

[src/trunk]: src/sbin/cgdconfig cgdconfig(8): Handle -P/-S for shared keys wi...



details:   https://anonhg.NetBSD.org/src/rev/b8ad6f3a032a
branches:  trunk
changeset: 368893:b8ad6f3a032a
user:      riastradh <riastradh%NetBSD.org@localhost>
date:      Fri Aug 12 10:49:47 2022 +0000

description:
cgdconfig(8): Handle -P/-S for shared keys with -G too.

This way you can convert an existing parameters file to one that is
derived from a shared key, and derive other subkeys for other disks
from the same shared key.

        cgdconfig -G -S -o /etc/cgd/wd0.shared /etc/cgd/wd0
        cgdconfig -G -S -o /etc/cgd/wd1.shared \
                -P /etc/cgd/wd0.shared /etc/cgd/wd1

This way, if you enter the same new password both times, wd0.shared
and wd1.shared generate the same keys as wd0 and wd1, but only need
one password entry with `cgdconfig -C'.

diffstat:

 sbin/cgdconfig/cgdconfig.8 |  10 ++++--
 sbin/cgdconfig/cgdconfig.c |  68 +++++++++++++++++++++++++++++++++++----------
 2 files changed, 59 insertions(+), 19 deletions(-)

diffs (165 lines):

diff -r fe810e68006c -r b8ad6f3a032a sbin/cgdconfig/cgdconfig.8
--- a/sbin/cgdconfig/cgdconfig.8        Fri Aug 12 10:49:35 2022 +0000
+++ b/sbin/cgdconfig/cgdconfig.8        Fri Aug 12 10:49:47 2022 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: cgdconfig.8,v 1.56 2022/08/12 10:49:35 riastradh Exp $
+.\" $NetBSD: cgdconfig.8,v 1.57 2022/08/12 10:49:47 riastradh Exp $
 .\"
 .\" Copyright (c) 2002, The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -144,7 +144,9 @@
 .Fl S
 option for the
 .Fl g
-action, specify a parameters file with a shared key to reuse for
+or
+.Fl G
+actions, specify a parameters file with a shared key to reuse for
 deriving this one as a subkey.
 .It Fl p
 Read all passphrases from stdin rather than
@@ -157,7 +159,9 @@
 again.
 .It Fl S
 When generating a parameters file with
-.Fl g ,
+.Fl g
+or
+.Fl G ,
 arrange to use a subkey of a shared key.
 If
 .Fl P Ar paramsfile
diff -r fe810e68006c -r b8ad6f3a032a sbin/cgdconfig/cgdconfig.c
--- a/sbin/cgdconfig/cgdconfig.c        Fri Aug 12 10:49:35 2022 +0000
+++ b/sbin/cgdconfig/cgdconfig.c        Fri Aug 12 10:49:47 2022 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: cgdconfig.c,v 1.57 2022/08/12 10:49:35 riastradh Exp $ */
+/* $NetBSD: cgdconfig.c,v 1.58 2022/08/12 10:49:47 riastradh Exp $ */
 
 /*-
  * Copyright (c) 2002, 2003 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
 #ifndef lint
 __COPYRIGHT("@(#) Copyright (c) 2002, 2003\
  The NetBSD Foundation, Inc.  All rights reserved.");
-__RCSID("$NetBSD: cgdconfig.c,v 1.57 2022/08/12 10:49:35 riastradh Exp $");
+__RCSID("$NetBSD: cgdconfig.c,v 1.58 2022/08/12 10:49:47 riastradh Exp $");
 #endif
 
 #ifdef HAVE_ARGON2
@@ -129,7 +129,8 @@
 static int     configure_stdin(struct params *, int argc, char **);
 static int     generate(struct params *, int, char **, const char *,
                    const char *);
-static int     generate_convert(struct params *, int, char **, const char *);
+static int     generate_convert(struct params *, int, char **, const char *,
+                   const char *);
 static int     unconfigure(int, char **, struct params *, int);
 static int     do_all(const char *, int, char **,
                       int (*)(int, char **, struct params *, int));
@@ -180,8 +181,8 @@
            "[paramsfile]\n", getprogname());
        (void)fprintf(stderr, "       %s -C [-enpv] [-f configfile]\n",
            getprogname());
-       (void)fprintf(stderr, "       %s -G [-enpv] [-i ivmeth] [-k kgmeth] "
-           "[-o outfile] paramsfile\n", getprogname());
+       (void)fprintf(stderr, "       %s -G [-enpSv] [-i ivmeth] [-k kgmeth] "
+           "[-P paramsfile] [-o outfile] paramsfile\n", getprogname());
        (void)fprintf(stderr, "       %s -g [-Sv] [-i ivmeth] [-k kgmeth] "
            "[-P paramsfile] [-o outfile] alg [keylen]\n", getprogname());
        (void)fprintf(stderr, "       %s -l [-v[v]] [cgd]\n", getprogname());
@@ -350,15 +351,19 @@
                err(1, "init failed");
 
        /* validate the consistency of the arguments */
-       if (Pfile != NULL && action != ACTION_GENERATE) {
-               warnx("-P is only for use with -g action");
+       if (Pfile != NULL &&
+           action != ACTION_GENERATE &&
+           action != ACTION_GENERATE_CONVERT) {
+               warnx("-P is only for use with -g/-G action");
                usage();
        }
        if (Pfile != NULL && !Sflag) {
                warnx("-P only makes sense with -S flag");
        }
-       if (Sflag && action != ACTION_GENERATE) {
-               warnx("-S is only for use with -g action");
+       if (Sflag &&
+           action != ACTION_GENERATE &&
+           action != ACTION_GENERATE_CONVERT) {
+               warnx("-S is only for use with -g/-G action");
                usage();
        }
 
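Review bot: The `-P` without `-S` check between the two new blocks still only warns, while both of its neighbours call usage(); with -G now accepting -P, `cgdconfig -G -P shared paramsfile` (no -S) proceeds into the new Pfile branch of generate_convert (the last hunk in this file), where the combined keygen is used without keygen_tweakshared. As far as I can read, that would make the output file reuse the shared file's key derivation rather than a distinct subkey, so the warning seems worth promoting to a hard error: `warnx("-P only makes sense with -S flag"); usage();`. The enclosing main() starts and ends outside this hunk.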
@@ -371,7 +376,7 @@
        case ACTION_GENERATE:
                return generate(p, argc, argv, outfile, Pfile);
        case ACTION_GENERATE_CONVERT:
-               return generate_convert(p, argc, argv, outfile);
+               return generate_convert(p, argc, argv, outfile, Pfile);
        case ACTION_CONFIGALL:
                return do_all(cfile, argc, argv, configure);
        case ACTION_UNCONFIGALL:
@@ -1293,10 +1298,12 @@
 }
 
 static int
-generate_convert(struct params *p, int argc, char **argv, const char *outfile)
+generate_convert(struct params *p, int argc, char **argv, const char *outfile,
+    const char *Pfile)
 {
        struct params   *oldp;
        struct keygen   *kg;
+       int              ret;
 
        if (argc != 1)
                usage();
@@ -1340,13 +1347,42 @@
 
        params_free(oldp);
 
-       if (!p->keygen) {
-               p->keygen = keygen_generate(KEYGEN_PKCS5_PBKDF2_SHA1);
-               if (!p->keygen)
+       if (Pfile) {
+               struct params *pp;
+
+               pp = params_cget(Pfile);
+               if (pp == NULL)
+                       return -1;
+               if (!params_verify(pp)) {
+                       params_free(pp);
+                       warnx("invalid parameters file \"%s\"", Pfile);
+                       return -1;
+               }
+               p = params_combine(pp, p);
+               keygen_stripstored(&p->keygen);
+               if (!p->keygen) {
+                       warnx("no keygen in parameters file \"%s\"", Pfile);
                        return -1;
+               }
+       } else {
+               if (!p->keygen) {
+                       p->keygen = keygen_generate(KEYGEN_PKCS5_PBKDF2_SHA1);
+                       if (!p->keygen)
+                               return -1;
+               }
+               (void)params_filldefaults(p);
+               (void)keygen_filldefaults(p->keygen, p->keylen);
        }
-       (void)params_filldefaults(p);
-       (void)keygen_filldefaults(p->keygen, p->keylen);
+
+       if (Sflag) {
+               if (Pfile)
+                       ret = keygen_tweakshared(p->keygen);
+               else
+                       ret = keygen_makeshared(p->keygen);
+               if (ret)
+                       return ret;
+       }
+
        p->key = getkey("new file", p->keygen, p->keylen);
 
        kg = keygen_generate(KEYGEN_STOREDKEY);
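Review bot: The Pfile branch deliberately skips the `params_filldefaults`/`keygen_filldefaults` calls that the else branch applies, but nothing in the code says why; a one-line comment before `p = params_combine(pp, p);` such as `/* keygen and defaults come from the shared params file; do not fill defaults here */` would spare the next reader from wondering whether the omission is a bug. Separately, `params_combine` is the only call in the branch whose result is not checked before use — if it can return NULL, `keygen_stripstored(&p->keygen)` would dereference it, so either a check or a comment stating it cannot fail would help. generate_convert continues past the end of this hunk.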


