From a9caaec18a45ef8d0d0ffe01e430e4739a7fba45 Mon Sep 17 00:00:00 2001
From: Taylor R Campbell
Date: Sun, 26 Jun 2022 15:32:15 +0000
Subject: [PATCH 1/4] cgdconfig(8): New -t operation just prints the derived key in base64.

For testing purposes.

---
 distrib/sets/lists/tests/mi | 1 +
 sbin/cgdconfig/cgdconfig.8 | 5 ++
 sbin/cgdconfig/cgdconfig.c | 57 ++++++++++++++++++++--
 tests/dev/cgd/Makefile | 3 +-
 tests/dev/cgd/t_cgdconfig.sh | 94 ++++++++++++++++++++++++++++++++++++
 5 files changed, 156 insertions(+), 4 deletions(-)
 create mode 100644 tests/dev/cgd/t_cgdconfig.sh

diff --git a/distrib/sets/lists/tests/mi b/distrib/sets/lists/tests/mi
index a8f2705bbea7..6dc6afb2d236 100644
--- a/distrib/sets/lists/tests/mi
+++ b/distrib/sets/lists/tests/mi
@@ -1426,6 +1426,7 @@
 ./usr/tests/dev/cgd/t_cgd_adiantum tests-fs-tests atf,compattestfile,rump
 ./usr/tests/dev/cgd/t_cgd_aes tests-fs-tests atf,compattestfile,rump
 ./usr/tests/dev/cgd/t_cgd_blowfish tests-fs-tests atf,compattestfile,rump
+./usr/tests/dev/cgd/t_cgdconfig tests-fs-tests compattestfile,atf
 ./usr/tests/dev/clock_subr tests-fs-tests compattestfile,atf
 ./usr/tests/dev/clock_subr/Atffile tests-fs-tests compattestfile,atf
 ./usr/tests/dev/clock_subr/Kyuafile tests-fs-tests compattestfile,atf,kyua
diff --git a/sbin/cgdconfig/cgdconfig.8 b/sbin/cgdconfig/cgdconfig.8
index 8e6652349e94..f0d1a1332a00 100644
--- a/sbin/cgdconfig/cgdconfig.8
+++ b/sbin/cgdconfig/cgdconfig.8
@@ -60,6 +60,9 @@
 .Ar alg
 .Op Ar keylen
 .Nm
+.Fl t
+.Ar paramsfile
+.Nm
 .Fl l
 .Op Fl v Ns Op Cm v
 .Op Ar cgd
@@ -114,6 +117,8 @@ from before released in 2010; see
 .Xr cgd 4
 for details.
+.It Fl t
+Generate the key and print it to standard output encoded in base64.
 .It Fl k Ar kgmeth
 Specify the key generation method (default: pkcs5_pbkdf2/sha1).
 .It Fl l Op Ar cgd
diff --git a/sbin/cgdconfig/cgdconfig.c b/sbin/cgdconfig/cgdconfig.c
index 53bb2d414d04..e2f28625b94a 100644
--- a/sbin/cgdconfig/cgdconfig.c
+++ b/sbin/cgdconfig/cgdconfig.c
@@ -51,6 +51,11 @@ __RCSID("$NetBSD: cgdconfig.c,v 1.53 2021/11/22 14:34:35 nia Exp $");
 #include
 #include
+/* base64 gunk */
+#include
+#include
+#include
+
 #include
 #include
 #include
@@ -83,7 +88,8 @@ enum action {
 ACTION_CONFIGALL, /* configure all from config file */
 ACTION_UNCONFIGALL, /* unconfigure all from config file */
 ACTION_CONFIGSTDIN, /* configure, key from stdin */
- ACTION_LIST /* list configured devices */
+ ACTION_LIST, /* list configured devices */
+ ACTION_PRINTKEY, /* print key to stdout */
 };
 /* if nflag is set, do not configure/unconfigure the cgd's */
@@ -106,6 +112,7 @@ static int unconfigure(int, char **, struct params *, int);
 static int do_all(const char *, int, char **, int (*)(int, char **, struct params *, int));
 static int do_list(int, char **);
+static int do_printkey(int, char **);
 #define CONFIG_FLAGS_FROMALL 1 /* called from configure_all() */
 #define CONFIG_FLAGS_FROMMAIN 2 /* called from main() */
@@ -155,6 +162,7 @@ usage(void)
 (void)fprintf(stderr, " %s -l [-v[v]] [cgd]\n", getprogname());
 (void)fprintf(stderr, " %s -s [-nv] [-i ivmeth] cgd dev alg " "[keylen]\n", getprogname());
+ (void)fprintf(stderr, " %s -t paramsfile\n", getprogname());
 (void)fprintf(stderr, " %s -U [-nv] [-f configfile]\n", getprogname());
 (void)fprintf(stderr, " %s -u [-nv] cgd\n", getprogname());
@@ -209,7 +217,7 @@ main(int argc, char **argv)
 p = params_new();
 kg = NULL;
- while ((ch = getopt(argc, argv, "CGUV:b:ef:gi:k:lno:spuv")) != -1)
+ while ((ch = getopt(argc, argv, "CGUV:b:ef:gi:k:lno:sptuv")) != -1)
 switch (ch) {
 case 'C':
 set_action(&action, ACTION_CONFIGALL);
 break;
@@ -276,7 +284,9 @@ main(int argc, char **argv)
 case 's':
 set_action(&action, ACTION_CONFIGSTDIN);
 break;
-
+ case 't':
+ set_action(&action, ACTION_PRINTKEY);
+ break;
 case 'u':
 set_action(&action, ACTION_UNCONFIGURE);
 break;
@@ -319,6 +329,8 @@ main(int argc, char **argv)
 return configure_stdin(p, argc, argv);
 case ACTION_LIST:
 return do_list(argc, argv);
+ case ACTION_PRINTKEY:
+ return do_printkey(argc, argv);
 default:
 errx(EXIT_FAILURE, "undefined action");
 /* NOTREACHED */
@@ -1339,6 +1351,45 @@ do_list(int argc, char **argv)
 return 0;
 }
+static int
+do_printkey(int argc, char **argv)
+{
+ struct params *p;
+ const uint8_t *raw;
+ size_t nbits, nbytes;
+ size_t nb64;
+ char *b64;
+ int ret;
+
+ if (argc != 1)
+ usage();
+ p = params_cget(argv[0]);
+ if (p == NULL)
+ return -1;
+ if (!params_verify(p)) {
+ warnx("invalid parameters file \"%s\"", argv[0]);
+ return -1;
+ }
+ p->key = getkey("key", p->keygen, p->keylen);
+ raw = bits_getbuf(p->key);
+ nbits = bits_len(p->key);
+ assert(nbits <= INT_MAX - 7);
+ nbytes = BITS2BYTES(nbits);
+ assert(nbytes <= 3*(INT_MAX/4) - 2);
+
+ nb64 = 4*((nbytes + 2)/3);
+ b64 = emalloc(nb64 + 2);
+ ret = __b64_ntop(raw, nbytes, b64, nb64 + 1);
+ assert(ret == (int)nb64);
+ b64[nb64] = '\n';
+ b64[nb64 + 1] = '\0';
+
+ if (fwrite(b64, nb64 + 1, 1, stdout) != 1)
+ err(1, "fwrite");
+ fflush(stdout);
+ return ferror(stdout);
+}
+
 static void
 eliminate_cores(void)
 {
diff --git a/tests/dev/cgd/Makefile b/tests/dev/cgd/Makefile
index ffd38063aa59..f1e4f60de63a 100644
--- a/tests/dev/cgd/Makefile
+++ b/tests/dev/cgd/Makefile
@@ -7,7 +7,8 @@ TESTSDIR= ${TESTSBASE}/dev/cgd
 FILES= paramsfile
 FILESDIR= ${TESTSDIR}
-TESTS_SH= t_cgd
+TESTS_SH+= t_cgd
+TESTS_SH+= t_cgdconfig
 .if ${MKRUMP} != "no"
 TESTS_C+= t_cgd_3des
diff --git a/tests/dev/cgd/t_cgdconfig.sh b/tests/dev/cgd/t_cgdconfig.sh
new file mode 100644
index 000000000000..7a4edc21ce1a
--- /dev/null
+++ b/tests/dev/cgd/t_cgdconfig.sh
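Review bot: In do_printkey the result of `__b64_ntop` is verified only by `assert(ret == (int)nb64)`, so under NDEBUG a -1 return goes unnoticed and the still-uninitialized `b64` buffer is written to stdout as though it were the key; make it an unconditional check, `if (ret != (int)nb64) errx(EXIT_FAILURE, "b64_ntop");`, which also matches the `errx(EXIT_FAILURE, ...)` convention visible in main() rather than the `err(1, "fwrite")` used a few lines later. The `b64` buffer and `p` both hold the derived key and are neither cleared nor released before return (for `p`, also on the `params_verify` failure path); an `explicit_memset(b64, 0, nb64 + 2); free(b64);` ahead of `return ferror(stdout);`, plus the params destructor for `p` if the params API has one (not visible here), would keep a second copy of the key out of any core file. The `eliminate_cores()` helper directly below the hunk suggests the file already cares about that, though whether main() runs it before dispatching to do_printkey is outside this hunk. If getkey() can return NULL for a refused prompt or an unusable keygen block — its contract is not visible in this hunk — `bits_getbuf(p->key)` needs a NULL guard before it, e.g. `if (p->key == NULL) return -1;`.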
@@ -0,0 +1,94 @@
+# $NetBSD$
+#
+# Copyright (c) 2022 The NetBSD Foundation, Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+#
+
+atf_test_case storedkey
+storedkey_head()
+{
+ atf_set descr "Test key generation with storedkey"
+}
+storedkey_body()
+{
+ cat <params
+algorithm adiantum;
+iv-method encblkno1;
+keylength 256;
+verify_method none;
+keygen storedkey key AAABAJtnmp3XZspMBAFpCYnB8Hekn0 \
+ gj5cDVngslfGLSqwcy;
+EOF
+ atf_check -o inline:'m2eanddmykwEAWkJicHwd6SfSCPlwNWeCyV8YtKrBzI=\n' \
+ cgdconfig -t params
+}
+
+atf_test_case storedkey2a
+storedkey2a_head()
+{
+ atf_set descr "Test key generation with combined storedkeys"
+}
+storedkey2a_body()
+{
+ cat <params
+algorithm adiantum;
+iv-method encblkno1;
+keylength 256;
+verify_method none;
+keygen storedkey key AAABAJtnmp3XZspMBAFpCYnB8Hekn0 \
+ gj5cDVngslfGLSqwcy;
+keygen storedkey key AAABAK1pbgIayXftX0RQ3AaMK4YEd/ \
+ fowKwQbENxpu3o1k9m;
+EOF
+ atf_check -o inline:'Ng70n82vvaFbRTnVj03b8aDov8slbMXySFTajzp9SFQ=\n' \
+ cgdconfig -t params
+}
+
+atf_test_case storedkey2b
+storedkey2b_head()
+{
+ atf_set descr "Test key generation with combined storedkeys, reversed"
+}
+storedkey2b_body()
+{
+ cat <params
+algorithm adiantum;
+iv-method encblkno1;
+keylength 256;
+verify_method none;
+keygen storedkey key AAABAK1pbgIayXftX0RQ3AaMK4YEd/ \
+ fowKwQbENxpu3o1k9m;
+keygen storedkey key AAABAJtnmp3XZspMBAFpCYnB8Hekn0 \
+ gj5cDVngslfGLSqwcy;
+EOF
+ atf_check -o inline:'Ng70n82vvaFbRTnVj03b8aDov8slbMXySFTajzp9SFQ=\n' \
+ cgdconfig -t params
+}
+
+atf_init_test_cases()
+{
+ atf_add_test_case storedkey
+ atf_add_test_case storedkey2a
+ atf_add_test_case storedkey2b
+}
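Review bot: Each `*_head()` sets only `descr`, yet every body runs `cgdconfig` straight from PATH, so on a host without the tool the cases fail instead of being skipped; add `atf_set require.progs cgdconfig` after each `atf_set descr` line (storedkey_head, storedkey2a_head, storedkey2b_head). The heredoc line appears here as `cat <params`, presumably `cat <<EOF >params` with the redirections lost in rendering, which the `EOF` terminator that follows supports. storedkey2b repeats storedkey2a with the two storedkey blocks swapped and expects the same output, which usefully pins that combining stored keys commutes; a one-line comment above storedkey2b_body, `# same keys as storedkey2a in the other order: combination must commute`, would make that intent obvious to whoever next touches the expected strings.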