summaryrefslogtreecommitdiff
path: root/sbin
diff options
context:
space:
mode:
authorAlexander von Gernler <grunk@cvs.openbsd.org>2007-05-26 03:37:46 +0000
committerAlexander von Gernler <grunk@cvs.openbsd.org>2007-05-26 03:37:46 +0000
commite824d0a67754988b985061a9cfb0e98ab023c9ba (patch)
treecc5e52a9d5152159ee061182ed86af9a186654cb /sbin
parent2fd3b69c813fcad97c53137d7edffb11552a9445 (diff)
make mount_vnd a C program by pulling in the vnconfig(8) source and adding
a mount_vnd(8) interface to it. merge manpages as well. next goal is to have this here completely replace the usr.sbin/vnconfig directory. prodded by many, manpage discussion and help jmc@, "go ahead" deraadt@
Diffstat (limited to 'sbin')
-rw-r--r--sbin/mount_vnd/Makefile14
-rw-r--r--sbin/mount_vnd/mount_vnd96
-rw-r--r--sbin/mount_vnd/mount_vnd.8202
-rw-r--r--sbin/mount_vnd/mount_vnd.c346
-rw-r--r--sbin/mount_vnd/pkcs5_pbkdf2.c253
-rw-r--r--sbin/mount_vnd/pkcs5_pbkdf2.h47
6 files changed, 834 insertions, 124 deletions
diff --git a/sbin/mount_vnd/Makefile b/sbin/mount_vnd/Makefile
index 33a7137f794..6b869d77050 100644
--- a/sbin/mount_vnd/Makefile
+++ b/sbin/mount_vnd/Makefile
@@ -1,9 +1,13 @@
-# $OpenBSD: Makefile,v 1.1 2007/04/14 11:54:00 grunk Exp $
+# $OpenBSD: Makefile,v 1.2 2007/05/26 03:37:45 grunk Exp $
-MAN=mount_vnd.8
+PROG= mount_vnd
+SRCS= mount_vnd.c pkcs5_pbkdf2.c
+LDADD= -lutil -lcrypto
+DPADD= ${LIBUTIL}
-beforeinstall:
- ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m ${BINMODE} \
- ${.CURDIR}/mount_vnd ${DESTDIR}${BINDIR}/mount_vnd
+LINKS= ${BINDIR}/mount_vnd ${BINDIR}/vnconfig
+MLINKS= mount_vnd.8 vnconfig.8
+
+MAN= mount_vnd.8
.include <bsd.prog.mk>
diff --git a/sbin/mount_vnd/mount_vnd b/sbin/mount_vnd/mount_vnd
deleted file mode 100644
index ec0d6834c18..00000000000
--- a/sbin/mount_vnd/mount_vnd
+++ /dev/null
@@ -1,96 +0,0 @@
-#!/bin/sh
-# $OpenBSD: mount_vnd,v 1.2 2007/05/02 20:13:13 david Exp $
-#
-# Copyright (c) 2005, 2006, 2007 David Krause <david@openbsd.org>
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
-
-progname=`basename "$0"`
-usage() {
- cat 1>&2 <<-EOF
- usage: $progname [-k] [-K rounds] [-o options] [-S saltfile] image node
- EOF
- exit 1
-}
-
-kflag=
-ROUNDS=
-SALTFILE=
-
-args=`getopt kK:o:S: $*`
-if [ $? -ne 0 ]; then
- usage
-fi
-
-set -eu
-
-set -- $args
-while [ $# -ge 0 ]; do
- case "$1" in
- -k)
- kflag="$1"; shift;;
- -K)
- ROUNDS="$2"; shift; shift;;
- -o)
- # currently, no mount options have effect for vnd
- shift; shift;;
- -S)
- SALTFILE="$2"; shift; shift;;
- --)
- shift; break;;
- esac
-done
-
-if [ $# -ne 2 ]; then
- usage
-fi
-
-IMAGE="$1"
-VND="$2"
-
-if [ -n "${ROUNDS}" -a ! -n "${SALTFILE}" ]; then
