cgdconfig.c revision 1.28
1 /* $NetBSD: cgdconfig.c,v 1.28 2009/09/08 21:36:35 pooka Exp $ */ 2 3 /*- 4 * Copyright (c) 2002, 2003 The NetBSD Foundation, Inc. 5 * All rights reserved. 6 * 7 * This code is derived from software contributed to The NetBSD Foundation 8 * by Roland C. Dowdeswell. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 20 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 21 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 22 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 23 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 24 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 25 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 26 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 27 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 28 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 * POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32 #include <sys/cdefs.h> 33 #ifndef lint 34 __COPYRIGHT("@(#) Copyright (c) 2002, 2003\ 35 The NetBSD Foundation, Inc. All rights reserved."); 36 __RCSID("$NetBSD: cgdconfig.c,v 1.28 2009/09/08 21:36:35 pooka Exp $"); 37 #endif 38 39 #include <err.h> 40 #include <errno.h> 41 #include <fcntl.h> 42 #include <libgen.h> 43 #include <stdio.h> 44 #include <stdlib.h> 45 #include <string.h> 46 #include <unistd.h> 47 #include <util.h> 48 49 #include <sys/ioctl.h> 50 #include <sys/disklabel.h> 51 #include <sys/mman.h> 52 #include <sys/param.h> 53 #include <sys/resource.h> 54 55 #include <dev/cgdvar.h> 56 57 #include <ufs/ffs/fs.h> 58 59 #include "params.h" 60 #include "pkcs5_pbkdf2.h" 61 #include "utils.h" 62 #include "cgd_kernelops.h" 63 #include "cgdconfig.h" 64 65 #define CGDCONFIG_DIR "/etc/cgd" 66 #define CGDCONFIG_CFILE CGDCONFIG_DIR "/cgd.conf" 67 68 enum action { 69 ACTION_DEFAULT, /* default -> configure */ 70 ACTION_CONFIGURE, /* configure, with paramsfile */ 71 ACTION_UNCONFIGURE, /* unconfigure */ 72 ACTION_GENERATE, /* generate a paramsfile */ 73 ACTION_GENERATE_CONVERT, /* generate a ``dup'' paramsfile */ 74 ACTION_CONFIGALL, /* configure all from config file */ 75 ACTION_UNCONFIGALL, /* unconfigure all from config file */ 76 ACTION_CONFIGSTDIN /* configure, key from stdin */ 77 }; 78 79 /* if nflag is set, do not configure/unconfigure the cgd's */ 80 81 int nflag = 0; 82 83 /* if pflag is set to PFLAG_STDIN read from stdin rather than getpass(3) */ 84 85 #define PFLAG_GETPASS 0x01 86 #define PFLAG_STDIN 0x02 87 int pflag = PFLAG_GETPASS; 88 89 static int configure(int, char **, struct params *, int); 90 static int configure_stdin(struct params *, int argc, char **); 91 static int generate(struct params *, int, char **, const char *); 92 static int generate_convert(struct params *, int, char **, const char *); 93 static int unconfigure(int, char **, struct params *, int); 94 static int do_all(const char *, int, char **, 95 int (*)(int, char **, struct params *, int)); 96 97 #define CONFIG_FLAGS_FROMALL 1 /* called from configure_all() */ 98 #define CONFIG_FLAGS_FROMMAIN 2 /* called from main() */ 99 100 static int configure_params(int, const char *, const char *, 101 struct params *); 102 static void eliminate_cores(void); 103 static bits_t *getkey(const char *, struct keygen *, size_t); 104 static bits_t *getkey_storedkey(const char *, struct keygen *, size_t); 105 static bits_t *getkey_randomkey(const char *, struct keygen *, size_t, int); 106 static bits_t *getkey_pkcs5_pbkdf2(const char *, struct keygen *, size_t, 107 int); 108 static bits_t *getkey_shell_cmd(const char *, struct keygen *, size_t); 109 static char *maybe_getpass(char *); 110 static int opendisk_werror(const char *, char *, size_t); 111 static int unconfigure_fd(int); 112 static int verify(struct params *, int); 113 static int verify_disklabel(int); 114 static int verify_ffs(int); 115 static int verify_reenter(struct params *); 116 117 static void usage(void); 118 119 /* Verbose Framework */ 120 unsigned verbose = 0; 121 122 #define VERBOSE(x,y) if (verbose >= x) y 123 #define VPRINTF(x,y) if (verbose >= x) (void)printf y 124 125 static void 126 usage(void) 127 { 128 129 (void)fprintf(stderr, "usage: %s [-nv] [-V vmeth] cgd dev [paramsfile]\n", 130 getprogname()); 131 (void)fprintf(stderr, " %s -C [-nv] [-f configfile]\n", getprogname()); 132 (void)fprintf(stderr, " %s -U [-nv] [-f configfile]\n", getprogname()); 133 (void)fprintf(stderr, " %s -G [-nv] [-i ivmeth] [-k kgmeth] " 134 "[-o outfile] paramsfile\n", getprogname()); 135 (void)fprintf(stderr, " %s -g [-nv] [-i ivmeth] [-k kgmeth] " 136 "[-o outfile] alg [keylen]\n", getprogname()); 137 (void)fprintf(stderr, " %s -s [-nv] [-i ivmeth] cgd dev alg " 138 "[keylen]\n", getprogname()); 139 (void)fprintf(stderr, " %s -u [-nv] cgd\n", getprogname()); 140 exit(EXIT_FAILURE); 141 } 142 143 static int 144 parse_size_t(const char *s, size_t *l) 145 { 146 char *endptr; 147 long v; 148 149 errno = 0; 150 v = strtol(s, &endptr, 10); 151 if ((v == LONG_MIN || v == LONG_MAX) && errno) 152 return -1; 153 if (v < INT_MIN || v > INT_MAX) { 154 errno = ERANGE; 155 return -1; 156 } 157 if (endptr == s) { 158 errno = EINVAL; 159 return -1; 160 } 161 *l = (size_t)v; 162 return 0; 163 } 164 165 static void 166 set_action(enum action *action, enum action value) 167 { 168 if (*action != ACTION_DEFAULT) 169 usage(); 170 *action = value; 171 } 172 173 #ifndef CGDCONFIG_AS_LIB 174 int 175 main(int argc, char **argv) 176 { 177 178 return cgdconfig(argc, argv); 179 } 180 #endif 181 182 int 183 cgdconfig(int argc, char *argv[]) 184 { 185 struct params *p; 186 struct params *tp; 187 struct keygen *kg; 188 enum action action = ACTION_DEFAULT; 189 int ch; 190 const char *cfile = NULL; 191 const char *outfile = NULL; 192 193 setprogname(*argv); 194 eliminate_cores(); 195 if (mlockall(MCL_FUTURE)) 196 err(EXIT_FAILURE, "Can't lock memory"); 197 p = params_new(); 198 kg = NULL; 199 200 while ((ch = getopt(argc, argv, "CGUV:b:f:gi:k:no:spuv")) != -1) 201 switch (ch) { 202 case 'C': 203 set_action(&action, ACTION_CONFIGALL); 204 break; 205 case 'G': 206 set_action(&action, ACTION_GENERATE_CONVERT); 207 break; 208 case 'U': 209 set_action(&action, ACTION_UNCONFIGALL); 210 break; 211 case 'V': 212 tp = params_verify_method(string_fromcharstar(optarg)); 213 if (!tp) 214 usage(); 215 p = params_combine(p, tp); 216 break; 217 case 'b': 218 { 219 size_t size; 220 221 if (parse_size_t(optarg, &size) == -1) 222 usage(); 223 tp = params_bsize(size); 224 if (!tp) 225 usage(); 226 p = params_combine(p, tp); 227 } 228 break; 229 case 'f': 230 if (cfile) 231 usage(); 232 cfile = estrdup(optarg); 233 break; 234 case 'g': 235 set_action(&action, ACTION_GENERATE); 236 break; 237 case 'i': 238 tp = params_ivmeth(string_fromcharstar(optarg)); 239 p = params_combine(p, tp); 240 break; 241 case 'k': 242 kg = keygen_method(string_fromcharstar(optarg)); 243 if (!kg) 244 usage(); 245 keygen_addlist(&p->keygen, kg); 246 break; 247 case 'n': 248 nflag = 1; 249 break; 250 case 'o': 251 if (outfile) 252 usage(); 253 outfile = estrdup(optarg); 254 break; 255 case 'p': 256 pflag = PFLAG_STDIN; 257 break; 258 case 's': 259 set_action(&action, ACTION_CONFIGSTDIN); 260 break; 261 262 case 'u': 263 set_action(&action, ACTION_UNCONFIGURE); 264 break; 265 case 'v': 266 verbose++; 267 break; 268 default: 269 usage(); 270 /* NOTREACHED */ 271 } 272 273 argc -= optind; 274 argv += optind; 275 276 if (!outfile) 277 outfile = ""; 278 if (!cfile) 279 cfile = ""; 280 281 /* validate the consistency of the arguments */ 282 283 switch (action) { 284 case ACTION_DEFAULT: /* ACTION_CONFIGURE is the default */ 285 case ACTION_CONFIGURE: 286 return configure(argc, argv, p, CONFIG_FLAGS_FROMMAIN); 287 case ACTION_UNCONFIGURE: 288 return unconfigure(argc, argv, NULL, CONFIG_FLAGS_FROMMAIN); 289 case ACTION_GENERATE: 290 return generate(p, argc, argv, outfile); 291 case ACTION_GENERATE_CONVERT: 292 return generate_convert(p, argc, argv, outfile); 293 case ACTION_CONFIGALL: 294 return do_all(cfile, argc, argv, configure); 295 case ACTION_UNCONFIGALL: 296 return do_all(cfile, argc, argv, unconfigure); 297 case ACTION_CONFIGSTDIN: 298 return configure_stdin(p, argc, argv); 299 default: 300 errx(EXIT_FAILURE, "undefined action"); 301 /* NOTREACHED */ 302 } 303 } 304 305 static bits_t * 306 getkey(const char *dev, struct keygen *kg, size_t len) 307 { 308 bits_t *ret = NULL; 309 bits_t *tmp; 310 311 VPRINTF(3, ("getkey(\"%s\", %p, %zu) called\n", dev, kg, len)); 312 for (; kg; kg=kg->next) { 313 switch (kg->kg_method) { 314 case KEYGEN_STOREDKEY: 315 tmp = getkey_storedkey(dev, kg, len); 316 break; 317 case KEYGEN_RANDOMKEY: 318 tmp = getkey_randomkey(dev, kg, len, 1); 319 break; 320 case KEYGEN_URANDOMKEY: 321 tmp = getkey_randomkey(dev, kg, len, 0); 322 break; 323 case KEYGEN_PKCS5_PBKDF2_SHA1: 324 tmp = getkey_pkcs5_pbkdf2(dev, kg, len, 0); 325 break; 326 /* provide backwards compatibility