author | pjd <pjd@FreeBSD.org> | 2006-02-11 13:04:10 +0000 |
---|---|---|
committer | pjd <pjd@FreeBSD.org> | 2006-02-11 13:04:10 +0000 |
commit | 8f76601c2594cd9bef0e7f8439fcfc9f4487911d (patch) | |
tree | f268b0edc1508624c84386a43e0f2701b4b9b5e5 | |
parent | f9926daa991d642b6d76923afa06dabe1a4b0b74 (diff) | |
- Allow to use -b without passphrase or with keyfiles as it will be
supported for a moment.
- Don't allow to use -i when no passphrase is given. Now if iterations is
equal to -1 (not set), we know that we should not ask for the passphrase
on boot.
It still doesn't handle the situation where one key is protected with a
passphrase and the other is not. There is no quick fix for this.
The complete solution will be to make the number of iterations a per-key
value. Because this needs a metadata format change and is only needed for
devices attached on boot, I'll leave it as it is for now.
MFC after: 3 days
-rw-r--r-- | sbin/geom/class/eli/geom_eli.c | 36 |
1 files changed, 16 insertions, 20 deletions
diff --git a/sbin/geom/class/eli/geom_eli.c b/sbin/geom/class/eli/geom_eli.c
index 76655a3..c4577a1 100644
--- a/sbin/geom/class/eli/geom_eli.c
+++ b/sbin/geom/class/eli/geom_eli.c
@@ -501,7 +501,7 @@ eli_init(struct gctl_req *req)
 unsigned secsize;
 off_t mediasize;
 intmax_t val;
- int error, nargs, boot;
+ int error, nargs;
 nargs = gctl_get_int(req, "nargs");
 if (nargs != 1) {
@@ -521,26 +521,8 @@ eli_init(struct gctl_req *req)
 strlcpy(md.md_magic, G_ELI_MAGIC, sizeof(md.md_magic));
 md.md_version = G_ELI_VERSION;
 md.md_flags = 0;
- boot = gctl_get_int(req, "boot");
- if (boot) {
- int nonewpassphrase;
-
- /* Part of key cannot be read on boot from a file. */
- str = gctl_get_ascii(req, "newkeyfile");
- if (str[0] != '\0') {
- gctl_error(req,
- "Options -b and -K are mutually exclusive.");
- return;
- }
- /* Key has to be given as a passphrase on boot. */
- nonewpassphrase = gctl_get_int(req, "nonewpassphrase");
- if (nonewpassphrase) {
- gctl_error(req,
- "Options -b and -P are mutually exclusive.");
- return;
- }
+ if (gctl_get_int(req, "boot"))
 md.md_flags |= G_ELI_FLAG_BOOT;
- }
 str = gctl_get_ascii(req, "algo");
 md.md_algo = g_eli_str2algo(str);
 if (md.md_algo < CRYPTO_ALGORITHM_MIN ||
@@ -558,6 +540,20 @@ eli_init(struct gctl_req *req)
 md.md_provsize = mediasize;
 val = gctl_get_intmax(req, "iterations");
+ if (val != -1) {
+ int nonewpassphrase;
+
+ /*
+ * Don't allow to set iterations when there will be no
+ * passphrase.
+ */
+ nonewpassphrase = gctl_get_int(req, "nonewpassphrase");
+ if (nonewpassphrase) {
+ gctl_error(req,
+ "Options -i and -P are mutually exclusive.");
+ return;
+ }
+ }
 md.md_iterations = val;
 val = gctl_get_intmax(req, "sectorsize"); |
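Review bot: In the third hunk, every `iterations` value other than -1 is treated as user-supplied and then assigned to `md.md_iterations` with no range check, so `-i 0` or a negative number such as -2 would reach the metadata unchanged. Because -1 now also marks "no passphrase, do not ask on boot", and the count presumably feeds the passphrase key derivation, a guard before the assignment would help, for example `if (val != -1 && (val < 1 || val > INT_MAX)) { gctl_error(req, "Invalid number of iterations."); return; }`; the upper bound assumes `md_iterations` is an int-sized field, which is not visible here. A one-line comment at `md.md_iterations = val;` saying that -1 means "not set; no passphrase is asked for on boot" would record the invariant that only the commit message states today. eli_init's body starts and ends outside the hunk, so a later check may already exist.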