cgdconfig.c revision 1.23
1 /* $NetBSD: cgdconfig.c,v 1.23 2008/05/11 03:15:21 elric Exp $ */ 2 3 /*- 4 * Copyright (c) 2002, 2003 The NetBSD Foundation, Inc. 5 * All rights reserved. 6 * 7 * This code is derived from software contributed to The NetBSD Foundation 8 * by Roland C. Dowdeswell. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 20 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 21 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 22 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 23 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 24 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 25 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 26 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 27 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 28 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 * POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32 #include <sys/cdefs.h> 33 #ifndef lint 34 __COPYRIGHT( 35 "@(#) Copyright (c) 2002, 2003\ 36 The NetBSD Foundation, Inc. All rights reserved."); 37 __RCSID("$NetBSD: cgdconfig.c,v 1.23 2008/05/11 03:15:21 elric Exp $"); 38 #endif 39 40 #include <err.h> 41 #include <errno.h> 42 #include <fcntl.h> 43 #include <libgen.h> 44 #include <stdio.h> 45 #include <stdlib.h> 46 #include <string.h> 47 #include <unistd.h> 48 #include <util.h> 49 50 #include <sys/ioctl.h> 51 #include <sys/disklabel.h> 52 #include <sys/mman.h> 53 #include <sys/param.h> 54 #include <sys/resource.h> 55 56 #include <dev/cgdvar.h> 57 58 #include <ufs/ffs/fs.h> 59 60 #include "params.h" 61 #include "pkcs5_pbkdf2.h" 62 #include "utils.h" 63 64 #define CGDCONFIG_DIR "/etc/cgd" 65 #define CGDCONFIG_CFILE CGDCONFIG_DIR "/cgd.conf" 66 67 enum action { 68 ACTION_DEFAULT, /* default -> configure */ 69 ACTION_CONFIGURE, /* configure, with paramsfile */ 70 ACTION_UNCONFIGURE, /* unconfigure */ 71 ACTION_GENERATE, /* generate a paramsfile */ 72 ACTION_GENERATE_CONVERT, /* generate a ``dup'' paramsfile */ 73 ACTION_CONFIGALL, /* configure all from config file */ 74 ACTION_UNCONFIGALL, /* unconfigure all from config file */ 75 ACTION_CONFIGSTDIN /* configure, key from stdin */ 76 }; 77 78 /* if nflag is set, do not configure/unconfigure the cgd's */ 79 80 int nflag = 0; 81 82 /* if pflag is set to PFLAG_STDIN read from stdin rather than getpass(3) */ 83 84 #define PFLAG_GETPASS 0x01 85 #define PFLAG_STDIN 0x02 86 int pflag = PFLAG_GETPASS; 87 88 static int configure(int, char **, struct params *, int); 89 static int configure_stdin(struct params *, int argc, char **); 90 static int generate(struct params *, int, char **, const char *); 91 static int generate_convert(struct params *, int, char **, const char *); 92 static int unconfigure(int, char **, struct params *, int); 93 static int do_all(const char *, int, char **, 94 int (*)(int, char **, struct params *, int)); 95 96 #define CONFIG_FLAGS_FROMALL 1 /* called from configure_all() */ 97 #define CONFIG_FLAGS_FROMMAIN 2 /* called from main() */ 98 99 static int configure_params(int, const char *, const char *, 100 struct params *); 101 static void eliminate_cores(void); 102 static bits_t *getkey(const char *, struct keygen *, size_t); 103 static bits_t *getkey_storedkey(const char *, struct keygen *, size_t); 104 static bits_t *getkey_randomkey(const char *, struct keygen *, size_t, int); 105 static bits_t *getkey_pkcs5_pbkdf2(const char *, struct keygen *, size_t, 106 int); 107 static bits_t *getkey_shell_cmd(const char *, struct keygen *, size_t); 108 static char *maybe_getpass(char *); 109 static int opendisk_werror(const char *, char *, size_t); 110 static int unconfigure_fd(int); 111 static int verify(struct params *, int); 112 static int verify_disklabel(int); 113 static int verify_ffs(int); 114 static int verify_reenter(struct params *); 115 116 static void usage(void); 117 118 /* Verbose Framework */ 119 unsigned verbose = 0; 120 121 #define VERBOSE(x,y) if (verbose >= x) y 122 #define VPRINTF(x,y) if (verbose >= x) (void)printf y 123 124 static void 125 usage(void) 126 { 127 128 (void)fprintf(stderr, "usage: %s [-nv] [-V vmeth] cgd dev [paramsfile]\n", 129 getprogname()); 130 (void)fprintf(stderr, " %s -C [-nv] [-f configfile]\n", getprogname()); 131 (void)fprintf(stderr, " %s -U [-nv] [-f configfile]\n", getprogname()); 132 (void)fprintf(stderr, " %s -G [-nv] [-i ivmeth] [-k kgmeth] " 133 "[-o outfile] paramsfile\n", getprogname()); 134 (void)fprintf(stderr, " %s -g [-nv] [-i ivmeth] [-k kgmeth] " 135 "[-o outfile] alg [keylen]\n", getprogname()); 136 (void)fprintf(stderr, " %s -s [-nv] [-i ivmeth] cgd dev alg " 137 "[keylen]\n", getprogname()); 138 (void)fprintf(stderr, " %s -u [-nv] cgd\n", getprogname()); 139 exit(EXIT_FAILURE); 140 } 141 142 static int 143 parse_size_t(const char *s, size_t *l) 144 { 145 char *endptr; 146 long v; 147 148 errno = 0; 149 v = strtol(s, &endptr, 10); 150 if ((v == LONG_MIN || v == LONG_MAX) && errno) 151 return -1; 152 if (v < INT_MIN || v > INT_MAX) { 153 errno = ERANGE; 154 return -1; 155 } 156 if (endptr == s) { 157 errno = EINVAL; 158 return -1; 159 } 160 *l = (size_t)v; 161 return 0; 162 } 163 164 static void 165 set_action(enum action *action, enum action value) 166 { 167 if (*action != ACTION_DEFAULT) 168 usage(); 169 *action = value; 170 } 171 172 int 173 main(int argc, char **argv) 174 { 175 struct params *p; 176 struct params *tp; 177 struct keygen *kg; 178 enum action action = ACTION_DEFAULT; 179 int ch; 180 const char *cfile = NULL; 181 const char *outfile = NULL; 182 183 setprogname(*argv); 184 eliminate_cores(); 185 if (mlockall(MCL_FUTURE)) 186 err(EXIT_FAILURE, "Can't lock memory"); 187 p = params_new(); 188 kg = NULL; 189 190 while ((ch = getopt(argc, argv, "CGUV:b:f:gi:k:no:spuv")) != -1) 191 switch (ch) { 192 case 'C': 193 set_action(&action, ACTION_CONFIGALL); 194 break; 195 case 'G': 196 set_action(&action, ACTION_GENERATE_CONVERT); 197 break; 198 case 'U': 199 set_action(&action, ACTION_UNCONFIGALL); 200 break; 201 case 'V': 202 tp = params_verify_method(string_fromcharstar(optarg)); 203 if (!tp) 204 usage(); 205 p = params_combine(p, tp); 206 break; 207 case 'b': 208 { 209 size_t size; 210 211 if (parse_size_t(optarg, &size) == -1) 212 usage(); 213 tp = params_bsize(size); 214 if (!tp) 215 usage(); 216 p = params_combine(p, tp); 217 } 218 break; 219 case 'f': 220 if (cfile) 221 usage(); 222 cfile = estrdup(optarg); 223 break; 224 case 'g': 225 set_action(&action, ACTION_GENERATE); 226 break; 227 case 'i': 228 tp = params_ivmeth(string_fromcharstar(optarg)); 229 p = params_combine(p, tp); 230 break; 231 case 'k': 232 kg = keygen_method(string_fromcharstar(optarg)); 233 if (!kg) 