-rw-r--r-- | sbin/Makefile | 4 | ||||
-rw-r--r-- | sbin/mount_vnd/Makefile | 6 | ||||
-rw-r--r-- | usr.sbin/Makefile | 4 | ||||
-rw-r--r-- | usr.sbin/vnconfig/Makefile | 9 | ||||
-rw-r--r-- | usr.sbin/vnconfig/pkcs5_pbkdf2.c | 253 | ||||
-rw-r--r-- | usr.sbin/vnconfig/pkcs5_pbkdf2.h | 47 | ||||
-rw-r--r-- | usr.sbin/vnconfig/vnconfig.8 | 170 | ||||
-rw-r--r-- | usr.sbin/vnconfig/vnconfig.c | 322 |
8 files changed, 9 insertions, 806 deletions
diff --git a/sbin/Makefile b/sbin/Makefile index b42b8588dd1..f207c62757c 100644 --- a/sbin/Makefile +++ b/sbin/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.82 2007/05/18 16:08:12 deraadt Exp $ +# $OpenBSD: Makefile,v 1.83 2007/05/26 21:39:45 grunk Exp $ SUBDIR= atactl badsect bioctl brconfig ccdconfig clri dhclient \ disklabel dmesg dump dumpfs fdisk fsck fsck_ext2fs fsck_ffs \ @@ -6,7 +6,7 @@ SUBDIR= atactl badsect bioctl brconfig ccdconfig clri dhclient \ isakmpd kbd lmccontrol mknod modload modunload mount \ mount_ados mount_cd9660 mount_ext2fs mount_ffs mount_msdos \ mount_nfs mount_ntfs mount_portal mount_procfs mount_udf \ - mount_xfs mountd ncheck_ffs newfs newfs_msdos \ + mount_vnd mount_xfs mountd ncheck_ffs newfs newfs_msdos \ nfsd nmeaattach nologin pdisk pfctl pflogd ping ping6 quotacheck \ raidctl reboot restore route routed rtsol savecore scan_ffs \ scsi shutdown slattach swapctl sysctl ttyflags tunefs \ diff --git a/sbin/mount_vnd/Makefile b/sbin/mount_vnd/Makefile index 6b869d77050..071a2560dac 100644 --- a/sbin/mount_vnd/Makefile +++ b/sbin/mount_vnd/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.2 2007/05/26 03:37:45 grunk Exp $ +# $OpenBSD: Makefile,v 1.3 2007/05/26 21:39:45 grunk Exp $ PROG= mount_vnd SRCS= mount_vnd.c pkcs5_pbkdf2.c @@ -8,6 +8,10 @@ DPADD= ${LIBUTIL} LINKS= ${BINDIR}/mount_vnd ${BINDIR}/vnconfig MLINKS= mount_vnd.8 vnconfig.8 +# XXX compatibility +afterinstall: + (cd ${DESTDIR}/usr/sbin && ln -sf ../../sbin/vnconfig .) + MAN= mount_vnd.8 .include <bsd.prog.mk> diff --git a/usr.sbin/Makefile b/usr.sbin/Makefile index eb01ae8500e..9a80b386a94 100644 --- a/usr.sbin/Makefile +++ b/usr.sbin/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.134 2007/05/18 16:08:12 deraadt Exp $ +# $OpenBSD: Makefile,v 1.135 2007/05/26 21:39:45 grunk Exp $ .include <bsd.own.mk> 
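Review bot: The new `afterinstall` target in sbin/mount_vnd/Makefile carries only `# XXX compatibility`, which says neither what the `/usr/sbin/vnconfig` symlink is compatible with nor when it can be dropped; the only hint is that the same commit deletes usr.sbin/vnconfig, which a later reader of this Makefile will not see. I would make the comment self-contained, e.g. `# XXX compatibility: vnconfig(8) moved from /usr/sbin to /sbin; keep this symlink until callers of the old path have been updated`. The recipe itself is fine as far as the hunk shows: it runs in a subshell with `&&`, so a missing ${DESTDIR}/usr/sbin fails the install loudly rather than leaving a silent gap, and `ln -sf` keeps the target re-runnable.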
@@ -14,7 +14,7 @@ SUBDIR= ac accton acpidump adduser amd apm apmd arp \ rmt route6d rpc.bootparamd rpc.lockd rtadvd rtsold rwhod sa \ sasyncd sensorsd sliplogin slstats spamdb spray syslogc syslogd \ tcpdrop tcpdump timed tokenadm tokeninit traceroute traceroute6 \ - trpt usbdevs user vipw vnconfig watchdogd wsconscfg wsfontload \ + trpt usbdevs user vipw watchdogd wsconscfg wsfontload \ wsmoused zdump zic ztsscale .if (${AFS:L} == "yes") diff --git a/usr.sbin/vnconfig/Makefile b/usr.sbin/vnconfig/Makefile deleted file mode 100644 index 8290eb29b1f..00000000000 --- a/usr.sbin/vnconfig/Makefile +++ /dev/null @@ -1,9 +0,0 @@ -# $OpenBSD: Makefile,v 1.4 2006/06/30 16:09:27 tedu Exp $ - -PROG= vnconfig -MAN= vnconfig.8 -DPADD= ${LIBUTIL} -LDADD= -lutil -lcrypto -SRCS=vnconfig.c pkcs5_pbkdf2.c - -.include <bsd.prog.mk> diff --git a/usr.sbin/vnconfig/pkcs5_pbkdf2.c b/usr.sbin/vnconfig/pkcs5_pbkdf2.c deleted file mode 100644 index b88ee815b8e..00000000000 --- a/usr.sbin/vnconfig/pkcs5_pbkdf2.c +++ /dev/null 
@@ -1,253 +0,0 @@ -/* $NetBSD: pkcs5_pbkdf2.c,v 1.5 2004/03/17 01:29:13 dan Exp $ */ - -/*- - * Copyright (c) 2002, 2003 The NetBSD Foundation, Inc. - * All rights reserved. - * - * This code is derived from software contributed to The NetBSD Foundation - * by Roland C. Dowdeswell. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the NetBSD - * Foundation, Inc. and its contributors. - * 4. Neither the name of The NetBSD Foundation nor the names of its - * contributors may be used to endorse or promote products derived - * from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS - * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS - * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code is an implementation of PKCS #5 PBKDF2 which is described - * in: - * - * ``PKCS #5 v2.0: Password-Based Cryptography Standard'', RSA Laboratories, - * March 25, 1999. - * - * and can be found at the following URL: - * - * http://www.rsasecurity.com/rsalabs/pkcs/pkcs-5/ - * - * It was also republished as RFC 2898. - */ - - -#include <sys/types.h> -#include <sys/time.h> -#include <sys/resource.h> - -#include <assert.h> -#include <stdlib.h> -#include <string.h> - -#include <openssl/hmac.h> - -#include "pkcs5_pbkdf2.h" - -static void int_encode(u_int8_t *, int); -static void prf_iterate(u_int8_t *, const u_int8_t *, int, - const u_int8_t *, int, int, int); -static int pkcs5_pbkdf2_time(int, int); - -void -memxor(void *res, const void *src, size_t len) -{ - int i; - char *r; - const char *s; - - r = res; - s = src; - for (i=0; i < len; i++) - r[i] ^= s[i]; -} - -#define PRF_BLOCKLEN 20 - -/* - * int_encode encodes i as a four octet integer, most significant - * octet first. (from the end of Step 3). 
- */ - -static void -int_encode(u_int8_t *res, int i) -{ - - *res++ = (i >> 24) & 0xff; - *res++ = (i >> 16) & 0xff; - *res++ = (i >> 8) & 0xff; - *res = (i ) & 0xff; -} - -static void -prf_iterate(u_int8_t *r, const u_int8_t *P, int Plen, - const u_int8_t *S, int Slen, int c, int ind) -{ - int first_time = 1; - int i; - int datalen; - int tmplen; - u_int8_t *data; - u_int8_t tmp[EVP_MAX_MD_SIZE]; - - data = malloc(Slen + 4); - if (!data) - err(1, "prf_iterate"); - memcpy(data, S, Slen); - int_encode(data + Slen, ind); - datalen = Slen + 4; - - for (i=0; i < c; i++) { - HMAC(EVP_sha1(), P, Plen, data, datalen, tmp, &tmplen); - - assert(tmplen == PRF_BLOCKLEN); - - if (first_time) { - memcpy(r, tmp, PRF_BLOCKLEN); - first_time = 0; - } else - memxor(r, tmp, PRF_BLOCKLEN); - memcpy(data, tmp, PRF_BLOCKLEN); - datalen = PRF_BLOCKLEN; - } - free(data); -} - -/* - * pkcs5_pbkdf2 takes all of its lengths in bytes. - */ - -int -pkcs5_pbkdf2(u_int8_t **r, int dkLen, const u_int8_t *P, int Plen, - const u_int8_t *S, int Slen, int c, int compat) -{ - int i; - int l; - - /* sanity */ - if (!r) - return -1; - if (dkLen <= 0) - return -1; - if (c < 1) - return -1; - - /* Step 2 */ - l = (dkLen + PRF_BLOCKLEN - 1) / PRF_BLOCKLEN; - - /* allocate the output */ - *r = malloc(l * PRF_BLOCKLEN); - if (!*r) - return -1; - - /* Step 3 */ - for (i=0; i < l; i++) - prf_iterate(*r + (PRF_BLOCKLEN * i), P, Plen, S, Slen, c, - (compat?i:i+1)); - - /* Step 4 and 5 - * by the structure of the code, we do not need to concatenate - * the blocks, they're already concatenated. We do not extract - * the first dkLen octets, since we [naturally] assume that the - * calling function will use only the octets that it needs and - * the free(3) will free all of the allocated memory. - */ - return 0; -} - -/* - * We use predefined lengths for the password and salt to ensure that - * no analysis can be done on the output of the calibration based on - * those parameters. 
We do not do the same for dkLen because: - * 1. dkLen is known to the attacker if they know the iteration - * count, and - * 2. using the wrong dkLen will skew the calibration by an - * integral factor n = (dkLen / 160). - */ - -#define CAL_PASSLEN 64 -#define CAL_SALTLEN 64 -#define CAL_TIME 30000 /* Minimum number of microseconds that - * are considered significant. - */ - -/* - * We return the user time in milliseconds that c iterations - * of the algorithm take. - */ - -static int -pkcs5_pbkdf2_time(int dkLen, int c) -{ - struct rusage start; - struct rusage end; - int ret; - u_int8_t *r = NULL; - u_int8_t P[CAL_PASSLEN]; - u_int8_t S[CAL_SALTLEN]; - - getrusage(RUSAGE_SELF, &start); - /* XXX compat flag at end to be removed when _OLD keygen method is */ - ret = pkcs5_pbkdf2(&r, dkLen, P, sizeof(P), S, sizeof(S), c, 0); - if (ret) - return ret; - getrusage(RUSAGE_SELF, &end); - free(r); - - return (end.ru_utime.tv_sec - start.ru_utime.tv_sec) * 1000000 - + (end.ru_utime.tv_usec - start.ru_utime.tv_usec); -} - -int -pkcs5_pbkdf2_calibrate(int dkLen, int milliseconds) -{ - int c; - int t = 0; - int ret; - - /* - * First we get a meaningfully long time by doubling the - * iteration count until it takes longer than CAL_TIME. This - * should take approximately 2 * CAL_TIME. - */ - for (c=1;; c *= 2) { - t = pkcs5_pbkdf2_time(dkLen, c); - if (t > CAL_TIME) - break; - } - - /* Now that we know that, we scale it. */ - ret = (int) ((u_int64_t) c * milliseconds / t); - - /* - * Since it is quite important to not get this wrong, - * we test the result. - */ - - t = pkcs5_pbkdf2_time(dkLen, 10000); - - /* if we are over 5% off, return an error */ - if (abs(milliseconds - t) > (milliseconds / 20)) - return -1; - - return ret; -} diff --git a/usr.sbin/vnconfig/pkcs5_pbkdf2.h b/usr.sbin/vnconfig/pkcs5_pbkdf2.h deleted file mode 100644 index 443e3e4298c..00000000000 --- a/usr.sbin/vnconfig/pkcs5_pbkdf2.h +++ /dev/null 
@@ -1,47 +0,0 @@ -/* $NetBSD: pkcs5_pbkdf2.h,v 1.3 2004/03/17 01:29:13 dan Exp $ */ - -/*- - * Copyright (c) 2002, 2003 The NetBSD Foundation, Inc. - * All rights reserved. - * - * This code is derived from software contributed to The NetBSD Foundation - * by Roland C. Dowdeswell. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the NetBSD - * Foundation, Inc. and its contributors. - * 4. Neither the name of The NetBSD Foundation nor the names of its - * contributors may be used to endorse or promote products derived - * from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS - * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS - * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -#ifndef PKCS5_PBKDF2_H -#define PKCS5_PBKDF2_H - -__BEGIN_DECLS -int pkcs5_pbkdf2(u_int8_t **, int, const u_int8_t *, int, - const u_int8_t *, int, int, int); -int pkcs5_pbkdf2_calibrate(int, int); -__END_DECLS -#endif diff --git a/usr.sbin/vnconfig/vnconfig.8 b/usr.sbin/vnconfig/vnconfig.8 deleted file mode 100644 index bf87b315f84..00000000000 --- a/usr.sbin/vnconfig/vnconfig.8 +++ /dev/null 
@@ -1,170 +0,0 @@ -.\" $OpenBSD: vnconfig.8,v 1.30 2007/01/27 10:34:46 grunk Exp $ -.\" -.\" Copyright (c) 1993 University of Utah. -.\" Copyright (c) 1980, 1989, 1991, 1993 -.\" The Regents of the University of California. All rights reserved. -.\" -.\" This code is derived from software contributed to Berkeley by -.\" the Systems Programming Group of the University of Utah Computer -.\" Science Department. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" 3. Neither the name of the University nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. 
-.\" -.\" @(#)vnconfig.8 8.1 (Berkeley) 6/5/93 -.\" -.Dd July 8, 1993 -.Dt VNCONFIG 8 -.Os -.Sh NAME -.Nm vnconfig -.Nd "configure vnode disks for file swapping or pseudo file systems" -.Sh SYNOPSIS -.Nm -.Op Fl ckluv -.Op Fl K Ar rounds -.Op Fl S Ar saltfile -.Ar rawdev -.Ar regular_file -.Sh DESCRIPTION -The -.Nm -command configures vnode pseudo disk devices. -It will associate (or disassociate) the special file -.Ar rawdev -with the regular file -.Ar regular_file , -allowing the latter to be accessed as though it were a disk. -Hence a regular file within the file system can be used for swapping -or can contain a file system that is mounted in the name space. -.Pp -Both traditional devices, -.Xr vnd 4 , -and the cache-coherent devices, -.Pa svnd , -are configured through -.Nm vnconfig . -.Pa svnd -should be mounted with the -.Xr mount 8 -option -.Dq sync -if -.Ar regular_file -is being read from, -to ensure consistency in the buffer cache. -For normal operation this is not necessary. -.Pp -The options are as follows: -.Bl -tag -width Ds -.It Fl c -Configures the device. -If successful, references to -.Ar rawdev -will access the contents of -.Ar regular_file . -This is the default operation. -.It Fl K Ar rounds -Associate an encryption key with the device. -All data will be encrypted using the Blowfish cipher before it is -written to the disk. -The user is asked for both a passphrase and the name of a salt file. -The salt file can also be specified on the command line using the -.Fl S -option. -The passphrase and salt are combined according to PKCS #5 PBKDF2 for the -specified number of -rounds to generate the actual key used. -.Ar rounds -is a number between 1000 and -.Dv INT_MAX . -DO NOT LOSE THE SALT FILE. -Encryption only works with -.Pa svnd . -.It Fl k -Associate an encryption key with the device. -All data will be encrypted using the Blowfish cipher before it is -written to the disk. -Encryption only works with -.Pa svnd . 
-.It Fl l -List the (s)vnd devices and indicate which ones are in use. -If a specific -.Ar rawdev -is given, then only that one will be described. -.It Fl S Ar saltfile -When -.Fl K -is used, specify the -.Pa saltfile . -.It Fl u -Unconfigures a -.Ar rawdev . -.It Fl v -Print messages to stdout describing actions taken. -.El -.Sh FILES -.Bl -tag -width /etc/rvnd?? -compact -.It Pa /dev/{,r}{,s}vnd* -.El -.Sh EXAMPLES -Configure a CD-ROM or DVD image file as vnode disk svnd0 -and mount the ISO 9660 file system contained in it: -.Bd -literal -offset indent -# vnconfig svnd0 /tmp/diskimage -# mount -t cd9660 /dev/svnd0c /mnt -.Ed -.Pp -Configure an encrypted image file as vnode disk svnd0 and mount the FFS -file system contained in it. -The encryption key does not echo and must be entered every time -the vnode disk is configured. -.Bd -literal -offset indent -# vnconfig -k svnd0 /tmp/cryptimg -Encryption key: -# mount /dev/svnd0c /mnt -.Ed -.Pp -Same as above, but now configure the vnode using PKCS #5 PBKDF2 and -a salt file with 20000 rounds: -.Bd -literal -offset indent -# vnconfig -K 20000 svnd0 /tmp/cryptimg -Encryption key: -Salt file: /tmp/cryptsalt -# mount /dev/svnd0c /mnt -.Ed -.Pp -Unmount the file system and unconfigure the vnode device: -.Bd -literal -offset indent -# umount /mnt -# vnconfig -u svnd0 -.Ed -.Sh SEE ALSO -.Xr vnd 4 , -.Xr mount 8 , -.Xr swapon 8 , -.Xr umount 8 -.Sh BUGS -This command should really be named -.Nm vndconfig . diff --git a/usr.sbin/vnconfig/vnconfig.c b/usr.sbin/vnconfig/vnconfig.c deleted file mode 100644 index fade6e2707c..00000000000 --- a/usr.sbin/vnconfig/vnconfig.c +++ /dev/null 
@@ -1,322 +0,0 @@ -/* $OpenBSD: vnconfig.c,v 1.27 2007/04/10 15:28:55 tedu Exp $ */ -/* - * Copyright (c) 1993 University of Utah. - * Copyright (c) 1990, 1993 - * The Regents of the University of California. All rights reserved. - * - * This code is derived from software contributed to Berkeley by - * the Systems Programming Group of the University of Utah Computer - * Science Department. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- * - * from: Utah $Hdr: vnconfig.c 1.1 93/12/15$ - * - * @(#)vnconfig.c 8.1 (Berkeley) 12/15/93 - */ - -#include <sys/param.h> -#include <sys/ioctl.h> -#include <sys/mount.h> -#include <sys/stat.h> - -#include <dev/vndioctl.h> - -#include <blf.h> -#include <err.h> -#include <errno.h> -#include <fcntl.h> -#include <pwd.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <unistd.h> -#include <util.h> - -#include "pkcs5_pbkdf2.h" - -#define DEFAULT_VND "vnd0" - -#define VND_CONFIG 1 -#define VND_UNCONFIG 2 -#define VND_GET 3 - -int verbose = 0; - -__dead void usage(void); -int config(char *, char *, int, char *, size_t); -int getinfo(const char *); -char *get_pkcs_key(char *, char *); - -int -main(int argc, char **argv) -{ - int ch, rv, action = VND_CONFIG; - char *key = NULL; - char *rounds = NULL; - char *saltopt = NULL; - size_t keylen = 0; - int opt_c = 0, opt_k = 0; - int opt_K = 0, opt_l = 0, opt_u = 0; - - while ((ch = getopt(argc, argv, "ckK:luS:v")) != -1) { - switch (ch) { - case 'c': - opt_c = 1; - break; - case 'l': - opt_l = 1; - break; - case 'k': - opt_k = 1; - break; - case 'K': - opt_K = 1; - rounds = optarg; - break; - case 'S': - saltopt = optarg; - break; - case 'u': - opt_u = 1; - break; - case 'v': - verbose = 1; - break; - default: - usage(); - /* NOTREACHED */ - } - } - - argc -= optind; - argv += optind; - - if (opt_c + opt_l + opt_u > 1) - errx(1, "-c, -l and -u are mutually exclusive options"); - - if (opt_l) - action = VND_GET; - else if (opt_u) - action = VND_UNCONFIG; - else - action = VND_CONFIG; /* default behavior */ - - if (saltopt && (!opt_K)) - errx(1, "-S only makes sense when used with -K"); - - if (action == VND_CONFIG && argc == 2) { - if (opt_k) { - if (opt_K) - errx(1, "-k and -K are mutually exclusive"); - key = getpass("Encryption key: "); - if (key == NULL || (keylen = strlen(key)) == 0) - errx(1, "Need an encryption key"); - } else if (opt_K) { - key = get_pkcs_key(rounds, saltopt); - keylen = 
BLF_MAXUTILIZED; - } - rv = config(argv[0], argv[1], action, key, keylen); - } else if (action == VND_UNCONFIG && argc == 1) - rv = config(argv[0], NULL, action, NULL, 0); - else if (action == VND_GET) - rv = getinfo(argc ? argv[0] : NULL); - else - usage(); - - exit(rv); -} - -char * -get_pkcs_key(char *arg, char *saltopt) -{ - char keybuf[128], saltbuf[128], saltfilebuf[PATH_MAX]; - char *saltfile; - char *key = NULL; - const char *errstr; - int rounds; - - rounds = strtonum(arg, 1000, INT_MAX, &errstr); - if (errstr) - err(1, "rounds: %s", errstr); - key = getpass("Encryption key: "); - if (!key || strlen(key) == 0) - errx(1, "Need an encryption key"); - strncpy(keybuf, key, sizeof(keybuf)); - if (saltopt) - saltfile = saltopt; - else { - printf("Salt file: "); - fflush(stdout); - saltfile = fgets(saltfilebuf, sizeof(saltfilebuf), stdin); - } - if (!saltfile || saltfile[0] == '\n') { - warnx("Skipping salt file, insecure"); - saltfile = NULL; - } else { - size_t len = strlen(saltfile); - if (saltfile[len - 1] == '\n') - saltfile[len - 1] = 0; - } - if (saltfile) { - int fd; - - fd = open(saltfile, O_RDONLY); - if (fd == -1) { - int *s; - - fprintf(stderr, "Salt file not found, attempting to create one\n"); - fd = open(saltfile, O_RDWR|O_CREAT|O_EXCL, 0600); - if (fd == -1) - err(1, "Unable to create salt file: '%s'", - saltfile); - for (s = (int *)saltbuf; - s < (int *)(saltbuf + sizeof(saltbuf)); s++) - *s = arc4random(); - if (write(fd, saltbuf, sizeof(saltbuf)) - != sizeof(saltbuf)) - err(1, "Unable to write salt file: '%s'", saltfile); - fprintf(stderr, "Salt file created as '%s'\n", saltfile); - } else { - if (read(fd, saltbuf, sizeof(saltbuf)) - != sizeof(saltbuf)) - err(1, "Unable to read salt file: '%s'", saltfile); - } - close(fd); - } else { - memset(saltbuf, 0, sizeof(saltbuf)); - } - if (pkcs5_pbkdf2((u_int8_t**)&key, BLF_MAXUTILIZED, keybuf, - sizeof(keybuf), saltbuf, sizeof(saltbuf), rounds, 0)) - errx(1, "pkcs5_pbkdf2 failed"); - - return (key); 
-} - -int -getinfo(const char *vname) -{ - int vd, print_all = 0; - struct vnd_user vnu; - - if (vname == NULL) { - vname = DEFAULT_VND; - print_all = 1; - } - - vd = opendev((char *)vname, O_RDONLY, OPENDEV_PART, NULL); - if (vd < 0) - err(1, "open: %s", vname); - - vnu.vnu_unit = -1; - -query: - if (ioctl(vd, VNDIOCGET, &vnu) == -1) { - if (print_all && errno == ENXIO && vnu.vnu_unit > 0) { - close(vd); - return (0); - } else { - err(1, "ioctl: %s", vname); - } - } - - fprintf(stdout, "vnd%d: ", vnu.vnu_unit); - - if (!vnu.vnu_ino) - fprintf(stdout, "not in use\n"); - else - fprintf(stdout, "covering %s on %s, inode %d\n", vnu.vnu_file, - devname(vnu.vnu_dev, S_IFBLK), vnu.vnu_ino); - - if (print_all) { - vnu.vnu_unit++; - goto query; - } - - close(vd); - - return (0); -} - -int -config(char *dev, char *file, int action, char *key, size_t keylen) -{ - struct vnd_ioctl vndio; - FILE *f; - char *rdev; - int rv; - - if (opendev(dev, O_RDONLY, OPENDEV_PART, &rdev) < 0) - err(4, "%s", rdev); - f = fopen(rdev, "r"); - if (f == NULL) { - warn("%s", rdev); - rv = -1; - goto out; - } - vndio.vnd_file = file; - vndio.vnd_key = (u_char *)key; - vndio.vnd_keylen = keylen; - - /* - * Clear (un-configure) the device - */ - if (action == VND_UNCONFIG) { - rv = ioctl(fileno(f), VNDIOCCLR, &vndio); - if (rv) - warn("VNDIOCCLR"); - else if (verbose) - printf("%s: cleared\n", dev); - } - /* - * Configure the device - */ - if (action == VND_CONFIG) { - rv = ioctl(fileno(f), VNDIOCSET, &vndio); - if (rv) - warn("VNDIOCSET"); - else if (verbose) - printf("%s: %llu bytes on %s\n", dev, vndio.vnd_size, - file); - } - - fclose(f); - fflush(stdout); - out: - if (key) - memset(key, 0, keylen); - return (rv < 0); -} - -__dead void -usage(void) -{ - extern char *__progname; - - (void)fprintf(stderr, - "usage: %s [-ckluv] [-K rounds] [-S saltfile] rawdev regular_file\n", - __progname); - exit(1); -} |