From 88ec0728a501d2ee9112ed802e2e1f94aa2ca01b Mon Sep 17 00:00:00 2001
From: CyberLeo
Date: Sun, 27 Apr 2014 05:16:12 -0500
Subject: [PATCH] cdn-patch: adjust geli boot-time unlock behaviour

This patch will cause geli's boot-time unlock code to attempt unlocking the container using only the preloaded keyfile(s); and only when that fails will it prompt for a passphrase. If a container has a keyfile in one slot and a passphrase in the other, the boot-time unlock code will get confused and assume they are to be combined, resulting in a container that cannot be unlocked during boot when its keyfile is preloaded.
---
 sys/geom/eli/g_eli.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/sys/geom/eli/g_eli.c b/sys/geom/eli/g_eli.c
index 18e3cc4..16cc0b9 100644
--- a/sys/geom/eli/g_eli.c
+++ b/sys/geom/eli/g_eli.c
@@ -1062,7 +1062,8 @@ g_eli_taste(struct g_class *mp, struct g_provider *pp, int flags __unused)
 		tries = 1;
 	} else {
 		/* Ask for the passphrase no more than g_eli_tries times. */
-		tries = g_eli_tries;
+		/* CyberLeo: Add one to test first without password. */
+		tries = g_eli_tries + 1;
 	}
 
 	for (i = 0; i < tries; i++) {
@@ -1088,7 +1089,8 @@ g_eli_taste(struct g_class *mp, struct g_provider *pp, int flags __unused)
 		}
 
 		/* Ask for the passphrase if defined. */
-		if (md.md_iterations >= 0) {
+		/* CyberLeo: Don't ask if this is the first try */
+		if (i > 0 && md.md_iterations >= 0) {
 			printf("Enter passphrase for %s: ", pp->name);
 			cngets(passphrase, sizeof(passphrase),
 			    g_eli_visible_passphrase);
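Review bot: The comment kept on the line above the change, `/* Ask for the passphrase no more than g_eli_tries times. */`, no longer describes the loop bound: the loop now runs g_eli_tries + 1 times and the first pass is meant to be a key-file-only attempt, so a reader of the final file sees two comments that contradict each other. Replace both comment lines with one that states the intent rather than the author, e.g. `/* Try the preloaded key files alone first, then ask for the passphrase up to g_eli_tries times. */`; authorship belongs in the commit record, and the same "CyberLeo:" attribution style appears in the other two hunks of this patch. The enclosing if/else and the for loop body continue outside the hunk.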
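Review bot: The silent first pass is attempted even when no key file was preloaded: with `i == 0` the prompt is skipped, nothing but the key files loaded earlier in the loop body (outside the hunk) goes into the HMAC context, and for a passphrase-only provider the decrypt further down the loop must fail, so every boot of such a provider starts with a spurious wrong-key report and one burned attempt before the user is asked anything. The skip should depend on at least one key file having been loaded; the count the key-file loader returns earlier in the loop (nkeyfiles in the current tree, if I recall the surrounding code correctly) is the natural input. Computing the decision once, right after the key files are loaded, e.g. `keyfiles_only = (i == 0 && nkeyfiles > 0);`, and writing the prompt guard as `if (!keyfiles_only && md.md_iterations >= 0) {` keeps passphrase-only providers on the old behaviour; the same substitution applies to the two `i > 0 &&` guards in the next hunk. The comment added above the condition should say why the pass is skipped rather than who added it.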
@@ -1096,14 +1098,15 @@ g_eli_taste(struct g_class *mp, struct g_provider *pp, int flags __unused)
 		/*
 		 * Prepare Derived-Key from the user passphrase.
+		 * CyberLeo: But only after the first try.
 		 */
-		if (md.md_iterations == 0) {
+		if (i > 0 && md.md_iterations == 0) {
 			g_eli_crypto_hmac_update(&ctx, md.md_salt,
 			    sizeof(md.md_salt));
 			g_eli_crypto_hmac_update(&ctx, passphrase,
 			    strlen(passphrase));
 			bzero(passphrase, sizeof(passphrase));
-		} else if (md.md_iterations > 0) {
+		} else if (i > 0 && md.md_iterations > 0) {
 			u_char dkey[G_ELI_USERKEYLEN];
 
 			pkcs5v2_genkey(dkey, sizeof(dkey), md.md_salt,
-- 
2.1.0
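Review bot: The `i > 0 &&` guard is repeated on both branches of the if/else-if, and it has to stay exactly in step with the guard on the passphrase prompt in the previous hunk: on any pass where the prompt is skipped but derivation still runs, the HMAC would consume whatever the `passphrase` buffer happens to hold (uninitialized on the first pass, as nothing in this hunk fills it before use) as if it were user input. Wrapping the whole if/else-if in a single `if (i > 0) { ... }`, or guarding both the prompt and the derivation with one variable computed once per pass, removes the duplication and makes the two decisions impossible to drift apart. The if/else-if and the function continue past the end of the hunk.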