diff --git a/po/pl.po b/po/pl.po index 789739d..9fe8858 100644 --- a/po/pl.po +++ b/po/pl.po @@ -140,14 +140,14 @@ msgstr "PCR bank \"%s\": nie podano algorytmu; potrzebuję alg:PCR[,PCR]…\n" #. %s=dataset name, then TPM2. noun for "Enter passphrase for" prompt #. %s=dataset, then TPM1.X. noun for "Enter passphrase for" prompt -#: src/tpm2.cpp:374 src/bin/zfs-tpm1x-change-key.cpp:108 +#: src/tpm2.cpp:374 src/bin/zfs-tpm1x-change-key.cpp:109 #, c-format msgid "%s %s wrapping key (or empty for none)" msgstr "klucza zawijania %2$s dla %1$s (puste żeby nie używać żadnego)" #. %s=dataset name, then TPM2. noun for "Enter passphrase for" prompt #. %s=dataset name, then TPM1.x. noun for "Enter passphrase for" prompt -#: src/tpm2.cpp:425 src/bin/zfs-tpm1x-load-key.cpp:63 +#: src/tpm2.cpp:425 src/bin/zfs-tpm1x-load-key.cpp:59 #, c-format msgid "%s %s wrapping key" msgstr "klucza zawijania %2$s dla %1$s" 
@@ -157,84 +157,84 @@ msgstr "klucza zawijania %2$s dla %1$s" msgid "Couldn't unseal wrapping key with PCR policy: %s\n" msgstr "Nie udało się rozpieczętować klucza zawijania z polityką PCR: %s\n" -#: src/zfs.cpp:98 +#: src/zfs.cpp:110 #, c-format msgid "You might need to run \"zfs inherit %s %s\" and \"zfs inherit %s %s\" to fully clear metadata!\n" msgstr "Możliwe, że potrzebujesz uruchomić \"zfs inherit %s %s\" i \"zfs inherit %s %s\" żeby całkowicie pozbyć się metadanych!\n" -#: src/zfs.cpp:113 +#: src/zfs.cpp:125 #, c-format msgid "Dataset %s not encrypted with tzpfms!\n" msgstr "Dataset %s nie jest szyfrowany tzpfms!\n" -#: src/zfs.cpp:115 +#: src/zfs.cpp:127 #, c-format msgid "Dataset %s encrypted with tzpfms back-end %s, but we are %s.\n" msgstr "Dataset %s szyfrowany tzpfms %s, ale ten program rozumie %s.\n" -#: src/zfs.cpp:119 +#: src/zfs.cpp:131 #, c-format msgid "Dataset %s missing key data.\n" msgstr "Dataset %s nie ma klucza.\n" #. / Mimic libzfs error output -#: src/zfs.hpp:26 +#: src/zfs.hpp:28 #, c-format msgid "Key change error: Key must be loaded.\n" msgstr "Błąd zmiany klucza: Klucz musi być załadowany.\n" #. dataset name: (null), 0A123... #. dataset name: TPM1.X, (null) -#: src/zfs.hpp:70 +#: src/zfs.hpp:68 #, c-format msgid "Inconsistent tzpfms metadata for %s: back-end is %s, but handle is %s?\n" msgstr "Niespójne metadane tzpfms dla %s: tzpfms %s ale obiekt z kluczem %s?\n" -#: src/zfs.hpp:75 +#: src/zfs.hpp:73 #, c-format msgid "Dataset %s was encrypted with tzpfms back-end %s before, but we are %s. You will have to free handle %s for back-end %s manually!\n" msgstr "Dataset %s był zaszyfrowany tzpfms %s, ale ten program rozumie %s. 
Konieczne będzie ręczne usunięcie obiektu z kluczem %s %s!\n" -#: src/zfs_meat.cpp:33 +#: src/zfs_meat.cpp:29 #, c-format msgid "Key for %s changed\n" msgstr "Klucz do %s zmieniony\n" -#: src/zfs_meat.cpp:46 +#: src/zfs_meat.cpp:42 #, c-format msgid "Key for %s OK\n" msgstr "Klucz do %s OK\n" -#: src/zfs_meat.cpp:48 +#: src/zfs_meat.cpp:44 #, c-format msgid "Key for %s loaded\n" msgstr "Klucz do %s załadowany\n" -#: src/bin/zfs-tpm1x-change-key.cpp:30 +#: src/bin/zfs-tpm1x-change-key.cpp:26 msgid "[-b backup-file] [-P PCR[,PCR]…]" msgstr "[-b plik-z-backupem] [-P PCR[,PCR]…]" #. 0A1234... follows -#: src/bin/zfs-tpm1x-load-key.cpp:71 +#: src/bin/zfs-tpm1x-load-key.cpp:67 #, c-format msgid "Wrong sealed data length (%u != %zu): " msgstr "Zła długość zaplombowanych danych (%u != %zu): " -#: src/bin/zfs-tpm2-change-key.cpp:25 +#: src/bin/zfs-tpm2-change-key.cpp:21 msgid "[-b backup-file] [-P algorithm:PCR[,PCR]…[+algorithm:PCR[,PCR]…]… [-A]]" msgstr "[-b plik-z-backupem] [-P algorytm:PCR[,PCR]…[+algorytm:PCR[,PCR]…]… [-A]]" -#: src/bin/zfs-tpm2-change-key.cpp:72 +#: src/bin/zfs-tpm2-change-key.cpp:68 #, c-format msgid "Couldn't parse previous persistent handle for dataset %s. You might need to run \"tpm2_evictcontrol -c %s\" or equivalent!\n" msgstr "Nie udało się rozczytać poprzedniego obiektu z kluczem dla %s. Możliwe, że potrzeba będzie uruchomić \"tpm2_evictcontrol -c %s\", albo jego ekwiwalent!\n" -#: src/bin/zfs-tpm2-change-key.cpp:78 +#: src/bin/zfs-tpm2-change-key.cpp:74 #, c-format msgid "Couldn't free previous persistent handle for dataset %s. You might need to run \"tpm2_evictcontrol -c 0x%X\" or equivalent!\n" msgstr "Nie udało się uwolnić poprzedniego obiektu z kluczem dla %s. Możliwe, że potrzeba będzie uruchomić \"tpm2_evictcontrol -c 0x%X\", albo jego ekwiwalent!\n" -#: src/bin/zfs-tpm2-change-key.cpp:94 +#: src/bin/zfs-tpm2-change-key.cpp:89 #, c-format msgid "Couldn't free persistent handle. 
You might need to run \"tpm2_evictcontrol -c 0x%X\" or equivalent!\n" msgstr "Nie udało się uwolnić obiektu z kluczem. Możliwe, że potrzeba będzie uruchomić \"tpm2_evictcontrol -c 0x%X\", albo jego ekwiwalent!\n" diff --git a/src/bin/zfs-tpm1x-change-key.cpp b/src/bin/zfs-tpm1x-change-key.cpp index 9ebf34f..824a324 100644 --- a/src/bin/zfs-tpm1x-change-key.cpp +++ b/src/bin/zfs-tpm1x-change-key.cpp @@ -1,10 +1,6 @@ /* SPDX-License-Identifier: MIT */ -#include -// #include -#define WRAPPING_KEY_LEN 32 - #include #include @@ -80,10 +76,15 @@ int main(int argc, char ** argv) { } - uint8_t * wrap_key{}; - TRY_TPM1X("get random data from TPM", Tspi_TPM_GetRandom(tpm_h, WRAPPING_KEY_LEN, &wrap_key)); + uint8_t wrap_key[WRAPPING_KEY_LEN]; + { + BYTE * rand{}; + TRY_TPM1X("get random data from TPM", Tspi_TPM_GetRandom(tpm_h, sizeof(wrap_key), &rand)); + memcpy(wrap_key, rand, sizeof(wrap_key)); + Tspi_Context_FreeMemory(tpm_h, rand); + } if(backup) - TRY_MAIN(write_exact(backup, wrap_key, WRAPPING_KEY_LEN, 0400)); + TRY_MAIN(write_exact(backup, wrap_key, sizeof(wrap_key), 0400)); TSS_HOBJECT parent_key{}; @@ -136,7 +137,7 @@ int main(int argc, char ** argv) { }}; - TRY_TPM1X("seal wrapping key data", Tspi_Data_Seal(sealed_object, parent_key, WRAPPING_KEY_LEN, wrap_key, bound_pcrs)); + TRY_TPM1X("seal wrapping key data", Tspi_Data_Seal(sealed_object, parent_key, sizeof(wrap_key), wrap_key, bound_pcrs)); uint8_t * parent_key_blob{}; diff --git a/src/bin/zfs-tpm1x-load-key.cpp b/src/bin/zfs-tpm1x-load-key.cpp index 616d9fa..d9b023b 100644 --- a/src/bin/zfs-tpm1x-load-key.cpp +++ b/src/bin/zfs-tpm1x-load-key.cpp @@ -1,10 +1,6 @@ /* SPDX-License-Identifier: MIT */ -#include -// #include -#define WRAPPING_KEY_LEN 32 - #include #include #include diff --git a/src/bin/zfs-tpm2-change-key.cpp b/src/bin/zfs-tpm2-change-key.cpp index 5354bf5..e4ed3b9 100644 --- a/src/bin/zfs-tpm2-change-key.cpp +++ b/src/bin/zfs-tpm2-change-key.cpp 
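Review bot: In the `@@ -80,10 +76,15 @@` hunk of src/bin/zfs-tpm1x-change-key.cpp, `Tspi_Context_FreeMemory(tpm_h, rand)` is passed the same handle that `Tspi_TPM_GetRandom` takes as its TPM object, whereas the TSS API expects the context handle in that position. The call therefore probably fails with an invalid-handle error and leaves the buffer allocated, and because its return value is discarded this would go unnoticed. `rand` holds the raw wrapping key, so it should be wiped before release: `explicit_bzero(rand, sizeof(wrap_key));` followed by `Tspi_Context_FreeMemory(/* TSS context handle */, rand);`, with the result checked or at least logged. As far as the hunk shows, the new stack copy `wrap_key` is also never cleared after it has been written to the backup and sealed; `main` continues outside the hunk, so confirm this against the exit paths.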
@@ -1,10 +1,6 @@ /* SPDX-License-Identifier: MIT */ -#include -// #include -#define WRAPPING_KEY_LEN 32 - #include #include "../fd.hpp" @@ -81,12 +77,11 @@ int main(int argc, char ** argv) { })); uint8_t wrap_key[WRAPPING_KEY_LEN]; - TPMI_DH_PERSISTENT persistent_handle{}; - TRY_MAIN(tpm2_generate_rand(tpm2_ctx, wrap_key, sizeof(wrap_key))); if(backup) TRY_MAIN(write_exact(backup, wrap_key, sizeof(wrap_key), 0400)); + TPMI_DH_PERSISTENT persistent_handle{}; TRY_MAIN(tpm2_seal(zfs_get_name(dataset), tpm2_ctx, tpm2_session, persistent_handle, pcrs, allow_PCR_or_pass, wrap_key, sizeof(wrap_key))); bool ok = false; // Try to free the persistent handle if we're unsuccessful in actually using it later on quickscope_wrapper persistent_clearer{[&] { diff --git a/src/bin/zfs-tpm2-load-key.cpp b/src/bin/zfs-tpm2-load-key.cpp index 269d83c..3b2c636 100644 --- a/src/bin/zfs-tpm2-load-key.cpp +++ b/src/bin/zfs-tpm2-load-key.cpp @@ -1,10 +1,6 @@ /* SPDX-License-Identifier: MIT */ -#include -// #include -#define WRAPPING_KEY_LEN 32 - #include #include "../fd.hpp" diff --git a/src/zfs.hpp b/src/zfs.hpp index 5a0af1a..75ea457 100644 --- a/src/zfs.hpp +++ b/src/zfs.hpp @@ -6,6 +6,8 @@ #include #include +// #include +#define WRAPPING_KEY_LEN 32 #include "main.hpp" @@ -48,14 +50,10 @@ extern int parse_key_props(zfs_handle_t * in, const char * our_backend, char *& /// Rewrap key on on to wrap_key. -/// -/// wrap_key must be WRAPPING_KEY_LEN long. -extern int change_key(zfs_handle_t * on, const uint8_t * wrap_key); +extern int change_key(zfs_handle_t * on, const uint8_t (&wrap_key)[WRAPPING_KEY_LEN]); /// (Try to) load key wrap_key for for_d. -/// -/// wrap_key must be WRAPPING_KEY_LEN long. -extern int load_key(zfs_handle_t * for_d, const uint8_t * wrap_key, bool noop); +extern int load_key(zfs_handle_t * for_d, const uint8_t (&wrap_key)[WRAPPING_KEY_LEN], bool noop); /// Check back-end integrity; if the previous backend matches this_backend, run func(); otherwise warn. template 
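Review bot: `#define WRAPPING_KEY_LEN 32` in the `@@ -6,6 +6,8 @@` hunk of src/zfs.hpp carries no comment saying where the value comes from. It now fixes the array type in the `change_key` and `load_key` signatures and the `wrap_key` buffer in every back-end binary, while the header it presumably mirrors appears only as a commented-out `// #include`. If it really is a local copy of a libzfs constant, a mismatch would make every back-end feed libzfs a key of the wrong length. I would add a comment above the define, for example `// Local copy of the libzfs wrapping-key length; must stay equal to the value libzfs expects.` A `static_assert` against the real definition is worth adding wherever that header can be included.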
diff --git a/src/zfs_meat.cpp b/src/zfs_meat.cpp index 2317fb8..fb35490 100644 --- a/src/zfs_meat.cpp +++ b/src/zfs_meat.cpp @@ -5,10 +5,6 @@ #include "main.hpp" #include "zfs.hpp" -#include -// #include -#define WRAPPING_KEY_LEN 32 - template static int with_stdin_at_buffer(const void * buf, size_t buf_len, F && func) { @@ -20,13 +16,13 @@ static int with_stdin_at_buffer(const void * buf, size_t buf_len, F && func) { } -int change_key(zfs_handle_t * on, const uint8_t * wrap_key) { +int change_key(zfs_handle_t * on, const uint8_t (&wrap_key)[WRAPPING_KEY_LEN]) { /// zfs_crypto_rewrap() with "prompt" reads from stdin, but not if it's a TTY; /// this user-proofs the set-up, and means we don't have to touch the filesysten: /// instead, get an FD, write the raw key data there, dup() it onto stdin, /// let libzfs read it, then restore stdin - return with_stdin_at_buffer(wrap_key, WRAPPING_KEY_LEN, [&] { + return with_stdin_at_buffer(wrap_key, sizeof(wrap_key), [&] { if(zfs_crypto_rewrap(on, TRY_PTR("get rewrap args", rewrap_args()), B_FALSE)) return __LINE__; // Error printed by libzfs else @@ -37,8 +33,8 @@ int change_key(zfs_handle_t * on, const uint8_t * wrap_key) { } -int load_key(zfs_handle_t * for_d, const uint8_t * wrap_key, bool noop) { - return with_stdin_at_buffer(wrap_key, WRAPPING_KEY_LEN, [&] { +int load_key(zfs_handle_t * for_d, const uint8_t (&wrap_key)[WRAPPING_KEY_LEN], bool noop) { + return with_stdin_at_buffer(wrap_key, sizeof(wrap_key), [&] { if(zfs_crypto_load_key(for_d, noop ? B_TRUE : B_FALSE, nullptr)) return __LINE__; // Error printed by libzfs else //
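Review bot: `sizeof(wrap_key)` in `change_key` (the `@@ -20,13 +16,13 @@` hunk of src/zfs_meat.cpp) equals the key length only while the parameter stays a reference to an array; the same applies to `load_key` in the following hunk. If either signature is ever changed back to `const uint8_t *`, the expression still compiles but evaluates to the pointer size, and a truncated key is handed to `with_stdin_at_buffer` for libzfs to read. Either keep `WRAPPING_KEY_LEN` as the length argument or pin the assumption at the top of both functions with `static_assert(sizeof(wrap_key) == WRAPPING_KEY_LEN, "wrap_key must be an array reference");`. The body of `change_key` ends outside this hunk.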