159 Commits

Author SHA1 Message Date
chs 87ba0e2a31 Restore backward compatibility of UFS2 with previous NetBSD releases by
disabling support in UFS2 for extended attributes (including ACLs).
Add a new variant of UFS2 called "UFS2ea" that does support extended attributes.
Add new fsck_ffs operations "-c ea" and "-c no-ea" to convert file systems
from UFS2 to UFS2ea and vice-versa (both of which delete all existing extended
attributes in the process).
2022-11-17 06:40:38 +00:00
riastradh 9b5a6c4d5c cgdconfig(8): Restore loop for password re-entry for non-shared keys.
Fixes mistake in previous which changed the semantics in the case
where _no_ keys are shared.
2022-09-13 10:14:32 +00:00
riastradh 4b3ee8b4fa cgdconfig(8): Gracefully handle failed verification with shared keys.
The first time each key is verified, if verification fails, we chuck
the failed key and try again with passphrase re-entry.

But if a key has already been verified, and verification fails,
assume something is wrong with the disk and fail.
2022-08-30 08:48:41 +00:00
riastradh 7605cff464 cgdconfig(8): Handle -P/-S for shared keys with -G too.
This way you can convert an existing parameters file to one that is
derived from a shared key, and derive other subkeys for other disks
from the same shared key.

	cgdconfig -G -S -o /etc/cgd/wd0.shared /etc/cgd/wd0
	cgdconfig -G -S -o /etc/cgd/wd1.shared \
		-P /etc/cgd/wd0.shared /etc/cgd/wd1

This way, if you enter the same new password both times, wd0.shared
and wd1.shared generate the same keys as wd0 and wd1, but only need
one password entry with `cgdconfig -C'.
2022-08-12 10:49:47 +00:00
riastradh 3adc7246cf cgdconfig(8): Add support for generating shared-key parameters files.
Usage model:

- Generate a parameters file that supports sharing its main key:

	cgdconfig -g -S -o /etc/cgd/wd0e -V gpt adiantum

- Make another parameters file that uses the same shared main key but
  derives an independent subkey from it:

	cgdconfig -g -S -P /etc/cgd/wd0e -o /etc/cgd/ld1e \
	    -V disklabel aes-cbc 256
2022-08-12 10:49:35 +00:00
riastradh 920e28df65 cgdconfig(8): Add support for shared keys.
New clause `shared <id> algorithm <alg> subkey <info>' in a keygen
block enables `cgdconfig -C' to reuse a key between different params
files, so you can, e.g., use a single password for multiple disks.
This is better than simply caching the password itself because:

- Hashing the password is expensive, so it should only be done once.

  Suppose your budget is time t before you get bored, and you
  calibrate password hash parameters to unlock n disks before you get
  bored waiting for `cgdconfig -C'.

  . With n password hashings the adversary's cost goes up only by a
    factor of t/n.
  . With one password hashing and n subkeys the adversary's cost goes
    up by a factor of n.

  And if you ever add a disk, rehashing it will make `cgdconfig -C'
  go over budget, whereas another subkey adds negligible cost to you.

- Subkeys work for other types of keygen blocks, like shell_cmd,
  which could be used to get a key from a hardware token that needs a
  button press.

The <info> parameter must be different for each params file;
everything else in the keygen block must be the same.  With this
clause, the keygen block determines a shared key used only to derive
keys; the actual key used by cgdconfig is derived from the shared key
by the specified algorithm.

The only supported algorithm is hkdf-hmac-sha256, which uses
HKDF-Expand of RFC 5869 instantiated with SHA-256.

Example:

	algorithm aes-cbc;
	iv-method encblkno1;
	keylength 128;
	verify_method none;
	keygen pkcs5_pbkdf2/sha1 {
		iterations 39361;
		salt AAAAgMoHiYonye6KogdYJAobCHE=;
		shared "pw" algorithm hkdf-hmac-sha256
		    subkey AAAAgFlw0BMQ5gY+haYkZ6JC+yY=;
	};

The key used for this disk will be derived by

	HKDF-HMAC-SHA256_k(WXDQExDmBj6FpiRnokL7Jg==),

where k is the outcome of PBKDF2-SHA1 with the given parameters.

Note that <info> encodes a four-byte prefix giving the big-endian
length in bits of the info argument to HKDF, just like all other bit
strings in cgdconfig parameters files.

If you have multiple disks configured using the same keygen block
except for the info parameter, `cgdconfig -C' will only prompt once
for your passphrase, generate a shared key k with PBKDF2 as usual,
and then reuse it for each of the disks.
2022-08-12 10:49:17 +00:00
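The derivation described in the commit message above, as an added Python example (not NetBSD's cgdconfig code): it decodes the length-prefixed bit strings, runs PBKDF2-SHA1 once, and derives per-disk keys with HKDF-Expand. The passphrase, the second disk's info value, and the choice of a 128-bit PBKDF2 output for the shared key are assumptions made for illustration.

```python
import base64, hashlib, hmac, struct

def decode_bits(b64: str) -> bytes:
    """Decode a params-file bit string: 4-byte big-endian bit length, then data."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) < 4:
        raise ValueError("missing 4-byte length prefix")
    (nbits,) = struct.unpack(">I", raw[:4])
    if len(raw) - 4 != (nbits + 7) // 8:
        raise ValueError("length prefix does not match payload size")
    return raw[4:]

def encode_bits(data: bytes) -> str:
    """Inverse of decode_bits, used here to build a constructed second info."""
    return base64.b64encode(struct.pack(">I", len(data) * 8) + data).decode()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869, section 2.3) instantiated with HMAC-SHA256."""
    if length > 255 * hashlib.sha256().digest_size:
        raise ValueError("requested output too long")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

# Values copied from the example keygen block in the commit message.
SALT = "AAAAgMoHiYonye6KogdYJAobCHE="
ITERATIONS = 39361
KEY_BITS = 128
SUBKEY_INFO = "AAAAgFlw0BMQ5gY+haYkZ6JC+yY="

def shared_key(passphrase: bytes) -> bytes:
    """The one expensive step. Assumption: output length equals keylength."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, decode_bits(SALT),
                               ITERATIONS, KEY_BITS // 8)

def disk_key(k: bytes, info_b64: str) -> bytes:
    """Cheap per-disk key: HKDF-Expand keyed by k over the decoded info."""
    return hkdf_expand(k, decode_bits(info_b64), KEY_BITS // 8)

if __name__ == "__main__":
    k = shared_key(b"constructed passphrase")    # hashed once for all disks
    other_info = encode_bits(bytes(range(16)))   # constructed second disk info
    print("info    :", base64.b64encode(decode_bits(SUBKEY_INFO)).decode())
    print("disk 1  :", disk_key(k, SUBKEY_INFO).hex())
    print("disk 2  :", disk_key(k, other_info).hex())
```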
riastradh 732db29a3c cgdconfig(8): New -T operation prints all generated keys in cgd.conf.
For testing purposes.
2022-08-12 10:48:44 +00:00
riastradh a7c16118d0 cgdconfig(8): New -t operation just prints the derived key in base64.
For testing purposes.
2022-08-12 10:48:27 +00:00
christos 7a3aa8fc03 Use the Makefile.inc from libargon2 (fixes the vax build that requires
a compiler hack).
2022-05-17 18:56:29 +00:00
christos b5df3bed15 make things behave just like before the libcrypt symbol renaming:
The normal cgdconfig binary is built with threads and the crunched one
in rescue without.
2022-05-16 14:57:44 +00:00
christos 0afca0c76d Re-enable threads; apparently we get different results depending if we are
threaded or not... This tastes like a bug.
2022-05-16 10:44:06 +00:00
christos f3c3951664 Build argon2 inline so that crunched programs work. I also disabled threads
for now; we can put them back if needed.
2022-05-15 19:53:27 +00:00
nia 1e8ef14842 cgdconfig.8: Use argon2id in examples 2021-12-04 15:03:58 +00:00
christos ccce93efc8 -lpthread to LDADD (fixes lint build) 2021-11-28 02:01:30 +00:00
nia 47fbfd2f6a cgdconfig(8): add some console feedback when calculating the number
of pkcs5_pbkdf2 iterations
2021-11-22 16:04:03 +00:00
nia 1569bcc0b3 cgdconfig(8): Add an argon2id password-based key generation method
This provides an extra level of side-channel and cracking resistance
compared to the pre-existing pkcs5_pbkdf2/sha1 method used for
password-based disk encryption.

Several new keygen parameters are supported:

	memory (integer, in kilobytes)
	parallelism (integer, usually the number of CPU cores)
	version (integer, usually 19...)

We do our best to calibrate these automatically when the paramsfile
is initially generated.

lgtm riastradh@
2021-11-22 14:34:35 +00:00
riastradh 3db1594692 cgdconfig(8): Fail more gracefully than SIGSEGV if shell_cmd fails. 2021-06-16 23:22:08 +00:00
prlw1 6fcffc8303 Make adiantum a first class citizen 2021-06-03 15:40:27 +00:00
nia cb91ad3daa cgdconfig.8: use gpt in examples, it's more versatile for this use case 2021-04-30 21:07:34 +00:00
maya 1b70e4604b The -n flag is useless with -g, don't mention it.
From rudolf in PR misc/36243
2021-04-18 19:56:09 +00:00
riastradh 800615b324 Touch up cgdconfig(8) man page.
- Suggest adiantum first.
- Remove references to Blowfish.
- Clarify that ivmethod is relevant only for ancient compatibility.
2020-12-11 21:52:19 +00:00
wiz c6cc6b9db4 Use Nm. 2020-06-23 14:08:01 +00:00
nia 44bd074d70 cgdconfig.8: remove references to using cgd for swap
this is potentially misleading now that the kernel does swap encryption
2020-06-23 13:23:56 +00:00
nia 4e9ba6e816 cgdconfig.8: Reflect actual behaviour of /dev/(u)random 2020-06-23 13:20:14 +00:00
kre 84b2b98300 KNF, 80 column police, a few other tidy ups (use if (ret == 0) rather
than if (!ret) when ret is not a boolean, and test fopen result against
NULL, for example).

NFCI.
2019-04-10 06:11:37 +00:00
kre c2cf8ad6d4 PR bin/53999 from rudolf (eq.cz)
Fix cgdconfig to report verification failures with gpt and mbr
verification methods (and not treat them as silent hard errors).
This also causes the cgd to be unconfigured when one of those
verification methods fails.

Add ATF tests to check that bad verification is reported, and
does not leave the cgd configured.

Patches from the PR applied.
2019-04-10 06:09:39 +00:00
mlelstv e93ebd453a Avoid crash when no algorithm is specified in parameter file. 2018-12-30 12:05:48 +00:00
wiz e63c9a2484 Sort SEE ALSO. 2018-12-29 18:34:01 +00:00
alnsn 7f3a8bf678 s/Dec/December/. 2018-12-28 18:33:54 +00:00
alnsn 4b140abf1c Document that cgd.conf supports NAME=label and ROOT.<suffix> targets.
XXX Default paramsfile for NAME=label is /etc/cgd/dkNN (resolved wedge
partition) and /etc/cgd/ROOT.<suffix> for ROOT.<suffix>. This isn't yet
documented. IMO, it should be the other way around: /etc/cgd/label
for the former and /etc/cgd/[root-device] for the latter.
2018-12-27 21:17:08 +00:00
prlw1 30eeab08c0 typo 2018-09-01 11:46:52 +00:00
kre 0efffb3e4f With the change to use getpass_r the 128 byte passphrase limit no
longer applies, so update the BUGS section here to reflect that change.
The limit now is 1023 whichever method is used to fetch the passphrase.
2018-05-09 20:23:35 +00:00
alnsn 265610788f use explicit_memset(3) 2018-05-09 19:38:46 +00:00
alnsn 98def45107 Missed one change when doing a manual merge of my patch with kre's commit. 2018-05-09 18:18:11 +00:00
alnsn bf3984213d Add '-e' option (echo the passphrase) and wipe the passphrase after use.
XXX Using memset for wiping isn't a good idea because memset is likely
optimised away by gcc. This should be revisited.
2018-05-09 18:11:56 +00:00
wiz 9f41709322 Add commas in enumeration. 2018-05-09 17:35:03 +00:00
kre 2d50dc8f17 Fix missing -p in usage message (noted by Christoph Badura, thanks),
and update -l usage as well.

While here fix man page synopses and a few other odds and ends.
2018-05-09 14:27:41 +00:00
kre 99316b228e Check arg count in configure() at entry, rather than later.
This avoids the stupid null deref I added a couple of commits
ago (on bad usage) and also simplifies the rest of the routine
which no longer needs to check the arg count nearly as much.

Thanks to Alexander Nasonov for finding the null deref bug.
2018-05-09 13:19:33 +00:00
kre ed050bc6ea Fix usage for rump. Fixes test breakage caused by previous commit. 2018-05-06 20:55:42 +00:00
kre 8880a43f55 Check whether the cgd device selected is available to be
configured, that is, not already in use, before requesting
passwords from the user (or elsewhere).
2018-05-05 11:28:44 +00:00
christos 8cdbd53a62 Need <sys/stat.h> for S_IFBLK. 2017-01-10 20:45:19 +00:00
alnsn 11d74f071c Add aes-xts to cgdconfig(8). 2016-12-11 00:34:39 +00:00
sevan d2528dc7eb Spelling mistake.
Bump date.
2016-09-11 01:09:34 +00:00
christos 55b06df259 replace openssl HMAC(3) with our hmac(3). 2016-07-01 22:50:09 +00:00
christos 35da36c439 CID 1340063: fix TOCTOU 2015-11-24 14:07:18 +00:00
christos fc8a4870ed Don't chdir to the config directory; just form the parameters file with a
path if needed.
2015-11-22 20:24:19 +00:00
christos d3037dba83 fix error messages containing \n 2015-06-16 23:18:54 +00:00
christos d980f336d5 fix possibly uninitialized variable. 2014-12-14 23:27:14 +00:00
christos d4b702a5f2 avoid local variable shadowing devname. 2014-12-14 23:25:07 +00:00
wiz b1ec4779e4 Bump date for previous. Fix typo. 2014-12-14 17:15:14 +00:00