Finally put the WRAPPING_KEY_LEN inlining into zfs.hpp

po/pl.po

@@ -140,14 +140,14 @@ msgstr  "PCR bank \"%s\": nie podano algorytmu; potrzebuję alg:PCR[,PCR]…\n"
 
 #. %s=dataset name, then TPM2. noun for "Enter passphrase for" prompt
 #. %s=dataset, then TPM1.X. noun for "Enter passphrase for" prompt
-#: src/tpm2.cpp:374 src/bin/zfs-tpm1x-change-key.cpp:108
+#: src/tpm2.cpp:374 src/bin/zfs-tpm1x-change-key.cpp:109
 #, c-format
 msgid   "%s %s wrapping key (or empty for none)"
 msgstr  "klucza zawijania %2$s dla %1$s (puste żeby nie używać żadnego)"
 
 #. %s=dataset name, then TPM2. noun for "Enter passphrase for" prompt
 #. %s=dataset name, then TPM1.x. noun for "Enter passphrase for" prompt
-#: src/tpm2.cpp:425 src/bin/zfs-tpm1x-load-key.cpp:63
+#: src/tpm2.cpp:425 src/bin/zfs-tpm1x-load-key.cpp:59
 #, c-format
 msgid   "%s %s wrapping key"
 msgstr  "klucza zawijania %2$s dla %1$s"
@@ -157,84 +157,84 @@ msgstr  "klucza zawijania %2$s dla %1$s"
 msgid   "Couldn't unseal wrapping key with PCR policy: %s\n"
 msgstr  "Nie udało się rozpieczętować klucza zawijania z polityką PCR: %s\n"
 
-#: src/zfs.cpp:98
+#: src/zfs.cpp:110
 #, c-format
 msgid   "You might need to run \"zfs inherit %s %s\" and \"zfs inherit %s %s\" to fully clear metadata!\n"
 msgstr  "Możliwe, że potrzebujesz uruchomić \"zfs inherit %s %s\" i \"zfs inherit %s %s\" żeby całkowicie pozbyć się metadanych!\n"
 
-#: src/zfs.cpp:113
+#: src/zfs.cpp:125
 #, c-format
 msgid   "Dataset %s not encrypted with tzpfms!\n"
 msgstr  "Dataset %s nie jest szyfrowany tzpfms!\n"
 
-#: src/zfs.cpp:115
+#: src/zfs.cpp:127
 #, c-format
 msgid   "Dataset %s encrypted with tzpfms back-end %s, but we are %s.\n"
 msgstr  "Dataset %s szyfrowany tzpfms %s, ale ten program rozumie %s.\n"
 
-#: src/zfs.cpp:119
+#: src/zfs.cpp:131
 #, c-format
 msgid   "Dataset %s missing key data.\n"
 msgstr  "Dataset %s nie ma klucza.\n"
 
 #. / Mimic libzfs error output
-#: src/zfs.hpp:26
+#: src/zfs.hpp:28
 #, c-format
 msgid   "Key change error: Key must be loaded.\n"
 msgstr  "Błąd zmiany klucza: Klucz musi być załadowany.\n"
 
 #. dataset name: (null), 0A123...
 #. dataset name: TPM1.X, (null)
-#: src/zfs.hpp:70
+#: src/zfs.hpp:68
 #, c-format
 msgid   "Inconsistent tzpfms metadata for %s: back-end is %s, but handle is %s?\n"
 msgstr  "Niespójne metadane tzpfms dla %s: tzpfms %s ale obiekt z kluczem %s?\n"
 
-#: src/zfs.hpp:75
+#: src/zfs.hpp:73
 #, c-format
 msgid   "Dataset %s was encrypted with tzpfms back-end %s before, but we are %s. You will have to free handle %s for back-end %s manually!\n"
 msgstr  "Dataset %s był zaszyfrowany tzpfms %s, ale ten program rozumie %s. Konieczne będzie ręczne usunięcie obiektu z kluczem %s %s!\n"
 
-#: src/zfs_meat.cpp:33
+#: src/zfs_meat.cpp:29
 #, c-format
 msgid   "Key for %s changed\n"
 msgstr  "Klucz do %s zmieniony\n"
 
-#: src/zfs_meat.cpp:46
+#: src/zfs_meat.cpp:42
 #, c-format
 msgid   "Key for %s OK\n"
 msgstr  "Klucz do %s OK\n"
 
-#: src/zfs_meat.cpp:48
+#: src/zfs_meat.cpp:44
 #, c-format
 msgid   "Key for %s loaded\n"
 msgstr  "Klucz do %s załadowany\n"
 
-#: src/bin/zfs-tpm1x-change-key.cpp:30
+#: src/bin/zfs-tpm1x-change-key.cpp:26
 msgid   "[-b backup-file] [-P PCR[,PCR]…]"
 msgstr  "[-b plik-z-backupem] [-P PCR[,PCR]…]"
 
