On Fri, Aug 11, 2023 at 05:38:41PM +0200, Mark Kettenis wrote:
> > From: "Theo de Raadt" <dera...@openbsd.org>
> > I think this case is different, because the ramdisk has no process
> > contention.
> >
> > The code still sticks to minimum 16:
> >
> >         if (r < 16)
> >                 r = 16;
> >
> > On faster machines, it will increase the rounds.  For that machine, for
> > that disk configuration.  This is processed early on to bring the disk up,
> > when there is little or no contention.  So it will not have a regressive
> > performance impact.
>
> So the man page just lies?

Incomplete and unclear, yes.

Code has four default decision points:
* "-r auto" falls back to 16 if the performance based value is below that
  (snippet above, undocumented)
* "-r N" must be 4 or higher (strtonum(), manual refers to that)
* no "-r rounds" given means
  - default of 16 rounds for new volumes (see 3rd hunk, undocumented)
  - previous value when changing passphrase (4th hunk)

New diff a) defaults to "auto" and b) enforces a minimum of 16 rounds,
making code easier to follow, imho.

Default rflag = -1 means rflag == 0 is now impossible, so the passphrase
change code can no longer distinguish between explicit "-r auto" and new
default, so it no longer sticks with the old number of rounds, but instead
goes with auto or explicit "-r N".

Does that make more sense?

Index: bioctl.8 =================================================================== RCS file: /cvs/src/sbin/bioctl/bioctl.8,v retrieving revision 1.111 diff -u -p -r1.111 bioctl.8 --- bioctl.8 6 Jul 2023 21:08:50 -0000 1.111 +++ bioctl.8 14 Aug 2023 06:12:46 -0000 @@ -282,11 +282,12 @@ passphrase into a key, in order to creat passphrase of an existing encrypted volume. A larger number of iterations takes more time, but offers increased resistance against passphrase guessing attacks. -If +By default, or if .Ar rounds -is specified as "auto", the number of rounds will be automatically determined -based on system performance. -Otherwise the minimum is 4 rounds and the default is 16. +is specified as +.Cm auto , +the number of rounds will automatically be based on system performance. +The minimum is 16 rounds. .It Fl s Read the passphrase for the selected crypto volume from .Pa /dev/stdin Index: bioctl.c =================================================================== RCS file: /cvs/src/sbin/bioctl/bioctl.c,v retrieving revision 1.151 diff -u -p -r1.151 bioctl.c --- bioctl.c 18 Oct 2022 07:04:20 -0000 1.151 +++ bioctl.c 14 Aug 2023 06:52:04 -0000 
@@ -89,7 +89,7 @@ int devh = -1; int human; int verbose; u_int32_t cflags = 0; -int rflag = 0; +int rflag = -1; /* auto */ char *password; void *bio_cookie; @@ -182,7 +182,7 @@ main(int argc, char *argv[]) rflag = -1; break; } - rflag = strtonum(optarg, 4, 1<<30, &errstr); + rflag = strtonum(optarg, 16, 1<<30, &errstr); if (errstr != NULL) errx(1, "number of KDF rounds is %s: %s", errstr, optarg); @@ -978,7 +978,7 @@ bio_kdf_generate(struct sr_crypto_kdfinf kdfinfo->pbkdf.generic.len = sizeof(kdfinfo->pbkdf); kdfinfo->pbkdf.generic.type = SR_CRYPTOKDFT_BCRYPT_PBKDF; - kdfinfo->pbkdf.rounds = rflag ? rflag : 16; + kdfinfo->pbkdf.rounds = rflag; kdfinfo->flags = SR_CRYPTOKDF_KEY | SR_CRYPTOKDF_HINT; kdfinfo->len = sizeof(*kdfinfo); @@ -1117,13 +1117,6 @@ bio_changepass(char *dev) /* Current passphrase. */ bio_kdf_derive(&kdfinfo1, &kdfhint, "Old passphrase: ", 0); - - /* - * Unless otherwise specified, keep the previous number of rounds as - * long as we're using the same KDF. - */ - if (kdfhint.generic.type == SR_CRYPTOKDFT_BCRYPT_PBKDF && !rflag) - rflag = kdfhint.rounds; /* New passphrase. */ bio_kdf_generate(&kdfinfo2);
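
Review bot: The bioctl.8 hunk documents the new default and the new minimum, but not the changed behaviour for passphrase changes, even though this same paragraph covers the "passphrase of an existing encrypted volume" case. With the last bioctl.c hunk applied, a passphrase change without -r no longer keeps the stored round count, so add a sentence saying the rounds are determined again on a passphrase change unless -r N is given.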
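
Review bot: In the main() option-parsing hunk of bioctl.c, raising the strtonum() lower bound from 4 to 16 turns an explicit value between 4 and 15, which was accepted before, into a hard errx() exit with "number of KDF rounds is too small". The auto path is clamped up to 16 rather than rejected (the `if (r < 16) r = 16;` snippet quoted in the thread), so decide whether explicit values should be clamped with a warning for consistency, or say in the commit message that existing invocations with small -r values will now fail.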
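
Review bot: In the bio_kdf_generate() hunk, `kdfinfo->pbkdf.rounds = rflag;` now stores -1 on every run that did not pass -r N, and nothing in the visible context shows where -1 is resolved to a measured count or where the floor of 16 is applied. The removed `rflag ? rflag : 16` was the only visible place where the default was spelled out, so a short comment here pointing at the code that handles -1 would keep the default traceable for the next reader.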
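
Review bot: In the bio_changepass() hunk, removing the `rflag = kdfhint.rounds` fallback means a passphrase change without -r takes the auto value even when the volume's stored kdfhint.rounds is higher, so the KDF work factor can drop silently, for example on a volume created with a large explicit -r N and later re-keyed on a slower machine. Consider keeping kdfhint.rounds as a lower bound when the type is still SR_CRYPTOKDFT_BCRYPT_PBKDF and no explicit -r N was given, or at least reporting the old and new round counts when the new one is lower.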