Print this page
5857 lofiadm should ask passphrase once if the crypto is already set up
Reviewed by: Robert Mustacchi <rm@joyent.com>
Reviewed by: Toomas Soome <tsoome@me.com>

*** 152,161 **** --- 152,163 ---- #define KILOBYTE 1024 #define MEGABYTE (KILOBYTE * KILOBYTE) #define GIGABYTE (KILOBYTE * MEGABYTE) #define LIBZ "libz.so.1" + const char lofi_crypto_magic[6] = LOFI_CRYPTO_MAGIC; + static void usage(const char *pname) { (void) fprintf(stderr, gettext(USAGE), pname, pname, pname, pname, pname, pname, pname, pname, pname, pname);
*** 834,844 **** /* * PBE the passphrase into a raw key */ static void ! getkeyfromuser(mech_alias_t *cipher, char **raw_key, size_t *raw_key_sz) { CK_SESSION_HANDLE sess; CK_RV rv; char *pass = NULL; size_t passlen = 0; --- 836,847 ---- /* * PBE the passphrase into a raw key */ static void ! getkeyfromuser(mech_alias_t *cipher, char **raw_key, size_t *raw_key_sz, ! boolean_t with_confirmation) { CK_SESSION_HANDLE sess; CK_RV rv; char *pass = NULL; size_t passlen = 0;
*** 865,875 **** rv = C_OpenSession(cipher->slot, CKF_SERIAL_SESSION, NULL, NULL, &sess); if (rv != CKR_OK) goto cleanup; /* get user passphrase with 8 byte minimum */ ! if (pkcs11_get_pass(NULL, &pass, &passlen, MIN_PASSLEN, B_TRUE) < 0) { die(gettext("passphrases do not match\n")); } /* * salt should not be NULL, or else pkcs11_PasswdToKey() will --- 868,879 ---- rv = C_OpenSession(cipher->slot, CKF_SERIAL_SESSION, NULL, NULL, &sess); if (rv != CKR_OK) goto cleanup; /* get user passphrase with 8 byte minimum */ ! if (pkcs11_get_pass(NULL, &pass, &passlen, MIN_PASSLEN, ! with_confirmation) < 0) { die(gettext("passphrases do not match\n")); } /* * salt should not be NULL, or else pkcs11_PasswdToKey() will
*** 1758,1767 **** --- 1762,1806 ---- if (name_to_minor(filename) != 0) { die(gettext("cannot use %s on itself\n"), LOFI_DRIVER_NAME); } } + static boolean_t + check_file_is_encrypted(const char *filename) + { + int fd; + char buf[sizeof (lofi_crypto_magic)]; + int got; + int rest = sizeof (lofi_crypto_magic); + + fd = open64(filename, O_RDONLY); + if (fd == -1) + die(gettext("failed to open: %s"), filename); + + if (lseek(fd, CRYOFF, SEEK_SET) != CRYOFF) + die(gettext("failed to seek to offset 0x%lx in file %s"), + CRYOFF, filename); + + do { + got = read(fd, buf + sizeof (lofi_crypto_magic) - rest, rest); + if ((got == 0) || ((got == -1) && (errno != EINTR))) + die(gettext("failed to read crypto header" + " at offset 0x%lx in file %s"), CRYOFF, filename); + + if (got > 0) + rest -= got; + } while (rest > 0); + + while (close(fd) == -1) { + if (errno != EINTR) + die(gettext("failed to close file %s"), filename); + } + + return (strncmp(buf, lofi_crypto_magic, + sizeof (lofi_crypto_magic)) == 0); + } + static uint32_t convert_to_num(const char *str) { int len; uint32_t segsize, mult = 1;
*** 2020,2030 **** "mechanisms\n")); init_crypto(token, cipher, &sess); if (cipher_only) { ! getkeyfromuser(cipher, &rkey, &rksz); } else if (token != NULL) { getkeyfromtoken(sess, token, keyfile, cipher, &rkey, &rksz); } else { /* this also handles ephemeral keys */ --- 2059,2070 ---- "mechanisms\n")); init_crypto(token, cipher, &sess); if (cipher_only) { ! getkeyfromuser(cipher, &rkey, &rksz, ! !check_file_is_encrypted(filename)); } else if (token != NULL) { getkeyfromtoken(sess, token, keyfile, cipher, &rkey, &rksz); } else { /* this also handles ephemeral keys */