- SALTFILE="${IMAGE}.slt"
-fi
-
-if [ -n "${ROUNDS}" -a -n "${kflag}" ]; then
- echo "$progname: -k and -K are mutually exclusive" 1>&2
- exit 1
-elif [ -n "${SALTFILE}" -a ! -n "${ROUNDS}" ]; then
- echo "$progname: -S only makes sense when used with -K" 1>&2
- exit 1
-elif [ ! -b "${IMAGE}" -a ! -f "${IMAGE}" ]; then
- echo "$progname: ${IMAGE}: No such file or block device" 1>&2
- exit 1
-elif [ -n "${SALTFILE}" -a ! -f "${SALTFILE}" ]; then
- echo "$progname: ${SALTFILE}: No such file" 1>&2
- exit 1
-elif [ ! -b "${VND}" ]; then
- echo "$progname: ${VND}: No such block device" 1>&2
- exit 1
-fi
-
-vnconfig -l ${VND} > /dev/null
-if vnconfig -l ${VND} | fgrep -q covering; then
- echo "$progname: ${VND} is already in use" 1>&2
- exit 1
-fi
-
-echo "${IMAGE} on ${VND}"
-if [ -n "${ROUNDS}" ]; then
- vnconfig -K ${ROUNDS} -S ${SALTFILE} ${VND} ${IMAGE}
-elif [ -n "${kflag}" ]; then
- vnconfig -k ${VND} ${IMAGE}
-else
- vnconfig ${VND} ${IMAGE}
-fi
diff --git a/sbin/mount_vnd/mount_vnd.8 b/sbin/mount_vnd/mount_vnd.8
index 63f6884a6ed..86922ba49f9 100644
--- a/sbin/mount_vnd/mount_vnd.8
+++ b/sbin/mount_vnd/mount_vnd.8
@@ -1,4 +1,39 @@
-.\" $OpenBSD: mount_vnd.8,v 1.2 2007/04/14 13:17:24 jmc Exp $
+.\" $OpenBSD: mount_vnd.8,v 1.3 2007/05/26 03:37:45 grunk Exp $
+.\"
+.\" Copyright (c) 1993 University of Utah.
+.\" Copyright (c) 1980, 1989, 1991, 1993
+.\" The Regents of the University of California. All rights reserved.
+.\"
+.\" This code is derived from software contributed to Berkeley by
+.\" the Systems Programming Group of the University of Utah Computer
+.\" Science Department.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of the University nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" @(#)vnconfig.8 8.1 (Berkeley) 6/5/93
+.\"
.\"
.\" Copyright (c) 2007 Alexander von Gernler <grunk@openbsd.org>
.\"
@@ -14,29 +49,74 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd April 11, 2007
+.Dd May 18, 2007
.Dt MOUNT_VND 8
.Os
.Sh NAME
-.Nm mount_vnd
-.Nd configure a vnd image
+.Nm mount_vnd ,
+.Nm vnconfig
+.Nd "configure vnode disks for file swapping or pseudo file systems"
.Sh SYNOPSIS
.Nm mount_vnd
+.Bk -words
.Op Fl k
.Op Fl K Ar rounds
.Op Fl o Ar options
.Op Fl S Ar saltfile
.Ar image
-.Ar node
+.Ar vnd_dev
+.Ek
+.Nm vnconfig
+.Bk -words
+.Op Fl ckluv
+.Op Fl K Ar rounds
+.Op Fl S Ar saltfile
+.Ar vnd_dev
+.Ar image
+.Ek
.Sh DESCRIPTION
The
-.Nm
-command configures an image file named
+.Nm vnconfig
+command configures vnode pseudo disk devices.
+It will associate (or disassociate) the special file
+.Ar rawdev
+with the regular file
+.Ar regular_file ,
+allowing the latter to be accessed as though it were a disk.
