CVS log for src/sbin/cgdconfig/params.h
Keyword substitution: kv
Default branch: MAIN
Revision 1.14.2.1
Fri Oct 11 08:54:39 2024 UTC (8 weeks, 3 days ago) by martin
Branches: netbsd-10
Changes since revision 1.14: +2 -1 lines
Pull up following revision(s) (requested by riastradh in ticket #941):
sbin/cgdconfig/params.c: revision 1.35
sbin/cgdconfig/params.h: revision 1.15
sbin/cgdconfig/cgdconfig.c: revision 1.62
sbin/cgdconfig/cgdconfig.c: revision 1.63
sbin/cgdconfig/cgdconfig.8: revision 1.58
sbin/cgdconfig/cgdconfig.8: revision 1.59
sbin/cgdconfig/Makefile: revision 1.23
cgdconfig(8): KNF in cgdconfig.c.
No functional change intended.
PR/58212: Malte Dehling: Add zfs verification method
cgdconfig(8): Estimate verify methods' false accept probabilities.
An addendum following discussion around:
PR bin/58212: cgdconfig(8): Add zfs verification method
Revision 1.15
Sun May 12 18:02:16 2024 UTC (6 months, 4 weeks ago) by christos
Branches: MAIN
CVS tags: perseant-exfatfs-base-20240630,
perseant-exfatfs-base,
perseant-exfatfs,
HEAD
Changes since revision 1.14: +2 -1 lines
PR/58212: Malte Dehling: Add zfs verification method
Revision 1.14
Fri Aug 12 10:49:35 2022 UTC (2 years, 3 months ago) by riastradh
Branches: MAIN
CVS tags: netbsd-10-base,
netbsd-10-0-RELEASE,
netbsd-10-0-RC6,
netbsd-10-0-RC5,
netbsd-10-0-RC4,
netbsd-10-0-RC3,
netbsd-10-0-RC2,
netbsd-10-0-RC1
Branch point for: netbsd-10
Changes since revision 1.13: +4 -1 lines
cgdconfig(8): Add support for generating shared-key parameters files.
Usage model:
- Generate a parameters file that supports sharing its main key:
    cgdconfig -g -S -o /etc/cgd/wd0e -V gpt adiantum
- Make another parameters file that uses the same shared main key but
  derives an independent subkey from it:
    cgdconfig -g -S -P /etc/cgd/wd0e -o /etc/cgd/ld1e \
        -V disklabel aes-cbc 256
Revision 1.13
Fri Aug 12 10:49:17 2022 UTC (2 years, 3 months ago) by riastradh
Branches: MAIN
Changes since revision 1.12: +11 -1 lines
cgdconfig(8): Add support for shared keys.
New clause `shared <id> algorithm <alg> subkey <info>' in a keygen
block enables `cgdconfig -C' to reuse a key between different params
files, so you can, e.g., use a single password for multiple disks.
This is better than simply caching the password itself because:
- Hashing the password is expensive, so it should only be done once.
  Suppose your budget is time t before you get bored, and you
  calibrate password hash parameters to unlock n disks before you get
  bored waiting for `cgdconfig -C'.
  . With n password hashings the adversary's cost goes up only by a
    factor of t/n.
  . With one password hashing and n subkeys the adversary's cost goes
    up by a factor of n.
  And if you ever add a disk, rehashing it will make `cgdconfig -C'
  go over budget, whereas another subkey adds negligible cost to you.
- Subkeys work for other types of keygen blocks, like shell_cmd,
  which could be used to get a key from a hardware token that needs a
  button press.
The <info> parameter must be different for each params file;
everything else in the keygen block must be the same. With this
clause, the keygen block determines a shared key used only to derive
keys; the actual key used by cgdconfig is derived from the shared key
by the specified algorithm.
The only supported algorithm is hkdf-hmac-sha256, which uses
HKDF-Expand of RFC 5869 instantiated with SHA-256.
