author | Marco Peereboom <marco@cvs.openbsd.org> | 2009-10-21 22:31:18 +0000 |
---|---|---|
committer | Marco Peereboom <marco@cvs.openbsd.org> | 2009-10-21 22:31:18 +0000 |
commit | b2b168551efa19ecc877ccefaf29c9dc4330caa1 (patch) | |
tree | 55955a77a493b3fd202c2863c79e28628f6e6071 | |
parent | a2ad7e7cea0482b7a5a6929d0d2eded25f6b612f (diff) |
Add passphrase file for crypto volume bring-up. Prodded and ok deraadt
-rw-r--r-- | sbin/bioctl/bioctl.8 | 9 | ||||
-rw-r--r-- | sbin/bioctl/bioctl.c | 47 |
2 files changed, 47 insertions, 9 deletions
diff --git a/sbin/bioctl/bioctl.8 b/sbin/bioctl/bioctl.8 index d32c5d4700b..595ac1d1efb 100644 --- a/sbin/bioctl/bioctl.8 +++ b/sbin/bioctl/bioctl.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: bioctl.8,v 1.72 2009/07/31 05:58:51 jmc Exp $ +.\" $OpenBSD: bioctl.8,v 1.73 2009/10/21 22:31:17 marco Exp $ .\" .\" Copyright (c) 2004, 2005 Marco Peereboom .\" @@ -23,7 +23,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd $Mdocdate: July 31 2009 $ +.Dd $Mdocdate: October 21 2009 $ .Dt BIOCTL 8 .Os .Sh NAME @@ -47,6 +47,7 @@ .Op Fl C Ar flag[,flag,...] .Op Fl c Ar raidlevel .Op Fl l Ar special[,special,...] +.Op Fl p Ar passfile .Op Fl R Ar device \*(Ba channel:target[.lun] .Op Fl r Ar rounds .Ar device @@ -124,6 +125,10 @@ digits to four or less. .It Fl i Enumerate the selected RAID devices. This is the default if no other option is given. +.It Fl p Ar passfile +Passphrase file used for crypto volume bring-up. +This file must be root owned and have 0600 permissions. +This can not be used during the initial creation of the crypto volume. .It Fl q Show vendor, product, revision, and serial number for the given disk. .It Fl R Ar device \*(Ba channel:target[.lun] diff --git a/sbin/bioctl/bioctl.c b/sbin/bioctl/bioctl.c index 034167baaf6..33f68a74306 100644 --- a/sbin/bioctl/bioctl.c +++ b/sbin/bioctl/bioctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bioctl.c,v 1.81 2009/07/31 16:12:10 jsing Exp $ */ +/* $OpenBSD: bioctl.c,v 1.82 2009/10/21 22:31:17 marco Exp $ */ /* * Copyright (c) 2004, 2005 Marco Peereboom @@ -36,6 +36,8 @@ #include <scsi/scsi_all.h> #include <dev/biovar.h> #include <dev/softraidvar.h> +#include <sys/types.h> +#include <sys/stat.h> #include <errno.h> #include <err.h> @@ -85,6 +87,7 @@ int human; int verbose; u_int32_t cflags = 0; int rflag = 8192; +char *password; struct bio_locate bl; 
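Review bot: The new global `char *password;` (bioctl.c hunk at -85,6) holds the path given with -p, not a passphrase, which reads misleadingly next to the `passphrase` buffer in derive_key_pkcs. The same name is assigned in the `case 'p':` hunk of main() and tested in the derive_key_pkcs hunk. Naming it `passfile`, as the man page and usage text already do, or at least adding `/* path to passphrase file (-p), not the passphrase itself */` at the declaration would keep a later reader from treating the pointer as secret material or logging it as harmless.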
@@ -104,7 +107,7 @@ main(int argc, char *argv[]) if (argc < 2) usage(); - while ((ch = getopt(argc, argv, "a:b:C:c:dH:hil:qr:R:vu:")) != -1) { + while ((ch = getopt(argc, argv, "a:b:C:c:dH:hil:p:qr:R:vu:")) != -1) { switch (ch) { case 'a': /* alarm */ func |= BIOC_ALARM; @@ -149,6 +152,9 @@ main(int argc, char *argv[]) func |= BIOC_DEVLIST; dev_list = optarg; break; + case 'p': + password = optarg; + break; case 'r': rflag = strtonum(optarg, 1000, 1<<30, &errstr); if (errstr != NULL) @@ -203,7 +209,7 @@ main(int argc, char *argv[]) if (devh == -1) err(1, "Can't open %s", sd_dev); } else - errx(1, "need -d or -f parameter"); + errx(1, "need device"); if (diskinq) { bio_diskinq(sd_dev); @@ -246,7 +252,7 @@ usage(void) "[-C flag[,flag,...]] [-c raidlevel]\n" "\t[-l special[,special,...]] " "[-R device | channel:target[.lun]\n" - "\t[-r rounds] " + "\t[-p passfile] [-r rounds] " "device\n", __progname, __progname); exit(1); @@ -933,6 +939,9 @@ void derive_key_pkcs(int rounds, u_int8_t *key, size_t keysz, u_int8_t *salt, size_t saltsz, int verify) { + FILE *f; + size_t pl; + struct stat sb; char passphrase[1024], verifybuf[1024]; if (!key) 
@@ -943,9 +952,33 @@ derive_key_pkcs(int rounds, u_int8_t *key, size_t keysz, u_int8_t *salt, errx(1, "Too less rounds: %d", rounds); /* get passphrase */ - if (readpassphrase("Passphrase: ", passphrase, sizeof(passphrase), - RPP_REQUIRE_TTY) == NULL) - errx(1, "unable to read passphrase"); + if (password && verify == 0) { + if ((f = fopen(password, "r")) == NULL) + err(1, "invalid passphrase file"); + + if (fstat(fileno(f), &sb) == -1) + err(1, "can't stat passphrase file"); + if (sb.st_uid != 0) + errx(1, "passphrase file must be owned by root"); + if ((sb.st_mode & ~S_IFMT) != (S_IRUSR | S_IWUSR)) + errx(1, "passphrase file has the wrong permissions"); + + if (fgets(passphrase, sizeof(passphrase), f) == NULL) + err(1, "can't read passphrase file"); + pl = strlen(passphrase); + if (pl > 0 && passphrase[pl - 1] == '\n') + passphrase[pl - 1] = '\0'; + else + errx(1, "invalid passphrase length"); + + fclose(f); + } else if (password == NULL && verify) { + if (readpassphrase("Passphrase: ", passphrase, + sizeof(passphrase), RPP_REQUIRE_TTY) == NULL) + errx(1, "unable to read passphrase"); + } else + errx(1, "can't specify passphrase file during initial " + "creation of crypto volume"); if (verify) { /* request user to re-type it */ |
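Review bot: When no -p is given and verify is 0, the new if/else chain falls through to the final `errx` about initial creation, because the prompt branch is guarded by `password == NULL && verify`. Going by the `if (verify)` re-type block that follows, verify == 0 looks like the ordinary bring-up of an existing volume, so interactive unlock without a passfile would abort with a misleading message. Changing the middle test to `} else if (password == NULL) {` restores the prompt in both modes and still leaves the last branch for -p combined with creation. Two smaller points in the file branch: the owner and mode checks never confirm a regular file (`if (!S_ISREG(sb.st_mode)) errx(1, "passphrase file must be a regular file");` after the fstat would cover it), and a file holding only a newline is accepted as an empty passphrase. derive_key_pkcs starts and ends outside this hunk.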