Bug 196834 - geli setkey -P doesn't reset md_iterations
Summary: geli setkey -P doesn't reset md_iterations
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: bin (show other bugs)
Version: 10.1-RELEASE
Hardware: Any Any
: --- Affects Only Me
Assignee: freebsd-geom mailing list
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-01-18 03:32 UTC by Julian Hsiao
Modified: 2017-05-06 00:52 UTC (History)
3 users (show)

See Also:


Attachments
geli setkey: Fix key change from passphrase-based to passphrase-less (2.89 KB, patch)
2016-03-27 15:24 UTC, Fabian Keil
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Julian Hsiao 2015-01-18 03:32:47 UTC
Overview:

When removing passphrase from a geli device with both passphrase and keyfile, the iteration counter, md_iterations, isn't reset to the default value of -1.

Steps to Reproduce:

# geli init -b -B none -e AES-XTS -K /boot/encryption.key -l 128 -s 4096 ada1
Enter new passphrase:
Reenter new passphrase:
# geli dump ada1 | grep iterations
iterations: 534226
# geli setkey -k /boot/encryption.key -K /boot/encryption.key -P ada1
Enter passphrase:
Note, that the master key encrypted with old keys and/or passphrase may still exists in a metadata backup file.
# geli dump ada1 | grep iterations
iterations: 534226

Expected Results:

iterations: -1

Additional Information:

The stale md_iterations isn't a problem when manipulating the geli device from the command line, because it's effectively ignored with -p.  However, some code, such as g_eli_taste(), checks md_iterations == -1 to determine whether a passphrase is set or not.  Thus, even after removing the passphrase, it'll still prompt for one.  I ran into that problem here: <http://article.gmane.org/gmane.os.freebsd.questions/311256>.

I was able to work around the problem:

# geli setkey -i $(echo '2^32-1' | bc) -k /boot/encryption.key -K /boot/encryption.key -p -P ada1
Note, that the master key encrypted with old keys and/or passphrase may still exists in a metadata backup file.
# geli dump ada1 | grep iterations
iterations: 4294967295

Note that "geli setkey -i -1" won't work.  Also note that while md_iterations is a int32_t, eli_metadata_dump() casts it to a u_int.  There are some other minor quirks with eli_metadata_dump(); should I file another PR or just tack it on to this one?
Comment 1 Fabian Keil 2016-03-27 15:24:58 UTC
Created attachment 168685 [details]
geli setkey: Fix key change from passphrase-based to passphrase-less

I rediscovered this bug in ElectroBSD and used the
attached patch to fix it.

I also rediscovered the incorrect iteration count and
filed #208305 for this before I became aware of this PR.
Comment 2 commit-hook freebsd_committer 2017-04-21 07:44:50 UTC
A commit references this bug:

Author: mav
Date: Fri Apr 21 07:43:44 UTC 2017
New revision: 317247
URL: https://svnweb.freebsd.org/changeset/base/317247

Log:
  Dump md_iterations as signed, which it really is.

  PR:		208305
  PR:		196834
  MFC after:	2 weeks

Changes:
  head/sys/geom/eli/g_eli.h
Comment 3 commit-hook freebsd_committer 2017-05-06 00:52:13 UTC
A commit references this bug:

Author: mav
Date: Sat May  6 00:51:26 UTC 2017
New revision: 317859
URL: https://svnweb.freebsd.org/changeset/base/317859

Log:
  MFC r317247: Dump md_iterations as signed, which it really is.

  PR:		208305
  PR:		196834

Changes:
_U  stable/11/
  stable/11/sys/geom/eli/g_eli.h