cgdconfig.c revision 1.34
1 /* $NetBSD: cgdconfig.c,v 1.34 2012/12/05 02:23:20 christos Exp $ */ 2 3 /*- 4 * Copyright (c) 2002, 2003 The NetBSD Foundation, Inc. 5 * All rights reserved. 6 * 7 * This code is derived from software contributed to The NetBSD Foundation 8 * by Roland C. Dowdeswell. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 20 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 21 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 22 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 23 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 24 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 25 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 26 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 27 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 28 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 * POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32 #include <sys/cdefs.h> 33 #ifndef lint 34 __COPYRIGHT("@(#) Copyright (c) 2002, 2003\ 35 The NetBSD Foundation, Inc. All rights reserved."); 36 __RCSID("$NetBSD: cgdconfig.c,v 1.34 2012/12/05 02:23:20 christos Exp $"); 37 #endif 38 39 #include <err.h> 40 #include <errno.h> 41 #include <fcntl.h> 42 #include <libgen.h> 43 #include <stdio.h> 44 #include <stdlib.h> 45 #include <string.h> 46 #include <unistd.h> 47 #include <util.h> 48 49 #include <sys/ioctl.h> 50 #include <sys/disklabel.h> 51 #include <sys/mman.h> 52 #include <sys/param.h> 53 #include <sys/resource.h> 54 #include <sys/statvfs.h> 55 56 #include <dev/cgdvar.h> 57 58 #include <ufs/ffs/fs.h> 59 60 #include "params.h" 61 #include "pkcs5_pbkdf2.h" 62 #include "utils.h" 63 #include "cgdconfig.h" 64 #include "prog_ops.h" 65 66 #define CGDCONFIG_DIR "/etc/cgd" 67 #define CGDCONFIG_CFILE CGDCONFIG_DIR "/cgd.conf" 68 69 enum action { 70 ACTION_DEFAULT, /* default -> configure */ 71 ACTION_CONFIGURE, /* configure, with paramsfile */ 72 ACTION_UNCONFIGURE, /* unconfigure */ 73 ACTION_GENERATE, /* generate a paramsfile */ 74 ACTION_GENERATE_CONVERT, /* generate a ``dup'' paramsfile */ 75 ACTION_CONFIGALL, /* configure all from config file */ 76 ACTION_UNCONFIGALL, /* unconfigure all from config file */ 77 ACTION_CONFIGSTDIN, /* configure, key from stdin */ 78 ACTION_LIST /* list configured devices */ 79 }; 80 81 /* if nflag is set, do not configure/unconfigure the cgd's */ 82 83 int nflag = 0; 84 85 /* if pflag is set to PFLAG_STDIN read from stdin rather than getpass(3) */ 86 87 #define PFLAG_GETPASS 0x01 88 #define PFLAG_STDIN 0x02 89 int pflag = PFLAG_GETPASS; 90 91 static int configure(int, char **, struct params *, int); 92 static int configure_stdin(struct params *, int argc, char **); 93 static int generate(struct params *, int, char **, const char *); 94 static int generate_convert(struct params *, int, char **, const char *); 95 static int unconfigure(int, char **, struct params *, int); 96 static int do_all(const char *, int, char **, 97 int (*)(int, char **, struct params *, int)); 98 static int do_list(int, char **); 99 100 #define CONFIG_FLAGS_FROMALL 1 /* called from configure_all() */ 101 #define CONFIG_FLAGS_FROMMAIN 2 /* called from main() */ 102 103 static int configure_params(int, const