+Hence a regular file within the file system can be used for swapping
+or can contain a file system that is mounted in the name space.
+.Pp
+Both traditional devices,
+.Xr vnd 4 ,
+and the cache-coherent devices,
+.Pa svnd ,
+are configured through
+.Nm vnconfig .
+.Pa svnd
+should be mounted with the
+.Xr mount 8
+option
+.Dq sync
+if
+.Ar regular_file
+is being read from,
+to ensure consistency in the buffer cache.
+For normal operation this is not necessary.
+.Pp
+The
+.Nm mount_vnd
+works similarly to
+.Nm vnconfig ,
+but it provides an interface that can be used by the
+.Xr fstab 5
+infrastructure, so that an
.Ar image
-using
-.Xr vnconfig 8 .
+file can be configured to a device
+.Ar node
+while booting.
.Pp
-This command is invoked by
+.Nm mount_vnd
+is invoked by
.Xr mount 8
when using the following syntax:
.Bd -ragged -offset 4n
@@ -47,18 +127,48 @@ when using the following syntax:
.Pp
The options are as follows:
.Bl -tag -width Ds
+.It Fl c
+.Nm vnconfig
+only.
+Configures the device.
+If successful, references to
+.Ar rawdev
+will access the contents of
+.Ar regular_file .
+This is the default operation.
+.It Fl k
+Associate an encryption key with the device.
+All data will be encrypted using the Blowfish cipher before it is
+written to the disk.
+Encryption only works with
+.Pa svnd .
.It Fl K Ar rounds
-Flag is passed on to
-.Xr vnconfig 8 .
-It is used to associate an encryption key using a salt file
-and a specified number of
+Associate an encryption key with the device.
+All data will be encrypted using the Blowfish cipher before it is
+written to the disk.
+The user is asked for both a passphrase and the name of a salt file.
+The salt file can also be specified on the command line using the
+.Fl S
+option.
+The passphrase and salt are combined according to PKCS #5 PBKDF2 for the
+specified number of
+rounds to generate the actual key used.
.Ar rounds
-for PKCS #5 PBKDF2 with the vnd device.
-.It Fl k
-Flag is passed on to
-.Xr vnconfig 8 .
-It is used to associate an encryption key with the vnd device.
+is a number between 1000 and
+.Dv INT_MAX .
+DO NOT LOSE THE SALT FILE.
+Encryption only works with
+.Pa svnd .
+.It Fl l
+.Nm vnconfig
+only.
+List the (s)vnd devices and indicate which ones are in use.
+If a specific
+.Ar rawdev
+is given, then only that one will be described.
.It Fl o Ar options
+.Nm mount_vnd
+only.
Options are specified with a
.Fl o
flag followed by a comma separated string of options.
@@ -71,16 +181,61 @@ At the moment,
is only here for compatibility reasons, but no use is made of supplied
options.
.It Fl S Ar saltfile
-Flag is passed on to
-.Xr vnconfig 8 .
-It is used to specify the name of the saltfile used with
-.Fl K .
+When
+.Fl K
+is used, specify the
+.Pa saltfile .
If the salt filename is not specified using
.Fl S ,
it defaults to
.Ar image Ns .slt .
+.It Fl u
+.Nm vnconfig
+only.
+Unconfigures a
+.Ar rawdev .
+.It Fl v
+.Nm vnconfig
+only.
+Print messages to stdout describing actions taken.
+.El
+.Sh FILES
+.Bl -tag -width /etc/rvnd?? -compact
+.It Pa /dev/{,r}{,s}vnd*
.El
.Sh EXAMPLES
+Configure a CD-ROM or DVD image file as vnode disk svnd0
+and mount the ISO 9660 file system contained in it:
+.Bd -literal -offset indent
+# vnconfig svnd0 /tmp/diskimage
+# mount -t cd9660 /dev/svnd0c /mnt
+.Ed
+.Pp
+Configure an encrypted image file as vnode disk svnd0 and mount the FFS
+file system contained in it.
