do not configure/unconfigure the cgd's */ 79 80 int nflag = 0; 81 82 /* if pflag is set to PFLAG_STDIN read from stdin rather than getpass(3) */ 83 84 #define PFLAG_GETPASS 0x01 85 #define PFLAG_STDIN 0x02 86 int pflag = PFLAG_GETPASS; 87 88 static int configure(int, char **, struct params *, int); 89 static int configure_stdin(struct params *, int argc, char **); 90 static int generate(struct params *, int, char **, const char *); 91 static int generate_convert(struct params *, int, char **, const char *); 92 static int unconfigure(int, char **, struct params *, int); 93 static int do_all(const char *, int, char **, 94 int (*)(int, char **, struct params *, int)); 95 96 #define CONFIG_FLAGS_FROMALL 1 /* called from configure_all() */ 97 #define CONFIG_FLAGS_FROMMAIN 2 /* called from main() */ 98 99 static int configure_params(int, const char *, const char *, 100 struct params *); 101 static void eliminate_cores(void); 102 static bits_t *getkey(const char *, struct keygen *, size_t); 103 static bits_t *getkey_storedkey(const char *, struct keygen *, size_t); 104 static bits_t *getkey_randomkey(const char *, struct keygen *, size_t, int); 105 static bits_t *getkey_pkcs5_pbkdf2(const char *, struct keygen *, size_t, int); 106 static char *maybe_getpass(char *); 107 static int opendisk_werror(const char *, char *, size_t); 108 static int unconfigure_fd(int); 109 static int verify(struct params *, int); 110 static int verify_disklabel(int); 111 static int verify_ffs(int); 112 static int verify_reenter(struct params *); 113 114 static void usage(void); 115 116 /* Verbose Framework */ 117 unsigned verbose = 0; 118 119 #define VERBOSE(x,y) if (verbose >= x) y 120 #define VPRINTF(x,y) if (verbose >= x) (void)printf y 121 122 static void 123 usage(void) 124 { 125 126 (void)fprintf(stderr, "usage: %s [-nv] [-V vmeth] cgd dev [paramsfile]\n", 127 getprogname()); 128 (void)fprintf(stderr, " %s -C [-nv] [-f configfile]\n", getprogname()); 129 (void)fprintf(stderr, " %s -U [-nv] [-f configfile]\n", getprogname()); 130 (void)fprintf(stderr, " %s -G [-nv] [-i ivmeth] [-k kgmeth] " 131 "[-o outfile] paramsfile\n", getprogname()); 132 (void)fprintf(stderr, " %s -g [-nv] [-i ivmeth] [-k kgmeth] " 133 "[-o outfile] alg [keylen]\n", getprogname()); 134 (void)fprintf(stderr, " %s -s [-nv] [-i ivmeth] cgd dev alg " 135 "[keylen]\n", getprogname()); 136 (void)fprintf(stderr, " %s -u [-nv] cgd\n", getprogname()); 137 exit(EXIT_FAILURE); 138 } 139 140 static int 141 parse_size_t(const char *s, size_t *l) 142 { 143 char *endptr; 144 long v; 145 146 errno = 0; 147 v = strtol(s, &endptr, 10); 148 if ((v == LONG_MIN || v == LONG_MAX) && errno) 149 return -1; 150 if (v < INT_MIN || v > INT_MAX) { 151 errno = ERANGE; 152 return -1; 153 } 154 if (endptr == s) { 155 errno = EINVAL; 156 return -1; 157 } 158 *l = (size_t)v; 159 return 0; 160 } 161 162 static void 163 set_action(enum action *action, enum action value) 164 { 165 if (*action != ACTION_DEFAULT) 166 usage(); 167 *action = value; 168 } 169 170 int 171 main(int argc, char **argv) 172 { 173 struct params *p; 174 struct params *tp; 175 struct keygen *kg; 176 enum action action = ACTION_DEFAULT; 177 int ch; 178 const char *cfile = NULL; 179 const char *outfile = NULL; 180 181 setprogname(*argv); 182 eliminate_cores(); 183 if (mlockall(MCL_FUTURE)) 184 err(EXIT_FAILURE, "Can't lock memory"); 185 p = params_new(); 186 kg = NULL; 187 188 while ((ch = getopt(argc, argv, "CGUV:b:f:gi:k:no:spuv")) != -1) 189 switch (ch) { 190 case 'C': 191 set_action(&action, ACTION_CONFIGALL); 192 break; 193 case 'G': 194 set_action(&action, ACTION_GENERATE_CONVERT); 195 break; 196 case 'U': 197 set_action(&action, ACTION_UNCONFIGALL); 198 break; 199 case 'V': 200 tp = params_verify_method(string_fromcharstar(optarg)); 201 if (!tp) 202 usage(); 203 p = params_combine(p, tp); 204 break; 205 case 'b': 206 { 207 size_t size; 208 209 if (parse_size_t(optarg, &size) == -1) 210 usage(); 211 tp = params_bsize(size); 212 if (!tp) 213 usage(); 214 p = params_combine(p, tp); 215 } 216 break; 217 case 'f': 218 if (cfile) 219 usage(); 220 cfile = estrdup(optarg); 221 break; 222 case 'g': 223 set_action(&action, ACTION_GENERATE); 224 break; 225 case 'i': 226 tp = params_ivmeth(string_fromcharstar(optarg)); 227 p = params_combine(p, tp); 228 break; 229 case 'k': 230 kg = keygen_method(string_fromcharstar(optarg)); 231 if (!kg) 232 usage(); 233 keygen_addlist(&p->keygen, kg); 234 break; 235 case 'n': 236 nflag = 1; 237 break; 238 case 'o': 239 if (outfile) 240 usage(); 241 outfile = estrdup(optarg); 242 break; 243 case 'p': 244 pflag = PFLAG_STDIN; 245 break; 246 case 's': 247 set_action(&action, ACTION_CONFIGSTDIN); 248 break; 249 250 case 'u': 251 set_action(&action, ACTION_UNCONFIGURE); 252 break; 253 case 'v': 254 verbose++; 255 break; 256 default: 257 usage(); 258 /* NOTREACHED */ 259 } 260 261 argc -= optind; 262 argv += optind; 263 264 if (!outfile) 265 outfile = ""; 266 if (!cfile) 267 cfile = ""; 268 269 /* validate the consistency of the arguments */ 270 271 switch (action) { 272 case ACTION_DEFAULT: /* ACTION_CONFIGURE is the default */ 273 case ACTION_CONFIGURE: 274 return configure(argc, argv, p, CONFIG_FLAGS_FROMMAIN); 275 case ACTION_UNCONFIGURE: 276 return unconfigure(argc, argv, NULL, CONFIG_FLAGS_FROMMAIN); 277 case ACTION_GENERATE: 278 return generate(p, argc, argv, outfile); 279 case ACTION_GENERATE_CONVERT: 280 return generate_convert(p, argc, argv, outfile); 281 case ACTION_CONFIGALL: 282 return do_all(cfile, argc, argv, configure); 283 case ACTION_UNCONFIGALL: 284 return do_all(cfile, argc, argv, unconfigure); 285 case ACTION_CONFIGSTDIN: 286 return configure_stdin(p, argc, argv); 287 default: 288 errx(EXIT_FAILURE, "undefined action"); 289 /* NOTREACHED */ 290 } 291 } 292 293 static bits_t * 294 getkey(const char *dev, struct keygen *kg, size_t len) 295 { 296 bits_t *ret = NULL; 297 bits_t *tmp; 