- Allow to use -b without passphrase or with keyfiles as it will be

supported for a moment. - Don't allow to use -i when no passphrase is given. Now if iterations is equal to -1 (not set), we know that we should not ask for the passphrase on boot. It still doesn't handle situation when one key is protected with passphrase and the other is not. There is no quick fix for this. The complete solution will be to make number of iterations a per-key value. Because this need metadata format change and is only needed for devices attached on boot, I'll leave it as it is for now. MFC after: 3 days
svn path=/head/; revision=155536
2006-02-11 13:04:10 +00:00 · 2006-02-11 13:04:10 +00:00 · f2aa80d883 · 2020-12-20 02:59:44 +00:00
commit f2aa80d883
parent a80f82a4a3
1 changed files with 16 additions and 20 deletions
--- a/sbin/geom/class/eli/geom_eli.c
+++ b/sbin/geom/class/eli/geom_eli.c
@ -501,7 +501,7 @@ eli_init(struct gctl_req *req)
 	unsigned secsize;
 	off_t mediasize;
 	intmax_t val;
-	int error, nargs, boot;
+	int error, nargs;

 	nargs = gctl_get_int(req, "nargs");
 	if (nargs != 1) {
@ -521,26 +521,8 @@ eli_init(struct gctl_req *req)
 	strlcpy(md.md_magic, G_ELI_MAGIC, sizeof(md.md_magic));
 	md.md_version = G_ELI_VERSION;
 	md.md_flags = 0;
-	boot = gctl_get_int(req, "boot");
-	if (boot) {
-		int nonewpassphrase;
-
-		/* Part of key cannot be read on boot from a file. */
-		str = gctl_get_ascii(req, "newkeyfile");
-		if (str[0] != '\0') {
-			gctl_error(req,
-			    "Options -b and -K are mutually exclusive.");
-			return;
-		}
-		/* Key has to be given as a passphrase on boot. */
-		nonewpassphrase = gctl_get_int(req, "nonewpassphrase");
-		if (nonewpassphrase) {
-			gctl_error(req,
-			    "Options -b and -P are mutually exclusive.");
-			return;
-		}
+	if (gctl_get_int(req, "boot"))
 		md.md_flags |= G_ELI_FLAG_BOOT;
-	}
 	str = gctl_get_ascii(req, "algo");
 	md.md_algo = g_eli_str2algo(str);
 	if (md.md_algo < CRYPTO_ALGORITHM_MIN ||
@ -558,6 +540,20 @@ eli_init(struct gctl_req *req)
 	md.md_provsize = mediasize;

 	val = gctl_get_intmax(req, "iterations");
+	if (val != -1) {
+		int nonewpassphrase;
+
+		/*
+		 * Don't allow to set iterations when there will be no
+		 * passphrase.
+		 */
+		nonewpassphrase = gctl_get_int(req, "nonewpassphrase");
+		if (nonewpassphrase) {
+			gctl_error(req,
+			    "Options -i and -P are mutually exclusive.");
+			return;
+		}
+	}
 	md.md_iterations = val;

 	val = gctl_get_intmax(req, "sectorsize");