+The encryption key does not echo and must be entered every time
+the vnode disk is configured.
+.Bd -literal -offset indent
+# vnconfig -k svnd0 /tmp/cryptimg
+Encryption key:
+# mount /dev/svnd0c /mnt
+.Ed
+.Pp
+Same as above, but now configure the vnode using PKCS #5 PBKDF2 and
+a salt file with 20000 rounds:
+.Bd -literal -offset indent
+# vnconfig -K 20000 svnd0 /tmp/cryptimg
+Encryption key:
+Salt file: /tmp/cryptsalt
+# mount /dev/svnd0c /mnt
+.Ed
+.Pp
+Unmount the file system and unconfigure the vnode device:
+.Bd -literal -offset indent
+# umount /mnt
+# vnconfig -u svnd0
+.Ed
+.Pp
Some possible vnd configurations for
.Pa /etc/fstab
are listed below.
@@ -120,6 +275,7 @@ from checking the file system for the same reasons.
.Xr vnd 4 ,
.Xr fstab 5 ,
.Xr mount 8 ,
+.Xr swapon 8 ,
.Xr umount 8
.Sh HISTORY
The
diff --git a/sbin/mount_vnd/mount_vnd.c b/sbin/mount_vnd/mount_vnd.c
new file mode 100644
index 00000000000..19239cbbe7d
--- /dev/null
+++ b/sbin/mount_vnd/mount_vnd.c
@@ -0,0 +1,346 @@
+/* $OpenBSD: mount_vnd.c,v 1.1 2007/05/26 03:37:45 grunk Exp $ */
+/*
+ * Copyright (c) 1993 University of Utah.
+ * Copyright (c) 1990, 1993
+ * The Regents of the University of California. All rights reserved.
+ *
+ * This code is derived from software contributed to Berkeley by
+ * the Systems Programming Group of the University of Utah Computer
+ * Science Department.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * from: Utah $Hdr: vnconfig.c 1.1 93/12/15$
+ *
+ * @(#)vnconfig.c 8.1 (Berkeley) 12/15/93
+ */
+
+#include <sys/param.h>
+#include <sys/ioctl.h>
+#include <sys/mount.h>
+#include <sys/stat.h>
+
+#include <dev/vndioctl.h>
+
+#include <blf.h>
+#include <err.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <pwd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <util.h>
+
+#include "pkcs5_pbkdf2.h"
+
+#define DEFAULT_VND "vnd0"
+
+#define VND_CONFIG 1
+#define VND_UNCONFIG 2
+#define VND_GET 3
+
+int verbose = 0;
+int run_mount_vnd = 0;
+
+__dead void usage(void);
+int config(char *, char *, int, char *, size_t);
+int getinfo(const char *);
+char *get_pkcs_key(char *, char *);
+
+int
+main(int argc, char **argv)
+{
+ int ch, rv, action, opt_c, opt_k, opt_K, opt_l, opt_u;
+ char *key, *mntopts, *rounds, *saltopt;
+ size_t keylen = 0;
+ extern char *__progname;
+
+ if (strcasecmp(__progname, "mount_vnd") == 0)
+ run_mount_vnd = 1;
+
+ opt_c = opt_k = opt_K = opt_l = opt_u = 0;
+ key = mntopts = rounds = saltopt = NULL;
+ action = VND_CONFIG;
+
+ while ((ch = getopt(argc, argv, "ckK:lo:S:uv")) != -1) {
+ switch (ch) {
+ case 'c':
+ opt_c = 1;
+ break;
+ case 'k':
+ opt_k = 1;
+ break;
+ case 'K':
+ opt_K = 1;
+ rounds = optarg;
+ break;
+ case 'l':
+ opt_l = 1;
+ break;
+ case 'o':
+ mntopts = optarg;
