The NetBSD Project

CVS log for src/sbin/cgdconfig/Makefile

Default branch: MAIN

Revision 1.22, Fri Aug 12 10:49:17 2022 UTC (18 months, 1 week ago) by riastradh
Branch: MAIN
CVS Tags: netbsd-10-base, netbsd-10-0-RC4, netbsd-10-0-RC3, netbsd-10-0-RC2, netbsd-10-0-RC1, netbsd-10, HEAD
Changes since 1.21: +2 -1 lines

cgdconfig(8): Add support for shared keys.

New clause `shared <id> algorithm <alg> subkey <info>' in a keygen
block enables `cgdconfig -C' to reuse a key between different params
files, so you can, e.g., use a single password for multiple disks.
This is better than simply caching the password itself because:

- Hashing the password is expensive, so it should only be done once.

  Suppose your budget is time t before you get bored, and you
  calibrate password hash parameters to unlock n disks before you get
  bored waiting for `cgdconfig -C'.

  . With n password hashings the adversary's cost goes up only by a
    factor of t/n.
  . With one password hashing and n subkeys the adversary's cost goes
    up by a factor of n.

  And if you ever add a disk, rehashing it will make `cgdconfig -C'
  go over budget, whereas another subkey adds negligible cost to you.

- Subkeys work for other types of keygen blocks, like shell_cmd,
  which could be used to get a key from a hardware token that needs a
  button press.

The <info> parameter must be different for each params file;
everything else in the keygen block must be the same.  With this
clause, the keygen block determines a shared key used only to derive
keys; the actual key used by cgdconfig is derived from the shared key
by the specified algorithm.

The only supported algorithm is hkdf-hmac-sha256, which uses
HKDF-Expand of RFC 5869 instantiated with SHA-256.


	algorithm aes-cbc;
	iv-method encblkno1;
	keylength 128;
	verify_method none;
	keygen pkcs5_pbkdf2/sha1 {
		iterations 39361;
		salt AAAAgMoHiYonye6KogdYJAobCHE=;
		shared "pw" algorithm hkdf-hmac-sha256
		    subkey AAAAgFlw0BMQ5gY+haYkZ6JC+yY=;
	};

The key used for this disk will be derived by


where k is the outcome of PBKDF2-SHA1 with the given parameters.

Note that <info> encodes a four-byte prefix giving the big-endian
length in bits of the info argument to HKDF, just like all other bit
strings in cgdconfig parameters files.

If you have multiple disks configured using the same keygen block
except for the info parameter, `cgdconfig -C' will only prompt once
for your passphrase, generate a shared key k with PBKDF2 as usual,
and then reuse it for each of the disks.
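
The derivation described in the log message above, as an added example that is not part of the commit or of cgdconfig's source: one PBKDF2-SHA1 run produces the shared key k, and HKDF-Expand (RFC 5869, SHA-256) turns k plus each params file's <info> into that disk's key. The passphrase, the second <info> value, the function names and the choice of a keylength-sized k are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import struct


def decode_bits(b64: str) -> bytes:
    """Decode a params-file bit string: 4-byte big-endian bit length, then data."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) < 4:
        raise ValueError("missing length prefix")
    (nbits,) = struct.unpack(">I", raw[:4])
    data = raw[4:]
    # This example accepts whole-byte strings only.
    if nbits % 8 or len(data) != nbits // 8:
        raise ValueError("length prefix does not match payload")
    return data


def hkdf_expand_sha256(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand from RFC 5869, section 2.3, with HMAC-SHA256."""
    if length > 255 * 32:
        raise ValueError("output too long")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_disk_keys(passphrase, salt_b64, iterations, infos_b64, keybits=128):
    # One expensive PBKDF2-SHA1 run yields the shared key k.
    # Assumption: k is keybits long; the log message does not state its length.
    k = hashlib.pbkdf2_hmac("sha1", passphrase, decode_bits(salt_b64),
                            iterations, keybits // 8)
    # One cheap HKDF-Expand per params file, separated only by its <info>.
    return [hkdf_expand_sha256(k, decode_bits(i), keybits // 8) for i in infos_b64]


# Salt, iteration count and the first subkey value come from the example above;
# the passphrase and the second <info> value are constructed for illustration.
SALT = "AAAAgMoHiYonye6KogdYJAobCHE="
INFO_DISK0 = "AAAAgFlw0BMQ5gY+haYkZ6JC+yY="
INFO_DISK1 = base64.b64encode(struct.pack(">I", 128) + bytes(range(16))).decode()

if __name__ == "__main__":
    k0, k1 = derive_disk_keys(b"constructed passphrase", SALT, 39361,
                              [INFO_DISK0, INFO_DISK1])
    print(k0.hex(), k1.hex(), sep="\n")
```

Two params files that carry the same <info> would receive the same disk key, which is why the message requires <info> to differ per file.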

Revision 1.21, Tue May 17 18:56:29 2022 UTC (21 months, 1 week ago) by christos
Branch: MAIN
Changes since 1.20: +6 -12 lines

Use the from libargon2 (fixes the vax build that requires
a compiler hack).

Revision 1.20, Mon May 16 14:57:44 2022 UTC (21 months, 1 week ago) by christos
Branch: MAIN
Changes since 1.19: +9 -4 lines

make things behave just like before the libcrypt symbol renaming:
The normal cgdconfig binary is built with threads and the crunched one
in rescue without.

Revision 1.19, Mon May 16 10:44:06 2022 UTC (21 months, 1 week ago) by christos
Branch: MAIN
Changes since 1.18: +5 -3 lines

Re-enable threads; apparently we get different results depending if we are
threaded or not... This tastes like a bug.

Revision 1.18, Sun May 15 19:53:27 2022 UTC (21 months, 1 week ago) by christos
Branch: MAIN
Changes since 1.17: +6 -14 lines

Build argon2 inline so that crunched programs work. I also disabled threads
for now; we can put them back if needed.

Revision 1.17, Sun Nov 28 02:01:30 2021 UTC (2 years, 2 months ago) by christos
Branch: MAIN
Changes since 1.16: +2 -2 lines

-lpthread to LDADD (fixes lint build)

Revision 1.16, Mon Nov 22 14:34:35 2021 UTC (2 years, 3 months ago) by nia
Branch: MAIN
Changes since 1.15: +19 -1 lines

cgdconfig(8): Add an argon2id password-based key generation method

This provides an extra level of side-channel and cracking resistance
compared to the pre-existing pkcs5_pbkdf2/sha1 method used for
password-based disk encryption.

Several new keygen parameters are supported:

	memory (integer, in kilobytes)
	parallelism (integer, usually the number of CPU cores)
	version (integer, usually 19...)

We do our best to calibrate these automatically when the paramsfile
is initially generated.

lgtm riastradh@

Revision 1.15, Fri Jul 1 22:50:09 2016 UTC (7 years, 7 months ago) by christos
Branch: MAIN
CVS Tags: prg-localcount2-base3, prg-localcount2-base2, prg-localcount2-base1, prg-localcount2-base, prg-localcount2, phil-wifi-base, phil-wifi-20200421, phil-wifi-20200411, phil-wifi-20200406, phil-wifi-20191119, phil-wifi-20190609, phil-wifi, pgoyette-localcount-base, pgoyette-localcount-20170426, pgoyette-localcount-20170320, pgoyette-localcount-20170107, pgoyette-localcount-20161104, pgoyette-localcount-20160806, pgoyette-localcount-20160726, pgoyette-localcount, pgoyette-compat-merge-20190127, pgoyette-compat-base, pgoyette-compat-20190127, pgoyette-compat-20190118, pgoyette-compat-1226, pgoyette-compat-1126, pgoyette-compat-1020, pgoyette-compat-0930, pgoyette-compat-0906, pgoyette-compat-0728, pgoyette-compat-0625, pgoyette-compat-0521, pgoyette-compat-0502, pgoyette-compat-0422, pgoyette-compat-0415, pgoyette-compat-0407, pgoyette-compat-0330, pgoyette-compat-0322, pgoyette-compat-0315, pgoyette-compat, perseant-stdc-iso10646-base, perseant-stdc-iso10646, netbsd-9-base, netbsd-9-3-RELEASE, netbsd-9-2-RELEASE, netbsd-9-1-RELEASE, netbsd-9-0-RELEASE, netbsd-9-0-RC2, netbsd-9-0-RC1, netbsd-9, netbsd-8-base, netbsd-8-2-RELEASE, netbsd-8-1-RELEASE, netbsd-8-1-RC1, netbsd-8-0-RELEASE, netbsd-8-0-RC2, netbsd-8-0-RC1, netbsd-8, matt-nb8-mediatek-base, matt-nb8-mediatek, localcount-20160914, is-mlppp-base, is-mlppp, cjep_sun2x-base1, cjep_sun2x-base, cjep_sun2x, cjep_staticlib_x-base1, cjep_staticlib_x-base, cjep_staticlib_x, bouyer-socketcan-base1, bouyer-socketcan-base, bouyer-socketcan
Changes since 1.14: +3 -3 lines

replace openssl HMAC(3) with our hmac(3).

Revision 1.14, Tue Dec 14 17:46:21 2010 UTC (13 years, 2 months ago) by pooka
Branch: MAIN
CVS Tags: yamt-pagecache-tag8, yamt-pagecache-base9, yamt-pagecache-base8, yamt-pagecache-base7, yamt-pagecache-base6, yamt-pagecache-base5, yamt-pagecache-base4, yamt-pagecache-base3, yamt-pagecache-base2, yamt-pagecache-base, yamt-pagecache, tls-maxphys-base, tls-maxphys, tls-earlyentropy-base, tls-earlyentropy, riastradh-xf86-video-intel-2-7-1-pre-2-21-15, riastradh-drm2-base3, riastradh-drm2-base2, riastradh-drm2-base1, riastradh-drm2-base, riastradh-drm2, netbsd-7-nhusb-base-20170116, netbsd-7-nhusb-base, netbsd-7-nhusb, netbsd-7-base, netbsd-7-2-RELEASE, netbsd-7-1-RELEASE, netbsd-7-1-RC2, netbsd-7-1-RC1, netbsd-7-1-2-RELEASE, netbsd-7-1-1-RELEASE, netbsd-7-1, netbsd-7-0-RELEASE, netbsd-7-0-RC3, netbsd-7-0-RC2, netbsd-7-0-RC1, netbsd-7-0-2-RELEASE, netbsd-7-0-1-RELEASE, netbsd-7-0, netbsd-7, netbsd-6-base, netbsd-6-1-RELEASE, netbsd-6-1-RC4, netbsd-6-1-RC3, netbsd-6-1-RC2, netbsd-6-1-RC1, netbsd-6-1-5-RELEASE, netbsd-6-1-4-RELEASE, netbsd-6-1-3-RELEASE, netbsd-6-1-2-RELEASE, netbsd-6-1-1-RELEASE, netbsd-6-1, netbsd-6-0-RELEASE, netbsd-6-0-RC2, netbsd-6-0-RC1, netbsd-6-0-6-RELEASE, netbsd-6-0-5-RELEASE, netbsd-6-0-4-RELEASE, netbsd-6-0-3-RELEASE, netbsd-6-0-2-RELEASE, netbsd-6-0-1-RELEASE, netbsd-6-0, netbsd-6, matt-nb6-plus-nbase, matt-nb6-plus-base, matt-nb6-plus, matt-mips64-premerge-20101231, cherry-xenmp-base, cherry-xenmp, bouyer-quota2-nbase, bouyer-quota2-base, bouyer-quota2, agc-symver-base, agc-symver
Changes since 1.13: +15 -3 lines

Convert from the oldstyle cgd_kops.op_open to the newstyle prog_open
and define RUMPPRG.  Get rid of the stuff, since it was
useful only for the oldstyle regime.

Revision 1.13, Sat Dec 19 15:03:34 2009 UTC (14 years, 2 months ago) by pooka
Branch: MAIN
Changes since 1.12: +1 -3 lines

Use RUMP_ACTION to avoid having to specify the same information
in the Makefiles of all the consumers.

Revision 1.12, Tue Sep 8 21:36:35 2009 UTC (14 years, 5 months ago) by pooka
Branch: MAIN
CVS Tags: matt-premerge-20091211
Changes since 1.11: +3 -13 lines

* allow specification of kernel operations vector
* make it possible to build cgdconfig as a library

Revision, Wed May 13 19:19:00 2009 UTC (14 years, 9 months ago) by jym
Branch: jym-xensuspend
Changes since 1.10: +2 -2 lines

Sync with HEAD.

Third (and last) commit. See

Revision 1.11, Mon Apr 20 16:05:30 2009 UTC (14 years, 10 months ago) by drochner
Branch: MAIN
CVS Tags: jym-xensuspend-nbase, jym-xensuspend-base
Changes since 1.10: +2 -2 lines

define YY_NO_INPUT where appropriate, from Kurt J. Lidl per PR misc/41160

Revision, Sun Sep 28 11:17:10 2008 UTC (15 years, 4 months ago) by mjf
Branch: mjf-devfs2
Changes since 1.8: +1 -5 lines

Sync with HEAD.

Revision, Thu Sep 18 04:28:22 2008 UTC (15 years, 5 months ago) by wrstuden
Branch: wrstuden-revivesa
Changes since 1.8: +1 -5 lines

Sync with wrstuden-revivesa-base-2.

Revision 1.10, Thu Jul 24 05:32:45 2008 UTC (15 years, 7 months ago) by dholland
Branch: MAIN
CVS Tags: wrstuden-revivesa-base-3, wrstuden-revivesa-base-2, netbsd-5-base, netbsd-5-2-RELEASE, netbsd-5-2-RC1, netbsd-5-2-3-RELEASE, netbsd-5-2-2-RELEASE, netbsd-5-2-1-RELEASE, netbsd-5-2, netbsd-5-1-RELEASE, netbsd-5-1-RC4, netbsd-5-1-RC3, netbsd-5-1-RC2, netbsd-5-1-RC1, netbsd-5-1-5-RELEASE, netbsd-5-1-4-RELEASE, netbsd-5-1-3-RELEASE, netbsd-5-1-2-RELEASE, netbsd-5-1-1-RELEASE, netbsd-5-1, netbsd-5-0-RELEASE, netbsd-5-0-RC4, netbsd-5-0-RC3, netbsd-5-0-RC2, netbsd-5-0-RC1, netbsd-5-0-2-RELEASE, netbsd-5-0-1-RELEASE, netbsd-5-0, netbsd-5, mjf-devfs2-base, matt-nb5-pq3-base, matt-nb5-pq3, matt-nb5-mips64-u2-k2-k4-k7-k8-k9, matt-nb5-mips64-u1-k1-k5, matt-nb5-mips64-premerge-20101231, matt-nb5-mips64-premerge-20091211, matt-nb5-mips64-k15, matt-nb5-mips64, matt-nb4-mips64-k7-u2a-k9b, matt-mips64-base2
Branch point for: jym-xensuspend
Changes since 1.9: +1 -5 lines

Adjust this to not need -Wno-pointer-sign.

Revision 1.9, Mon Jul 21 11:38:44 2008 UTC (15 years, 7 months ago) by gmcgarry
Branch: MAIN
Changes since 1.8: +2 -2 lines

Add HAVE_PCC tests for -Wno-pointer-sign.

Revision, Sun Mar 23 00:44:22 2008 UTC (15 years, 11 months ago) by matt
Branch: matt-armv6
Changes since 1.7: +2 -2 lines

sync with HEAD

Revision, Mon Feb 18 21:04:16 2008 UTC (16 years ago) by mjf
Branch: mjf-devfs
Changes since 1.7: +2 -2 lines

Sync with HEAD.

Revision 1.8, Sat Feb 16 17:56:36 2008 UTC (16 years ago) by matt
Branch: MAIN
CVS Tags: yamt-pf42-baseX, yamt-pf42-base4, yamt-pf42-base3, yamt-pf42-base2, yamt-pf42-base, yamt-pf42, wrstuden-revivesa-base-1, wrstuden-revivesa-base, mjf-devfs-base, matt-armv6-nbase, keiichi-mipv6-base, keiichi-mipv6, hpcarm-cleanup-nbase, hpcarm-cleanup-base
Branch point for: wrstuden-revivesa, mjf-devfs2
Changes since 1.7: +2 -2 lines

Change incorrect usage of CFLAGS to CPPFLAGS

Revision 1.7, Thu May 11 23:16:29 2006 UTC (17 years, 9 months ago) by mrg
Branch: MAIN
CVS Tags: wrstuden-fixsa-newbase, wrstuden-fixsa-base-1, wrstuden-fixsa-base, wrstuden-fixsa, netbsd-4-base, netbsd-4-0-RELEASE, netbsd-4-0-RC5, netbsd-4-0-RC4, netbsd-4-0-RC3, netbsd-4-0-RC2, netbsd-4-0-RC1, netbsd-4-0-1-RELEASE, netbsd-4-0, netbsd-4, matt-mips64-base, matt-mips64, matt-armv6-prevmlocking, matt-armv6-base, hpcarm-cleanup, cube-autoconf-base, cube-autoconf, abandoned-netbsd-4-base, abandoned-netbsd-4
Branch point for: mjf-devfs, matt-armv6
Changes since 1.6: +5 -1 lines

sprinkle some -fno-strict-aliasing and -Wno-pointer-sign with GCC4.

Revision 1.6, Sat Feb 25 11:57:52 2006 UTC (18 years ago) by simonb
Branch: MAIN
Changes since 1.5: +2 -2 lines

We link against libl and liby, so depend on them too.

Revision 1.5, Wed Mar 9 03:11:22 2005 UTC (18 years, 11 months ago) by christos
Branch: MAIN
CVS Tags: netbsd-3-base, netbsd-3-1-RELEASE, netbsd-3-1-RC4, netbsd-3-1-RC3, netbsd-3-1-RC2, netbsd-3-1-RC1, netbsd-3-1-1-RELEASE, netbsd-3-1, netbsd-3-0-RELEASE, netbsd-3-0-RC6, netbsd-3-0-RC5, netbsd-3-0-RC4, netbsd-3-0-RC3, netbsd-3-0-RC2, netbsd-3-0-RC1, netbsd-3-0-3-RELEASE, netbsd-3-0-2-RELEASE, netbsd-3-0-1-RELEASE, netbsd-3-0, netbsd-3
Changes since 1.4: +3 -3 lines

Add -lcrypt where -lcrypto is specified.

Revision 1.4, Thu Apr 17 22:12:50 2003 UTC (20 years, 10 months ago) by thorpej
Branch: MAIN
CVS Tags: netbsd-2-base, netbsd-2-1-RELEASE, netbsd-2-1-RC6, netbsd-2-1-RC5, netbsd-2-1-RC4, netbsd-2-1-RC3, netbsd-2-1-RC2, netbsd-2-1-RC1, netbsd-2-1, netbsd-2-0-base, netbsd-2-0-RELEASE, netbsd-2-0-RC5, netbsd-2-0-RC4, netbsd-2-0-RC3, netbsd-2-0-RC2, netbsd-2-0-RC1, netbsd-2-0-3-RELEASE, netbsd-2-0-2-RELEASE, netbsd-2-0-1-RELEASE, netbsd-2-0, netbsd-2
Changes since 1.3: +2 -2 lines

We need -I., too.

Revision 1.3, Thu Apr 17 10:55:43 2003 UTC (20 years, 10 months ago) by fvdl
Branch: MAIN
Changes since 1.2: +2 -2 lines

-I. -> -I${.CURDIR}

Revision 1.2, Mon Mar 24 02:02:49 2003 UTC (20 years, 11 months ago) by elric
Branch: MAIN
Changes since 1.1: +8 -2 lines

substantial rototill of the code.

	o  added new features:
		o  -G:  generate a new paramsfile that produces the same
			key as the old paramsfile,
		o  ffs verify_method,
		o  multiple keygen methods that are xor'ed together
		   (for n-factor authentication), and
		o  calibrating the iteration count of PKCS#5 PBKDF2 to
		   the current machine's speed.
	o  changed paramsfile format to allow for the new features.
	o  replaced open-coded parser with yacc grammar.
	o  lots of supporting changes.
	o  updated documentation to reflect new features and new
	   paramsfile format.

Revision 1.1, Fri Oct 4 18:37:19 2002 UTC (21 years, 4 months ago) by elric
Branch: MAIN
CVS Tags: fvdl_fs64_base

Initial checkin of cgdconfig(8), a program to configure a cgd.