Hello. Subject of this message says it all. I have created a patch to address this concern, included below. Raising the default value would also be appreciated as it is currently far too low and even if this patch is accepted for inclusion, many users might not know of the option it provides or why it is important.
I apologise if the patch below does not render correctly. My MUA seems to insist on breaking "long" lines. For that reason I have also included the patch as an attachment to this message. --- apps/pkcs8.c +++ apps/pkcs8.c @@ -155,6 +155,12 @@ } else if (!strcmp (*args, "-topk8")) topk8 = 1; + else if (!strcmp (*args, "-iterrounds")) + { + if (!args[1]) goto bad; + iter= atoi(*(++args)); + if (iter == 0) badarg = 1; + } else if (!strcmp (*args, "-noiter")) iter = 1; else if (!strcmp (*args, "-nocrypt")) @@ -219,6 +225,7 @@ BIO_printf(bio_err, "-nooct use (nonstandard) no octet format\n"); BIO_printf(bio_err, "-embed use (nonstandard) embedded DSA parameters format\n"); BIO_printf(bio_err, "-nsdb use (nonstandard) DSA Netscape DB format\n"); + BIO_printf(bio_err, "-iterrounds n use a custom iteration count\n"); BIO_printf(bio_err, "-noiter use 1 as iteration count\n"); BIO_printf(bio_err, "-nocrypt use or expect unencrypted private key\n"); BIO_printf(bio_err, "-v2 alg use PKCS#5 v2.0 and cipher \"alg\"\n");
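Review bot: In the first hunk (@@ -155,6 +155,12 @@), the new `-iterrounds` branch validates its argument only with `if (iter == 0) badarg = 1;` after `iter= atoi(*(++args));`, so a negative value such as "-5" or a string with trailing junk such as "10abc" is accepted as an iteration count, and an out-of-range number is not detected by `atoi` at all. Parsing with `strtol`, checking that the end pointer reached the terminating NUL, and rejecting anything that is not a positive value within the range of `int` would close those gaps. A minor style point on the same line: `iter= atoi` is missing the space before `=` that the neighbouring assignments (`topk8 = 1;`, `iter = 1;`) use.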
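Review bot: In the second hunk (@@ -219,6 +225,7 @@), the added usage line `-iterrounds n use a custom iteration count` does not say that n must be a positive integer, nor how the option interacts with `-noiter` on the line below it. Since both branches in the first hunk assign the same `iter` variable, whichever option appears later on the command line silently wins; the help text should state that, or the parser should reject the combination. The patch as posted changes only apps/pkcs8.c, so any separate documentation for the command would need a matching entry for the new option.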