+ break;
+ case 'S':
+ saltopt = optarg;
+ break;
+ case 'u':
+ opt_u = 1;
+ break;
+ case 'v':
+ verbose = 1;
+ break;
+ default:
+ usage();
+ /* NOTREACHED */
+ }
+ }
+ argc -= optind;
+ argv += optind;
+
+ if (opt_c + opt_l + opt_u > 1)
+ errx(1, "-c, -l and -u are mutually exclusive options");
+
+ if (opt_l)
+ action = VND_GET;
+ else if (opt_u)
+ action = VND_UNCONFIG;
+ else
+ action = VND_CONFIG; /* default behavior */
+
+ if (saltopt && (!opt_K))
+ errx(1, "-S only makes sense when used with -K");
+
+ if (action == VND_CONFIG && argc == 2) {
+ int ind_raw, ind_reg;
+
+ if (opt_k) {
+ if (opt_K)
+ errx(1, "-k and -K are mutually exclusive");
+ key = getpass("Encryption key: ");
+ if (key == NULL || (keylen = strlen(key)) == 0)
+ errx(1, "Need an encryption key");
+ } else if (opt_K) {
+ key = get_pkcs_key(rounds, saltopt);
+ keylen = BLF_MAXUTILIZED;
+ }
+
+ /* fix order of arguments. */
+ if (run_mount_vnd) {
+ ind_raw = 1;
+ ind_reg = 0;
+ } else {
+ ind_raw = 0;
+ ind_reg = 1;
+ }
+ rv = config(argv[ind_raw], argv[ind_reg], action, key, keylen);
+ } else if (action == VND_UNCONFIG && argc == 1)
+ rv = config(argv[0], NULL, action, NULL, 0);
+ else if (action == VND_GET)
+ rv = getinfo(argc ? argv[0] : NULL);
+ else
+ usage();
+
+ exit(rv);
+}
+
+char *
+get_pkcs_key(char *arg, char *saltopt)
+{
+ char keybuf[128], saltbuf[128], saltfilebuf[PATH_MAX];
+ char *saltfile;
+ char *key = NULL;
+ const char *errstr;
+ int rounds;
+
+ rounds = strtonum(arg, 1000, INT_MAX, &errstr);
+ if (errstr)
+ err(1, "rounds: %s", errstr);
+ key = getpass("Encryption key: ");
+ if (!key || strlen(key) == 0)
+ errx(1, "Need an encryption key");
+ strncpy(keybuf, key, sizeof(keybuf));
+ if (saltopt)
+ saltfile = saltopt;
+ else {
+ printf("Salt file: ");
+ fflush(stdout);
+ saltfile = fgets(saltfilebuf, sizeof(saltfilebuf), stdin);
+ }
+ if (!saltfile || saltfile[0] == '\n') {
+ warnx("Skipping salt file, insecure");
+ saltfile = NULL;
+ } else {
+ size_t len = strlen(saltfile);
+ if (saltfile[len - 1] == '\n')
+ saltfile[len - 1] = 0;
+ }
+ if (saltfile) {
+ int fd;
+
+ fd = open(saltfile, O_RDONLY);
+ if (fd == -1) {
+ int *s;
+
+ fprintf(stderr, "Salt file not found, attempting to create one\n");
+ fd = open(saltfile, O_RDWR|O_CREAT|O_EXCL, 0600);
+ if (fd == -1)
+ err(1, "Unable to create salt file: '%s'",
+ saltfile);
+ for (s = (int *)saltbuf;
+ s < (int *)(saltbuf + sizeof(saltbuf)); s++)
+ *s = arc4random();
+ if (write(fd, saltbuf, sizeof(saltbuf))
+ != sizeof(saltbuf))
+ err(1, "Unable to write salt file: '%s'", saltfile);
+ fprintf(stderr, "Salt file created as '%s'\n", saltfile);
+ } else {
+ if (read(fd, saltbuf, sizeof(saltbuf))
+ != sizeof(saltbuf))
+ err(1, "Unable to read salt file: '%s'", saltfile);
+ }
