FreeBSD Bugzilla – Attachment 147290 Details for Bug 193624: GELI boot-time unlock fails with separate passphrase and keyfile
[patch] Patch to modify GELI boot time unlock behaviour
cdn-patch_geli-boot-unlock-keyfile.patch (text/plain), 2.23 KB, created by cyberleo on 2014-09-14 03:17:49 UTC
>From 88ec0728a501d2ee9112ed802e2e1f94aa2ca01b Mon Sep 17 00:00:00 2001 >From: CyberLeo <cyberleo@cyberleo.net> >Date: Sun, 27 Apr 2014 05:16:12 -0500 >Subject: [PATCH] cdn-patch: adjust geli boot-time unlock behaviour > >This patch will cause geli's boot-time unlock code to attempt unlocking >the container using only the preloaded keyfile(s); and only when that >fails will it prompt for a passphrase. > >If a container has a keyfile in one slot and a passphrase in the other, >the boot-time unlock code will get confused and assume they are to be >combined, resulting in a container that cannot be unlocked during boot >when its keyfile is preloaded. >--- > sys/geom/eli/g_eli.c | 11 +++++++---- > 1 file changed, 7 insertions(+), 4 deletions(-) > >diff --git a/sys/geom/eli/g_eli.c b/sys/geom/eli/g_eli.c >index 18e3cc4..16cc0b9 100644 >--- a/sys/geom/eli/g_eli.c >+++ b/sys/geom/eli/g_eli.c >@@ -1062,7 +1062,8 @@ g_eli_taste(struct g_class *mp, struct g_provider *pp, int flags __unused) > tries = 1; > } else { > /* Ask for the passphrase no more than g_eli_tries times. */ >- tries = g_eli_tries; >+ /* CyberLeo: Add one to test first without password. */ >+ tries = g_eli_tries + 1; > } > > for (i = 0; i < tries; i++) { >@@ -1088,7 +1089,8 @@ g_eli_taste(struct g_class *mp, struct g_provider *pp, int flags __unused) > } > > /* Ask for the passphrase if defined. */ >- if (md.md_iterations >= 0) { >+ /* CyberLeo: Don't ask if this is the first try */ >+ if (i > 0 && md.md_iterations >= 0) { > printf("Enter passphrase for %s: ", pp->name); > cngets(passphrase, sizeof(passphrase), > g_eli_visible_passphrase); 
>@@ -1096,14 +1098,15 @@ g_eli_taste(struct g_class *mp, struct g_provider *pp, int flags __unused) > > /* > * Prepare Derived-Key from the user passphrase. >+ * CyberLeo: But only after the first try. > */ >- if (md.md_iterations == 0) { >+ if (i > 0 && md.md_iterations == 0) { > g_eli_crypto_hmac_update(&ctx, md.md_salt, > sizeof(md.md_salt)); > g_eli_crypto_hmac_update(&ctx, passphrase, > strlen(passphrase)); > bzero(passphrase, sizeof(passphrase)); >- } else if (md.md_iterations > 0) { >+ } else if (i > 0 && md.md_iterations > 0) { > u_char dkey[G_ELI_USERKEYLEN]; > > pkcs5v2_genkey(dkey, sizeof(dkey), md.md_salt, >-- >2.1.0 >
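Review bot: In the hunk at @@ -1062,7 +1062,8 @@, "tries = g_eli_tries + 1;" adds the extra attempt unconditionally in the else branch, and nothing in the visible lines checks that a keyfile was actually preloaded. For a provider that has only a passphrase, the first iteration is then spent on an attempt with no passphrase input before the user is ever prompted. Consider adding the extra try only when at least one keyfile was loaded, and extend the retained comment "Ask for the passphrase no more than g_eli_tries times" so it describes the silent first pass. The "CyberLeo:" attribution belongs in the commit log, not in a source comment.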
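Review bot: In the hunk at @@ -1088,7 +1089,8 @@, the new condition "if (i > 0 && md.md_iterations >= 0)" means a provider whose key slot combines a keyfile with a passphrase, the case the commit message says the old code assumed, now always goes through one failed attempt before the prompt appears. The hunk adds no message telling the operator that a keyfile-only attempt was made, so whatever the first iteration reports on failure will precede the first "Enter passphrase for %s: " prompt without explanation. Consider printing a short notice when falling back from the keyfile-only attempt to the passphrase prompt, and state in the commit message that combined keyfile-plus-passphrase setups take one extra attempt on every boot.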
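Review bot: In the hunk at @@ -1096,14 +1098,15 @@, the "i > 0" test is repeated in both key-derivation branches ("if (i > 0 && md.md_iterations == 0)" and "else if (i > 0 && md.md_iterations > 0)") as well as in the prompt condition of the previous hunk, so the prompt and the derivation can drift apart if a later change touches only one of them. A single local flag set once at the top of the loop body and tested in all three places would keep them in step and make the intent (the first pass uses keyfiles only) explicit. The block comment would read better as a plain description of that first pass than as "CyberLeo: But only after the first try."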