From 5eedd5a914ee252d433bbf25ee5ae95a57904551 Mon Sep 17 00:00:00 2001 From: Fabian Keil Date: Sun, 27 Mar 2016 15:24:02 +0200 Subject: [PATCH 116/310] geli setkey: Prevent passphrase removal if two keys are configured The iterations are shared by both keys and resetting it for one would break the other one as a side-effect. If this is the intention the other key can still be removed with delkey before using setkey for the remaining one. Obtained from: ElectroBSD --- lib/geom/eli/geom_eli.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/lib/geom/eli/geom_eli.c b/lib/geom/eli/geom_eli.c index c3cb960a9fa6..38945c7778a9 100644 --- a/lib/geom/eli/geom_eli.c +++ b/lib/geom/eli/geom_eli.c @@ -1436,6 +1436,14 @@ eli_setkey(struct gctl_req *req) if (eli_metadata_read(req, prov, &md) == -1) return; + if (nonewpassphrase && bitcount32(md.md_keys) != 1 && + md.md_iterations != -1) { + gctl_error(req, "To be able to switch from passphrase" + "-based key to passphrase-less key, only one can " + "be defined."); + return; + } + if (eli_is_attached(prov)) eli_setkey_attached(req, &md); else -- 2.37.1
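Review bot: The error text in the added `gctl_error()` call says "only one can be defined" without naming what "one" refers to or how to get there; suggest wording such as "only one key can be defined" and mentioning `delkey`, which the commit message already names as the way to remove the other key before running `setkey`. The string literal is also split mid-word (`"To be able to switch from passphrase"` followed by `"-based key to ..."`), which makes the message hard to grep for; breaking it at a space would avoid that. In the condition, `bitcount32(md.md_keys) != 1` also matches a count of zero, while the subject line describes the case of two configured keys, so `> 1` would state the intent more directly. The diffstat lists only `lib/geom/eli/geom_eli.c`, so the new restriction on `setkey` is not documented with this change; a short note in the manual page would keep users from meeting it first as a runtime error.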