+ close(fd);
+ } else {
+ memset(saltbuf, 0, sizeof(saltbuf));
+ }
+ if (pkcs5_pbkdf2((u_int8_t**)&key, BLF_MAXUTILIZED, keybuf,
+ sizeof(keybuf), saltbuf, sizeof(saltbuf), rounds, 0))
+ errx(1, "pkcs5_pbkdf2 failed");
+
+ return (key);
+}
+
+int
+getinfo(const char *vname)
+{
+ int vd, print_all = 0;
+ struct vnd_user vnu;
+
+ if (vname == NULL) {
+ vname = DEFAULT_VND;
+ print_all = 1;
+ }
+
+ vd = opendev((char *)vname, O_RDONLY, OPENDEV_PART, NULL);
+ if (vd < 0)
+ err(1, "open: %s", vname);
+
+ vnu.vnu_unit = -1;
+
+query:
+ if (ioctl(vd, VNDIOCGET, &vnu) == -1) {
+ if (print_all && errno == ENXIO && vnu.vnu_unit > 0) {
+ close(vd);
+ return (0);
+ } else {
+ err(1, "ioctl: %s", vname);
+ }
+ }
+
+ fprintf(stdout, "vnd%d: ", vnu.vnu_unit);
+
+ if (!vnu.vnu_ino)
+ fprintf(stdout, "not in use\n");
+ else
+ fprintf(stdout, "covering %s on %s, inode %d\n", vnu.vnu_file,
+ devname(vnu.vnu_dev, S_IFBLK), vnu.vnu_ino);
+
+ if (print_all) {
+ vnu.vnu_unit++;
+ goto query;
+ }
+
+ close(vd);
+
+ return (0);
+}
+
+int
+config(char *dev, char *file, int action, char *key, size_t keylen)
+{
+ struct vnd_ioctl vndio;
+ FILE *f;
+ char *rdev;
+ int rv;
+
+ if (opendev(dev, O_RDONLY, OPENDEV_PART, &rdev) < 0)
+ err(4, "%s", rdev);
+ f = fopen(rdev, "r");
+ if (f == NULL) {
+ warn("%s", rdev);
+ rv = -1;
+ goto out;
+ }
+ vndio.vnd_file = file;
+ vndio.vnd_key = (u_char *)key;
+ vndio.vnd_keylen = keylen;
+
+ /*
+ * Clear (un-configure) the device
+ */
+ if (action == VND_UNCONFIG) {
+ rv = ioctl(fileno(f), VNDIOCCLR, &vndio);
+ if (rv)
+ warn("VNDIOCCLR");
+ else if (verbose)
+ printf("%s: cleared\n", dev);
+ }
+ /*
+ * Configure the device
+ */
+ if (action == VND_CONFIG) {
+ rv = ioctl(fileno(f), VNDIOCSET, &vndio);
+ if (rv)
+ warn("VNDIOCSET");
+ else if (verbose)
+ printf("%s: %llu bytes on %s\n", dev, vndio.vnd_size,
+ file);
+ }
+
+ fclose(f);
+ fflush(stdout);
+ out:
+ if (key)
+ memset(key, 0, keylen);
+ return (rv < 0);
+}
+
+__dead void
+usage(void)
+{
+ extern char *__progname;
+
+ if (run_mount_vnd)
+ (void)fprintf(stderr,
+ "usage: %s [-ckluv] [-o mntopts] [-K rounds] "
+ "[-S saltfile] image vnd_dev\n", __progname);
+ else
+ (void)fprintf(stderr,
+ "usage: %s [-ckluv] [-K rounds] [-S saltfile] vnd_dev "
+ "image\n", __progname);
+
+ exit(1);
+}
diff --git a/sbin/mount_vnd/pkcs5_pbkdf2.c b/sbin/mount_vnd/pkcs5_pbkdf2.c
new file mode 100644
index 00000000000..b88ee815b8e
--- /dev/null
+++ b/sbin/mount_vnd/pkcs5_pbkdf2.c
@@ -0,0 +1,253 @@
+/* $NetBSD: pkcs5_pbkdf2.c,v 1.5 2004/03/17 01:29:13 dan Exp $ */
+
+/*-
+ * Copyright (c) 2002, 2003 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Roland C. Dowdeswell.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the NetBSD
+ * Foundation, Inc. and its contributors.