for old config files */ 327 case KEYGEN_PKCS5_PBKDF2_OLD: 328 tmp = getkey_pkcs5_pbkdf2(dev, kg, len, 1); 329 break; 330 case KEYGEN_SHELL_CMD: 331 tmp = getkey_shell_cmd(dev, kg, len); 332 break; 333 default: 334 warnx("unrecognised keygen method %d in getkey()", 335 kg->kg_method); 336 if (ret) 337 bits_free(ret); 338 return NULL; 339 } 340 341 if (ret) 342 ret = bits_xor_d(tmp, ret); 343 else 344 ret = tmp; 345 } 346 347 return ret; 348 } 349 350 /*ARGSUSED*/ 351 static bits_t * 352 getkey_storedkey(const char *target, struct keygen *kg, size_t keylen) 353 { 354 return bits_dup(kg->kg_key); 355 } 356 357 /*ARGSUSED*/ 358 static bits_t * 359 getkey_randomkey(const char *target, struct keygen *kg, size_t keylen, int hard) 360 { 361 return bits_getrandombits(keylen, hard); 362 } 363 364 static char * 365 maybe_getpass(char *prompt) 366 { 367 char buf[1024]; 368 char *p = buf; 369 char *tmp; 370 371 switch (pflag) { 372 case PFLAG_GETPASS: 373 p = getpass(prompt); 374 break; 375 376 case PFLAG_STDIN: 377 p = fgets(buf, sizeof(buf), stdin); 378 if (p) { 379 tmp = strchr(p, '\n'); 380 if (tmp) 381 *tmp = '\0'; 382 } 383 break; 384 385 default: 386 errx(EXIT_FAILURE, "pflag set inappropriately?"); 387 } 388 389 if (!p) 390 err(EXIT_FAILURE, "failed to read passphrase"); 391 392 return estrdup(p); 393 } 394 395 /*ARGSUSED*/ 396 /* 397 * XXX take, and pass through, a compat flag that indicates whether we 398 * provide backwards compatibility with a previous bug. The previous 399 * behaviour is indicated by the keygen method pkcs5_pbkdf2, and a 400 * non-zero compat flag. The new default, and correct keygen method is 401 * called pcks5_pbkdf2/sha1. When the old method is removed, so will 402 * be the compat argument. 403 */ 404 static bits_t * 405 getkey_pkcs5_pbkdf2(const char *target, struct keygen *kg, size_t keylen, 406 int compat) 407 { 408 bits_t *ret; 409 char *passp; 410 char buf[1024]; 411 u_int8_t *tmp; 412 413 snprintf(buf, sizeof(buf), "%s's passphrase:", target); 414 passp = maybe_getpass(buf); 415 if (pkcs5_pbkdf2(&tmp, BITS2BYTES(keylen), (uint8_t *)passp, 416 strlen(passp), 417 bits_getbuf(kg->kg_salt), BITS2BYTES(bits_len(kg->kg_salt)), 418 kg->kg_iterations, compat)) { 419 warnx("failed to generate PKCS#5 PBKDF2 key"); 420 return NULL; 421 } 422 423 ret = bits_new(tmp, keylen); 424 kg->kg_key = bits_dup(ret); 425 memset(passp, 0, strlen(passp)); 426 free(passp); 427 free(tmp); 428 return ret; 429 } 430 431 /*ARGSUSED*/ 432 static bits_t * 433 getkey_shell_cmd(const char *target, struct keygen *kg, size_t keylen) 434 { 435 FILE *f; 436 bits_t *ret; 437 438 f = popen(string_tocharstar(kg->kg_cmd), "r"); 439 ret = bits_fget(f, keylen); 440 pclose(f); 441 442 return ret; 443 } 444 445 /*ARGSUSED*/ 446 static int 447 unconfigure(int argc, char **argv, struct params *inparams, int flags) 448 { 449 int fd; 450 int ret; 451 char buf[MAXPATHLEN] = ""; 452 453 /* only complain about additional arguments, if