298 299 VPRINTF(3, ("getkey(\"%s\", %p, %zu) called\n", dev, kg, len)); 300 for (; kg; kg=kg->next) { 301 switch (kg->kg_method) { 302 case KEYGEN_STOREDKEY: 303 tmp = getkey_storedkey(dev, kg, len); 304 break; 305 case KEYGEN_RANDOMKEY: 306 tmp = getkey_randomkey(dev, kg, len, 1); 307 break; 308 case KEYGEN_URANDOMKEY: 309 tmp = getkey_randomkey(dev, kg, len, 0); 310 break; 311 case KEYGEN_PKCS5_PBKDF2_SHA1: 312 tmp = getkey_pkcs5_pbkdf2(dev, kg, len, 0); 313 break; 314 /* provide backwards compatibility for old config files */ 315 case KEYGEN_PKCS5_PBKDF2_OLD: 316 tmp = getkey_pkcs5_pbkdf2(dev, kg, len, 1); 317 break; 318 default: 319 warnx("unrecognised keygen method %d in getkey()", 320 kg->kg_method); 321 if (ret) 322 bits_free(ret); 323 return NULL; 324 } 325 326 if (ret) 327 ret = bits_xor_d(tmp, ret); 328 else 329 ret = tmp; 330 } 331 332 return ret; 333 } 334 335 /*ARGSUSED*/ 336 static bits_t * 337 getkey_storedkey(const char *target, struct keygen *kg, size_t keylen) 338 { 339 return bits_dup(kg->kg_key); 340 } 341 342 /*ARGSUSED*/ 343 static bits_t * 344 getkey_randomkey(const char *target, struct keygen *kg, size_t keylen, int hard) 345 { 346 return bits_getrandombits(keylen, hard); 347 } 348 349 static char * 350 maybe_getpass(char *prompt) 351 { 352 char buf[1024]; 353 char *p = buf; 354 char *tmp; 355 356 switch (pflag) { 357 case PFLAG_GETPASS: 358 p = getpass(prompt); 359 break; 360 361 case PFLAG_STDIN: 362 p = fgets(buf, sizeof(buf), stdin); 363 if (p) { 364 tmp = strchr(p, '\n'); 365 if (tmp) 366 *tmp = '\0'; 367 } 368 break; 369 370 default: 371 errx(EXIT_FAILURE, "pflag set inappropriately?"); 372 } 373 374 if (!p) 375 err(EXIT_FAILURE, "failed to read passphrase"); 376 377 return estrdup(p); 378 } 379 380 /*ARGSUSED*/ 381 /* 382 * XXX take, and pass through, a compat flag that indicates whether we 383 * provide backwards compatibility with a previous bug. The previous 384 * behaviour is indicated by the keygen method pkcs5_pbkdf2, and a 385 * non-zero compat flag. The new default, and correct keygen method is 386 * called pcks5_pbkdf2/sha1. When the old method is removed, so will 387 * be the compat argument. 388 */ 389 static bits_t * 390 getkey_pkcs5_pbkdf2(const char *target, struct keygen *kg, size_t keylen, 391 int compat) 392 { 393 bits_t *ret; 394 u_int8_t *passp; 395 char buf[1024]; 396 u_int8_t *tmp; 397 398 snprintf(buf, sizeof(buf), "%s's passphrase:", target); 399 passp = (u_int8_t *)maybe_getpass(buf); 400 if (pkcs5_pbkdf2(&tmp, BITS2BYTES(keylen), passp, strlen(passp), 401 bits_getbuf(kg->kg_salt), BITS2BYTES(bits_len(kg->kg_salt)), 402 kg->kg_iterations, compat)) { 403 warnx("failed to generate PKCS#5 PBKDF2 key"); 404 return NULL; 405 } 406 407 ret = bits_new(tmp, keylen); 408 kg->kg_key = bits_dup(ret); 409 free(passp); 410 free(tmp); 411 return ret; 412 } 413 414 /*ARGSUSED*/ 415 static int 416 unconfigure(int argc, char **argv, struct params *inparams, int flags) 