+ * 4. Neither the name of The NetBSD Foundation nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This code is an implementation of PKCS #5 PBKDF2 which is described
+ * in:
+ *
+ * ``PKCS #5 v2.0: Password-Based Cryptography Standard'', RSA Laboratories,
+ * March 25, 1999.
+ *
+ * and can be found at the following URL:
+ *
+ * http://www.rsasecurity.com/rsalabs/pkcs/pkcs-5/
+ *
+ * It was also republished as RFC 2898.
+ */
+
+
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/resource.h>
+
+#include <assert.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <openssl/hmac.h>
+
+#include "pkcs5_pbkdf2.h"
+
+static void int_encode(u_int8_t *, int);
+static void prf_iterate(u_int8_t *, const u_int8_t *, int,
+ const u_int8_t *, int, int, int);
+static int pkcs5_pbkdf2_time(int, int);
+
+void
+memxor(void *res, const void *src, size_t len)
+{
+ int i;
+ char *r;
+ const char *s;
+
+ r = res;
+ s = src;
+ for (i=0; i < len; i++)
+ r[i] ^= s[i];
+}
+
+#define PRF_BLOCKLEN 20
+
+/*
+ * int_encode encodes i as a four octet integer, most significant
+ * octet first. (from the end of Step 3).
+ */
+
+static void
+int_encode(u_int8_t *res, int i)
+{
+
+ *res++ = (i >> 24) & 0xff;
+ *res++ = (i >> 16) & 0xff;
+ *res++ = (i >> 8) & 0xff;
+ *res = (i ) & 0xff;
+}
+
+static void
+prf_iterate(u_int8_t *r, const u_int8_t *P, int Plen,
+ const u_int8_t *S, int Slen, int c, int ind)
+{
+ int first_time = 1;
+ int i;
+ int datalen;
+ int tmplen;
+ u_int8_t *data;
+ u_int8_t tmp[EVP_MAX_MD_SIZE];
+
+ data = malloc(Slen + 4);
+ if (!data)
+ err(1, "prf_iterate");
+ memcpy(data, S, Slen);
+ int_encode(data + Slen, ind);
+ datalen = Slen + 4;
+
+ for (i=0; i < c; i++) {
+ HMAC(EVP_sha1(), P, Plen, data, datalen, tmp, &tmplen);
+
+ assert(tmplen == PRF_BLOCKLEN);
+
+ if (first_time) {
+ memcpy(r, tmp, PRF_BLOCKLEN);
+ first_time = 0;
+ } else
+ memxor(r, tmp, PRF_BLOCKLEN);
+ memcpy(data, tmp, PRF_BLOCKLEN);
+ datalen = PRF_BLOCKLEN;
+ }
+ free(data);
+}
+
+/*
+ * pkcs5_pbkdf2 takes all of its lengths in bytes.
+ */
+
+int
+pkcs5_pbkdf2(u_int8_t **r, int dkLen, const u_int8_t *P, int Plen,
+ const u_int8_t *S, int Slen, int c, int compat)
+{
+ int i;
+ int l;
+
+ /* sanity */
+ if (!r)
+ return -1;
+ if (dkLen <= 0)
+ return -1;
+ if (c < 1)
+ return -1;
+
+ /* Step 2 */
+ l = (dkLen + PRF_BLOCKLEN - 1) / PRF_BLOCKLEN;
+
+ /* allocate the output */
+ *r = malloc(l * PRF_BLOCKLEN);
+ if (!*r)
+ return -1;
+
+ /* Step 3 */
+ for (i=0; i < l; i++)
+ prf_iterate(*r + (PRF_BLOCKLEN * i), P, Plen, S, Slen, c,
+ (compat?i:i+1));
+
+ /* Step 4 and 5
+ * by the structure of the code, we do not need to concatenate
+ * the blocks, they're already concatenated. We do not extract
+ * the first dkLen octets, since we [naturally] assume that the
+ * calling function will use only the octets that it needs and
+ * the free(3) will free all of the allocated memory.