234 usage(); 235 keygen_addlist(&p->keygen, kg); 236 break; 237 case 'n': 238 nflag = 1; 239 break; 240 case 'o': 241 if (outfile) 242 usage(); 243 outfile = estrdup(optarg); 244 break; 245 case 'p': 246 pflag = PFLAG_STDIN; 247 break; 248 case 's': 249 set_action(&action, ACTION_CONFIGSTDIN); 250 break; 251 252 case 'u': 253 set_action(&action, ACTION_UNCONFIGURE); 254 break; 255 case 'v': 256 verbose++; 257 break; 258 default: 259 usage(); 260 /* NOTREACHED */ 261 } 262 263 argc -= optind; 264 argv += optind; 265 266 if (!outfile) 267 outfile = ""; 268 if (!cfile) 269 cfile = ""; 270 271 /* validate the consistency of the arguments */ 272 273 switch (action) { 274 case ACTION_DEFAULT: /* ACTION_CONFIGURE is the default */ 275 case ACTION_CONFIGURE: 276 return configure(argc, argv, p, CONFIG_FLAGS_FROMMAIN); 277 case ACTION_UNCONFIGURE: 278 return unconfigure(argc, argv, NULL, CONFIG_FLAGS_FROMMAIN); 279 case ACTION_GENERATE: 280 return generate(p, argc, argv, outfile); 281 case ACTION_GENERATE_CONVERT: 282 return generate_convert(p, argc, argv, outfile); 283 case ACTION_CONFIGALL: 284 return do_all(cfile, argc, argv, configure); 285 case ACTION_UNCONFIGALL: 286 return do_all(cfile, argc, argv, unconfigure); 287 case ACTION_CONFIGSTDIN: 288 return configure_stdin(p, argc, argv); 289 default: 290 errx(EXIT_FAILURE, "undefined action"); 291 /* NOTREACHED */ 292 } 293 } 294 295 static bits_t * 296 getkey(const char *dev, struct keygen *kg, size_t len) 297 { 298 bits_t *ret = NULL; 299 bits_t *tmp; 300 301 VPRINTF(3, ("getkey(\"%s\", %p, %zu) called\n", dev, kg, len)); 302 for (; kg; kg=kg->next) { 303 switch (kg->kg_method) { 304 case KEYGEN_STOREDKEY: 305 tmp = getkey_storedkey(dev, kg, len); 306 break; 307 case KEYGEN_RANDOMKEY: 308 tmp = getkey_randomkey(dev, kg, len, 1); 309 break; 310 case KEYGEN_URANDOMKEY: 311 tmp = getkey_randomkey(dev, kg, len, 0); 312 break; 313 case KEYGEN_PKCS5_PBKDF2_SHA1: 314 tmp = getkey_pkcs5_pbkdf2(dev, kg, len, 0); 315 break; 316 /* provide backwards compatibility for old config files */ 317 case KEYGEN_PKCS5_PBKDF2_OLD: 318 tmp = getkey_pkcs5_pbkdf2(dev, kg, len, 1); 319 break; 320 case KEYGEN_SHELL_CMD: 321 tmp = getkey_shell_cmd(dev, kg, len); 322 break; 323 default: 324 warnx("unrecognised keygen method %d in getkey()", 325 kg->kg_method); 326 if (ret) 327 bits_free(ret); 328 return NULL; 329 } 330 331 if (ret) 332 ret = bits_xor_d(tmp, ret); 333 else 334 ret = tmp; 335 } 336 337 return ret; 338 } 339 340 /*ARGSUSED*/ 341 static bits_t * 342 getkey_storedkey(const char *target, struct keygen *kg, size_t keylen) 343 { 344 return bits_dup(kg->kg_key); 345 } 346 347 /*ARGSUSED*/ 348 static bits_t * 349 getkey_randomkey(const char *target, struct keygen *kg, size_t keylen, int hard) 350 { 351 return bits_getrandombits(keylen, hard); 352 } 353 354 static char * 355 maybe_getpass(char *prompt) 356 { 357 char buf[1024]; 358 char *p = buf; 359 char *tmp; 360 361 switch (pflag) { 362 case PFLAG_GETPASS: 363 p = getpass(prompt); 364 break; 365 366 case PFLAG_STDIN: 367 p = fgets(buf, sizeof(buf), stdin); 368 if (p) { 369 tmp = strchr(p, '\n'); 370 if (tmp) 371 *tmp = '\0'; 372 } 373 break; 374 375 default: 376 errx(EXIT_FAILURE, "pflag set inappropriately?"); 377 } 378 379 if (!p) 380 err(EXIT_FAILURE, "failed to read passphrase"); 381 382 return estrdup(p); 383 } 384 385 /*ARGSUSED*/ 386 /* 387 * XXX take, and pass through, a compat flag that indicates whether we 388 * provide backwards compatibility with a previous bug. The previous 389 * behaviour is indicated by the keygen method pkcs5_pbkdf2, and a 390 * non-zero compat flag. The new default, and correct keygen method is 391 * called pcks5_pbkdf2/sha1. When the old method is removed, so will 392 * be the compat argument. 