Re: installer: disk crypto: crank KDF rounds to hardware based default

Mon, 14 Aug 2023 10:49:33 -0700 

Klemens Nanni <k...@openbsd.org> wrote:
> @@ -1117,13 +1117,6 @@ bio_changepass(char *dev)
>  
>       /* Current passphrase. */
>       bio_kdf_derive(&kdfinfo1, &kdfhint, "Old passphrase: ", 0);
> -
> -     /*
> -      * Unless otherwise specified, keep the previous number of rounds as
> -      * long as we're using the same KDF.
> -      */
> -     if (kdfhint.generic.type == SR_CRYPTOKDFT_BCRYPT_PBKDF && !rflag)
> -             rflag = kdfhint.rounds;
>  
>       /* New passphrase. */
>       bio_kdf_generate(&kdfinfo2);

This will potentially downgrade the amount of rounds on password change
if `-r` is omitted, which is not ideal imo. What about the following to
keep the previous amount of rounds if its bigger than the automatic
estimate?

-Lucas


diff refs/heads/master 758422c5a8c4e618082a6dc3dc0f268ed05e9cd9
commit - d4b9d4747036fa562b886f23a67e486ba94b3dc6
commit + 758422c5a8c4e618082a6dc3dc0f268ed05e9cd9
blob - d6617b14595e278f687a9f114767438f5fe51326
blob + 951df4da4db2e69c058a2bcb0d460543b602cc7a
--- sbin/bioctl/bioctl.8
+++ sbin/bioctl/bioctl.8
@@ -282,11 +282,12 @@ If
 passphrase of an existing encrypted volume.
 A larger number of iterations takes more time, but offers increased resistance
 against passphrase guessing attacks.
-If
+By default, or if
 .Ar rounds
-is specified as "auto", the number of rounds will be automatically determined
-based on system performance.
-Otherwise the minimum is 4 rounds and the default is 16.
+is specified as
+.Cm auto ,
+the number of rounds will automatically be based on system performance.
+The minimum is 16 rounds.
 .It Fl s
 Read the passphrase for the selected crypto volume from
 .Pa /dev/stdin
blob - 2928cfba3d52f5f3a4c6589d4e363e09f6da30d4
blob + ba4a15bab4d8d1ac1211aec9a6c315bfb6f29bb6
--- sbin/bioctl/bioctl.c
+++ sbin/bioctl/bioctl.c
@@ -66,7 +66,7 @@ void                  bio_kdf_generate(struct 
sr_crypto_kdfinfo *);
 int                    bio_parse_devlist(char *, dev_t *);
 void                   bio_kdf_derive(struct sr_crypto_kdfinfo *,
                            struct sr_crypto_pbkdf *, char *, int);
-void                   bio_kdf_generate(struct sr_crypto_kdfinfo *);
+void                   bio_kdf_generate(struct sr_crypto_kdfinfo *, int);
 int                    bcrypt_pbkdf_autorounds(void);
 void                   derive_key(u_int32_t, int, u_int8_t *, size_t,
                            u_int8_t *, size_t, char *, int);
@@ -89,7 +89,7 @@ int                   rflag = 0;
 int                    human;
 int                    verbose;
 u_int32_t              cflags = 0;
-int                    rflag = 0;
+int                    rflag = -1;     /* auto */
 char                   *password;
 
 void                   *bio_cookie;
@@ -182,7 +182,7 @@ main(int argc, char *argv[])
                                rflag = -1;
                                break;
                        }
-                       rflag = strtonum(optarg, 4, 1<<30, &errstr);
+                       rflag = strtonum(optarg, 16, 1<<30, &errstr);
                        if (errstr != NULL)
                                errx(1, "number of KDF rounds is %s: %s",
                                    errstr, optarg);
@@ -902,7 +902,7 @@ bio_createraid(u_int16_t level, char *dev_list, char *
                        bio_kdf_derive(&kdfinfo, &kdfhint, "Passphrase: ", 0);
                        memset(&kdfhint, 0, sizeof(kdfhint));
                } else {
-                       bio_kdf_generate(&kdfinfo);
+                       bio_kdf_generate(&kdfinfo, -1);
                }
 
                create.bc_opaque = &kdfinfo;
@@ -968,17 +968,20 @@ bio_kdf_generate(struct sr_crypto_kdfinfo *kdfinfo)
 }
 
 void
-bio_kdf_generate(struct sr_crypto_kdfinfo *kdfinfo)
+bio_kdf_generate(struct sr_crypto_kdfinfo *kdfinfo, int hint_rounds)
 {
        if (!kdfinfo)
                errx(1, "invalid KDF info");
 
-       if (rflag == -1)
+       if (rflag == -1) {
                rflag = bcrypt_pbkdf_autorounds();
+               if (rflag < hint_rounds)
+                       rflag = hint_rounds;
+       }
 
        kdfinfo->pbkdf.generic.len = sizeof(kdfinfo->pbkdf);
        kdfinfo->pbkdf.generic.type = SR_CRYPTOKDFT_BCRYPT_PBKDF;
-       kdfinfo->pbkdf.rounds = rflag ? rflag : 16;
+       kdfinfo->pbkdf.rounds = rflag;
 
        kdfinfo->flags = SR_CRYPTOKDF_KEY | SR_CRYPTOKDF_HINT;
        kdfinfo->len = sizeof(*kdfinfo);
@@ -1097,7 +1100,7 @@ bio_changepass(char *dev)
        struct sr_crypto_kdfpair kdfpair;
        struct sr_crypto_kdfinfo kdfinfo1, kdfinfo2;
        struct sr_crypto_pbkdf kdfhint;
-       int rv;
+       int rv, hint_rounds = -1;
 
        memset(&bd, 0, sizeof(bd));
        memset(&kdfhint, 0, sizeof(kdfhint));
@@ -1119,14 +1122,14 @@ bio_changepass(char *dev)
        bio_kdf_derive(&kdfinfo1, &kdfhint, "Old passphrase: ", 0);
 
        /*
-        * Unless otherwise specified, keep the previous number of rounds as
-        * long as we're using the same KDF.
+        * Broadcast the previous number of rounds as long as we're using the
+        * same KDF.
         */
-       if (kdfhint.generic.type == SR_CRYPTOKDFT_BCRYPT_PBKDF && !rflag)
-               rflag = kdfhint.rounds;
+       if (kdfhint.generic.type == SR_CRYPTOKDFT_BCRYPT_PBKDF)
+               hint_rounds = kdfhint.rounds;
 
        /* New passphrase. */
-       bio_kdf_generate(&kdfinfo2);
+       bio_kdf_generate(&kdfinfo2, hint_rounds);
 
        kdfpair.kdfinfo1 = &kdfinfo1;
        kdfpair.kdfsize1 = sizeof(kdfinfo1);

Reply via email to