+ */
+ return 0;
+}
+
+/*
+ * We use predefined lengths for the password and salt to ensure that
+ * no analysis can be done on the output of the calibration based on
+ * those parameters. We do not do the same for dkLen because:
+ * 1. dkLen is known to the attacker if they know the iteration
+ * count, and
+ * 2. using the wrong dkLen will skew the calibration by an
+ * integral factor n = (dkLen / 160).
+ */
+
+#define CAL_PASSLEN 64
+#define CAL_SALTLEN 64
+#define CAL_TIME 30000 /* Minimum number of microseconds that
+ * are considered significant.
+ */
+
+/*
+ * We return the user time in milliseconds that c iterations
+ * of the algorithm take.
+ */
+
+static int
+pkcs5_pbkdf2_time(int dkLen, int c)
+{
+ struct rusage start;
+ struct rusage end;
+ int ret;
+ u_int8_t *r = NULL;
+ u_int8_t P[CAL_PASSLEN];
+ u_int8_t S[CAL_SALTLEN];
+
+ getrusage(RUSAGE_SELF, &start);
+ /* XXX compat flag at end to be removed when _OLD keygen method is */
+ ret = pkcs5_pbkdf2(&r, dkLen, P, sizeof(P), S, sizeof(S), c, 0);
+ if (ret)
+ return ret;
+ getrusage(RUSAGE_SELF, &end);
+ free(r);
+
+ return (end.ru_utime.tv_sec - start.ru_utime.tv_sec) * 1000000
+ + (end.ru_utime.tv_usec - start.ru_utime.tv_usec);
+}
+
+int
+pkcs5_pbkdf2_calibrate(int dkLen, int milliseconds)
+{
+ int c;
+ int t = 0;
+ int ret;
+
+ /*
+ * First we get a meaningfully long time by doubling the
+ * iteration count until it takes longer than CAL_TIME. This
+ * should take approximately 2 * CAL_TIME.
+ */
+ for (c=1;; c *= 2) {
+ t = pkcs5_pbkdf2_time(dkLen, c);
+ if (t > CAL_TIME)
+ break;
+ }
+
+ /* Now that we know that, we scale it. */
+ ret = (int) ((u_int64_t) c * milliseconds / t);
+
+ /*
+ * Since it is quite important to not get this wrong,
+ * we test the result.
+ */
+
+ t = pkcs5_pbkdf2_time(dkLen, 10000);
+
+ /* if we are over 5% off, return an error */
+ if (abs(milliseconds - t) > (milliseconds / 20))
+ return -1;
+
+ return ret;
+}
diff --git a/sbin/mount_vnd/pkcs5_pbkdf2.h b/sbin/mount_vnd/pkcs5_pbkdf2.h
new file mode 100644
index 00000000000..443e3e4298c
--- /dev/null
+++ b/sbin/mount_vnd/pkcs5_pbkdf2.h
@@ -0,0 +1,47 @@
+/* $NetBSD: pkcs5_pbkdf2.h,v 1.3 2004/03/17 01:29:13 dan Exp $ */
+
+/*-
+ * Copyright (c) 2002, 2003 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Roland C. Dowdeswell.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the NetBSD
+ * Foundation, Inc. and its contributors.
+ * 4. Neither the name of The NetBSD Foundation nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef PKCS5_PBKDF2_H
+#define PKCS5_PBKDF2_H
+
+__BEGIN_DECLS
+int pkcs5_pbkdf2(u_int8_t **, int, const u_int8_t *, int,
+ const u_int8_t *, int, int, int);
+int pkcs5_pbkdf2_calibrate(int, int);
+__END_DECLS
+#endif