 #. 0A1234... follows
-#: src/bin/zfs-tpm1x-load-key.cpp:71
+#: src/bin/zfs-tpm1x-load-key.cpp:67
 #, c-format
 msgid   "Wrong sealed data length (%u != %zu): "
 msgstr  "Zła długość zaplombowanych danych (%u != %zu): "
 
-#: src/bin/zfs-tpm2-change-key.cpp:25
+#: src/bin/zfs-tpm2-change-key.cpp:21
 msgid   "[-b backup-file] [-P algorithm:PCR[,PCR]…[+algorithm:PCR[,PCR]…]… [-A]]"
 msgstr  "[-b plik-z-backupem] [-P algorytm:PCR[,PCR]…[+algorytm:PCR[,PCR]…]… [-A]]"
 
-#: src/bin/zfs-tpm2-change-key.cpp:72
+#: src/bin/zfs-tpm2-change-key.cpp:68
 #, c-format
 msgid   "Couldn't parse previous persistent handle for dataset %s. You might need to run \"tpm2_evictcontrol -c %s\" or equivalent!\n"
 msgstr  "Nie udało się rozczytać poprzedniego obiektu z kluczem dla %s. Możliwe, że potrzeba będzie uruchomić \"tpm2_evictcontrol -c %s\", albo jego ekwiwalent!\n"
 
-#: src/bin/zfs-tpm2-change-key.cpp:78
+#: src/bin/zfs-tpm2-change-key.cpp:74
 #, c-format
 msgid   "Couldn't free previous persistent handle for dataset %s. You might need to run \"tpm2_evictcontrol -c 0x%X\" or equivalent!\n"
 msgstr  "Nie udało się uwolnić poprzedniego obiektu z kluczem dla %s. Możliwe, że potrzeba będzie uruchomić \"tpm2_evictcontrol -c 0x%X\", albo jego ekwiwalent!\n"
 
-#: src/bin/zfs-tpm2-change-key.cpp:94
+#: src/bin/zfs-tpm2-change-key.cpp:89
 #, c-format
 msgid   "Couldn't free persistent handle. You might need to run \"tpm2_evictcontrol -c 0x%X\" or equivalent!\n"
 msgstr  "Nie udało się uwolnić obiektu z kluczem. Możliwe, że potrzeba będzie uruchomić \"tpm2_evictcontrol -c 0x%X\", albo jego ekwiwalent!\n"

src/bin/zfs-tpm1x-change-key.cpp

@@ -1,10 +1,6 @@
 /* SPDX-License-Identifier: MIT */
 
 
-#include <libzfs.h>
-// #include <sys/zio_crypt.h>
-#define WRAPPING_KEY_LEN 32
-
 #include <algorithm>
 #include <stdio.h>
 
@@ -80,10 +76,15 @@ int main(int argc, char ** argv) {
 			    }
 
 
-			    uint8_t * wrap_key{};
-			    TRY_TPM1X("get random data from TPM", Tspi_TPM_GetRandom(tpm_h, WRAPPING_KEY_LEN, &wrap_key));
+			    uint8_t wrap_key[WRAPPING_KEY_LEN];
+			    {
+				    BYTE * rand{};
+				    TRY_TPM1X("get random data from TPM", Tspi_TPM_GetRandom(tpm_h, sizeof(wrap_key), &rand));
+				    memcpy(wrap_key, rand, sizeof(wrap_key));
+				    Tspi_Context_FreeMemory(tpm_h, rand);
+			    }
 			    if(backup)
-				    TRY_MAIN(write_exact(backup, wrap_key, WRAPPING_KEY_LEN, 0400));
+				    TRY_MAIN(write_exact(backup, wrap_key, sizeof(wrap_key), 0400));
 
 
 			    TSS_HOBJECT parent_key{};
@@ -136,7 +137,7 @@ int main(int argc, char ** argv) {
 			    }};
 
 
-			    TRY_TPM1X("seal wrapping key data", Tspi_Data_Seal(sealed_object, parent_key, WRAPPING_KEY_LEN, wrap_key, bound_pcrs));
+			    TRY_TPM1X("seal wrapping key data", Tspi_Data_Seal(sealed_object, parent_key, sizeof(wrap_key), wrap_key, bound_pcrs));
 
 
 			    uint8_t * parent_key_blob{};

src/bin/zfs-tpm1x-load-key.cpp

@@ -1,10 +1,6 @@
 /* SPDX-License-Identifier: MIT */
 
 
-#include <libzfs.h>
-// #include <sys/zio_crypt.h>
-#define WRAPPING_KEY_LEN 32
-
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>

src/bin/zfs-tpm2-change-key.cpp

@@ -1,10 +1,6 @@
 /* SPDX-License-Identifier: MIT */
 
 
-#include <libzfs.h>
-// #include <sys/zio_crypt.h>
-#define WRAPPING_KEY_LEN 32
-
 #include <stdio.h>
 