Example:
    algorithm aes-cbc;
    iv-method encblkno1;
    keylength 128;
    verify_method none;
    keygen pkcs5_pbkdf2/sha1 {
        iterations 39361;
        salt AAAAgMoHiYonye6KogdYJAobCHE=;
        shared "pw" algorithm hkdf-hmac-sha256
            subkey AAAAgFlw0BMQ5gY+haYkZ6JC+yY=;
    };
The key used for this disk will be derived by
    HKDF-HMAC-SHA256_k(WXDQExDmBj6FpiRnokL7Jg==),
where k is the outcome of PBKDF2-SHA1 with the given parameters.
Note that <info> encodes a four-byte prefix giving the big-endian
length in bits of the info argument to HKDF, just like all other bit
strings in cgdconfig parameters files.
If you have multiple disks configured using the same keygen block
except for the info parameter, `cgdconfig -C' will only prompt once
for your passphrase, generate a shared key k with PBKDF2 as usual,
and then reuse it for each of the disks.
Revision 1.12
Mon Nov 22 14:34:35 2021 UTC (3 years ago) by nia
Branches: MAIN
Changes since revision 1.11: +8 -1 lines
cgdconfig(8): Add an argon2id password-based key generation method
This provides an extra level of side-channel and cracking resistance
compared to the pre-existing pkcs5_pbkdf2/sha1 method used for
password-based disk encryption.
Several new keygen parameters are supported:
memory (integer, in kilobytes)
parallelism (integer, usually the number of CPU cores)
version (integer, usually 19...)
We do our best to calibrate these automatically when the paramsfile
is initially generated.
lgtm riastradh@
Revision 1.11
Sun Dec 14 12:31:39 2014 UTC (9 years, 11 months ago) by mlelstv
Branches: MAIN
CVS tags: prg-localcount2-base3,
prg-localcount2-base2,
prg-localcount2-base1,
prg-localcount2-base,
prg-localcount2,
phil-wifi-base,
phil-wifi-20200421,
phil-wifi-20200411,
phil-wifi-20200406,
phil-wifi-20191119,
phil-wifi-20190609,
phil-wifi,
pgoyette-localcount-base,
pgoyette-localcount-20170426,
pgoyette-localcount-20170320,
pgoyette-localcount-20170107,
pgoyette-localcount-20161104,
pgoyette-localcount-20160806,
pgoyette-localcount-20160726,
pgoyette-localcount,
pgoyette-compat-merge-20190127,
pgoyette-compat-base,
pgoyette-compat-20190127,
pgoyette-compat-20190118,
pgoyette-compat-1226,
pgoyette-compat-1126,
pgoyette-compat-1020,
pgoyette-compat-0930,
pgoyette-compat-0906,
pgoyette-compat-0728,
pgoyette-compat-0625,
pgoyette-compat-0521,
pgoyette-compat-0502,
pgoyette-compat-0422,
pgoyette-compat-0415,
pgoyette-compat-0407,
pgoyette-compat-0330,
pgoyette-compat-0322,
pgoyette-compat-0315,
pgoyette-compat,
perseant-stdc-iso10646-base,
perseant-stdc-iso10646,
netbsd-9-base,
netbsd-9-4-RELEASE,
netbsd-9-3-RELEASE,
netbsd-9-2-RELEASE,
netbsd-9-1-RELEASE,
netbsd-9-0-RELEASE,
netbsd-9-0-RC2,
netbsd-9-0-RC1,
netbsd-9,
netbsd-8-base,
netbsd-8-3-RELEASE,
netbsd-8-2-RELEASE,
netbsd-8-1-RELEASE,
netbsd-8-1-RC1,
netbsd-8-0-RELEASE,
netbsd-8-0-RC2,
netbsd-8-0-RC1,
netbsd-8,
matt-nb8-mediatek-base,
matt-nb8-mediatek,
localcount-20160914,
is-mlppp-base,
is-mlppp,
cjep_sun2x-base1,
cjep_sun2x-base,
cjep_sun2x,
cjep_staticlib_x-base1,
cjep_staticlib_x-base,
cjep_staticlib_x,
bouyer-socketcan-base1,
bouyer-socketcan-base,
bouyer-socketcan
Changes since revision 1.10: +3 -1 lines
Add validation methods "mbr" and "gpt" for disks without a valid disklabel.