called from main() */ 454 if (flags == CONFIG_FLAGS_FROMMAIN && argc != 1) 455 usage(); 456 457 /* if called from do_all(), then ensure that 2 or 3 args exist */ 458 if (flags == CONFIG_FLAGS_FROMALL && (argc < 2 || argc > 3)) 459 return -1; 460 461 fd = opendisk1(*argv, O_RDWR, buf, sizeof(buf), 1, cgd_kops.ko_open); 462 if (fd == -1) { 463 int saved_errno = errno; 464 465 warn("can't open cgd \"%s\", \"%s\"", *argv, buf); 466 467 /* this isn't fatal with nflag != 0 */ 468 if (!nflag) 469 return saved_errno; 470 } 471 472 VPRINTF(1, ("%s (%s): clearing\n", *argv, buf)); 473 474 if (nflag) 475 return 0; 476 477 ret = unconfigure_fd(fd); 478 (void)cgd_kops.ko_close(fd); 479 return ret; 480 } 481 482 static int 483 unconfigure_fd(int fd) 484 { 485 struct cgd_ioctl ci; 486 487 if (cgd_kops.ko_ioctl(fd, CGDIOCCLR, &ci) == -1) { 488 warn("ioctl"); 489 return -1; 490 } 491 492 return 0; 493 } 494 495 /*ARGSUSED*/ 496 static int 497 configure(int argc, char **argv, struct params *inparams, int flags) 498 { 499 struct params *p; 500 struct keygen *kg; 501 int fd; 502 int loop = 0; 503 int ret; 504 char cgdname[PATH_MAX]; 505 506 if (argc == 2) { 507 char *pfile; 508 509 if (asprintf(&pfile, "%s/%s", 510 CGDCONFIG_DIR, basename(argv[1])) == -1) 511 return -1; 512 513 p = params_cget(pfile); 514 free(pfile); 515 } else if (argc == 3) { 516 p = params_cget(argv[2]); 517 } else { 518 /* print usage and exit, only if called from main() */ 519 if (flags == CONFIG_FLAGS_FROMMAIN) { 520 warnx("wrong number of args"); 521 usage(); 522 } 523 return -1; 524 } 525 526 if (!p) 527 return -1; 528 529 /* 530 * over-ride with command line specifications and fill in default 531 * values. 532 */ 533 534 p = params_combine(p, inparams); 535 ret = params_filldefaults(p); 536 if (ret) { 537 params_free(p); 538 return ret; 539 } 540 541 if (!params_verify(p)) { 542 warnx("params invalid"); 543 return -1; 544 } 545 546 /* 547 * loop over configuring the disk and checking to see if it 548 * verifies properly. We open and close the disk device each 549 * time, because if the user passes us the block device we 550 * need to flush the buffer cache. 551 * 552 * We only loop if one of the verification methods prompts for 553 * a password. 554 */ 555 556 for (kg = p->keygen; pflag == PFLAG_GETPASS && kg; kg = kg->next) 557 if ((kg->kg_method == KEYGEN_PKCS5_PBKDF2_SHA1) || 558 (kg->kg_method == KEYGEN_PKCS5_PBKDF2_OLD )) { 559 loop = 1; 560 break; 561 } 562 563 for (;;) { 564 fd = opendisk_werror(argv[0], cgdname, sizeof(cgdname)); 565 if (fd == -1) 566 return -1; 567 568 if (p->key) 569 bits_free(p->key); 570 571 p->key = getkey(argv[1], p->keygen, p->keylen); 572 if (!p->key) 573 goto bail_err; 574 575 ret = configure_params(fd, cgdname, argv[1], p); 576 if (ret) 577 goto bail_err; 578 579 ret = verify(p, fd); 580 if (ret == -1) 581 goto bail_err; 582 if (!ret) 583 break; 584 585 (void)unconfigure_fd(fd); 586 (void)cgd_kops.ko_close(fd); 587 