cgdconfig.c revision 1.24
1 /* $NetBSD: cgdconfig.c,v 1.24 2008/07/20 01:20:21 lukem Exp $ */ 2 3 /*- 4 * Copyright (c) 2002, 2003 The NetBSD Foundation, Inc. 5 * All rights reserved. 6 * 7 * This code is derived from software contributed to The NetBSD Foundation 8 * by Roland C. Dowdeswell. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 20 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 21 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 22 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 23 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 24 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 25 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 26 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 27 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 28 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 * POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32 #include <sys/cdefs.h> 33 #ifndef lint 34 __COPYRIGHT("@(#) Copyright (c) 2002, 2003\ 35 The NetBSD Foundation, Inc. All rights reserved."); 36 __RCSID("$NetBSD: cgdconfig.c,v 1.24 2008/07/20 01:20:21 lukem Exp $"); 37 #endif 38 39 #include <err.h> 40 #include <errno.h> 41 #include <fcntl.h> 42 #include <libgen.h> 43 #include <stdio.h> 44 #include <stdlib.h> 45 #include <string.h> 46 #include <unistd.h> 47 #include <util.h> 48 49 #include <sys/ioctl.h> 50 #include <sys/disklabel.h> 51 #include <sys/mman.h> 52 #include <sys/param.h> 53 #include <sys/resource.h> 54 55 #include <dev/cgdvar.h> 56 57 #include <ufs/ffs/fs.h> 58 59 #include "params.h" 60 #include "pkcs5_pbkdf2.h" 61 #include "utils.h" 62 63 #define CGDCONFIG_DIR "/etc/cgd" 64 #define CGDCONFIG_CFILE CGDCONFIG_DIR "/cgd.conf" 65 66 enum action { 67 ACTION_DEFAULT, /* default -> configure */ 68 ACTION_CONFIGURE, /* configure, with paramsfile */ 69 ACTION_UNCONFIGURE, /* unconfigure */ 70 ACTION_GENERATE, /* generate a paramsfile */ 71 ACTION_GENERATE_CONVERT, /* generate a ``dup'' paramsfile */ 72 ACTION_CONFIGALL, /* configure all from config file */ 73 ACTION_UNCONFIGALL, /* unconfigure all from config file */ 74 ACTION_CONFIGSTDIN /* configure, key from stdin */ 75 }; 76 77 /* if nflag is set, do not configure/unconfigure the cgd's */ 78 79 int nflag = 0; 80 81 /* if pflag is set to PFLAG_STDIN read from stdin rather than getpass(3) */ 82 83 #define PFLAG_GETPASS 0x01 84 #define PFLAG_STDIN 0x02 85 int pflag = PFLAG_GETPASS; 86 87 static int configure(int, char **, struct params *, int); 88 static int configure_stdin(struct params *, int argc, char **); 89 static int generate(struct params *, int, char **, const char *); 90 static int generate_convert(struct params *, int, char **, const char *); 91 static int unconfigure(int, char **, struct params *, int); 92 static int do_all(const char *, int, char **, 93 int (*)(int, char **, struct params *, int)); 94 95 #define CONFIG_FLAGS_FROMALL 1 /* called from configure_all() */ 96 #define CONFIG_FLAGS_FROMMAIN 2 /* called from main() */ 97 98 static int configure_params(int, const char *, const char *, 99 struct params *); 100 static void eliminate_cores(void); 101 static bits_t *getkey(const char *, struct keygen *, size_t); 102 static bits_t *getkey_storedkey(const char *, struct keygen *, size_t); 103 static bits_t *getkey_randomkey(const char *, struct keygen *, size_t, int); 104 static bits_t *getkey_pkcs5_pbkdf2(const char *, struct keygen *, size_t, 105 int); 106 static bits_t *getkey_shell_cmd(const char *, struct keygen *, size_t); 107 static char *maybe_getpass(char *); 108 static int opendisk_werror(const char *, char *, size_t); 109 static int unconfigure_fd(int); 110 static int verify(struct params *, int); 111 static int verify_disklabel(int); 112 static int verify_ffs(int); 113 static int verify_reenter(struct params *); 114 115 static void usage(void); 116 117 /* Verbose Framework */ 118 unsigned verbose = 0; 119 120 #define VERBOSE(x,y) if (verbose >= x) y 121 #define VPRINTF(x,y) if (verbose >= x) (void)printf y 122 123 static void 124 usage(void) 125 { 126 127 (void)fprintf(stderr, "usage: %s [-nv] [-V vmeth] cgd dev [paramsfile]\n", 128 getprogname()); 129 (void)fprintf(stderr, " %s -C [-nv] [-f configfile]\n", getprogname()); 130 (void)fprintf(stderr, " %s -U [-nv] [-f configfile]\n", getprogname()); 131 (void)fprintf(stderr, " %s -G [-nv] [-i ivmeth] [-k kgmeth] " 132 "[-o outfile] paramsfile\n", getprogname()); 133 (void)fprintf(stderr, " %s -g [-nv] [-i ivmeth] [-k kgmeth] " 134 "[-o outfile] alg [keylen]\n", getprogname()); 135 (void)fprintf(stderr, " %s -s [-nv] [-i ivmeth] cgd dev alg " 136 "[keylen]\n", getprogname()); 137 (void)fprintf(stderr, " %s -u [-nv] cgd\n", getprogname()); 138 exit(EXIT_FAILURE); 139 } 140 141 static int 142 parse_size_t(const char *s, size_t *l) 143 { 144 char *endptr; 145 long v; 146 147 errno = 0; 148 v = strtol(s, &endptr, 10); 149 if ((v == LONG_MIN || v == LONG_MAX) && errno) 150 return -1; 151 if (v < INT_MIN || v > INT_MAX) { 152 errno = ERANGE; 153 return -1; 154 } 155 if (endptr == s) { 156 errno = EINVAL; 157 return -1; 158 } 159 *l = (size_t)v; 160 return 0; 161 } 162 163 static void 164 set_action(enum action *action, enum action value) 165 { 166 if (*action != ACTION_DEFAULT) 167 usage(); 168 *action = value; 169 } 170 171 int 172 main(int argc, char **argv) 173 { 174 struct params *p; 175 struct params *tp; 176 struct keygen *kg; 177 enum action action = ACTION_DEFAULT; 178 int ch; 179 const char *cfile = NULL; 180 const char *outfile = NULL; 181 182 setprogname(*argv); 183 eliminate_cores(); 184 if (mlockall(MCL_FUTURE)) 185 err(EXIT_FAILURE, "Can't lock memory"); 186 p = params_new(); 187 kg = NULL; 188 189 while ((ch = getopt(argc, argv, "CGUV:b:f:gi:k:no:spuv")) != -1) 190 switch (ch) { 191 case 'C': 192 set_action(&action, ACTION_CONFIGALL); 193 break; 194 case 'G': 195 set_action(&action, ACTION_GENERATE_CONVERT); 196 break; 197 case 'U': 198 set_action(&action, ACTION_UNCONFIGALL); 199 break; 200 case 'V': 201 tp = params_verify_method(string_fromcharstar(optarg)); 202 if (!tp) 203 usage(); 204 p = params_combine(p, tp); 205 break; 206 case 'b': 207 { 208 size_t size; 209 210 if (parse_size_t(optarg, &size) == -1) 211 usage(); 212 tp = params_bsize(size); 213 if (!tp) 214 usage(); 215 p = params_combine(p, tp); 216 } 217 break; 218 case 'f': 219 if (cfile) 220 usage(); 221 cfile = estrdup(optarg); 222 break; 223 case 'g': 224 set_action(&action, ACTION_GENERATE); 225 break; 226 case 'i': 227 tp = params_ivmeth(string_fromcharstar(optarg)); 228 p = params_combine(p, tp); 229 break; 230 case 'k': 231 kg = keygen_method(string_fromcharstar(optarg)); 232 if (!kg) 