196834 – geli setkey -P doesn't reset md_iterations

Bug 196834 - geli setkey -P doesn't reset md_iterations

Summary: geli setkey -P doesn't reset md_iterations

Status:	Closed FIXED

Alias:	None

Product:	Base System
Classification:	Unclassified
Component:	bin (show other bugs)
Version:	10.1-RELEASE
Hardware:	Any Any

Importance:	--- Affects Only Me
Assignee:	freebsd-geom (Nobody)

URL:
Keywords:

Depends on:
Blocks:

Reported:	2015-01-18 03:32 UTC by Julian Hsiao
Modified:	2019-01-21 10:02 UTC (History)
CC List:	4 users (show)

See Also:

Attachments
geli setkey: Fix key change from passphrase-based to passphrase-less (2.89 KB, patch) 2016-03-27 15:24 UTC, Fabian Keil	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Julian Hsiao 2015-01-18 03:32:47 UTC

Overview:

When removing passphrase from a geli device with both passphrase and keyfile, the iteration counter, md_iterations, isn't reset to the default value of -1.

Steps to Reproduce:

# geli init -b -B none -e AES-XTS -K /boot/encryption.key -l 128 -s 4096 ada1
Enter new passphrase:
Reenter new passphrase:
# geli dump ada1 | grep iterations
iterations: 534226
# geli setkey -k /boot/encryption.key -K /boot/encryption.key -P ada1
Enter passphrase:
Note, that the master key encrypted with old keys and/or passphrase may still exists in a metadata backup file.
# geli dump ada1 | grep iterations
iterations: 534226

Expected Results:

iterations: -1

Additional Information:

The stale md_iterations isn't a problem when manipulating the geli device from the command line, because it's effectively ignored with -p. However, some code, such as g_eli_taste(), checks md_iterations == -1 to determine whether a passphrase is set or not. Thus, even after removing the passphrase, it'll still prompt for one. I ran into that problem here: <http://article.gmane.org/gmane.os.freebsd.questions/311256>.

I was able to work around the problem:

# geli setkey -i $(echo '2^32-1' | bc) -k /boot/encryption.key -K /boot/encryption.key -p -P ada1
Note, that the master key encrypted with old keys and/or passphrase may still exists in a metadata backup file.
# geli dump ada1 | grep iterations
iterations: 4294967295

Note that "geli setkey -i -1" won't work. Also note that while md_iterations is a int32_t, eli_metadata_dump() casts it to a u_int. There are some other minor quirks with eli_metadata_dump(); should I file another PR or just tack it on to this one?

Comment 1 Fabian Keil 2016-03-27 15:24:58 UTC

Created attachment 168685 [details]
geli setkey: Fix key change from passphrase-based to passphrase-less

I rediscovered this bug in ElectroBSD and used the
attached patch to fix it.

I also rediscovered the incorrect iteration count and
filed #208305 for this before I became aware of this PR.

Comment 2 commit-hook freebsd_committer

2017-04-21 07:44:50 UTC

A commit references this bug:

Author: mav
Date: Fri Apr 21 07:43:44 UTC 2017
New revision: 317247
URL: https://svnweb.freebsd.org/changeset/base/317247

Log:
  Dump md_iterations as signed, which it really is.

  PR:		208305
  PR:		196834
  MFC after:	2 weeks

Changes:
  head/sys/geom/eli/g_eli.h

Comment 3 commit-hook freebsd_committer

2017-05-06 00:52:13 UTC

A commit references this bug:

Author: mav
Date: Sat May  6 00:51:26 UTC 2017
New revision: 317859
URL: https://svnweb.freebsd.org/changeset/base/317859

Log:
  MFC r317247: Dump md_iterations as signed, which it really is.

  PR:		208305
  PR:		196834

Changes:
_U  stable/11/
  stable/11/sys/geom/eli/g_eli.h

Comment 4 Oleksandr Tymoshenko freebsd_committer

2019-01-21 10:02:01 UTC

There is a commit referencing this PR, but it's still not closed and has been inactive for some time. Closing the PR as fixed but feel free to re-open it if the issue hasn't been completely resolved.

Thanks