588 if (!loop) { 589 warnx("verification failed permanently"); 590 goto bail_err; 591 } 592 593 warnx("verification failed, please reenter passphrase"); 594 } 595 596 params_free(p); 597 (void)cgd_kops.ko_close(fd); 598 return 0; 599 bail_err: 600 params_free(p); 601 (void)cgd_kops.ko_close(fd); 602 return -1; 603 } 604 605 static int 606 configure_stdin(struct params *p, int argc, char **argv) 607 { 608 int fd; 609 int ret; 610 char cgdname[PATH_MAX]; 611 612 if (argc < 3 || argc > 4) 613 usage(); 614 615 p->algorithm = string_fromcharstar(argv[2]); 616 if (argc > 3) { 617 size_t keylen; 618 619 if (parse_size_t(argv[3], &keylen) == -1) { 620 warn("failed to parse key length"); 621 return -1; 622 } 623 p->keylen = keylen; 624 } 625 626 ret = params_filldefaults(p); 627 if (ret) 628 return ret; 629 630 fd = opendisk_werror(argv[0], cgdname, sizeof(cgdname)); 631 if (fd == -1) 632 return -1; 633 634 p->key = bits_fget(stdin, p->keylen); 635 if (!p->key) { 636 warnx("failed to read key from stdin"); 637 return -1; 638 } 639 640 return configure_params(fd, cgdname, argv[1], p); 641 } 642 643 static int 644 opendisk_werror(const char *cgd, char *buf, size_t buflen) 645 { 646 int fd; 647 648 VPRINTF(3, ("opendisk_werror(%s, %s, %zu) called.\n", cgd, buf, buflen)); 649 650 /* sanity */ 651 if (!cgd || !buf) 652 return -1; 653 654 if (nflag) { 655 if (strlcpy(buf, cgd, buflen) >= buflen) 656 return -1; 657 return 0; 658 } 659 660 fd = opendisk1(cgd, O_RDWR, buf, buflen, 0, cgd_kops.ko_open); 661 if (fd == -1) 662 warnx("can't open cgd \"%s\", \"%s\"", cgd, buf); 663 664 return fd; 665 } 666 667 static int 668 configure_params(int fd, const char *cgd, const char *dev, struct params *p) 669 { 670 struct cgd_ioctl ci; 671 672 /* sanity */ 673 if (!cgd || !dev) 674 return -1; 675 676 (void)memset(&ci, 0x0, sizeof(ci)); 677 ci.ci_disk = dev; 678 ci.ci_alg = string_tocharstar(p->algorithm); 679 ci.ci_ivmethod = string_tocharstar(p->ivmeth); 680 ci.ci_key = bits_getbuf(p->key); 681 ci.ci_keylen = p->keylen; 682 ci.ci_blocksize = p->bsize; 683 684 VPRINTF(1, (" with alg %s keylen %zu blocksize %zu ivmethod %s\n", 685 string_tocharstar(p->algorithm), p->keylen, p->bsize, 686 string_tocharstar(p->ivmeth))); 687 VPRINTF(2, ("key: ")); 688 VERBOSE(2, bits_fprint(stdout, p->key)); 689 VPRINTF(2, ("\n")); 690 691 if (nflag) 692 return 0; 693 694 if (cgd_kops.ko_ioctl(fd, CGDIOCSET, &ci) == -1) { 695 int saved_errno = errno; 696 warn("ioctl"); 697 return saved_errno; 698 } 699 700 return 0; 701 } 702 703 /* 704 * verify returns 0 for success, -1 for unrecoverable error, or 1 for retry. 