417 { 418 int fd; 419 int ret; 420 char buf[MAXPATHLEN] = ""; 421 422 /* only complain about additional arguments, if called from main() */ 423 if (flags == CONFIG_FLAGS_FROMMAIN && argc != 1) 424 usage(); 425 426 /* if called from do_all(), then ensure that 2 or 3 args exist */ 427 if (flags == CONFIG_FLAGS_FROMALL && (argc < 2 || argc > 3)) 428 return -1; 429 430 fd = opendisk(*argv, O_RDWR, buf, sizeof(buf), 1); 431 if (fd == -1) { 432 int saved_errno = errno; 433 434 warn("can't open cgd \"%s\", \"%s\"", *argv, buf); 435 436 /* this isn't fatal with nflag != 0 */ 437 if (!nflag) 438 return saved_errno; 439 } 440 441 VPRINTF(1, ("%s (%s): clearing\n", *argv, buf)); 442 443 if (nflag) 444 return 0; 445 446 ret = unconfigure_fd(fd); 447 (void)close(fd); 448 return ret; 449 } 450 451 static int 452 unconfigure_fd(int fd) 453 { 454 struct cgd_ioctl ci; 455 456 if (ioctl(fd, CGDIOCCLR, &ci) == -1) { 457 warn("ioctl"); 458 return -1; 459 } 460 461 return 0; 462 } 463 464 /*ARGSUSED*/ 465 static int 466 configure(int argc, char **argv, struct params *inparams, int flags) 467 { 468 struct params *p; 469 struct keygen *kg; 470 int fd; 471 int loop = 0; 472 int ret; 473 char cgdname[PATH_MAX]; 474 475 if (argc == 2) { 476 char *pfile; 477 478 if (asprintf(&pfile, "%s/%s", 479 CGDCONFIG_DIR, basename(argv[1])) == -1) 480 return -1; 481 482 p = params_cget(pfile); 483 free(pfile); 484 } else if (argc == 3) { 485 p = params_cget(argv[2]); 486 } else { 487 /* print usage and exit, only if called from main() */ 488 if (flags == CONFIG_FLAGS_FROMMAIN) { 489 warnx("wrong number of args"); 490 usage(); 491 } 492 return -1; 493 } 494 495 if (!p) 496 return -1; 497 498 /* 499 * over-ride with command line specifications and fill in default 500 * values. 501 */ 502 503 p = params_combine(p, inparams); 504 ret = params_filldefaults(p); 505 if (ret) { 506 params_free(p); 507 return ret; 508 } 509 510 if (!params_verify(p)) { 511 warnx("params invalid"); 512 return -1; 513 } 514 515 /* 516 * loop over configuring the disk and checking to see if it 517 * verifies properly. We open and close the disk device each 518 * time, because if the user passes us the block device we 519 * need to flush the buffer cache. 520 * 521 * We only loop if one of the verification methods prompts for 522 * a password. 523 */ 524 525 for (kg = p->keygen; pflag == PFLAG_GETPASS && kg; kg = kg->next) 526 if ((kg->kg_method == KEYGEN_PKCS5_PBKDF2_SHA1) || 527 (kg->kg_method == KEYGEN_PKCS5_PBKDF2_OLD )) { 528 loop = 1; 529 break; 530 } 531 532 for (;;) { 533 fd = opendisk_werror(argv[0], cgdname, sizeof(cgdname)); 534 if (fd == -1) 535 return -1; 536 537 if (p->key) 538 bits_free(p->key); 539 540 p->key = getkey(argv[1], p->keygen, p->keylen); 541 if (!p->key) 542 goto bail_err; 543 544 ret = configure_params(fd, cgdname, argv[1], p); 545 if (ret) 546 goto bail_err; 547 548 ret = verify(p, fd); 549 if (ret == -1) 550 goto bail_err; 551 if (!ret) 552 