cgdconfig(8): Handle -P/-S for shared keys with -G too.

This way you can convert an existing parameters file to one that is derived from a shared key, and derive other subkeys for other disks from the same shared key. cgdconfig -G -S -o /etc/cgd/wd0.shared /etc/cgd/wd0 cgdconfig -G -S -o /etc/cgd/wd1.shared \ -P /etc/cgd/wd0.shared /etc/cgd/wd1 This way, if you enter the same new password both times, wd0.shared and wd1.shared generate the same keys as wd0 and wd1, but only need one password entry with `cgdconfig -C'.
2022-08-12 10:49:47 +00:00 · 2022-08-12 10:49:47 +00:00 · 7605cff464
parent 3adc7246cf
commit 7605cff464
2 changed files with 59 additions and 19 deletions
--- a/sbin/cgdconfig/cgdconfig.8
+++ b/sbin/cgdconfig/cgdconfig.8
@ -1,4 +1,4 @@
-.\" $NetBSD: cgdconfig.8,v 1.56 2022/08/12 10:49:35 riastradh Exp $
+.\" $NetBSD: cgdconfig.8,v 1.57 2022/08/12 10:49:47 riastradh Exp $
 .\"
 .\" Copyright (c) 2002, The NetBSD Foundation, Inc.
 .\" All rights reserved.
@ -144,7 +144,9 @@ With the
 .Fl S
 option for the
 .Fl g
-action, specify a parameters file with a shared key to reuse for
+or
+.Fl G
+actions, specify a parameters file with a shared key to reuse for
 deriving this one as a subkey.
 .It Fl p
 Read all passphrases from stdin rather than
@ -157,7 +159,9 @@ in question to be unconfigured rather than prompting for the passphrase
 again.
 .It Fl S
 When generating a parameters file with
-.Fl g ,
+.Fl g
+or
+.Fl G ,
 arrange to use a subkey of a shared key.
 If
 .Fl P Ar paramsfile
--- a/sbin/cgdconfig/cgdconfig.c
+++ b/sbin/cgdconfig/cgdconfig.c
@ -1,4 +1,4 @@
-/* $NetBSD: cgdconfig.c,v 1.57 2022/08/12 10:49:35 riastradh Exp $ */
+/* $NetBSD: cgdconfig.c,v 1.58 2022/08/12 10:49:47 riastradh Exp $ */

 /*-
 * Copyright (c) 2002, 2003 The NetBSD Foundation, Inc.
@ -33,7 +33,7 @@
 #ifndef lint
 __COPYRIGHT("@(#) Copyright (c) 2002, 2003\
 The NetBSD Foundation, Inc.  All rights reserved.");
-__RCSID("$NetBSD: cgdconfig.c,v 1.57 2022/08/12 10:49:35 riastradh Exp $");
+__RCSID("$NetBSD: cgdconfig.c,v 1.58 2022/08/12 10:49:47 riastradh Exp $");
 #endif

 #ifdef HAVE_ARGON2
@ -129,7 +129,8 @@ static int	configure(int, char **, struct params *, int);
 static int	configure_stdin(struct params *, int argc, char **);
 static int	generate(struct params *, int, char **, const char *,
 		    const char *);
-static int	generate_convert(struct params *, int, char **, const char *);
+static int	generate_convert(struct params *, int, char **, const char *,
+		    const char *);
 static int	unconfigure(int, char **, struct params *, int);
 static int	do_all(const char *, int, char **,
 		       int (*)(int, char **, struct params *, int));
@ -180,8 +181,8 @@ usage(void)
 	    "[paramsfile]\n", getprogname());
 	(void)fprintf(stderr, "       %s -C [-enpv] [-f configfile]\n",
 	    getprogname());
-	(void)fprintf(stderr, "       %s -G [-enpv] [-i ivmeth] [-k kgmeth] "
-	    "[-o outfile] paramsfile\n", getprogname());
+	(void)fprintf(stderr, "       %s -G [-enpSv] [-i ivmeth] [-k kgmeth] "
+	    "[-P paramsfile] [-o outfile] paramsfile\n", getprogname());
 	(void)fprintf(stderr, "       %s -g [-Sv] [-i ivmeth] [-k kgmeth] "
 	    "[-P paramsfile] [-o outfile] alg [keylen]\n", getprogname());
 	(void)fprintf(stderr, "       %s -l [-v[v]] [cgd]\n", getprogname());
@ -350,15 +351,19 @@ main(int argc, char **argv)
 		err(1, "init failed");