 #include "../fd.hpp"
@@ -81,12 +77,11 @@ int main(int argc, char ** argv) {
 			    }));
 
 			    uint8_t wrap_key[WRAPPING_KEY_LEN];
-			    TPMI_DH_PERSISTENT persistent_handle{};
-
 			    TRY_MAIN(tpm2_generate_rand(tpm2_ctx, wrap_key, sizeof(wrap_key)));
 			    if(backup)
 				    TRY_MAIN(write_exact(backup, wrap_key, sizeof(wrap_key), 0400));
 
+			    TPMI_DH_PERSISTENT persistent_handle{};
 			    TRY_MAIN(tpm2_seal(zfs_get_name(dataset), tpm2_ctx, tpm2_session, persistent_handle, pcrs, allow_PCR_or_pass, wrap_key, sizeof(wrap_key)));
 			    bool ok = false;  // Try to free the persistent handle if we're unsuccessful in actually using it later on
 			    quickscope_wrapper persistent_clearer{[&] {

src/bin/zfs-tpm2-load-key.cpp

@@ -1,10 +1,6 @@
 /* SPDX-License-Identifier: MIT */
 
 
-#include <libzfs.h>
-// #include <sys/zio_crypt.h>
-#define WRAPPING_KEY_LEN 32
-
 #include <stdio.h>
 
 #include "../fd.hpp"

src/zfs.hpp

@@ -6,6 +6,8 @@
 
 #include <libzfs.h>
 #include <sys/nvpair.h>
+// #include <sys/zio_crypt.h>
+#define WRAPPING_KEY_LEN 32
 
 #include "main.hpp"
 
@@ -48,14 +50,10 @@ extern int parse_key_props(zfs_handle_t * in, const char * our_backend, char *&
 
 
 /// Rewrap key on on to wrap_key.
-///
-/// wrap_key must be WRAPPING_KEY_LEN long.
-extern int change_key(zfs_handle_t * on, const uint8_t * wrap_key);
+extern int change_key(zfs_handle_t * on, const uint8_t (&wrap_key)[WRAPPING_KEY_LEN]);
 
 /// (Try to) load key wrap_key for for_d.
-///
-/// wrap_key must be WRAPPING_KEY_LEN long.
-extern int load_key(zfs_handle_t * for_d, const uint8_t * wrap_key, bool noop);
+extern int load_key(zfs_handle_t * for_d, const uint8_t (&wrap_key)[WRAPPING_KEY_LEN], bool noop);
 
 /// Check back-end integrity; if the previous backend matches this_backend, run func(); otherwise warn.
 template <class F>

src/zfs_meat.cpp

@@ -5,10 +5,6 @@
 #include "main.hpp"
 #include "zfs.hpp"
 
-#include <libzfs.h>
-// #include <sys/zio_crypt.h>
-#define WRAPPING_KEY_LEN 32
-
 
 template <class F>
 static int with_stdin_at_buffer(const void * buf, size_t buf_len, F && func) {
@@ -20,13 +16,13 @@ static int with_stdin_at_buffer(const void * buf, size_t buf_len, F && func) {
 }
 
 
-int change_key(zfs_handle_t * on, const uint8_t * wrap_key) {
+int change_key(zfs_handle_t * on, const uint8_t (&wrap_key)[WRAPPING_KEY_LEN]) {
 	/// zfs_crypto_rewrap() with "prompt" reads from stdin, but not if it's a TTY;
 	/// this user-proofs the set-up, and means we don't have to touch the filesysten:
 	/// instead, get an FD, write the raw key data there, dup() it onto stdin,
 	/// let libzfs read it, then restore stdin
 
-	return with_stdin_at_buffer(wrap_key, WRAPPING_KEY_LEN, [&] {
+	return with_stdin_at_buffer(wrap_key, sizeof(wrap_key), [&] {
 		if(zfs_crypto_rewrap(on, TRY_PTR("get rewrap args", rewrap_args()), B_FALSE))
 			return __LINE__;  // Error printed by libzfs
 		else
@@ -37,8 +33,8 @@ int change_key(zfs_handle_t * on, const uint8_t * wrap_key) {
 }
 
 
-int load_key(zfs_handle_t * for_d, const uint8_t * wrap_key, bool noop) {
-	return with_stdin_at_buffer(wrap_key, WRAPPING_KEY_LEN, [&] {
+int load_key(zfs_handle_t * for_d, const uint8_t (&wrap_key)[WRAPPING_KEY_LEN], bool noop) {
+	return with_stdin_at_buffer(wrap_key, sizeof(wrap_key), [&] {
 		if(zfs_crypto_load_key(for_d, noop ? B_TRUE : B_FALSE, nullptr))
 			return __LINE__;  // Error printed by libzfs
 		else                //