I wanted to wait longer when creating new keys so here is a simple
diff to add an argument to be able to set rounds to something larger
than a hardcoded 42.

Below that is another diff which instead uses a (slightly modified) copy
of _bcrypt_autorounds() from libc (only ifndef VERIFYONLY).

Index: signify.c
===================================================================
RCS file: /cvs/src/usr.bin/signify/signify.c,v
retrieving revision 1.126
diff -u -p -u -r1.126 signify.c
--- signify.c   6 Oct 2016 22:38:25 -0000       1.126
+++ signify.c   5 Mar 2017 14:29:37 -0000
@@ -79,7 +79,7 @@ usage(const char *error)
        fprintf(stderr, "usage:"
 #ifndef VERIFYONLY
            "\t%1$s -C [-q] -p pubkey -x sigfile [file ...]\n"
-           "\t%1$s -G [-n] [-c comment] -p pubkey -s seckey\n"
+           "\t%1$s -G [-n] [-c comment] -p pubkey -s seckey [-r rounds]\n"
            "\t%1$s -S [-ez] [-x sigfile] -s seckey -m message\n"
 #endif
            "\t%1$s -V [-eqz] [-p pubkey] [-t keytype] [-x sigfile] -m 
message\n",
@@ -751,6 +751,7 @@ main(int argc, char **argv)
            *sigfile = NULL;
        char sigfilebuf[PATH_MAX];
        const char *comment = "signify";
+       const char *errstr = NULL;
        char *keytype = NULL;
        int ch, rounds;
        int embedded = 0;
@@ -769,7 +770,7 @@ main(int argc, char **argv)
 
        rounds = 42;
 
-       while ((ch = getopt(argc, argv, "CGSVzc:em:np:qs:t:x:")) != -1) {
+       while ((ch = getopt(argc, argv, "CGSVzc:em:np:qs:t:x:r:")) != -1) {
                switch (ch) {
 #ifndef VERIFYONLY
                case 'C':
@@ -790,6 +791,10 @@ main(int argc, char **argv)
                case 'z':
                        gzip = 1;
                        break;
+               case 'r':
+                       rounds = strtonum(optarg, 42, (1U << 31) - 1, &errstr);
+                       if (errstr != NULL)
+                               err(1, "rounds");
 #endif
                case 'V':
                        if (verb)
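Review bot: The new `case 'r':` has no `break;`, so after a successfully parsed `-r` value control falls through the `#endif` into `case 'V':` and reaches that case's `if (verb)` test; add `break;` after the error check. The failure path would also be clearer if it printed the strtonum diagnostic and the offending argument instead of the errno text, e.g. `errx(1, "rounds is %s: %s", errstr, optarg);`. Note that `r:` was added to the getopt string for every build in the previous hunk, while this case is only compiled under `#ifndef VERIFYONLY`. The body of `case 'V':` continues outside the hunk.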



------------------------------



Index: signify.c
===================================================================
RCS file: /cvs/src/usr.bin/signify/signify.c,v
retrieving revision 1.126
diff -u -p -u -r1.126 signify.c
--- signify.c   6 Oct 2016 22:38:25 -0000       1.126
+++ signify.c   5 Mar 2017 14:36:32 -0000
@@ -451,6 +451,41 @@ sign(const char *seckeyfile, const char 
 
        free(msg);
 }
+
+int
+bcrypt_autorounds(void)
+{
+       struct timespec before, after;
+       int r = 8;
+       char buf[SECRETBYTES];
+       char salt[16];
+       int duration;
+
+       clock_gettime(CLOCK_THREAD_CPUTIME_ID, &before);
+       bcrypt_pbkdf("testpassword", 12, salt, sizeof(salt), buf, sizeof(buf), 
r);
+       clock_gettime(CLOCK_THREAD_CPUTIME_ID, &after);
+
+       duration = after.tv_sec - before.tv_sec;
+       duration *= 1000000;
+       duration += (after.tv_nsec - before.tv_nsec) / 1000;
+
+       /* too quick? slow it down. */
+       while (r < 16 && duration <= 60000) {
+               r += 1;
+               duration *= 2;
+       }
+       /* too slow? speed it up. */
+       while (r > 6 && duration > 120000) {
+               r -= 1;
+               duration /= 2;
+       }
+
+       /* sanity (from bcrypt_initsalt()) */
+       if (r < 4)
+               r = 4;
+
+       return r;
+}
 #endif
 
 static void
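Review bot: The timing call in `bcrypt_autorounds()` passes `r` (8) to `bcrypt_pbkdf()` as a plain iteration count, but the two loops below treat `r` as a log2 cost (`duration *= 2` per step) and the caller in the next hunk uses `1U << r`. The measured time is therefore not the time of the work factor that ends up protecting the secret key, and the 60–120 ms window does not describe what key generation will actually cost. Measuring with the value that will be used keeps the model consistent: `bcrypt_pbkdf("testpassword", 12, salt, sizeof(salt), buf, sizeof(buf), 1U << r);`. Separately, `salt` is read without being initialised (a zeroed benchmark salt, `char salt[16] = {0};`, avoids that), the `clock_gettime()` return values are not checked, and the function should probably be `static`, as it appears to be used only in this file.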
@@ -767,7 +802,9 @@ main(int argc, char **argv)
        if (pledge("stdio rpath wpath cpath tty", NULL) == -1)
                err(1, "pledge");
 
-       rounds = 42;
+#ifndef VERIFYONLY
+       rounds = 1U << bcrypt_autorounds();
+#endif
 
        while ((ch = getopt(argc, argv, "CGSVzc:em:np:qs:t:x:")) != -1) {
                switch (ch) {
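Review bot: `bcrypt_autorounds()` is called here before option parsing, so every invocation of a non-VERIFYONLY build, signing and verifying included, pays for the timing run even though the round count presumably only matters for `-G`. In a VERIFYONLY build `rounds` is now never assigned, where the removed line set it unconditionally; whether it is read there cannot be seen from this hunk. Consider a cheap sentinel here, `rounds = -1;`, and resolving it only once the verb is known to be key generation: `if (rounds == -1) rounds = 1U << bcrypt_autorounds();`. main continues outside the hunk.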