char *, const char *, 104 struct params *); 105 static void eliminate_cores(void); 106 static bits_t *getkey(const char *, struct keygen *, size_t); 107 static bits_t *getkey_storedkey(const char *, struct keygen *, size_t); 108 static bits_t *getkey_randomkey(const char *, struct keygen *, size_t, int); 109 static bits_t *getkey_pkcs5_pbkdf2(const char *, struct keygen *, size_t, 110 int); 111 static bits_t *getkey_shell_cmd(const char *, struct keygen *, size_t); 112 static char *maybe_getpass(char *); 113 static int opendisk_werror(const char *, char *, size_t); 114 static int unconfigure_fd(int); 115 static int verify(struct params *, int); 116 static int verify_disklabel(int); 117 static int verify_ffs(int); 118 static int verify_reenter(struct params *); 119 120 __dead static void usage(void); 121 122 /* Verbose Framework */ 123 unsigned verbose = 0; 124 125 #define VERBOSE(x,y) if (verbose >= x) y 126 #define VPRINTF(x,y) if (verbose >= x) (void)printf y 127 128 static void 129 usage(void) 130 { 131 132 (void)fprintf(stderr, "usage: %s [-nv] [-V vmeth] cgd dev [paramsfile]\n", 133 getprogname()); 134 (void)fprintf(stderr, " %s -C [-nv] [-f configfile]\n", getprogname()); 135 (void)fprintf(stderr, " %s -G [-nv] [-i ivmeth] [-k kgmeth] " 136 "[-o outfile] paramsfile\n", getprogname()); 137 (void)fprintf(stderr, " %s -g [-nv] [-i ivmeth] [-k kgmeth] " 138 "[-o outfile] alg [keylen]\n", getprogname()); 139 (void)fprintf(stderr, " %s -l\n", getprogname()); 140 (void)fprintf(stderr, " %s -s [-nv] [-i ivmeth] cgd dev alg " 141 "[keylen]\n", getprogname()); 142 (void)fprintf(stderr, " %s -U [-nv] [-f configfile]\n", getprogname()); 143 (void)fprintf(stderr, " %s -u [-nv] cgd\n", getprogname()); 144 exit(EXIT_FAILURE); 145 } 146 147 static int 148 parse_size_t(const char *s, size_t *l) 149 { 150 char *endptr; 151 long v; 152 153 errno = 0; 154 v = strtol(s, &endptr, 10); 155 if ((v == LONG_MIN || v == LONG_MAX) && errno) 156 return -1; 157 if (v < INT_MIN || v > INT_MAX) { 158 errno = ERANGE; 159 return -1; 160 } 161 if (endptr == s) { 162 errno = EINVAL; 163 return -1; 164 } 165 *l = (size_t)v; 166 return 0; 167 } 168 169 static void 170 set_action(enum action *action, enum action value) 171 { 172 if (*action != ACTION_DEFAULT) 173 usage(); 174 *action = value; 175 } 176 177 int 178 main(int argc, char **argv) 179 { 180 struct params *p; 181 struct params *tp; 182 struct keygen *kg; 183 enum action action = ACTION_DEFAULT; 184 int ch; 185 const char *cfile = NULL; 186 const char *outfile = NULL; 187 188 setprogname(*argv); 189 eliminate_cores(); 190 if (mlockall(MCL_FUTURE)) 191 err(EXIT_FAILURE, "Can't lock memory"); 192 p = params_new(); 193 kg = NULL; 194 195 while ((ch = getopt(argc, argv, "CGUV:b:f:gi:k:lno:spuv")) != -1) 196 switch (ch) { 197 case 'C': 198 set_action(&action, ACTION_CONFIGALL); 199 break; 200 case 'G': 201 set_action(&action, ACTION_GENERATE_CONVERT); 202 break; 203 case 'U': 204 set_action(&action, ACTION_UNCONFIGALL); 205 break; 206 case 'V': 207 tp = params_verify_method(string_fromcharstar(optarg)); 208 if (!tp) 209 usage(); 210 p = params_combine(p, tp); 211 break; 212 case 'b': 213 { 214 size_t size; 215 216 if (parse_size_t(optarg, &size) == -1) 217 usage(); 218 tp = params_bsize(size); 219 if (!tp) 220 usage(); 221 p = params_combine(p, tp); 222 } 223 break; 224 case 'f': 225 if (cfile) 226 usage(); 227 cfile = estrdup(optarg); 228 break; 229 case 'g': 230 set_action(&action, ACTION_GENERATE); 231 break; 232 case 'i': 233 tp = params_ivmeth(string_fromcharstar(optarg)); 234 p = params_combine(p, tp); 235 break; 236 case 'k': 237 kg = keygen_method(string_fromcharstar(optarg)); 238 if (!kg) 239 usage(); 240 keygen_addlist(&p->keygen, kg); 241 break; 242 case 'l': 243 set_action(&action, ACTION_LIST); 244 break; 245 case 'n': 246 nflag = 1; 247 break; 248 case 'o': 249 if (outfile) 250 usage(); 251 outfile = estrdup(optarg); 252 break; 253 case 'p': 254 pflag = PFLAG_STDIN; 255 break; 256 case 's': 257 set_action(&action, ACTION_CONFIGSTDIN); 258 break; 259 260 case 'u': 261 set_action(&action, ACTION_UNCONFIGURE); 262 break; 263 case 'v': 264 verbose++; 265 break; 266 default: 267 usage(); 268 /* NOTREACHED */ 269 } 270 271 argc -= optind; 272 argv += optind; 273 274 if (!outfile) 275 outfile = ""; 276 if (!cfile) 277 cfile = ""; 278 279 if (prog_init && prog_init() == -1) 280 err(1, "init failed"); 281 282 /* validate the consistency of the arguments */ 283 284 switch (action) { 285 case ACTION_DEFAULT: /* ACTION_CONFIGURE is the default */ 286 case ACTION_CONFIGURE: 287 return configure(argc, argv, p, CONFIG_FLAGS_FROMMAIN); 288 case ACTION_UNCONFIGURE: 289 return unconfigure(argc, argv, NULL, CONFIG_FLAGS_FROMMAIN); 290 case ACTION_GENERATE: 291 return generate(p, argc, argv, outfile); 292 case ACTION_GENERATE_CONVERT: 293 return generate_convert(p, argc, argv, outfile); 294 case ACTION_CONFIGALL: 295 return do_all(cfile, argc, argv, configure); 296 case ACTION_UNCONFIGALL: 297 return do_all(cfile, argc, argv, unconfigure); 298 case ACTION_CONFIGSTDIN: 299 return configure_stdin(p, argc, argv); 300 case ACTION_LIST: 301 return do_list(argc, argv); 302 default: 303 errx(EXIT_FAILURE, "undefined action"); 304 /* NOTREACHED */ 305 } 306 } 307 308 static bits_t * 309 getkey(const char *dev, struct keygen *kg, size_t len) 310 { 311 bits_t *ret = NULL; 312 bits_t *tmp; 313 314 VPRINTF(3, ("getkey(\"%s\", %p, %zu) called\n", dev, kg, len)); 315 for (; kg; kg=kg->next) { 316 switch (kg->kg_method) { 317 case KEYGEN_STOREDKEY: 318 tmp = getkey_storedkey(dev, kg, len); 319 break; 320 case KEYGEN_RANDOMKEY: 321 tmp = getkey_randomkey(dev, kg, len, 1); 322 break; 323 case KEYGEN_URANDOMKEY: 324 tmp = getkey_randomkey(dev, kg, len, 0); 325 break; 326 case KEYGEN_PKCS5_PBKDF2_SHA1: 327 tmp = getkey_pkcs5_pbkdf2(dev, kg, len, 0); 328 break; 329 /* provide backwards compatibility for old config files */ 330 case KEYGEN_PKCS5_PBKDF2_OLD: 331 tmp = getkey_pkcs5_pbkdf2(dev, kg, len, 1); 332 break; 333 case KEYGEN_SHELL_CMD: 334 tmp = getkey_shell_cmd(dev, kg, len); 335 break; 336 default: 337 warnx("unrecognised keygen method %d in getkey()", 338 kg->kg_method); 339 if (ret) 340 bits_free(ret); 341 return NULL; 342 } 343 344 if (ret) 345 ret = bits_xor_d(tmp, ret); 346 else 347 ret = tmp; 348 } 349 350 return ret; 351 } 352 353 /*ARGSUSED*/ 354 static bits_t * 355 