393 */ 394 static bits_t * 395 getkey_pkcs5_pbkdf2(const char *target, struct keygen *kg, size_t keylen, 396 int compat) 397 { 398 bits_t *ret; 399 u_int8_t *passp; 400 char buf[1024]; 401 u_int8_t *tmp; 402 403 snprintf(buf, sizeof(buf), "%s's passphrase:", target); 404 passp = (u_int8_t *)maybe_getpass(buf); 405 if (pkcs5_pbkdf2(&tmp, BITS2BYTES(keylen), passp, strlen(passp), 406 bits_getbuf(kg->kg_salt), BITS2BYTES(bits_len(kg->kg_salt)), 407 kg->kg_iterations, compat)) { 408 warnx("failed to generate PKCS#5 PBKDF2 key"); 409 return NULL; 410 } 411 412 ret = bits_new(tmp, keylen); 413 kg->kg_key = bits_dup(ret); 414 free(passp); 415 free(tmp); 416 return ret; 417 } 418 419 /*ARGSUSED*/ 420 static bits_t * 421 getkey_shell_cmd(const char *target, struct keygen *kg, size_t keylen) 422 { 423 FILE *f; 424 bits_t *ret; 425 426 f = popen(string_tocharstar(kg->kg_cmd), "r"); 427 ret = bits_fget(f, keylen); 428 pclose(f); 429 430 return ret; 431 } 432 433 /*ARGSUSED*/ 434 static int 435 unconfigure(int argc, char **argv, struct params *inparams, int flags) 436 { 437 int fd; 438 int ret; 439 char buf[MAXPATHLEN] = ""; 440 441 /* only complain about additional arguments, if called from main() */ 442 if (flags == CONFIG_FLAGS_FROMMAIN && argc != 1) 443 usage(); 444 445 /* if called from do_all(), then ensure that 2 or 3 args exist */ 446 if (flags == CONFIG_FLAGS_FROMALL && (argc < 2 || argc > 3)) 447 return -1; 448 449 fd = opendisk(*argv, O_RDWR, buf, sizeof(buf), 1); 450 if (fd == -1) { 451 int saved_errno = errno; 452 453 warn("can't open cgd \"%s\", \"%s\"", *argv, buf); 454 455 /* this isn't fatal with nflag != 0 */ 456 if (!nflag) 457 return saved_errno; 458 } 459 460 VPRINTF(1, ("%s (%s): clearing\n", *argv, buf)); 461 462 if (nflag) 463 return 0; 464 465 ret = unconfigure_fd(fd); 466 (void)close(fd); 467 return ret; 468 } 469 470 static int 471 unconfigure_fd(int fd) 472 { 473 struct cgd_ioctl ci; 474 475 if (ioctl(fd, CGDIOCCLR, &ci) == -1) { 476 warn("ioctl"); 477 return -1; 478 } 479 480 return 0; 481 } 482 483 /*ARGSUSED*/ 484 static int 485 configure(int argc, char **argv, struct params *inparams, int flags) 486 { 487 struct params *p; 488 struct keygen *kg; 489 int fd; 490 int loop = 0; 491 int ret; 492 char cgdname[PATH_MAX]; 493 494 if (argc == 2) { 495 char *pfile; 496 497 if (asprintf(&pfile, "%s/%s", 498 CGDCONFIG_DIR, basename(argv[1])) == -1) 499 return -1; 500 501 p = params_cget(pfile); 502 free(pfile); 503 } else if (argc == 3) { 504 p = params_cget(argv[2]); 505 } else { 506 /* print usage and exit, only if called from main() */ 507 if (flags == CONFIG_FLAGS_FROMMAIN) { 508 warnx("wrong number of args"); 509 usage(); 510 } 511 return -1; 512 } 513 514 if (!p) 515 return -1; 516 517 /* 518 * over-ride with command line specifications and fill in default 519 * values. 