break; 553 554 (void)unconfigure_fd(fd); 555 (void)close(fd); 556 557 if (!loop) { 558 warnx("verification failed permanently"); 559 goto bail_err; 560 } 561 562 warnx("verification failed, please reenter passphrase"); 563 } 564 565 params_free(p); 566 (void)close(fd); 567 return 0; 568 bail_err: 569 params_free(p); 570 (void)close(fd); 571 return -1; 572 } 573 574 static int 575 configure_stdin(struct params *p, int argc, char **argv) 576 { 577 int fd; 578 int ret; 579 char cgdname[PATH_MAX]; 580 581 if (argc < 3 || argc > 4) 582 usage(); 583 584 p->algorithm = string_fromcharstar(argv[2]); 585 if (argc > 3) { 586 size_t keylen; 587 588 if (parse_size_t(argv[3], &keylen) == -1) { 589 warn("failed to parse key length"); 590 return -1; 591 } 592 p->keylen = keylen; 593 } 594 595 ret = params_filldefaults(p); 596 if (ret) 597 return ret; 598 599 fd = opendisk_werror(argv[0], cgdname, sizeof(cgdname)); 600 if (fd == -1) 601 return -1; 602 603 p->key = bits_fget(stdin, p->keylen); 604 if (!p->key) { 605 warnx("failed to read key from stdin"); 606 return -1; 607 } 608 609 return configure_params(fd, cgdname, argv[1], p); 610 } 611 612 static int 613 opendisk_werror(const char *cgd, char *buf, size_t buflen) 614 { 615 int fd; 616 617 VPRINTF(3, ("opendisk_werror(%s, %s, %zu) called.\n", cgd, buf, buflen)); 618 619 /* sanity */ 620 if (!cgd || !buf) 621 return -1; 622 623 if (nflag) { 624 if (strlcpy(buf, cgd, buflen) >= buflen) 625 return -1; 626 return 0; 627 } 628 629 fd = opendisk(cgd, O_RDWR, buf, buflen, 0); 630 if (fd == -1) 631 warnx("can't open cgd \"%s\", \"%s\"", cgd, buf); 632 633 return fd; 634 } 635 636 static int 637 configure_params(int fd, const char *cgd, const char *dev, struct params *p) 638 { 639 struct cgd_ioctl ci; 640 641 /* sanity */ 642 if (!cgd || !dev) 643 return -1; 644 645 (void)memset(&ci, 0x0, sizeof(ci)); 646 ci.ci_disk = dev; 647 ci.ci_alg = string_tocharstar(p->algorithm); 648 ci.ci_ivmethod = string_tocharstar(p->ivmeth); 649 ci.ci_key = bits_getbuf(p->key); 650 ci.ci_keylen = p->keylen; 651 ci.ci_blocksize = p->bsize; 652 653 VPRINTF(1, (" with alg %s keylen %zu blocksize %zu ivmethod %s\n", 654 string_tocharstar(p->algorithm), p->keylen, p->bsize, 655 string_tocharstar(p->ivmeth))); 656 VPRINTF(2, ("key: ")); 657 VERBOSE(2, bits_fprint(stdout, p->key)); 658 VPRINTF(2, ("\n")); 659 660 if (nflag) 661 return 0; 662 663 if (ioctl(fd, CGDIOCSET, &ci) == -1) { 664 int saved_errno = errno; 665 warn("ioctl"); 666 return saved_errno; 667 } 668 669 return 0; 670 } 671 672 /* 673 * verify returns 0 for success, -1 for unrecoverable error, or 1 for retry. 