getkey_storedkey(const char *target, struct keygen *kg, size_t keylen) 356 { 357 return bits_dup(kg->kg_key); 358 } 359 360 /*ARGSUSED*/ 361 static bits_t * 362 getkey_randomkey(const char *target, struct keygen *kg, size_t keylen, int hard) 363 { 364 return bits_getrandombits(keylen, hard); 365 } 366 367 static char * 368 maybe_getpass(char *prompt) 369 { 370 char buf[1024]; 371 char *p = buf; 372 char *tmp; 373 374 switch (pflag) { 375 case PFLAG_GETPASS: 376 p = getpass(prompt); 377 break; 378 379 case PFLAG_STDIN: 380 p = fgets(buf, sizeof(buf), stdin); 381 if (p) { 382 tmp = strchr(p, '\n'); 383 if (tmp) 384 *tmp = '\0'; 385 } 386 break; 387 388 default: 389 errx(EXIT_FAILURE, "pflag set inappropriately?"); 390 } 391 392 if (!p) 393 err(EXIT_FAILURE, "failed to read passphrase"); 394 395 return estrdup(p); 396 } 397 398 /*ARGSUSED*/ 399 /* 400 * XXX take, and pass through, a compat flag that indicates whether we 401 * provide backwards compatibility with a previous bug. The previous 402 * behaviour is indicated by the keygen method pkcs5_pbkdf2, and a 403 * non-zero compat flag. The new default, and correct keygen method is 404 * called pcks5_pbkdf2/sha1. When the old method is removed, so will 405 * be the compat argument. 406 */ 407 static bits_t * 408 getkey_pkcs5_pbkdf2(const char *target, struct keygen *kg, size_t keylen, 409 int compat) 410 { 411 bits_t *ret; 412 char *passp; 413 char buf[1024]; 414 u_int8_t *tmp; 415 416 snprintf(buf, sizeof(buf), "%s's passphrase:", target); 417 passp = maybe_getpass(buf); 418 if (pkcs5_pbkdf2(&tmp, BITS2BYTES(keylen), (uint8_t *)passp, 419 strlen(passp), 420 bits_getbuf(kg->kg_salt), BITS2BYTES(bits_len(kg->kg_salt)), 421 kg->kg_iterations, compat)) { 422 warnx("failed to generate PKCS#5 PBKDF2 key"); 423 return NULL; 424 } 425 426 ret = bits_new(tmp, keylen); 427 kg->kg_key = bits_dup(ret); 428 memset(passp, 0, strlen(passp)); 429 free(passp); 430 free(tmp); 431 return ret; 432 } 433 434 /*ARGSUSED*/ 435 static bits_t * 436 getkey_shell_cmd(const char *target, struct keygen *kg, size_t keylen) 437 { 438 FILE *f; 439 bits_t *ret; 440 441 f = popen(string_tocharstar(kg->kg_cmd), "r"); 442 ret = bits_fget(f, keylen); 443 pclose(f); 444 445 return ret; 446 } 447 448 /*ARGSUSED*/ 449 static int 450 unconfigure(int argc, char **argv, struct params *inparams, int flags) 451 { 452 int fd; 453 int ret; 454 char buf[MAXPATHLEN] = ""; 455 456 /* only complain about additional arguments, if called from main() */ 457 if (flags == CONFIG_FLAGS_FROMMAIN && argc != 1) 458 usage(); 459 460 /* if called from do_all(), then ensure that 2 or 3 args exist */ 461 if (flags == CONFIG_FLAGS_FROMALL && (argc < 2 || argc > 3)) 462 return -1; 463 464 fd = opendisk1(*argv, O_RDWR, buf, sizeof(buf), 1, prog_open); 465 if (fd == -1) { 466 int saved_errno = errno; 467 468 warn("can't open cgd \"%s\", \"%s\"", *argv, buf); 469 470 /* this isn't fatal with nflag != 0 */ 471 if (!nflag) 472 return saved_errno; 473 } 474 475 VPRINTF(1, ("%s (%s): clearing\n", *argv, buf)); 476 477 if (nflag) 478 return 0; 479 480 ret = unconfigure_fd(fd); 481 (void)prog_close(fd); 482 return ret; 483 } 484 485 static int 486 unconfigure_fd(int fd) 487 { 488 