520 */ 521 522 p = params_combine(p, inparams); 523 ret = params_filldefaults(p); 524 if (ret) { 525 params_free(p); 526 return ret; 527 } 528 529 if (!params_verify(p)) { 530 warnx("params invalid"); 531 return -1; 532 } 533 534 /* 535 * loop over configuring the disk and checking to see if it 536 * verifies properly. We open and close the disk device each 537 * time, because if the user passes us the block device we 538 * need to flush the buffer cache. 539 * 540 * We only loop if one of the verification methods prompts for 541 * a password. 542 */ 543 544 for (kg = p->keygen; pflag == PFLAG_GETPASS && kg; kg = kg->next) 545 if ((kg->kg_method == KEYGEN_PKCS5_PBKDF2_SHA1) || 546 (kg->kg_method == KEYGEN_PKCS5_PBKDF2_OLD )) { 547 loop = 1; 548 break; 549 } 550 551 for (;;) { 552 fd = opendisk_werror(argv[0], cgdname, sizeof(cgdname)); 553 if (fd == -1) 554 return -1; 555 556 if (p->key) 557 bits_free(p->key); 558 559 p->key = getkey(argv[1], p->keygen, p->keylen); 560 if (!p->key) 561 goto bail_err; 562 563 ret = configure_params(fd, cgdname, argv[1], p); 564 if (ret) 565 goto bail_err; 566 567 ret = verify(p, fd); 568 if (ret == -1) 569 goto bail_err; 570 if (!ret) 571 break; 572 573 (void)unconfigure_fd(fd); 574 (void)close(fd); 575 576 if (!loop) { 577 warnx("verification failed permanently"); 578 goto bail_err; 579 } 580 581 warnx("verification failed, please reenter passphrase"); 582 } 583 584 params_free(p); 585 (void)close(fd); 586 return 0; 587 bail_err: 588 params_free(p); 589 (void)close(fd); 590 return -1; 591 } 592 593 static int 594 configure_stdin(struct params *p, int argc, char **argv) 595 { 596 int fd; 597 int ret; 598 char cgdname[PATH_MAX]; 599 600 if (argc < 3 || argc > 4) 601 usage(); 602 603 p->algorithm = string_fromcharstar(argv[2]); 604 if (argc > 3) { 605 size_t keylen; 606 607 if (parse_size_t(argv[3], &keylen) == -1) { 608 warn("failed to parse key length"); 609 return -1; 610 } 611 p->keylen = keylen; 612 } 613 614 ret = params_filldefaults(p); 615 if (ret) 616 return ret; 617 618 fd = opendisk_werror(argv[0], cgdname, sizeof(cgdname)); 619 if (fd == -1) 620 return -1; 621 622 p->key = bits_fget(stdin, p->keylen); 623 if (!p->key) { 624 warnx("failed to read key from stdin"); 625 return -1; 626 } 627 628 return configure_params(fd, cgdname, argv[1], p); 629 } 630 631 static int 632 opendisk_werror(const char *cgd, char *buf, size_t buflen) 633 { 634 int fd; 635 636 VPRINTF(3, ("opendisk_werror(%s, %s, %zu) called.\n", cgd, buf, buflen)); 637 638 /* sanity */ 639 if (!cgd || !buf) 640 return -1; 641 642 if (nflag) { 643 if (strlcpy(buf, cgd, buflen) >= buflen) 644 return -1; 645 return 0; 646 } 647 648 fd = opendisk(cgd, O_RDWR, buf, buflen, 0); 649 if (fd == -1) 650 warnx("can't open cgd \"%s\", \"%s\"", cgd, buf); 651 652 return fd; 653 } 654 655 static int 656 configure_params(int fd, const char *cgd, const char *dev, struct params *p) 657 { 658 struct cgd_ioctl ci; 659 660 /* sanity */ 661 if (!cgd || !dev) 662 return -1; 663 664 (void)memset(&ci, 0x0, sizeof(ci)); 665 ci.ci_disk = dev; 666 ci.ci_alg = string_tocharstar(p->algorithm); 667 ci.ci_ivmethod = string_tocharstar(p->ivmeth); 668 ci.ci_key = bits_getbuf(p->key); 669 ci.ci_keylen = p->keylen; 670 ci.ci_blocksize = p->bsize; 671 672 VPRINTF(1, (" with alg %s keylen %zu blocksize %zu ivmethod %s\n", 673 string_tocharstar(p->algorithm), p->keylen, p->bsize, 674 string_tocharstar(p->ivmeth))); 675 VPRINTF(2, ("key: ")); 676 VERBOSE(2, bits_fprint(stdout, p->key)); 677 VPRINTF(2, ("\n")); 678 679 if (nflag) 680 return 0; 681 682 if (ioctl(fd, CGDIOCSET, &ci) == -1) { 683 int saved_errno = errno; 684 warn("ioctl"); 685 return saved_errno; 686 } 687 688 return 0; 689 } 690 691 /* 692 * verify returns 0 for success, -1 for unrecoverable error, or 1 for retry. 