233 usage(); 234 keygen_addlist(&p->keygen, kg); 235 break; 236 case 'n': 237 nflag = 1; 238 break; 239 case 'o': 240 if (outfile) 241 usage(); 242 outfile = estrdup(optarg); 243 break; 244 case 'p': 245 pflag = PFLAG_STDIN; 246 break; 247 case 's': 248 set_action(&action, ACTION_CONFIGSTDIN); 249 break; 250 251 case 'u': 252 set_action(&action, ACTION_UNCONFIGURE); 253 break; 254 case 'v': 255 verbose++; 256 break; 257 default: 258 usage(); 259 /* NOTREACHED */ 260 } 261 262 argc -= optind; 263 argv += optind; 264 265 if (!outfile) 266 outfile = ""; 267 if (!cfile) 268 cfile = ""; 269 270 /* validate the consistency of the arguments */ 271 272 switch (action) { 273 case ACTION_DEFAULT: /* ACTION_CONFIGURE is the default */ 274 case ACTION_CONFIGURE: 275 return configure(argc, argv, p, CONFIG_FLAGS_FROMMAIN); 276 case ACTION_UNCONFIGURE: 277 return unconfigure(argc, argv, NULL, CONFIG_FLAGS_FROMMAIN); 278 case ACTION_GENERATE: 279 return generate(p, argc, argv, outfile); 280 case ACTION_GENERATE_CONVERT: 281 return generate_convert(p, argc, argv, outfile); 282 case ACTION_CONFIGALL: 283 return do_all(cfile, argc, argv, configure); 284 case ACTION_UNCONFIGALL: 285 return do_all(cfile, argc, argv, unconfigure); 286 case ACTION_CONFIGSTDIN: 287 return configure_stdin(p, argc, argv); 288 default: 289 errx(EXIT_FAILURE, "undefined action"); 290 /* NOTREACHED */ 291 } 292 } 293 294 static bits_t * 295 getkey(const char *dev, struct keygen *kg, size_t len) 296 { 297 bits_t *ret = NULL; 298 bits_t *tmp; 299 300 VPRINTF(3, ("getkey(\"%s\", %p, %zu) called\n", dev, kg, len)); 301 for (; kg; kg=kg->next) { 302 switch (kg->kg_method) { 303 case KEYGEN_STOREDKEY: 304 tmp = getkey_storedkey(dev, kg, len); 305 break; 306 case KEYGEN_RANDOMKEY: 307 tmp = getkey_randomkey(dev, kg, len, 1); 308 break; 309 case KEYGEN_URANDOMKEY: 310 tmp = getkey_randomkey(dev, kg, len, 0); 311 break; 312 case KEYGEN_PKCS5_PBKDF2_SHA1: 313 tmp = getkey_pkcs5_pbkdf2(dev, kg, len, 0); 314 break; 315 /* provide backwards compatibility for old config files */ 316 case KEYGEN_PKCS5_PBKDF2_OLD: 317 tmp = getkey_pkcs5_pbkdf2(dev, kg, len, 1); 318 break; 319 case KEYGEN_SHELL_CMD: 320 tmp = getkey_shell_cmd(dev, kg, len); 321 break; 322 default: 323 warnx("unrecognised keygen method %d in getkey()", 324 kg->kg_method); 325 if (ret) 326 bits_free(ret); 327 return NULL; 328 } 329 330 if (ret) 331 ret = bits_xor_d(tmp, ret); 332 else 333 ret = tmp; 334 } 335 336 return ret; 337 } 338 339 /*ARGSUSED*/ 340 static bits_t * 341 getkey_storedkey(const char *target, struct keygen *kg, size_t keylen) 342 { 343 return bits_dup(kg->kg_key); 344 } 345 346 /*ARGSUSED*/ 347 static bits_t * 348 getkey_randomkey(const char *target, struct keygen *kg, size_t keylen, int hard) 349 { 350 return bits_getrandombits(keylen, hard); 351 } 352 353 static char * 354 maybe_getpass(char *prompt) 355 { 356 char buf[1024]; 357 char *p = buf; 358 char *tmp; 359 360 switch (pflag) { 361 case PFLAG_GETPASS: 362 p = getpass(prompt); 363 break; 364 365 case PFLAG_STDIN: 366 p = fgets(buf, sizeof(buf), stdin); 367 if (p) { 368 tmp = strchr(p, '\n'); 369 if (tmp) 370 *tmp = '\0'; 371 } 372 break; 373 374 default: 375 errx(EXIT_FAILURE, "pflag set inappropriately?"); 376 } 377 378 if (!p) 379 err(EXIT_FAILURE, "failed to read passphrase"); 380 381 return estrdup(p); 382 } 383 384 /*ARGSUSED*/ 385 /* 386 * XXX take, and pass through, a compat flag that indicates whether we 387 * provide backwards compatibility with a previous bug. The previous 388 * behaviour is indicated by the keygen method pkcs5_pbkdf2, and a 389 * non-zero compat flag. The new default, and correct keygen method is 390 * called pcks5_pbkdf2/sha1. When the old method is removed, so will 391 * be the compat argument. 