Revision 1.9.2.1
Mon Jun 23 04:29:57 2008 UTC (16 years, 5 months ago) by wrstuden
Branches: wrstuden-revivesa
Changes since revision 1.9: +4 -1 lines
Sync w/ -current. 34 merge conflicts to follow.
Revision 1.8.8.1
Mon Jun 2 13:21:21 2008 UTC (16 years, 6 months ago) by mjf
Branches: mjf-devfs2
Changes since revision 1.8: +4 -8 lines
Sync with HEAD.
Revision 1.8.10.1
Sun May 18 12:30:50 2008 UTC (16 years, 6 months ago) by yamt
Branches: yamt-pf42
Changes since revision 1.8: +4 -8 lines
sync with head.
Revision 1.10
Sun May 11 03:15:21 2008 UTC (16 years, 7 months ago) by elric
Branches: MAIN
CVS tags: yamt-pf42-base4,
yamt-pf42-base3,
yamt-pf42-base2,
yamt-pagecache-tag8,
yamt-pagecache-base9,
yamt-pagecache-base8,
yamt-pagecache-base7,
yamt-pagecache-base6,
yamt-pagecache-base5,
yamt-pagecache-base4,
yamt-pagecache-base3,
yamt-pagecache-base2,
yamt-pagecache-base,
yamt-pagecache,
wrstuden-revivesa-base-3,
wrstuden-revivesa-base-2,
wrstuden-revivesa-base-1,
wrstuden-revivesa-base,
tls-maxphys-base,
tls-maxphys,
tls-earlyentropy-base,
tls-earlyentropy,
riastradh-xf86-video-intel-2-7-1-pre-2-21-15,
riastradh-drm2-base3,
riastradh-drm2-base2,
riastradh-drm2-base1,
riastradh-drm2-base,
riastradh-drm2,
netbsd-7-nhusb-base-20170116,
netbsd-7-nhusb-base,
netbsd-7-nhusb,
netbsd-7-base,
netbsd-7-2-RELEASE,
netbsd-7-1-RELEASE,
netbsd-7-1-RC2,
netbsd-7-1-RC1,
netbsd-7-1-2-RELEASE,
netbsd-7-1-1-RELEASE,
netbsd-7-1,
netbsd-7-0-RELEASE,
netbsd-7-0-RC3,
netbsd-7-0-RC2,
netbsd-7-0-RC1,
netbsd-7-0-2-RELEASE,
netbsd-7-0-1-RELEASE,
netbsd-7-0,
netbsd-7,
netbsd-6-base,
netbsd-6-1-RELEASE,
netbsd-6-1-RC4,
netbsd-6-1-RC3,
netbsd-6-1-RC2,
netbsd-6-1-RC1,
netbsd-6-1-5-RELEASE,
netbsd-6-1-4-RELEASE,
netbsd-6-1-3-RELEASE,
netbsd-6-1-2-RELEASE,
netbsd-6-1-1-RELEASE,
netbsd-6-1,
netbsd-6-0-RELEASE,
netbsd-6-0-RC2,
netbsd-6-0-RC1,
netbsd-6-0-6-RELEASE,
netbsd-6-0-5-RELEASE,
netbsd-6-0-4-RELEASE,
netbsd-6-0-3-RELEASE,
netbsd-6-0-2-RELEASE,
netbsd-6-0-1-RELEASE,
netbsd-6-0,
netbsd-6,
netbsd-5-base,
netbsd-5-2-RELEASE,
netbsd-5-2-RC1,
netbsd-5-2-3-RELEASE,
netbsd-5-2-2-RELEASE,
netbsd-5-2-1-RELEASE,
netbsd-5-2,
netbsd-5-1-RELEASE,
netbsd-5-1-RC4,
netbsd-5-1-RC3,
netbsd-5-1-RC2,
netbsd-5-1-RC1,
netbsd-5-1-5-RELEASE,
netbsd-5-1-4-RELEASE,
netbsd-5-1-3-RELEASE,
netbsd-5-1-2-RELEASE,
netbsd-5-1-1-RELEASE,
netbsd-5-1,
netbsd-5-0-RELEASE,
netbsd-5-0-RC4,
netbsd-5-0-RC3,
netbsd-5-0-RC2,
netbsd-5-0-RC1,
netbsd-5-0-2-RELEASE,
netbsd-5-0-1-RELEASE,
netbsd-5-0,
netbsd-5,
mjf-devfs2-base,
matt-premerge-20091211,
