On Fri, Aug 11, 2023 at 05:38:41PM +0200, Mark Kettenis wrote:
> > From: "Theo de Raadt" <[email protected]>
> > I think this case is different, because the ramdisk has no process
> > contention.
> >
> > The code still sticks to minimum 16:
> >
> > if (r < 16)
> > r = 16;
> >
> > On faster machines, it will increase the rounds. For that machine, for
> > that disk configuration. This is processed early on to bring the disk up,
> > when there is little or no contention. So it will not have a regressive
> > performance impact.
>
> So the man page just lies?
Incomplete and unclear, yes. Code has four default decision points:
* "-r auto" falls back to 16 if the performance based value is below that
(snippet above, undocumented)
* "-r N" must be 4 or higher (strtonum(), manual refers to that)
* no "-r rounds" given means
- default of 16 rounds for new volumes (see 3rd hunk, undocumented)
- previous value when changing passphrase (4th hunk)
New diff a) defaults to "auto" and b) enforces a minium of 16 rounds,
making code easier to follow, imho.
Default rflag = -1 means rflag == 0 is now impossible, so the passphrase
change code can no longer distinguish between explicit "-r auto" and new
default, so it no longer sticks with the old number of rounds, but instead
goes with auto or explicit "-r N".
Does that make more sense?
Index: bioctl.8
===================================================================
RCS file: /cvs/src/sbin/bioctl/bioctl.8,v
retrieving revision 1.111
diff -u -p -r1.111 bioctl.8
--- bioctl.8 6 Jul 2023 21:08:50 -0000 1.111
+++ bioctl.8 14 Aug 2023 06:12:46 -0000
@@ -282,11 +282,12 @@ passphrase into a key, in order to creat
passphrase of an existing encrypted volume.
A larger number of iterations takes more time, but offers increased resistance
against passphrase guessing attacks.
-If
+By default, or if
.Ar rounds
-is specified as "auto", the number of rounds will be automatically determined
-based on system performance.
-Otherwise the minimum is 4 rounds and the default is 16.
+is specified as
+.Cm auto ,
+the number of rounds will automatically be based on system performance.
+The minimum is 16 rounds.
.It Fl s
Read the passphrase for the selected crypto volume from
.Pa /dev/stdin
Index: bioctl.c
===================================================================
RCS file: /cvs/src/sbin/bioctl/bioctl.c,v
retrieving revision 1.151
diff -u -p -r1.151 bioctl.c
--- bioctl.c 18 Oct 2022 07:04:20 -0000 1.151
+++ bioctl.c 14 Aug 2023 06:52:04 -0000
@@ -89,7 +89,7 @@ int devh = -1;
int human;
int verbose;
u_int32_t cflags = 0;
-int rflag = 0;
+int rflag = -1; /* auto */
char *password;
void *bio_cookie;
@@ -182,7 +182,7 @@ main(int argc, char *argv[])
rflag = -1;
break;
}
- rflag = strtonum(optarg, 4, 1<<30, &errstr);
+ rflag = strtonum(optarg, 16, 1<<30, &errstr);
if (errstr != NULL)
errx(1, "number of KDF rounds is %s: %s",
errstr, optarg);
@@ -978,7 +978,7 @@ bio_kdf_generate(struct sr_crypto_kdfinf
kdfinfo->pbkdf.generic.len = sizeof(kdfinfo->pbkdf);
kdfinfo->pbkdf.generic.type = SR_CRYPTOKDFT_BCRYPT_PBKDF;
- kdfinfo->pbkdf.rounds = rflag ? rflag : 16;
+ kdfinfo->pbkdf.rounds = rflag;
kdfinfo->flags = SR_CRYPTOKDF_KEY | SR_CRYPTOKDF_HINT;
kdfinfo->len = sizeof(*kdfinfo);
@@ -1117,13 +1117,6 @@ bio_changepass(char *dev)
/* Current passphrase. */
bio_kdf_derive(&kdfinfo1, &kdfhint, "Old passphrase: ", 0);
-
- /*
- * Unless otherwise specified, keep the previous number of rounds as
- * long as we're using the same KDF.
- */
- if (kdfhint.generic.type == SR_CRYPTOKDFT_BCRYPT_PBKDF && !rflag)
- rflag = kdfhint.rounds;
/* New passphrase. */
bio_kdf_generate(&kdfinfo2);