392 */ 393 static bits_t * 394 getkey_pkcs5_pbkdf2(const char *target, struct keygen *kg, size_t keylen, 395 int compat) 396 { 397 bits_t *ret; 398 u_int8_t *passp; 399 char buf[1024]; 400 u_int8_t *tmp; 401 402 snprintf(buf, sizeof(buf), "%s's passphrase:", target); 403 passp = (u_int8_t *)maybe_getpass(buf); 404 if (pkcs5_pbkdf2(&tmp, BITS2BYTES(keylen), passp, strlen(passp), 405 bits_getbuf(kg->kg_salt), BITS2BYTES(bits_len(kg->kg_salt)), 406 kg->kg_iterations, compat)) { 407 warnx("failed to generate PKCS#5 PBKDF2 key"); 408 return NULL; 409 } 410 411 ret = bits_new(tmp, keylen); 412 kg->kg_key = bits_dup(ret); 413 free(passp); 414 free(tmp); 415 return ret; 416 } 417 418 /*ARGSUSED*/ 419 static bits_t * 420 getkey_shell_cmd(const char *target, struct keygen *kg, size_t keylen) 421 { 422 FILE *f; 423 bits_t *ret; 424 425 f = popen(string_tocharstar(kg->kg_cmd), "r"); 426 ret = bits_fget(f, keylen); 427 pclose(f); 428 429 return ret; 430 } 431 432 /*ARGSUSED*/ 433 static int 434 unconfigure(int argc, char **argv, struct params *inparams, int flags) 435 { 436 int fd; 437 int ret; 438 char buf[MAXPATHLEN] = ""; 439 440 /* only complain about additional arguments, if called from main() */ 441 if (flags == CONFIG_FLAGS_FROMMAIN && argc != 1) 442 usage(); 443 444 /* if called from do_all(), then ensure that 2 or 3 args exist */ 445 if (flags == CONFIG_FLAGS_FROMALL && (argc < 2 || argc > 3)) 446 return -1; 447 448 fd = opendisk(*argv, O_RDWR, buf, sizeof(buf), 1); 449 if (fd == -1) { 450 int saved_errno = errno; 451 452 warn("can't open cgd \"%s\", \"%s\"", *argv, buf); 453 454 /* this isn't fatal with nflag != 0 */ 455 if (!nflag) 456 return saved_errno; 457 } 458 459 VPRINTF(1, ("%s (%s): clearing\n", *argv, buf)); 460 461 if (nflag) 462 return 0; 463 464 ret = unconfigure_fd(fd); 465 (void)close(fd); 466 return ret; 467 } 468 469 static int 470 unconfigure_fd(int fd) 471 { 472 struct cgd_ioctl ci; 473 474 if (ioctl(fd, CGDIOCCLR, &ci) == -1) { 475 warn("ioctl"); 476 return -1; 477 } 478 479 return 0; 480 } 481 482 /*ARGSUSED*/ 483 static int 484 configure(int argc, char **argv, struct params *inparams, int flags) 485 { 486 struct params *p; 487 struct keygen *kg; 488 int fd; 489 int loop = 0; 490 int ret; 491 char cgdname[PATH_MAX]; 492 493 if (argc == 2) { 494 char *pfile; 495 496 if (asprintf(&pfile, "%s/%s", 497 CGDCONFIG_DIR, basename(argv[1])) == -1) 498 return -1; 499 500 p = params_cget(pfile); 501 free(pfile); 502 } else if (argc == 3) { 503 p = params_cget(argv[2]); 504 } else { 505 /* print usage and exit, only if called from main() */ 506 if (flags == CONFIG_FLAGS_FROMMAIN) { 507 warnx("wrong number of args"); 508 usage(); 509 } 510 return -1; 511 } 512 513 if (!p) 514 return -1; 515 516 /* 517 * over-ride with command line specifications and fill in default 518 * values. 