matt-nb6-plus-nbase,
matt-nb6-plus-base,
matt-nb6-plus,
matt-nb5-pq3-base,
matt-nb5-pq3,
matt-nb5-mips64-u2-k2-k4-k7-k8-k9,
matt-nb5-mips64-u1-k1-k5,
matt-nb5-mips64-premerge-20101231,
matt-nb5-mips64-premerge-20091211,
matt-nb5-mips64-k15,
matt-nb5-mips64,
matt-nb4-mips64-k7-u2a-k9b,
matt-mips64-premerge-20101231,
matt-mips64-base2,
jym-xensuspend-nbase,
jym-xensuspend-base,
jym-xensuspend,
hpcarm-cleanup-nbase,
cherry-xenmp-base,
cherry-xenmp,
bouyer-quota2-nbase,
bouyer-quota2-base,
bouyer-quota2,
agc-symver-base,
agc-symver
Changes since revision 1.9: +4 -1 lines
Add a new keygen method which will execute an external command and
take its output as the key. I've been meaning to do this for quite
a while...
Revision 1.9
Mon Apr 28 20:23:08 2008 UTC (16 years, 7 months ago) by martin
Branches: MAIN
Branch point for: wrstuden-revivesa
Changes since revision 1.8: +1 -8 lines
Remove clause 3 and 4 from TNF licenses
Revision 1.7.16.1
Tue Nov 6 23:12:31 2007 UTC (17 years, 1 month ago) by matt
Branches: matt-armv6
CVS tags: matt-armv6-prevmlocking
Changes since revision 1.7: +8 -8 lines
sync with HEAD
Revision 1.8
Tue Nov 6 02:50:49 2007 UTC (17 years, 1 month ago) by christos
Branches: MAIN
CVS tags: yamt-pf42-baseX,
yamt-pf42-base,
mjf-devfs-base,
mjf-devfs,
matt-armv6-nbase,
matt-armv6-base,
keiichi-mipv6-base,
keiichi-mipv6,
hpcarm-cleanup-base,
cube-autoconf-base,
cube-autoconf
Branch point for: yamt-pf42,
mjf-devfs2
Changes since revision 1.7: +8 -8 lines
3 month roland feedback timeout:
- Pass lint
- knf
- convert ints to size_t's
Revision 1.7
Fri Aug 13 15:03:57 2004 UTC (20 years, 4 months ago) by tv
Branches: MAIN
CVS tags: wrstuden-fixsa-newbase,
wrstuden-fixsa-base-1,
wrstuden-fixsa-base,
wrstuden-fixsa,
netbsd-4-base,
netbsd-4-0-RELEASE,
netbsd-4-0-RC5,
netbsd-4-0-RC4,
netbsd-4-0-RC3,
netbsd-4-0-RC2,
netbsd-4-0-RC1,
netbsd-4-0-1-RELEASE,
netbsd-4-0,
netbsd-4,
netbsd-3-base,
netbsd-3-1-RELEASE,
netbsd-3-1-RC4,
netbsd-3-1-RC3,
netbsd-3-1-RC2,
netbsd-3-1-RC1,
netbsd-3-1-1-RELEASE,
netbsd-3-1,
netbsd-3-0-RELEASE,
netbsd-3-0-RC6,
netbsd-3-0-RC5,
netbsd-3-0-RC4,
netbsd-3-0-RC3,
netbsd-3-0-RC2,
netbsd-3-0-RC1,
netbsd-3-0-3-RELEASE,
netbsd-3-0-2-RELEASE,
netbsd-3-0-1-RELEASE,
netbsd-3-0,
netbsd-3,
matt-mips64-base,
matt-mips64,
hpcarm-cleanup,
abandoned-netbsd-4-base,
abandoned-netbsd-4
Branch point for: matt-armv6
Changes since revision 1.6: +2 -1 lines
Add "urandomkey" key generation method as described in PR kern/22766;
useful for configuring a throwaway key for cgd-on-swap at boot time.
