From 6227ce12626da0eb8a0013d5ce4eb83187101582 Mon Sep 17 00:00:00 2001
From: Fabian Keil <fk@fabiankeil.de>
Date: Sun, 27 Mar 2016 14:22:52 +0200
Subject: [PATCH] geli setkey: Fix key change from passphrase-based to
 passphrase-less

Previously the iterations count wasn't reset resulting in
a passphrase prompt that would not accept any passphrase:

fk@r500 ~ $sudo geli attach -k /bpool/boot/rpool.key /dev/gpt/rpool-ada1
Enter passphrase:
fk@r500 ~ $geli dump /dev/gpt/rpool-ada1
Metadata on /dev/gpt/rpool-ada1:
     magic: GEOM::ELI
   version: 7
     flags: 0x0
     ealgo: AES-XTS
    keylen: 128
  provsize: 1073741824
sectorsize: 512
      keys: 0x01
iterations: 463852
      Salt: [...]
Master Key: [...]
  MD5 hash: e8693274fecc65d2a13c0071fb9413b3

fk@r500 ~ $sudo geli setkey -K /bpool/boot/rpool.key -P /dev/gpt/rpool-ada1
Note, that the master key encrypted with old keys and/or passphrase may still exists in a metadata backup file.
fk@r500 ~ $geli dump /dev/gpt/rpool-ada1
Metadata on /dev/gpt/rpool-ada1:
     magic: GEOM::ELI
   version: 7
     flags: 0x0
     ealgo: AES-XTS
    keylen: 128
  provsize: 1073741824
sectorsize: 512
      keys: 0x01
iterations: 463852
      Salt: [...]
Master Key: [...]
  MD5 hash: a443402c3b97cb37494283f8f722994d
fk@r500 ~ $sudo geli detach gpt/rpool-ada1
fk@r500 ~ $sudo geli attach -k /bpool/boot/rpool.key /dev/gpt/rpool-ada1
Enter passphrase:
geli: Wrong key for gpt/rpool-ada1.

From userland the promt could be suppressed with "-p"
(which is required for passphrase-less keys anyway),
but attaching at boot time wasn't possible.

PR:            196834
Reported by:   Julian Hsiao
Obtained from: ElectroBSD
---
 sbin/geom/class/eli/geom_eli.c | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/sbin/geom/class/eli/geom_eli.c b/sbin/geom/class/eli/geom_eli.c
index 199a431..2329c35 100644
--- a/sbin/geom/class/eli/geom_eli.c
+++ b/sbin/geom/class/eli/geom_eli.c
@@ -1012,8 +1012,16 @@ eli_setkey_attached(struct gctl_req *req, struct g_eli_metadata *md)
 	/* Check if iterations number should be changed. */
 	if (val != -1)
 		md->md_iterations = val;
-	else
+	else {
 		old = md->md_iterations;
+		/*
+		 * If the new key does not require a passphrase,
+		 * the iterations count has to be reset to reflect
+		 * this.
+		 */
+		if (gctl_get_int(req, "nonewpassphrase") == 1)
+			md->md_iterations = -1;
+	}
 
 	/* Generate key for Master Key encryption. */
 	if (eli_genkey(req, md, key, true) == NULL) {
@@ -1098,7 +1106,14 @@ eli_setkey_detached(struct gctl_req *req, const char *prov,
 			return;
 		}
 		md->md_iterations = val;
-	}
+	} else if (gctl_get_int(req, "nonewpassphrase") == 1) {
+		/*
+		 * If the new key does not require a passphrase,
+		 * the iterations count has to be reset to reflect
+		 * this.
+		 */
+		md->md_iterations = -1;
+        }
 
 	mkeydst = md->md_mkeys + nkey * G_ELI_MKEYLEN;
 	md->md_keys |= (1 << nkey);
-- 
2.7.4