519 */ 520 521 p = params_combine(p, inparams); 522 ret = params_filldefaults(p); 523 if (ret) { 524 params_free(p); 525 return ret; 526 } 527 528 if (!params_verify(p)) { 529 warnx("params invalid"); 530 return -1; 531 } 532 533 /* 534 * loop over configuring the disk and checking to see if it 535 * verifies properly. We open and close the disk device each 536 * time, because if the user passes us the block device we 537 * need to flush the buffer cache. 538 * 539 * We only loop if one of the verification methods prompts for 540 * a password. 541 */ 542 543 for (kg = p->keygen; pflag == PFLAG_GETPASS && kg; kg = kg->next) 544 if ((kg->kg_method == KEYGEN_PKCS5_PBKDF2_SHA1) || 545 (kg->kg_method == KEYGEN_PKCS5_PBKDF2_OLD )) { 546 loop = 1; 547 break; 548 } 549 550 for (;;) { 551 fd = opendisk_werror(argv[0], cgdname, sizeof(cgdname)); 552 if (fd == -1) 553 return -1; 554 555 if (p->key) 556 bits_free(p->key); 557 558 p->key = getkey(argv[1], p->keygen, p->keylen); 559 if (!p->key) 560 goto bail_err; 561 562 ret = configure_params(fd, cgdname, argv[1], p); 563 if (ret) 564 goto bail_err; 565 566 ret = verify(p, fd); 567 if (ret == -1) 568 goto bail_err; 569 if (!ret) 570 break; 571 572 (void)unconfigure_fd(fd); 573 (void)close(fd); 574 575 if (!loop) { 576 warnx("verification failed permanently"); 577 goto bail_err; 578 } 579 580 warnx("verification failed, please reenter passphrase"); 581 } 582 583 params_free(p); 584 (void)close(fd); 585 return 0; 586 bail_err: 587 params_free(p); 588 (void)close(fd); 589 return -1; 590 } 591 592 static int 593 configure_stdin(struct params *p, int argc, char **argv) 594 { 595 int fd; 596 int ret; 597 char cgdname[PATH_MAX]; 598 599 if (argc < 3 || argc > 4) 600 usage(); 601 602 p->algorithm = string_fromcharstar(argv[2]); 603 if (argc > 3) { 604 size_t keylen; 605 606 if (parse_size_t(argv[3], &keylen) == -1) { 607 warn("failed to parse key length"); 608 return -1; 609 } 610 p->keylen = keylen; 611 } 612 613 ret = params_filldefaults(p); 614 if (ret) 615 return ret; 616 617 fd = opendisk_werror(argv[0], cgdname, sizeof(cgdname)); 618 if (fd == -1) 619 return -1; 620 621 p->key = bits_fget(stdin, p->keylen); 622 if (!p->key) { 623 warnx("failed to read key from stdin"); 624 return -1; 625 } 626 627 return configure_params(fd, cgdname, argv[1], p); 628 } 629 630 static int 631 opendisk_werror(const char *cgd, char *buf, size_t buflen) 632 { 633 int fd; 634 635 VPRINTF(3, ("opendisk_werror(%s, %s, %zu) called.\n", cgd, buf, buflen)); 636 637 /* sanity */ 638 if (!cgd || !buf) 639 return -1; 640 641 if (nflag) { 642 if (strlcpy(buf, cgd, buflen) >= buflen) 643 return -1; 644 return 0; 645 } 646 647 fd = opendisk(cgd, O_RDWR, buf, buflen, 0); 648 if (fd == -1) 649 warnx("can't open cgd \"%s\", \"%s\"", cgd, buf); 650 651 return fd; 652 } 653 654 static int 655 configure_params(int fd, const char *cgd, const char *dev, struct params *p) 656 { 657 struct cgd_ioctl ci; 658 659 /* sanity */ 660 if (!cgd || !dev) 661 return -1; 662 663 (void)memset(&ci, 0x0, sizeof(ci)); 664 ci.ci_disk = dev; 665 ci.ci_alg = string_tocharstar(p->algorithm); 666 ci.ci_ivmethod = string_tocharstar(p->ivmeth); 667 ci.ci_key = bits_getbuf(p->key); 668 ci.ci_keylen = p->keylen; 669 ci.ci_blocksize = p->bsize; 670 671 VPRINTF(1, (" with alg %s keylen %zu blocksize %zu ivmethod %s\n", 672 string_tocharstar(p->algorithm), p->keylen, p->bsize, 673 string_tocharstar(p->ivmeth))); 674 VPRINTF(2, ("key: ")); 675 VERBOSE(2, bits_fprint(stdout, p->key)); 676 VPRINTF(2, ("\n")); 677 678 if (nflag) 679 return 0; 680 681 if (ioctl(fd, CGDIOCSET, &ci) == -1) { 682 int saved_errno = errno; 683 warn("ioctl"); 684 return saved_errno; 685 } 686 687 return 0; 688 } 689 690 /* 691 * verify returns 0 for success, -1 for unrecoverable error, or 1 for retry. 