693 */ 694 695 #define SCANSIZE 8192 696 697 static int 698 verify(struct params *p, int fd) 699 { 700 701 switch (p->verify_method) { 702 case VERIFY_NONE: 703 return 0; 704 case VERIFY_DISKLABEL: 705 return verify_disklabel(fd); 706 case VERIFY_FFS: 707 return verify_ffs(fd); 708 case VERIFY_REENTER: 709 return verify_reenter(p); 710 default: 711 warnx("unimplemented verification method"); 712 return -1; 713 } 714 } 715 716 static int 717 verify_disklabel(int fd) 718 { 719 struct disklabel l; 720 ssize_t ret; 721 char buf[SCANSIZE]; 722 723 /* 724 * we simply scan the first few blocks for a disklabel, ignoring 725 * any MBR/filecore sorts of logic. MSDOS and RiscOS can't read 726 * a cgd, anyway, so it is unlikely that there will be non-native 727 * partition information. 728 */ 729 730 ret = pread(fd, buf, 8192, 0); 731 if (ret < 0) { 732 warn("can't read disklabel area"); 733 return -1; 734 } 735 736 /* now scan for the disklabel */ 737 738 return disklabel_scan(&l, buf, (size_t)ret); 739 } 740 741 static off_t sblock_try[] = SBLOCKSEARCH; 742 743 static int 744 verify_ffs(int fd) 745 { 746 size_t i; 747 748 for (i = 0; sblock_try[i] != -1; i++) { 749 union { 750 char buf[SBLOCKSIZE]; 751 struct fs fs; 752 } u; 753 ssize_t ret; 754 755 ret = pread(fd, &u, sizeof(u), sblock_try[i]); 756 if (ret < 0) { 757 warn("pread"); 758 break; 759 } else if ((size_t)ret < sizeof(u)) { 760 warnx("pread: incomplete block"); 761 break; 762 } 763 switch (u.fs.fs_magic) { 764 case FS_UFS1_MAGIC: 765 case FS_UFS2_MAGIC: 766 case FS_UFS1_MAGIC_SWAPPED: 767 case FS_UFS2_MAGIC_SWAPPED: 768 return 0; 769 default: 770 continue; 771 } 772 } 773 774 return 1; /* failure */ 775 } 776 777 static int 778 verify_reenter(struct params *p) 779 { 780 struct keygen *kg; 781 bits_t *orig_key, *key; 782 int ret; 783 784 ret = 0; 785 for (kg = p->keygen; kg && !ret; kg = kg->next) { 786 if ((kg->kg_method != KEYGEN_PKCS5_PBKDF2_SHA1) && 787 (kg->kg_method != KEYGEN_PKCS5_PBKDF2_OLD )) 788 continue; 789 790 orig_key = kg->kg_key; 791 kg->kg_key = NULL; 792 793 /* add a compat flag till the _OLD method goes away */ 794 key = getkey_pkcs5_pbkdf2("re-enter device", kg, 795 bits_len(orig_key), kg->kg_method == KEYGEN_PKCS5_PBKDF2_OLD); 796 ret = !bits_match(key, orig_key); 797 798 bits_free(key); 799 bits_free(kg->kg_key); 800 kg->kg_key = orig_key; 801 } 802 803 return ret; 804 } 805 806 static int 807 generate(struct params *p, int argc, char **argv, const char *outfile) 808 { 809 int ret; 810 811 if (argc < 1 || argc > 2) 812 usage(); 813 814 p->algorithm = string_fromcharstar(argv[0]); 815 if (argc > 1) { 816 size_t keylen; 817 818 if (parse_size_t(argv[1], &keylen) == -1) { 819 warn("Failed to parse key length"); 820 return -1; 821 } 822 p->keylen = keylen; 823 } 824 825 ret = params_filldefaults(p); 826 if (ret) 827 return ret; 828 829 if (!p->keygen) { 830 p->keygen = keygen_generate(KEYGEN_PKCS5_PBKDF2_SHA1); 