struct cgd_ioctl ci; 489 490 if (prog_ioctl(fd, CGDIOCCLR, &ci) == -1) { 491 warn("ioctl"); 492 return -1; 493 } 494 495 return 0; 496 } 497 498 /*ARGSUSED*/ 499 static int 500 configure(int argc, char **argv, struct params *inparams, int flags) 501 { 502 struct params *p; 503 struct keygen *kg; 504 int fd; 505 int loop = 0; 506 int ret; 507 char cgdname[PATH_MAX]; 508 509 if (argc == 2) { 510 char *pfile; 511 512 if (asprintf(&pfile, "%s/%s", 513 CGDCONFIG_DIR, basename(argv[1])) == -1) 514 return -1; 515 516 p = params_cget(pfile); 517 free(pfile); 518 } else if (argc == 3) { 519 p = params_cget(argv[2]); 520 } else { 521 /* print usage and exit, only if called from main() */ 522 if (flags == CONFIG_FLAGS_FROMMAIN) { 523 warnx("wrong number of args"); 524 usage(); 525 } 526 return -1; 527 } 528 529 if (!p) 530 return -1; 531 532 /* 533 * over-ride with command line specifications and fill in default 534 * values. 535 */ 536 537 p = params_combine(p, inparams); 538 ret = params_filldefaults(p); 539 if (ret) { 540 params_free(p); 541 return ret; 542 } 543 544 if (!params_verify(p)) { 545 warnx("params invalid"); 546 return -1; 547 } 548 549 /* 550 * loop over configuring the disk and checking to see if it 551 * verifies properly. We open and close the disk device each 552 * time, because if the user passes us the block device we 553 * need to flush the buffer cache. 554 * 555 * We only loop if one of the verification methods prompts for 556 * a password. 557 */ 558 559 for (kg = p->keygen; pflag == PFLAG_GETPASS && kg; kg = kg->next) 560 if ((kg->kg_method == KEYGEN_PKCS5_PBKDF2_SHA1) || 561 (kg->kg_method == KEYGEN_PKCS5_PBKDF2_OLD )) { 562 loop = 1; 563 break; 564 } 565 566 for (;;) { 567 fd = opendisk_werror(argv[0], cgdname, sizeof(cgdname)); 568 if (fd == -1) 569 return -1; 570 571 if (p->key) 572 bits_free(p->key); 573 574 p->key = getkey(argv[1], p->keygen, p->keylen); 575 if (!p->key) 576 goto bail_err; 577 578 ret = configure_params(fd, cgdname, argv[1], p); 579 if (ret) 580 goto bail_err; 581 582 ret = verify(p, fd); 583 if (ret == -1) 584 goto bail_err; 585 if (!ret) 586 break; 587 588 (void)unconfigure_fd(fd); 589 (void)prog_close(fd); 590 591 if (!loop) { 592 warnx("verification failed permanently"); 593 goto bail_err; 594 } 595 596 warnx("verification failed, please reenter passphrase"); 597 } 598 599 params_free(p); 600 (void)prog_close(fd); 601 return 0; 602 bail_err: 603 params_free(p); 604 (void)prog_close(fd); 605 return -1; 606 } 607 608 static int 609 configure_stdin(struct params *p, int argc, char **argv) 610 { 611 int fd; 612 int ret; 613 char cgdname[PATH_MAX]; 614 615 if (argc < 3 || argc > 4) 616 usage(); 617 618 p->algorithm = string_fromcharstar(argv[2]); 619 if (argc > 3) { 620 size_t keylen; 621 622 if (parse_size_t(argv[3], &keylen) == -1) { 623 warn("failed to parse key length"); 624 return -1; 625 } 626 p->keylen = keylen; 627 } 628 629 ret = params_filldefaults(p); 630 if (ret) 631 return ret; 632 633 fd = opendisk_werror(argv[0], cgdname, sizeof(cgdname)); 634 if (fd == -1) 635 return -1; 636 637 p->key = bits_fget(stdin, p->keylen); 638 if (!p->key) { 639 warnx("failed to read key from stdin"); 640 return -1; 641 } 642 643 return configure_params(fd, cgdname, argv[1], p); 644 } 645 646 static int 647 opendisk_werror(const char *cgd, char *buf, size_t buflen) 648 { 649 int fd; 650 651 VPRINTF(3, ("opendisk_werror(%s, %s, %zu) called.