692 */ 693 694 #define SCANSIZE 8192 695 696 static int 697 verify(struct params *p, int fd) 698 { 699 700 switch (p->verify_method) { 701 case VERIFY_NONE: 702 return 0; 703 case VERIFY_DISKLABEL: 704 return verify_disklabel(fd); 705 case VERIFY_FFS: 706 return verify_ffs(fd); 707 case VERIFY_REENTER: 708 return verify_reenter(p); 709 default: 710 warnx("unimplemented verification method"); 711 return -1; 712 } 713 } 714 715 static int 716 verify_disklabel(int fd) 717 { 718 struct disklabel l; 719 ssize_t ret; 720 char buf[SCANSIZE]; 721 722 /* 723 * we simply scan the first few blocks for a disklabel, ignoring 724 * any MBR/filecore sorts of logic. MSDOS and RiscOS can't read 725 * a cgd, anyway, so it is unlikely that there will be non-native 726 * partition information. 727 */ 728 729 ret = pread(fd, buf, 8192, 0); 730 if (ret < 0) { 731 warn("can't read disklabel area"); 732 return -1; 733 } 734 735 /* now scan for the disklabel */ 736 737 return disklabel_scan(&l, buf, (size_t)ret); 738 } 739 740 static off_t sblock_try[] = SBLOCKSEARCH; 741 742 static int 743 verify_ffs(int fd) 744 { 745 size_t i; 746 747 for (i = 0; sblock_try[i] != -1; i++) { 748 union { 749 char buf[SBLOCKSIZE]; 750 struct fs fs; 751 } u; 752 ssize_t ret; 753 754 ret = pread(fd, &u, sizeof(u), sblock_try[i]); 755 if (ret < 0) { 756 warn("pread"); 757 break; 758 } else if ((size_t)ret < sizeof(u)) { 759 warnx("pread: incomplete block"); 760 break; 761 } 762 switch (u.fs.fs_magic) { 763 case FS_UFS1_MAGIC: 764 case FS_UFS2_MAGIC: 765 case FS_UFS1_MAGIC_SWAPPED: 766 case FS_UFS2_MAGIC_SWAPPED: 767 return 0; 768 default: 769 continue; 770 } 771 } 772 773 return 1; /* failure */ 774 } 775 776 static int 777 verify_reenter(struct params *p) 778 { 779 struct keygen *kg; 780 bits_t *orig_key, *key; 781 int ret; 782 783 ret = 0; 784 for (kg = p->keygen; kg && !ret; kg = kg->next) { 785 if ((kg->kg_method != KEYGEN_PKCS5_PBKDF2_SHA1) && 786 (kg->kg_method != KEYGEN_PKCS5_PBKDF2_OLD )) 787 continue; 788 789 orig_key = kg->kg_key; 790 kg->kg_key = NULL; 791 792 /* add a compat flag till the _OLD method goes away */ 793 key = getkey_pkcs5_pbkdf2("re-enter device", kg, 794 bits_len(orig_key), kg->kg_method == KEYGEN_PKCS5_PBKDF2_OLD); 795 ret = !bits_match(key, orig_key); 796 797 bits_free(key); 798 bits_free(kg->kg_key); 799 kg->kg_key = orig_key; 800 } 801 802 return ret; 803 } 804 805 static int 806 generate(struct params *p, int argc, char **argv, const char *outfile) 807 { 808 int ret; 809 810 if (argc < 1 || argc > 2) 811 usage(); 812 813 p->algorithm = string_fromcharstar(argv[0]); 814 if (argc > 1) { 815 size_t keylen; 816 817 if (parse_size_t(argv[1], &keylen) == -1) { 818 warn("Failed to parse key length"); 819 return -1; 820 } 821 p->keylen = keylen; 822 } 823 824 ret = params_filldefaults(p); 825 if (ret) 826 return ret; 827 828 if (!p->keygen) { 829 p->keygen = keygen_generate(KEYGEN_PKCS5_PBKDF2_SHA1); 