Date: Sun, 09 Apr 2017 19:39:36 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 218512] Geli arbitrarily prevents setting passphrases
Message-ID: <bug-218512-8@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218512

            Bug ID: 218512
           Summary: Geli arbitrarily prevents setting passphrases
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: fhriley@gmail.com

In the geli metadata, there is one field that specifies the pkcs5v2 iterations, which means it is used for both keys. Because of this, the code needs to prevent the user from setting a passphrase with a given (or calculated) iterations, and then setting a second passphrase with a different iterations. If it didn't, the first passphrase would get invalidated. The existing geli code does this, but in a naive way that leads to weird failures that, logically, should not fail, and drastically reduce the usability of geli.

For example, the current code prevents the following:

- Set two keys, then set a passphrase on one key
- Set one key, then set a second key with passphrase using -i
- Set one passphrase, then change the iterations

The first and second ones are especially bad because it means you have to reissue keys if you want to set a password on an existing key (FreeNAS does this). Also, if you set two keys with passphrases, geli will forever think a passphrase is set, even if you replace those two keys without passphrases, because the current code has no way to know if a passphrase is set on a key.

I am submitting a git pull request to fix all of the above.

--
You are receiving this mail because:
You are the assignee for the bug.
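The constraint the report describes, as an added model (not geli's code, nor the reporter's pull request): one shared iteration count, two key slots, and a check that only refuses a setkey when it would actually invalidate another slot's passphrase. The slot bookkeeping, the field names and the stand-in default count are assumptions of this model.

```python
# Added model of the rule argued for in the bug report; not geli's own code.
# A single pkcs5v2 iteration count in the metadata is shared by both key slots,
# so a passphrase key may be added or changed with a different count only when
# no OTHER slot currently holds a passphrase-protected key. The per-slot
# bookkeeping and DEFAULT_ITERATIONS are assumptions made for this model.
from dataclasses import dataclass, field
from typing import Optional, Set

DEFAULT_ITERATIONS = 100000  # constructed stand-in for geli's calculated count


@dataclass
class GeliMeta:
    iterations: Optional[int] = None           # shared count; None = no passphrase key
    passphrase_slots: Set[int] = field(default_factory=set)  # slots protected by a passphrase
    used_slots: Set[int] = field(default_factory=set)


def setkey(md: GeliMeta, slot: int, passphrase: bool,
           iterations: Optional[int] = None) -> bool:
    """Set key in `slot`. True if allowed, False if it would invalidate another key."""
    if slot not in (0, 1):
        raise ValueError("geli has two key slots")
    others = md.passphrase_slots - {slot}
    if passphrase:
        if iterations is None:
            # Reuse the shared count if another passphrase key exists, else calculate one
            # (corresponds to running setkey without -i).
            iterations = md.iterations if others else DEFAULT_ITERATIONS
        if others and iterations != md.iterations:
            return False  # would silently break the other passphrase-protected key
        md.iterations = iterations
        md.passphrase_slots.add(slot)
    else:
        md.passphrase_slots.discard(slot)
        if not md.passphrase_slots:
            md.iterations = None  # no passphrase key left, so forget the count
    md.used_slots.add(slot)
    return True
```

The three scenarios listed in the report are all accepted by this rule, while replacing one of two passphrase keys with a different count is still refused.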