diff options
| author | Joel Sing <jsing@cvs.openbsd.org> | 2016-09-19 17:46:53 +0000 |
|---|---|---|
| committer | Joel Sing <jsing@cvs.openbsd.org> | 2016-09-19 17:46:53 +0000 |
| commit | dbeda8c3cb4e4eecb1f5b0fc77dc68b4ca4b57a4 (patch) | |
| tree | 0b230cf50fc2155b9b2dbab666d9c770cd2da820 /sbin/bioctl | |
| parent | 9b5ec4b04ca601fdf003ef06babf5bf2c2604ce3 (diff) | |
Switch softraid crypto from PKCS5 PBKDF2 to bcrypt PBKDF.
New volumes will be created with bcrypt PBKDF, however existing volumes
will continue to use PKCS5 PBKDF2 until a passphrase change is made.
If you're booting from softraid crypto, ensure that your boot loader has
been upgraded to a version that supports bcrypt prior to changing your
passphrase. Also be aware that once the passphrase has been changed, an
older version of bioctl(8) (one that does not support bcrypt PBKDF) will
not be able to "unlock" the volume.
Partly based on a diff from djm@.
Diffstat (limited to 'sbin/bioctl')
| -rw-r--r-- | sbin/bioctl/bioctl.c | 15 |
1 files changed, 9 insertions, 6 deletions
diff --git a/sbin/bioctl/bioctl.c b/sbin/bioctl/bioctl.c index c7e57fabc8b..195f159e9f8 100644 --- a/sbin/bioctl/bioctl.c +++ b/sbin/bioctl/bioctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bioctl.c,v 1.137 2016/09/10 17:08:44 jsing Exp $ */ +/* $OpenBSD: bioctl.c,v 1.138 2016/09/19 17:46:52 jsing Exp $ */ /* * Copyright (c) 2004, 2005 Marco Peereboom @@ -172,7 +172,7 @@ main(int argc, char *argv[]) password = optarg; break; case 'r': - rflag = strtonum(optarg, 1000, 1<<30, &errstr); + rflag = strtonum(optarg, 4, 1<<30, &errstr); if (errstr != NULL) errx(1, "number of KDF rounds is %s: %s", errstr, optarg); @@ -964,8 +964,8 @@ bio_kdf_generate(struct sr_crypto_kdfinfo *kdfinfo) errx(1, "invalid KDF info"); kdfinfo->pbkdf.generic.len = sizeof(kdfinfo->pbkdf); - kdfinfo->pbkdf.generic.type = SR_CRYPTOKDFT_PKCS5_PBKDF2; - kdfinfo->pbkdf.rounds = rflag ? rflag : 8192; + kdfinfo->pbkdf.generic.type = SR_CRYPTOKDFT_BCRYPT_PBKDF; + kdfinfo->pbkdf.rounds = rflag ? rflag : 16; kdfinfo->flags = SR_CRYPTOKDF_KEY | SR_CRYPTOKDF_HINT; kdfinfo->len = sizeof(*kdfinfo); @@ -1105,8 +1105,11 @@ bio_changepass(char *dev) /* Current passphrase. */ bio_kdf_derive(&kdfinfo1, &kdfhint, "Old passphrase: ", 0); - /* Keep the previous number of rounds, unless specified. */ - if (!rflag) + /* + * Unless otherwise specified, keep the previous number of rounds as + * long as we're using the same KDF. + */ + if (kdfhint.generic.type == SR_CRYPTOKDFT_BCRYPT_PBKDF && !rflag) rflag = kdfhint.rounds; /* New passphrase. */ |