830 if (!p->keygen) 831 return -1; 832 } 833 834 if (keygen_filldefaults(p->keygen, p->keylen)) { 835 warnx("Failed to generate defaults for keygen"); 836 return -1; 837 } 838 839 if (!params_verify(p)) { 840 warnx("invalid parameters generated"); 841 return -1; 842 } 843 844 return params_cput(p, outfile); 845 } 846 847 static int 848 generate_convert(struct params *p, int argc, char **argv, const char *outfile) 849 { 850 struct params *oldp; 851 struct keygen *kg; 852 853 if (argc != 1) 854 usage(); 855 856 oldp = params_cget(*argv); 857 if (!oldp) 858 return -1; 859 860 /* for sanity, we ensure that none of the keygens are randomkey */ 861 for (kg=p->keygen; kg; kg=kg->next) 862 if (kg->kg_method == KEYGEN_RANDOMKEY) 863 goto bail; 864 for (kg=oldp->keygen; kg; kg=kg->next) 865 if (kg->kg_method == KEYGEN_RANDOMKEY) 866 goto bail; 867 868 if (!params_verify(oldp)) { 869 warnx("invalid old parameters file \"%s\"", *argv); 870 return -1; 871 } 872 873 oldp->key = getkey("old file", oldp->keygen, oldp->keylen); 874 875 /* we copy across the non-keygen info, here. */ 876 877 string_free(p->algorithm); 878 string_free(p->ivmeth); 879 880 p->algorithm = string_dup(oldp->algorithm); 881 p->ivmeth = string_dup(oldp->ivmeth); 882 p->keylen = oldp->keylen; 883 p->bsize = oldp->bsize; 884 if (p->verify_method == VERIFY_UNKNOWN) 885 p->verify_method = oldp->verify_method; 886 887 params_free(oldp); 888 889 if (!p->keygen) { 890 p->keygen = keygen_generate(KEYGEN_PKCS5_PBKDF2_SHA1); 891 if (!p->keygen) 892 return -1; 893 } 894 (void)params_filldefaults(p); 895 (void)keygen_filldefaults(p->keygen, p->keylen); 896 p->key = getkey("new file", p->keygen, p->keylen); 897 898 kg = keygen_generate(KEYGEN_STOREDKEY); 899 kg->kg_key = bits_xor(p->key, oldp->key); 900 keygen_addlist(&p->keygen, kg); 901 902 if (!params_verify(p)) { 903 warnx("can't generate new parameters file"); 904 return -1; 905 } 906 907 return params_cput(p, outfile); 908 bail: 909 params_free(oldp); 910 return -1; 911 } 912 913 static int 914 /*ARGSUSED*/ 915 do_all(const char *cfile, int argc, char **argv, 916 int (*conf)(int, char **, struct params *, int)) 917 { 918 FILE *f; 919 size_t len; 920 size_t lineno; 921 int my_argc; 922 int ret; 923 const char *fn; 924 char *line; 925 char **my_argv; 926 927 if (argc > 0) 928 usage(); 929 930 if (!cfile[0]) 931 fn = CGDCONFIG_CFILE; 932 else 933 fn = cfile; 934 935 f = fopen(fn, "r"); 936 if (!f) { 937 warn("could not open config file \"%s\"", fn); 938 return -1; 939 } 940 941 ret = chdir(CGDCONFIG_DIR); 942 if (ret == -1) 943 warn("could not chdir to %s", CGDCONFIG_DIR); 944 945 ret = 0; 946 lineno = 0; 947 for (;;) { 948 line = fparseln(f, &len, &lineno, "\\\\#", FPARSELN_UNESCALL); 949 if (!line) 950 break; 951 if (!*line) 952 continue; 953 954 my_argv = words(line, &my_argc); 955 ret = conf(my_argc, my_argv, NULL, CONFIG_FLAGS_FROMALL); 956 if (ret) { 957 warnx("action failed on \"%s\" line %lu", fn, 958 (u_long)lineno); 959 break; 960 } 961 words_free(my_argv, my_argc); 962 } 963 return ret; 964 } 965 966 static void 967 eliminate_cores(void) 968 { 969 struct rlimit rlp; 970 971 rlp.rlim_cur = 0; 972 rlp.rlim_max = 0; 973 if (setrlimit(RLIMIT_CORE, &rlp) == -1) 974 err(EXIT_FAILURE, "Can't disable cores"); 975 } 976
Indexes created Tue Sep 30 06:09:59 GMT 2025