\n", cgd, buf, buflen)); 652 653 /* sanity */ 654 if (!cgd || !buf) 655 return -1; 656 657 if (nflag) { 658 if (strlcpy(buf, cgd, buflen) >= buflen) 659 return -1; 660 return 0; 661 } 662 663 fd = opendisk1(cgd, O_RDWR, buf, buflen, 0, prog_open); 664 if (fd == -1) 665 warnx("can't open cgd \"%s\", \"%s\"", cgd, buf); 666 667 return fd; 668 } 669 670 static int 671 configure_params(int fd, const char *cgd, const char *dev, struct params *p) 672 { 673 struct cgd_ioctl ci; 674 675 /* sanity */ 676 if (!cgd || !dev) 677 return -1; 678 679 (void)memset(&ci, 0x0, sizeof(ci)); 680 ci.ci_disk = dev; 681 ci.ci_alg = string_tocharstar(p->algorithm); 682 ci.ci_ivmethod = string_tocharstar(p->ivmeth); 683 ci.ci_key = bits_getbuf(p->key); 684 ci.ci_keylen = p->keylen; 685 ci.ci_blocksize = p->bsize; 686 687 VPRINTF(1, (" with alg %s keylen %zu blocksize %zu ivmethod %s\n", 688 string_tocharstar(p->algorithm), p->keylen, p->bsize, 689 string_tocharstar(p->ivmeth))); 690 VPRINTF(2, ("key: ")); 691 VERBOSE(2, bits_fprint(stdout, p->key)); 692 VPRINTF(2, ("\n")); 693 694 if (nflag) 695 return 0; 696 697 if (prog_ioctl(fd, CGDIOCSET, &ci) == -1) { 698 int saved_errno = errno; 699 warn("ioctl"); 700 return saved_errno; 701 } 702 703 return 0; 704 } 705 706 /* 707 * verify returns 0 for success, -1 for unrecoverable error, or 1 for retry. 708 */ 709 710 #define SCANSIZE 8192 711 712 static int 713 verify(struct params *p, int fd) 714 { 715 716 switch (p->verify_method) { 717 case VERIFY_NONE: 718 return 0; 719 case VERIFY_DISKLABEL: 720 return verify_disklabel(fd); 721 case VERIFY_FFS: 722 return verify_ffs(fd); 723 case VERIFY_REENTER: 724 return verify_reenter(p); 725 default: 726 warnx("unimplemented verification method"); 727 return -1; 728 } 729 } 730 731 static int 732 verify_disklabel(int fd) 733 { 734 struct disklabel l; 735 ssize_t ret; 736 char buf[SCANSIZE]; 737 738 /* 739 * we simply scan the first few blocks for a disklabel, ignoring 740 * any MBR/filecore sorts of logic. MSDOS and RiscOS can't read 741 * a cgd, anyway, so it is unlikely that there will be non-native 742 * partition information. 743 */ 744 745 ret = prog_pread(fd, buf, 8192, 0); 746 if (ret < 0) { 747 warn("can't read disklabel area"); 748 return -1; 749 } 750 751 /* now scan for the disklabel */ 752 753 return disklabel_scan(&l, buf, (size_t)ret); 754 } 755 756 static off_t sblock_try[] = SBLOCKSEARCH; 757 758 static int 759 verify_ffs(int fd) 760 { 761 size_t i; 762 763 for (i = 0; sblock_try[i] != -1; i++) { 764 union { 765 char buf[SBLOCKSIZE]; 766 struct fs fs; 767 } u; 768 ssize_t ret; 769 770 ret = prog_pread(fd, &u, sizeof(u), sblock_try[i]); 771 if (ret < 0) { 772 warn("pread"); 773 break; 774 } else if ((size_t)ret < sizeof(u)) { 775 warnx("pread: incomplete block"); 776 break; 777 } 778 switch (u.fs.fs_magic) { 779 case FS_UFS1_MAGIC: 780 case FS_UFS2_MAGIC: 781 case FS_UFS1_MAGIC_SWAPPED: 782 case FS_UFS2_MAGIC_SWAPPED: 783 return 0; 784 default: 785 continue; 