authorPawel Jakub Dawidek <pjd@FreeBSD.org>2007-01-25 11:44:03 +0000
committerPawel Jakub Dawidek <pjd@FreeBSD.org>2007-01-25 11:44:03 +0000
commiteeefa1fa7e161f8b5d2e8969458b92809b06fe56 (patch)
treee3bf13f43b1d332ece4ff814df35f08b6ccf4bce /sbin
parent1378624c2e663cfee46a224c0ae1ae768616d686 (diff)
When the following conditions are met:
- First configured key is based only on keyfile (no passphrase).
- Device is attached.
- User changes first key (setkey) from keyfile to passphrase and doesn't specify number of iterations (with -i option).
...geli(8) won't store calculated number of iterations in metadata. This results in device being inaccessible after detach. One can recover from this situation by guessing number of iterations generated, storing it in metadata and trying to attach device. Recovery procedure isn't nice, but one's data is not lost.
Reported by: Thomas Nickl <T.Nickl@gmx.net>
MFC after: 1 week
Notes
Notes: svn path=/head/; revision=166216
Diffstat (limited to 'sbin')
-rw-r--r--sbin/geom/class/eli/geom_eli.c14
1 files changed, 13 insertions, 1 deletions
diff --git a/sbin/geom/class/eli/geom_eli.c b/sbin/geom/class/eli/geom_eli.c
index 85ca83e69174..084fdbd275e7 100644
--- a/sbin/geom/class/eli/geom_eli.c
+++ b/sbin/geom/class/eli/geom_eli.c
@@ -739,18 +739,30 @@ static void
eli_setkey_attached(struct gctl_req *req, struct g_eli_metadata *md)
{
unsigned char key[G_ELI_USERKEYLEN];
- intmax_t val;
+ intmax_t val, old = 0;
+ int error;
val = gctl_get_intmax(req, "iterations");
/* Check if iterations number should be changed. */
if (val != -1)
md->md_iterations = val;
+ else
+ old = md->md_iterations;
/* Generate key for Master Key encryption. */
if (eli_genkey(req, md, key, 1) == NULL) {
bzero(key, sizeof(key));
return;
}
+ /*
+ * If number of iterations has changed, but wasn't given as a
+ * command-line argument, update the request.
+ */
+ if (val == -1 && md->md_iterations != old) {
+ error = gctl_change_param(req, "iterations", sizeof(intmax_t),
+ &md->md_iterations);
+ assert(error == 0);
+ }
gctl_ro_param(req, "key", sizeof(key), key);
gctl_issue(req);
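Review bot: The `assert(error == 0);` after `gctl_change_param()` is the only check that the computed iteration count reached the request, and it is compiled out when the file is built with NDEBUG. In such a build a failure would be ignored and `gctl_issue(req)` would presumably proceed with the stale "iterations" value, which is the inaccessible-after-detach case the commit message describes. When the assert does fire, the process aborts with the derived key still in `key`, unlike the `eli_genkey()` failure path just above, which calls `bzero(key, sizeof(key))` before returning. An explicit check that wipes the key and reports through `gctl_error()` would cover both cases. The body of `eli_setkey_attached()` continues past the end of the hunk, so what happens to `key` after `gctl_issue()` is not visible here.

```c
	/* … unchanged: gctl_change_param() call storing its result in error … */
		if (error != 0) {
			/* Same cleanup as the eli_genkey() failure path. */
			bzero(key, sizeof(key));
			gctl_error(req, "Cannot update number of iterations.");
			return;
		}
```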