Revision 1.6.2.1
Fri Aug 13 15:02:17 2004 UTC (20 years, 4 months ago) by tv
Branches: netbsd-2-0
CVS tags: netbsd-2-base,
netbsd-2-1-RELEASE,
netbsd-2-1-RC6,
netbsd-2-1-RC5,
netbsd-2-1-RC4,
netbsd-2-1-RC3,
netbsd-2-1-RC2,
netbsd-2-1-RC1,
netbsd-2-1,
netbsd-2-0-RELEASE,
netbsd-2-0-RC5,
netbsd-2-0-RC4,
netbsd-2-0-RC3,
netbsd-2-0-RC2,
netbsd-2-0-RC1,
netbsd-2-0-3-RELEASE,
netbsd-2-0-2-RELEASE,
netbsd-2-0-1-RELEASE,
netbsd-2
Changes since revision 1.6: +1 -1 lines
Oy, sometimes CVS sticky tags hurt. Revert urandomkey; that should be on HEAD.
Revision 1.6
Wed Mar 17 01:29:13 2004 UTC (20 years, 8 months ago) by dan
Branches: MAIN
CVS tags: netbsd-2-0-base
Branch point for: netbsd-2-0
Changes since revision 1.5: +6 -5 lines
Fix a longstanding algorithmic flaw in PKCS#5 key generation.
The existing pkcs5_pbkdf2 keygen method is retained functionally
as-is, for compatibility with existing params files. The corrected
algorithm, which is now the default for new params file generation, is
called pkcs5_pbkdf2/sha1.
NB. The backwards compatibility for the miscreant keygen method will
be removed at the same time as support for the previous parameters
file syntax. Sometime between now and then, users should update their
params files using -G, which will create a new params file including
an xor value so that the resulting generated key is the same; they
should also
Problem discovery and 2-char algorithm fix by Charles Blundell, messy
compat goop by me, long complicated names by Roland Dowdeswell.
Update manpage accordingly and bump date.
Revision 1.5
Tue Sep 23 17:24:46 2003 UTC (21 years, 2 months ago) by cb
Branches: MAIN
Changes since revision 1.4: +2 -1 lines
add a new verification method that prompts for the pkcs#5 pbkdf2
passphrase again and checks the generated key against the original.
Revision 1.4
Mon Mar 24 02:02:51 2003 UTC (21 years, 8 months ago) by elric
Branches: MAIN
Changes since revision 1.3: +60 -40 lines
substantial rototill of the code.
  o added new features:
      o -G: generate a new paramsfile that produces the same
        key as the old paramsfile,
      o ffs verify_method,
      o multiple keygen methods that are xor'ed together
        (for n-factor authentication), and
      o calibrating the iteration count of PKCS#5 PBKDF2 to
        the current machine's speed.
  o changed paramsfile format to allow for the new features.
  o replaced open-coded parser with yacc grammar.
  o lots of supporting changes.
  o updated documentation to reflect new features and new
    paramsfile format.
Revision 1.3
Wed Dec 4 05:02:29 2002 UTC (22 years ago) by elric
Branches: MAIN
CVS tags: fvdl_fs64_base
Changes since revision 1.2: +2 -1 lines
Make iteration count for PKCS#5 settable in the parameters files.
Revision 1.2
Sat Oct 12 21:02:18 2002 UTC (22 years, 2 months ago) by elric
Branches: MAIN
Changes since revision 1.1: +12 -1 lines
Add the concept of a verification method which allows cgdconfig(8)
to reprompt for the passphrase if the key does not meet certain
criteria. The currently implemented methods are ``none'' and
``disklabel''. The first behaves in the original fashion, the
second will scan for a disklabel on the cgd after configuration
and if it does not find a disklabel then it will reprompt for the
password and reconfigure the disk.
Revision 1.1
Fri Oct 4 18:37:20 2002 UTC (22 years, 2 months ago) by elric
Branches: MAIN
Initial checkin of cgdconfig(8), a program to configure a cgd.