Print this page
5857 lofiadm should ask passphrase once if the crypto is already set up
Reviewed by: Robert Mustacchi <rm@joyent.com>
Reviewed by: Toomas Soome <tsoome@me.com>
*** 152,161 ****
--- 152,163 ----
#define KILOBYTE 1024
#define MEGABYTE (KILOBYTE * KILOBYTE)
#define GIGABYTE (KILOBYTE * MEGABYTE)
#define LIBZ "libz.so.1"
+ const char lofi_crypto_magic[6] = LOFI_CRYPTO_MAGIC;
+
static void
usage(const char *pname)
{
(void) fprintf(stderr, gettext(USAGE), pname, pname, pname,
pname, pname, pname, pname, pname, pname, pname);
*** 834,844 ****
/*
* PBE the passphrase into a raw key
*/
static void
! getkeyfromuser(mech_alias_t *cipher, char **raw_key, size_t *raw_key_sz)
{
CK_SESSION_HANDLE sess;
CK_RV rv;
char *pass = NULL;
size_t passlen = 0;
--- 836,847 ----
/*
* PBE the passphrase into a raw key
*/
static void
! getkeyfromuser(mech_alias_t *cipher, char **raw_key, size_t *raw_key_sz,
! boolean_t with_confirmation)
{
CK_SESSION_HANDLE sess;
CK_RV rv;
char *pass = NULL;
size_t passlen = 0;
*** 865,875 ****
rv = C_OpenSession(cipher->slot, CKF_SERIAL_SESSION, NULL, NULL, &sess);
if (rv != CKR_OK)
goto cleanup;
/* get user passphrase with 8 byte minimum */
! if (pkcs11_get_pass(NULL, &pass, &passlen, MIN_PASSLEN, B_TRUE) < 0) {
die(gettext("passphrases do not match\n"));
}
/*
* salt should not be NULL, or else pkcs11_PasswdToKey() will
--- 868,879 ----
rv = C_OpenSession(cipher->slot, CKF_SERIAL_SESSION, NULL, NULL, &sess);
if (rv != CKR_OK)
goto cleanup;
/* get user passphrase with 8 byte minimum */
! if (pkcs11_get_pass(NULL, &pass, &passlen, MIN_PASSLEN,
! with_confirmation) < 0) {
die(gettext("passphrases do not match\n"));
}
/*
* salt should not be NULL, or else pkcs11_PasswdToKey() will
*** 1758,1767 ****
--- 1762,1806 ----
if (name_to_minor(filename) != 0) {
die(gettext("cannot use %s on itself\n"), LOFI_DRIVER_NAME);
}
}
+ static boolean_t
+ check_file_is_encrypted(const char *filename)
+ {
+ int fd;
+ char buf[sizeof (lofi_crypto_magic)];
+ int got;
+ int rest = sizeof (lofi_crypto_magic);
+
+ fd = open64(filename, O_RDONLY);
+ if (fd == -1)
+ die(gettext("failed to open: %s"), filename);
+
+ if (lseek(fd, CRYOFF, SEEK_SET) != CRYOFF)
+ die(gettext("failed to seek to offset 0x%lx in file %s"),
+ CRYOFF, filename);
+
+ do {
+ got = read(fd, buf + sizeof (lofi_crypto_magic) - rest, rest);
+ if ((got == 0) || ((got == -1) && (errno != EINTR)))
+ die(gettext("failed to read crypto header"
+ " at offset 0x%lx in file %s"), CRYOFF, filename);
+
+ if (got > 0)
+ rest -= got;
+ } while (rest > 0);
+
+ while (close(fd) == -1) {
+ if (errno != EINTR)
+ die(gettext("failed to close file %s"), filename);
+ }
+
+ return (strncmp(buf, lofi_crypto_magic,
+ sizeof (lofi_crypto_magic)) == 0);
+ }
+
static uint32_t
convert_to_num(const char *str)
{
int len;
uint32_t segsize, mult = 1;
*** 2020,2030 ****
"mechanisms\n"));
init_crypto(token, cipher, &sess);
if (cipher_only) {
! getkeyfromuser(cipher, &rkey, &rksz);
} else if (token != NULL) {
getkeyfromtoken(sess, token, keyfile, cipher,
&rkey, &rksz);
} else {
/* this also handles ephemeral keys */
--- 2059,2070 ----
"mechanisms\n"));
init_crypto(token, cipher, &sess);
if (cipher_only) {
! getkeyfromuser(cipher, &rkey, &rksz,
! !check_file_is_encrypted(filename));
} else if (token != NULL) {
getkeyfromtoken(sess, token, keyfile, cipher,
&rkey, &rksz);
} else {
/* this also handles ephemeral keys */