 	/* validate the consistency of the arguments */
-	if (Pfile != NULL && action != ACTION_GENERATE) {
-		warnx("-P is only for use with -g action");
+	if (Pfile != NULL &&
+	    action != ACTION_GENERATE &&
+	    action != ACTION_GENERATE_CONVERT) {
+		warnx("-P is only for use with -g/-G action");
 		usage();
 	}
 	if (Pfile != NULL && !Sflag) {
 		warnx("-P only makes sense with -S flag");
 	}
-	if (Sflag && action != ACTION_GENERATE) {
-		warnx("-S is only for use with -g action");
+	if (Sflag &&
+	    action != ACTION_GENERATE &&
+	    action != ACTION_GENERATE_CONVERT) {
+		warnx("-S is only for use with -g/-G action");
 		usage();
 	}

@ -371,7 +376,7 @@ main(int argc, char **argv)
 	case ACTION_GENERATE:
 		return generate(p, argc, argv, outfile, Pfile);
 	case ACTION_GENERATE_CONVERT:
-		return generate_convert(p, argc, argv, outfile);
+		return generate_convert(p, argc, argv, outfile, Pfile);
 	case ACTION_CONFIGALL:
 		return do_all(cfile, argc, argv, configure);
 	case ACTION_UNCONFIGALL:
@ -1293,10 +1298,12 @@ generate(struct params *p, int argc, char **argv, const char *outfile,
 }

 static int
-generate_convert(struct params *p, int argc, char **argv, const char *outfile)
+generate_convert(struct params *p, int argc, char **argv, const char *outfile,
+    const char *Pfile)
 {
 	struct params	*oldp;
 	struct keygen	*kg;
+	int		 ret;

 	if (argc != 1)
 		usage();
@ -1340,13 +1347,42 @@ generate_convert(struct params *p, int argc, char **argv, const char *outfile)

 	params_free(oldp);

-	if (!p->keygen) {
-		p->keygen = keygen_generate(KEYGEN_PKCS5_PBKDF2_SHA1);
-		if (!p->keygen)
+	if (Pfile) {
+		struct params *pp;
+
+		pp = params_cget(Pfile);
+		if (pp == NULL)
 			return -1;
+		if (!params_verify(pp)) {
+			params_free(pp);
+			warnx("invalid parameters file \"%s\"", Pfile);
+			return -1;
+		}
+		p = params_combine(pp, p);
+		keygen_stripstored(&p->keygen);
+		if (!p->keygen) {
+			warnx("no keygen in parameters file \"%s\"", Pfile);
+			return -1;
+		}
+	} else {
+		if (!p->keygen) {
+			p->keygen = keygen_generate(KEYGEN_PKCS5_PBKDF2_SHA1);
+			if (!p->keygen)
+				return -1;
+		}
+		(void)params_filldefaults(p);
+		(void)keygen_filldefaults(p->keygen, p->keylen);
 	}
-	(void)params_filldefaults(p);
-	(void)keygen_filldefaults(p->keygen, p->keylen);
+
+	if (Sflag) {
+		if (Pfile)
+			ret = keygen_tweakshared(p->keygen);
+		else
+			ret = keygen_makeshared(p->keygen);
+		if (ret)
+			return ret;
+	}
+
 	p->key = getkey("new file", p->keygen, p->keylen);

 	kg = keygen_generate(KEYGEN_STOREDKEY);