705 */ 706 707 #define SCANSIZE 8192 708 709 static int 710 verify(struct params *p, int fd) 711 { 712 713 switch (p->verify_method) { 714 case VERIFY_NONE: 715 return 0; 716 case VERIFY_DISKLABEL: 717 return verify_disklabel(fd); 718 case VERIFY_FFS: 719 return verify_ffs(fd); 720 case VERIFY_REENTER: 721 return verify_reenter(p); 722 default: 723 warnx("unimplemented verification method"); 724 return -1; 725 } 726 } 727 728 static int 729 verify_disklabel(int fd) 730 { 731 struct disklabel l; 732 ssize_t ret; 733 char buf[SCANSIZE]; 734 735 /* 736 * we simply scan the first few blocks for a disklabel, ignoring 737 * any MBR/filecore sorts of logic. MSDOS and RiscOS can't read 738 * a cgd, anyway, so it is unlikely that there will be non-native 739 * partition information. 740 */ 741 742 ret = cgd_kops.ko_pread(fd, buf, 8192, 0); 743 if (ret < 0) { 744 warn("can't read disklabel area"); 745 return -1; 746 } 747 748 /* now scan for the disklabel */ 749 750 return disklabel_scan(&l, buf, (size_t)ret); 751 } 752 753 static off_t sblock_try[] = SBLOCKSEARCH; 754 755 static int 756 verify_ffs(int fd) 757 { 758 size_t i; 759 760 for (i = 0; sblock_try[i] != -1; i++) { 761 union { 762 char buf[SBLOCKSIZE]; 763 struct fs fs; 764 } u; 765 ssize_t ret; 766 767 ret = cgd_kops.ko_pread(fd, &u, sizeof(u), sblock_try[i]); 768 if (ret < 0) { 769 warn("pread"); 770 break; 771 } else if ((size_t)ret < sizeof(u)) { 772 warnx("pread: incomplete block"); 773 break; 774 } 775 switch (u.fs.fs_magic) { 776 case FS_UFS1_MAGIC: 777 case FS_UFS2_MAGIC: 778 case FS_UFS1_MAGIC_SWAPPED: 779 case FS_UFS2_MAGIC_SWAPPED: 780 return 0; 781 default: 782 continue; 783 } 784 } 785 786 return 1; /* failure */ 787 } 788 789 static int 790 verify_reenter(struct params *p) 791 { 792 struct keygen *kg; 793 bits_t *orig_key, *key; 794 int ret; 795 796 ret = 0; 797 for (kg = p->keygen; kg && !ret; kg = kg->next) { 798 if ((kg->kg_method != KEYGEN_PKCS5_PBKDF2_SHA1) && 799 (kg->kg_method != KEYGEN_PKCS5_PBKDF2_OLD )) 800 continue; 801 802 orig_key = kg->kg_key; 803 kg->kg_key = NULL; 804 805 /* add a compat flag till the _OLD method goes away */ 806 key = getkey_pkcs5_pbkdf2("re-enter device", kg, 807 bits_len(orig_key), kg->kg_method == KEYGEN_PKCS5_PBKDF2_OLD); 808 ret = !bits_match(key, orig_key); 809 810 bits_free(key); 811 bits_free(kg->kg_key); 812 kg->kg_key = orig_key; 813 } 814 815 return ret; 816 } 817 818 static int 819 generate(struct params *p, int argc, char **argv, const char *outfile) 820 { 821 int ret; 822 823 if (argc < 1 || argc > 2) 824 usage(); 825 826 p->algorithm = string_fromcharstar(argv[0]); 827 if (argc > 1) { 828 size_t keylen; 829 830 if (parse_size_t(argv[1], &keylen) == -1) { 831 warn("Failed to parse key length"); 832 return -1; 833 } 834 p->keylen = keylen; 835 } 836 837 ret = params_filldefaults(p); 838 if (ret) 839 return ret; 840 841 if (!p->keygen) { 842 p->keygen = keygen_generate(KEYGEN_PKCS5_PBKDF2_SHA1); 843 if (!p->keygen) 844 return -1; 845 } 846 847 if (keygen_filldefaults(p->keygen, p->keylen)) { 848 warnx("Failed to generate defaults for keygen"); 849 return -1; 850 } 851 852 if (!params_verify(p)) { 853 warnx("invalid parameters generated"); 854 return -1; 855 } 856 857 return params_cput(p, outfile); 858 } 859 860 static int 861 generate_convert(struct