674 */ 675 676 #define SCANSIZE 8192 677 678 static int 679 verify(struct params *p, int fd) 680 { 681 682 switch (p->verify_method) { 683 case VERIFY_NONE: 684 return 0; 685 case VERIFY_DISKLABEL: 686 return verify_disklabel(fd); 687 case VERIFY_FFS: 688 return verify_ffs(fd); 689 case VERIFY_REENTER: 690 return verify_reenter(p); 691 default: 692 warnx("unimplemented verification method"); 693 return -1; 694 } 695 } 696 697 static int 698 verify_disklabel(int fd) 699 { 700 struct disklabel l; 701 ssize_t ret; 702 char buf[SCANSIZE]; 703 704 /* 705 * we simply scan the first few blocks for a disklabel, ignoring 706 * any MBR/filecore sorts of logic. MSDOS and RiscOS can't read 707 * a cgd, anyway, so it is unlikely that there will be non-native 708 * partition information. 709 */ 710 711 ret = pread(fd, buf, 8192, 0); 712 if (ret < 0) { 713 warn("can't read disklabel area"); 714 return -1; 715 } 716 717 /* now scan for the disklabel */ 718 719 return disklabel_scan(&l, buf, (size_t)ret); 720 } 721 722 static off_t sblock_try[] = SBLOCKSEARCH; 723 724 static int 725 verify_ffs(int fd) 726 { 727 size_t i; 728 729 for (i = 0; sblock_try[i] != -1; i++) { 730 union { 731 char buf[SBLOCKSIZE]; 732 struct fs fs; 733 } u; 734 ssize_t ret; 735 736 ret = pread(fd, &u, sizeof(u), sblock_try[i]); 737 if (ret < 0) { 738 warn("pread"); 739 break; 740 } else if ((size_t)ret < sizeof(u)) { 741 warnx("pread: incomplete block"); 742 break; 743 } 744 switch (u.fs.fs_magic) { 745 case FS_UFS1_MAGIC: 746 case FS_UFS2_MAGIC: 747 case FS_UFS1_MAGIC_SWAPPED: 748 case FS_UFS2_MAGIC_SWAPPED: 749 return 0; 750 default: 751 continue; 752 } 753 } 754 755 return 1; /* failure */ 756 } 757 758 static int 759 verify_reenter(struct params *p) 760 { 761 struct keygen *kg; 762 bits_t *orig_key, *key; 763 int ret; 764 765 ret = 0; 766 for (kg = p->keygen; kg && !ret; kg = kg->next) { 767 if ((kg->kg_method != KEYGEN_PKCS5_PBKDF2_SHA1) && 768 (kg->kg_method != KEYGEN_PKCS5_PBKDF2_OLD )) 769 continue; 770 771 orig_key = kg->kg_key; 772 kg->kg_key = NULL; 773 774 /* add a compat flag till the _OLD method goes away */ 775 key = getkey_pkcs5_pbkdf2("re-enter device", kg, 776 bits_len(orig_key), kg->kg_method == KEYGEN_PKCS5_PBKDF2_OLD); 777 ret = !bits_match(key, orig_key); 778 779 bits_free(key); 780 bits_free(kg->kg_key); 781 kg->kg_key = orig_key; 782 } 783 784 return ret; 785 } 786 787 static int 788 generate(struct params *p, int argc, char **argv, const char *outfile) 789 { 790 int ret; 791 792 if (argc < 1 || argc > 2) 793 usage(); 794 795 p->algorithm = string_fromcharstar(argv[0]); 796 if (argc > 1) { 797 size_t keylen; 798 799 if (parse_size_t(argv[1], &keylen) == -1) { 800 warn("Failed to parse key length"); 801 return -1; 802 } 803 p->keylen = keylen; 804 } 805 806 ret = params_filldefaults(p); 807 if (ret) 808 return ret; 809 810 if (!p->keygen) { 811 p->keygen = keygen_generate(KEYGEN_PKCS5_PBKDF2_SHA1); 812 if (!p->keygen) 813 return -1; 814 } 815 816 if (keygen_filldefaults(p->keygen, p->keylen)) { 817 warnx("Failed to generate defaults for keygen"); 818 return -1; 819 } 820 821 if (!params_verify(p)) { 822 warnx("invalid parameters generated"); 823 return -1; 824 } 825 826 return params_cput(p, outfile); 827 } 828 829 static int 830 generate_convert(struct