831 if (!p->keygen) 832 return -1; 833 } 834 835 if (keygen_filldefaults(p->keygen, p->keylen)) { 836 warnx("Failed to generate defaults for keygen"); 837 return -1; 838 } 839 840 if (!params_verify(p)) { 841 warnx("invalid parameters generated"); 842 return -1; 843 } 844 845 return params_cput(p, outfile); 846 } 847 848 static int 849 generate_convert(struct params *p, int argc, char **argv, const char *outfile) 850 { 851 struct params *oldp; 852 struct keygen *kg; 853 854 if (argc != 1) 855 usage(); 856 857 oldp = params_cget(*argv); 858 if (!oldp) 859 return -1; 860 861 /* for sanity, we ensure that none of the keygens are randomkey */ 862 for (kg=p->keygen; kg; kg=kg->next) 863 if (kg->kg_method == KEYGEN_RANDOMKEY) 864 goto bail; 865 for (kg=oldp->keygen; kg; kg=kg->next) 866 if (kg->kg_method == KEYGEN_RANDOMKEY) 867 goto bail; 868 869 if (!params_verify(oldp)) { 870 warnx("invalid old parameters file \"%s\"", *argv); 871 return -1; 872 } 873 874 oldp->key = getkey("old file", oldp->keygen, oldp->keylen); 875 876 /* we copy across the non-keygen info, here. */ 877 878 string_free(p->algorithm); 879 string_free(p->ivmeth); 880 881 p->algorithm = string_dup(oldp->algorithm); 882 p->ivmeth = string_dup(oldp->ivmeth); 883 p->keylen = oldp->keylen; 884 p->bsize = oldp->bsize; 885 if (p->verify_method == VERIFY_UNKNOWN) 886 p->verify_method = oldp->verify_method; 887 888 params_free(oldp); 889 890 if (!p->keygen) { 891 p->keygen = keygen_generate(KEYGEN_PKCS5_PBKDF2_SHA1); 892 if (!p->keygen) 893 return -1; 894 } 895 (void)params_filldefaults(p); 896 (void)keygen_filldefaults(p->keygen, p->keylen); 897 p->key = getkey("new file", p->keygen, p->keylen); 898 899 kg = keygen_generate(KEYGEN_STOREDKEY); 900 kg->kg_key = bits_xor(p->key, oldp->key); 901 keygen_addlist(&p->keygen, kg); 902 903 if (!params_verify(p)) { 904 warnx("can't generate new parameters file"); 905 return -1; 906 } 907 908 return params_cput(p, outfile); 909 bail: 910 params_free(oldp); 911 return -1; 912 } 913 914 static int 915 /*ARGSUSED*/ 916 do_all(const char *cfile, int argc, char **argv, 917 int (*conf)(int, char **, struct params *, int)) 918 { 919 FILE *f; 920 size_t len; 921 size_t lineno; 922 int my_argc; 923 int ret; 924 const char *fn; 925 char *line; 926 char **my_argv; 927 928 if (argc > 0) 929 usage(); 930 931 if (!cfile[0]) 932 fn = CGDCONFIG_CFILE; 933 else 934 fn = cfile; 935 936 f = fopen(fn, "r"); 937 if (!f) { 938 warn("could not open config file \"%s\"", fn); 939 return -1; 940 } 941 942 ret = chdir(CGDCONFIG_DIR); 943 if (ret == -1) 944 warn("could not chdir to %s", CGDCONFIG_DIR); 945 946 ret = 0; 947 lineno = 0; 948 for (;;) { 949 line = fparseln(f, &len, &lineno, "\\\\#", FPARSELN_UNESCALL); 950 if (!line) 951 break; 952 if (!*line) 953 continue; 954 955 my_argv = words(line, &my_argc); 956 ret = conf(my_argc, my_argv, NULL, CONFIG_FLAGS_FROMALL); 957 if (ret) { 958 warnx("action failed on \"%s\" line %lu", fn, 959 (u_long)lineno); 960 break; 961 } 962 words_free(my_argv, my_argc); 963 } 964 return ret; 965 } 966 967 static void 968 eliminate_cores(void) 969 { 970 struct rlimit rlp; 971 972 rlp.rlim_cur = 0; 973 rlp.rlim_max = 0; 974 if (setrlimit(RLIMIT_CORE, &rlp) == -1) 975 err(EXIT_FAILURE, "Can't disable cores"); 976 } 977
Indexes created Tue Sep 30 10:09:55 GMT 2025