params *p, int argc, char **argv, const char *outfile) 862 { 863 struct params *oldp; 864 struct keygen *kg; 865 866 if (argc != 1) 867 usage(); 868 869 oldp = params_cget(*argv); 870 if (!oldp) 871 return -1; 872 873 /* for sanity, we ensure that none of the keygens are randomkey */ 874 for (kg=p->keygen; kg; kg=kg->next) 875 if (kg->kg_method == KEYGEN_RANDOMKEY) 876 goto bail; 877 for (kg=oldp->keygen; kg; kg=kg->next) 878 if (kg->kg_method == KEYGEN_RANDOMKEY) 879 goto bail; 880 881 if (!params_verify(oldp)) { 882 warnx("invalid old parameters file \"%s\"", *argv); 883 return -1; 884 } 885 886 oldp->key = getkey("old file", oldp->keygen, oldp->keylen); 887 888 /* we copy across the non-keygen info, here. */ 889 890 string_free(p->algorithm); 891 string_free(p->ivmeth); 892 893 p->algorithm = string_dup(oldp->algorithm); 894 p->ivmeth = string_dup(oldp->ivmeth); 895 p->keylen = oldp->keylen; 896 p->bsize = oldp->bsize; 897 if (p->verify_method == VERIFY_UNKNOWN) 898 p->verify_method = oldp->verify_method; 899 900 params_free(oldp); 901 902 if (!p->keygen) { 903 p->keygen = keygen_generate(KEYGEN_PKCS5_PBKDF2_SHA1); 904 if (!p->keygen) 905 return -1; 906 } 907 (void)params_filldefaults(p); 908 (void)keygen_filldefaults(p->keygen, p->keylen); 909 p->key = getkey("new file", p->keygen, p->keylen); 910 911 kg = keygen_generate(KEYGEN_STOREDKEY); 912 kg->kg_key = bits_xor(p->key, oldp->key); 913 keygen_addlist(&p->keygen, kg); 914 915 if (!params_verify(p)) { 916 warnx("can't generate new parameters file"); 917 return -1; 918 } 919 920 return params_cput(p, outfile); 921 bail: 922 params_free(oldp); 923 return -1; 924 } 925 926 static int 927 /*ARGSUSED*/ 928 do_all(const char *cfile, int argc, char **argv, 929 int (*conf)(int, char **, struct params *, int)) 930 { 931 FILE *f; 932 size_t len; 933 size_t lineno; 934 int my_argc; 935 int ret; 936 const char *fn; 937 char *line; 938 char **my_argv; 939 940 if (argc > 0) 941 usage(); 942 943 if (!cfile[0]) 944 fn = CGDCONFIG_CFILE; 945 else 946 fn = cfile; 947 948 f = fopen(fn, "r"); 949 if (!f) { 950 warn("could not open config file \"%s\"", fn); 951 return -1; 952 } 953 954 ret = chdir(CGDCONFIG_DIR); 955 if (ret == -1) 956 warn("could not chdir to %s", CGDCONFIG_DIR); 957 958 ret = 0; 959 lineno = 0; 960 for (;;) { 961 line = fparseln(f, &len, &lineno, "\\\\#", FPARSELN_UNESCALL); 962 if (!line) 963 break; 964 if (!*line) 965 continue; 966 967 my_argv = words(line, &my_argc); 968 ret = conf(my_argc, my_argv, NULL, CONFIG_FLAGS_FROMALL); 969 if (ret) { 970 warnx("action failed on \"%s\" line %lu", fn, 971 (u_long)lineno); 972 break; 973 } 974 words_free(my_argv, my_argc); 975 } 976 return ret; 977 } 978 979 static void 980 eliminate_cores(void) 981 { 982 struct rlimit rlp; 983 984 rlp.rlim_cur = 0; 985 rlp.rlim_max = 0; 986 if (setrlimit(RLIMIT_CORE, &rlp) == -1) 987 err(EXIT_FAILURE, "Can't disable cores"); 988 } 989
Indexes created Wed Oct 01 13:09:50 GMT 2025