params *p, int argc, char **argv, const char *outfile) 831 { 832 struct params *oldp; 833 struct keygen *kg; 834 835 if (argc != 1) 836 usage(); 837 838 oldp = params_cget(*argv); 839 if (!oldp) 840 return -1; 841 842 /* for sanity, we ensure that none of the keygens are randomkey */ 843 for (kg=p->keygen; kg; kg=kg->next) 844 if (kg->kg_method == KEYGEN_RANDOMKEY) 845 goto bail; 846 for (kg=oldp->keygen; kg; kg=kg->next) 847 if (kg->kg_method == KEYGEN_RANDOMKEY) 848 goto bail; 849 850 if (!params_verify(oldp)) { 851 warnx("invalid old parameters file \"%s\"", *argv); 852 return -1; 853 } 854 855 oldp->key = getkey("old file", oldp->keygen, oldp->keylen); 856 857 /* we copy across the non-keygen info, here. */ 858 859 string_free(p->algorithm); 860 string_free(p->ivmeth); 861 862 p->algorithm = string_dup(oldp->algorithm); 863 p->ivmeth = string_dup(oldp->ivmeth); 864 p->keylen = oldp->keylen; 865 p->bsize = oldp->bsize; 866 if (p->verify_method == VERIFY_UNKNOWN) 867 p->verify_method = oldp->verify_method; 868 869 params_free(oldp); 870 871 if (!p->keygen) { 872 p->keygen = keygen_generate(KEYGEN_PKCS5_PBKDF2_SHA1); 873 if (!p->keygen) 874 return -1; 875 } 876 (void)params_filldefaults(p); 877 (void)keygen_filldefaults(p->keygen, p->keylen); 878 p->key = getkey("new file", p->keygen, p->keylen); 879 880 kg = keygen_generate(KEYGEN_STOREDKEY); 881 kg->kg_key = bits_xor(p->key, oldp->key); 882 keygen_addlist(&p->keygen, kg); 883 884 if (!params_verify(p)) { 885 warnx("can't generate new parameters file"); 886 return -1; 887 } 888 889 return params_cput(p, outfile); 890 bail: 891 params_free(oldp); 892 return -1; 893 } 894 895 static int 896 /*ARGSUSED*/ 897 do_all(const char *cfile, int argc, char **argv, 898 int (*conf)(int, char **, struct params *, int)) 899 { 900 FILE *f; 901 size_t len; 902 size_t lineno; 903 int my_argc; 904 int ret; 905 const char *fn; 906 char *line; 907 char **my_argv; 908 909 if (argc > 0) 910 usage(); 911 912 if (!cfile[0]) 913 fn = CGDCONFIG_CFILE; 914 else 915 fn = cfile; 916 917 f = fopen(fn, "r"); 918 if (!f) { 919 warn("could not open config file \"%s\"", fn); 920 return -1; 921 } 922 923 ret = chdir(CGDCONFIG_DIR); 924 if (ret == -1) 925 warn("could not chdir to %s", CGDCONFIG_DIR); 926 927 ret = 0; 928 lineno = 0; 929 for (;;) { 930 line = fparseln(f, &len, &lineno, "\\\\#", FPARSELN_UNESCALL); 931 if (!line) 932 break; 933 if (!*line) 934 continue; 935 936 my_argv = words(line, &my_argc); 937 ret = conf(my_argc, my_argv, NULL, CONFIG_FLAGS_FROMALL); 938 if (ret) { 939 warnx("action failed on \"%s\" line %lu", fn, 940 (u_long)lineno); 941 break; 942 } 943 words_free(my_argv, my_argc); 944 } 945 return ret; 946 } 947 948 static void 949 eliminate_cores(void) 950 { 951 struct rlimit rlp; 952 953 rlp.rlim_cur = 0; 954 rlp.rlim_max = 0; 955 if (setrlimit(RLIMIT_CORE, &rlp) == -1) 956 err(EXIT_FAILURE, "Can't disable cores"); 957 } 958
Indexes created Tue Sep 30 10:09:55 GMT 2025