From owner-freebsd-bugs@freebsd.org Sun Apr 9 19:39:36 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 218512] Geli arbitrarily prevents setting passphrases
Date: Sun, 09 Apr 2017 19:39:36 +0000
X-Bugzilla-Type: new
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: CURRENT
X-Bugzilla-Severity: Affects Many People
X-Bugzilla-Who: fhriley@gmail.com
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Content-Type: text/plain; charset="UTF-8"
X-List-Received-Date: Sun, 09 Apr 2017 19:39:36 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218512

            Bug ID: 218512
           Summary: Geli arbitrarily prevents setting passphrases
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: fhriley@gmail.com

In the geli metadata, there is one field that specifies the pkcs5v2 iterations,
which means it is used for both keys. Because of this, the code needs to prevent
the user from setting a passphrase with a given (or calculated) iterations, and
then setting a second passphrase with a different iterations. If it didn't, the
first passphrase would get invalidated. The existing geli code does this, but
in a naive way that leads to weird failures that, logically, should not fail,
and drastically reduces the usability of geli. For example, the current code
prevents the following:

- Set two keys, then set a passphrase on one key
- Set one key, then set a second key with passphrase using -i
- Set one passphrase, then change the iterations

The first and second ones are especially bad because it means you have to
reissue keys if you want to set a password on an existing key (FreeNAS does
this). Also, if you set two keys with passphrases, geli will forever think a
passphrase is set, even if you replace those two keys without passphrases,
because the current code has no way to know if a passphrase is set on a key.

I am submitting a git pull request to fix all of the above.

-- 
You are receiving this mail because:
You are the assignee for the bug.
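The following is an added illustration, not code from the report, the pull request, or geli itself. It models the invariant the report is about: one shared PKCS#5v2 iteration count in the metadata, two key slots, and a check that must stop a second passphrase from silently invalidating the first. The key derivation (PBKDF2-HMAC-SHA512 for the passphrase, HMAC to fold in a keyfile, XOR wrapping with a check tag), the 32-byte master key, the default of 2000 iterations standing in for geli's benchmarked value, and the exact shape of the "naive" rule are all assumptions of the model; geli's real on-disk format and checks differ. The `policy` argument contrasts three behaviours: no check at all (the first passphrase breaks), the naive rule where any occupied slot pins the shared field (reproducing the three refusals listed in the report), and a per-slot "uses passphrase" flag of the kind the report says is missing.

```python
"""Toy model of geli-style metadata: one shared PKCS#5v2 iteration count
and two key slots.  Constructed for illustration of the report above; it
is not geli's on-disk format, its key derivation, or its real checks."""
import hashlib
import hmac
import os

KEY_LEN = 32          # assumed master-key length for the model
DEFAULT_ITERS = 2000  # stands in for the benchmarked value geli picks without -i


def derive_kek(passphrase, keyfile, salt, iterations):
    """Key-encryption key for one slot.  Model assumption: a passphrase goes
    through PBKDF2-HMAC-SHA512 with the shared iteration count, and a keyfile
    is folded in with HMAC.  A keyfile-only slot never touches iterations."""
    kek = b""
    if passphrase is not None:
        kek = hashlib.pbkdf2_hmac("sha512", passphrase, salt, iterations, KEY_LEN)
    if keyfile is not None:
        kek = hmac.new(keyfile, kek, "sha512").digest()[:KEY_LEN]
    if not kek:
        raise ValueError("a slot needs a passphrase, a keyfile, or both")
    return kek


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Metadata:
    def __init__(self, master_key):
        self.master_key = master_key            # held only so set_key can wrap it
        self.salt = os.urandom(16)
        self.iterations = 0                     # ONE field, shared by both slots
        self.slots = [None, None]               # (wrapped master key, check tag)
        self.uses_passphrase = [False, False]   # the per-slot flag the report asks for

    def _blocked(self, n, wanted, policy):
        """Would writing slot n with `wanted` iterations be refused?"""
        if wanted == self.iterations:
            return False
        if policy == "naive":     # assumed naive rule: any occupied slot pins the field
            return any(s is not None for s in self.slots)
        if policy == "per_slot":  # only a slot that really uses a passphrase pins it
            return self.uses_passphrase[1 - n]
        return False              # "none": no check, the other passphrase breaks

    def set_key(self, n, passphrase=None, keyfile=None, iterations=None, policy="naive"):
        """Wrap the master key into slot n, as a `setkey -n n` would."""
        if passphrase is not None:
            wanted = iterations if iterations is not None else (self.iterations or DEFAULT_ITERS)
            if self._blocked(n, wanted, policy):
                raise ValueError("cannot change iterations: another key would be invalidated")
            self.iterations = wanted
        kek = derive_kek(passphrase, keyfile, self.salt, self.iterations)
        wrapped = xor(self.master_key, kek)
        self.slots[n] = (wrapped, hmac.new(kek, wrapped, "sha256").digest())
        self.uses_passphrase[n] = passphrase is not None

    def attach(self, n, passphrase=None, keyfile=None):
        """Unwrap slot n with the CURRENT shared iteration count.  Returns the
        master key, or None when the derived KEK no longer matches the slot."""
        if self.slots[n] is None:
            return None
        wrapped, tag = self.slots[n]
        kek = derive_kek(passphrase, keyfile, self.salt, self.iterations)
        if not hmac.compare_digest(tag, hmac.new(kek, wrapped, "sha256").digest()):
            return None
        return xor(wrapped, kek)

    def passphrase_set(self, policy="naive"):
        """What the tool believes.  The naive answer is 'iterations != 0',
        which stays true after every passphrase slot has been replaced."""
        if policy == "naive":
            return self.iterations != 0
        return any(self.uses_passphrase)


def refuses(meta, n, **kw):
    """True if set_key raised the iteration-change error (state is untouched)."""
    try:
        meta.set_key(n, **kw)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    mk = os.urandom(KEY_LEN)
    m = Metadata(mk)
    m.set_key(0, keyfile=b"keyfile-0")
    m.set_key(1, keyfile=b"keyfile-1")
    print("naive refuses a passphrase on slot 0:", refuses(m, 0, passphrase=b"pw", policy="naive"))
    m.set_key(0, passphrase=b"pw", policy="per_slot")
    print("per-slot: slot 0 opens:", m.attach(0, passphrase=b"pw") == mk,
          "slot 1 still opens:", m.attach(1, keyfile=b"keyfile-1") == mk)
```

The model makes the design point concrete: a keyfile-only slot never derives anything from the shared iteration count, so it has no reason to pin that field, and without a per-slot record of which slots actually use a passphrase the tool can only fall back to "iterations is non-zero", which is exactly the stale belief the report describes.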