786 } 787 } 788 789 return 1; /* failure */ 790 } 791 792 static int 793 verify_reenter(struct params *p) 794 { 795 struct keygen *kg; 796 bits_t *orig_key, *key; 797 int ret; 798 799 ret = 0; 800 for (kg = p->keygen; kg && !ret; kg = kg->next) { 801 if ((kg->kg_method != KEYGEN_PKCS5_PBKDF2_SHA1) && 802 (kg->kg_method != KEYGEN_PKCS5_PBKDF2_OLD )) 803 continue; 804 805 orig_key = kg->kg_key; 806 kg->kg_key = NULL; 807 808 /* add a compat flag till the _OLD method goes away */ 809 key = getkey_pkcs5_pbkdf2("re-enter device", kg, 810 bits_len(orig_key), kg->kg_method == KEYGEN_PKCS5_PBKDF2_OLD); 811 ret = !bits_match(key, orig_key); 812 813 bits_free(key); 814 bits_free(kg->kg_key); 815 kg->kg_key = orig_key; 816 } 817 818 return ret; 819 } 820 821 static int 822 generate(struct params *p, int argc, char **argv, const char *outfile) 823 { 824 int ret; 825 826 if (argc < 1 || argc > 2) 827 usage(); 828 829 p->algorithm = string_fromcharstar(argv[0]); 830 if (argc > 1) { 831 size_t keylen; 832 833 if (parse_size_t(argv[1], &keylen) == -1) { 834 warn("Failed to parse key length"); 835 return -1; 836 } 837 p->keylen = keylen; 838 } 839 840 ret = params_filldefaults(p); 841 if (ret) 842 return ret; 843 844 if (!p->keygen) { 845 p->keygen = keygen_generate(KEYGEN_PKCS5_PBKDF2_SHA1); 846 if (!p->keygen) 847 return -1; 848 } 849 850 if (keygen_filldefaults(p->keygen, p->keylen)) { 851 warnx("Failed to generate defaults for keygen"); 852 return -1; 853 } 854 855 if (!params_verify(p)) { 856 warnx("invalid parameters generated"); 857 return -1; 858 } 859 860 return params_cput(p, outfile); 861 } 862 863 static int 864 generate_convert(struct params *p, int argc, char **argv, const char *outfile) 865 { 866 struct params *oldp; 867 struct keygen *kg; 868 869 if (argc != 1) 870 usage(); 871 872 oldp = params_cget(*argv); 873 if (!oldp) 874 return -1; 875 876 /* for sanity, we ensure that none of the keygens are randomkey */ 877 for (kg=p->keygen; kg; kg=kg->next) 878 if ((kg->kg_method == KEYGEN_RANDOMKEY) || 879 (kg->kg_method == KEYGEN_URANDOMKEY)) { 880 warnx("can't preserve randomly generated key"); 881 goto bail; 882 } 883 for (kg=oldp->keygen; kg; kg=kg->next) 884 if ((kg->kg_method == KEYGEN_RANDOMKEY) || 885 (kg->kg_method == KEYGEN_URANDOMKEY)) { 886 warnx("can't preserve randomly generated key"); 887 goto bail; 888 } 889 890 if (!params_verify(oldp)) { 891 warnx("invalid old parameters file \"%s\"", *argv); 892 return -1; 893 } 894 895 oldp->key = getkey("old file", oldp->keygen, oldp->keylen); 896 897 /* we copy across the non-keygen info, here. */ 898 899 string_free(p->algorithm); 900 string_free(p->ivmeth); 901 902 p->algorithm = string_dup(oldp->algorithm); 903 p->ivmeth = string_dup(oldp->ivmeth); 904 p->keylen = oldp->keylen; 905 p->bsize = oldp->bsize; 906 if (p->verify_method == VERIFY_UNKNOWN) 907 p->verify_method = oldp->verify_method; 908 909 params_free(oldp); 910 911 if (!p->keygen) { 912 p->keygen = keygen_generate(KEYGEN_PKCS5_PBKDF2_SHA1); 913 if (!p->keygen) 914 return -1; 915 } 916 (void)params_filldefaults(p); 917 (void)keygen_filldefaults(p->keygen, p->keylen); 918 p->key = getkey("new file", p->keygen, p->keylen); 919 920 kg = keygen_generate(KEYGEN_STOREDKEY); 921 kg->kg_key = bits_xor(p->key, oldp->key); 922 keygen_addlist(&p->keygen, kg); 923 924 if (!params_verify(p)) { 925 warnx("can't generate new parameters file"); 926 return -1; 927 } 928 929 return params_cput(p, outfile); 930 bail: 931 params_free(oldp); 932 return -1; 933 } 934 935 static int 936 /*ARGSUSED*/ 937 do_all(const char *cfile, int argc, char **argv, 938 int (*conf)(int, char **, struct params *, int)) 939 { 940 FILE *f; 941 size_t len; 942 size_t lineno; 943 int my_argc; 944 int ret; 945 const char *fn; 946 char *line; 947 char **my_argv; 948 949 if (argc > 0) 950 usage(); 951 952 if (!cfile[0]) 953 fn = CGDCONFIG_CFILE; 954 else 955 fn = cfile; 956 957 f = fopen(fn, "r"); 958 if (!f) { 959 warn("could not open config file \"%s\"", fn); 960 return -1; 961 } 962 963 ret = chdir(CGDCONFIG_DIR); 964 if (ret == -1) 965 warn("could not chdir to %s", CGDCONFIG_DIR); 966 967 ret = 0; 968 lineno = 0; 969 for (;;) { 970 line = fparseln(f, &len, &lineno, "\\\\#", FPARSELN_UNESCALL); 971 if (!line) 972 break; 973 if (!*line) 974 continue; 975 976 my_argv = words(line, &my_argc); 977 ret = conf(my_argc, my_argv, NULL, CONFIG_FLAGS_FROMALL); 978 if (ret) { 979 warnx("action failed on \"%s\" line %lu", fn, 980 (u_long)lineno); 981 break; 982 } 983 words_free(my_argv, my_argc); 984 } 985 return ret; 986 } 987 988 static const char * 989 iv_method(int mode) 990 { 991 992 switch (mode) { 993 case CGD_CIPHER_CBC_ENCBLKNO8: 994 return "encblkno8"; 995 case CGD_CIPHER_CBC_ENCBLKNO1: 996 return "encblkno1"; 997 default: 998 return "unknown"; 999 } 1000 } 1001 1002 static int 1003 do_list(int argc, char **argv) 1004 { 1005 char path[64], buf[16]; 1006 struct cgd_user cgu; 1007 const char *fn; 1008 int fd, n, rv; 1009 1010 if (argc != 0 && argc != 1) 1011 usage(); 1012 1013 fn = argc ? argv[0] : "cgd0"; 1014 n = 0; 1015 for (;;) { 1016 fd = opendisk(fn, O_RDONLY, path, sizeof(path), 0); 1017 if (fd == -1) { 1018 if (argc) 1019 err(1, "open: %s", fn); 1020 break; 1021 } 1022 1023 cgu.cgu_unit = argc ? -1 : n; 1024 rv = prog_ioctl(fd, CGDIOCGET, &cgu); 1025 if (rv == -1) { 1026 close(fd); 1027 err(1, "CGDIOCGET"); 1028 } 1029 1030 printf("%s: ", fn); 1031 1032 if (cgu.cgu_dev == 0) 1033 printf("not in use"); 1034 else { 1035 char *dev; 1036 1037 dev = devname(cgu.cgu_dev, S_IFBLK); 1038 if (dev != NULL) 1039 printf("%s ", dev); 1040 else 1041 printf("dev %llu,%llu ", 1042 (unsigned long long)major(cgu.cgu_dev), 1043 (unsigned long long)minor(cgu.cgu_dev)); 1044 1045 if (verbose) 1046 printf("%s ", cgu.cgu_alg); 1047 if (verbose > 1) { 1048 printf("keylen %d ", cgu.cgu_keylen); 1049 printf("blksize %zd ", cgu.cgu_blocksize); 1050 printf("%s ", iv_method(cgu.cgu_mode)); 1051 } 1052 } 1053 putchar('\n'); 1054 close(fd); 1055 1056 if (argc) 1057 break; 1058 1059 n++; 1060 snprintf(buf, sizeof(buf), "cgd%d", n); 1061 fn = buf; 1062 } 1063 1064 return 0; 1065 } 1066 1067 static void 1068 eliminate_cores(void) 1069 { 1070 struct rlimit rlp; 1071 1072 rlp.rlim_cur = 0; 1073 rlp.rlim_max = 0; 1074 if (setrlimit(RLIMIT_CORE, &rlp) == -1) 1075 err(EXIT_FAILURE, "Can't disable cores"); 1076 } 1077
Indexes created Wed Oct 01 15:09:59 GMT 2025