From 5517050d393fc1226611013717d55d4779503b7d Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sat, 14 Jun 2008 17:04:51 +0000 Subject: add a -r option to specify the number of PKCS5 PBKDF2 iterations used to derive the password (minimum: 1000, maximum: more than you want) ok hshoexer@ --- sbin/bioctl/bioctl.8 | 9 ++++++++- sbin/bioctl/bioctl.c | 14 +++++++++++--- 2 files changed, 19 insertions(+), 4 deletions(-) (limited to 'sbin/bioctl') diff --git a/sbin/bioctl/bioctl.8 b/sbin/bioctl/bioctl.8 index 7a1022457d4..c4afac84a40 100644 --- a/sbin/bioctl/bioctl.8 +++ b/sbin/bioctl/bioctl.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: bioctl.8,v 1.54 2008/06/14 00:16:38 hshoexer Exp $ +.\" $OpenBSD: bioctl.8,v 1.55 2008/06/14 17:04:50 djm Exp $ .\" .\" Copyright (c) 2004, 2005 Marco Peereboom .\" @@ -39,6 +39,7 @@ .Op Fl c Ar raidlevel .Op Fl H Ar channel:target[.lun] .Op Fl l Ar special[,special,...] +.Op Fl r Ar rounds .Op Fl u Ar channel:target[.lun] .Ar device .Ek @@ -127,6 +128,12 @@ Requires .Fl c . .It Fl q Show vendor, product, revision, and serial number for the given disk. +.It Fl r Ar rounds +When creating an encrypted volume, specifies the number of iterations of +the algorithm used to convert a passphrase into a key. +Higher iteration counts take more time, but offer more resistance to key +guessing attacks. +The minimum is 1000 rounds and the default is 8192. .It Fl u Ar channel:target[.lun] Instruct the device at .Ar channel:target[.lun] diff --git a/sbin/bioctl/bioctl.c b/sbin/bioctl/bioctl.c index 9ea26511c8f..aff172a0d94 100644 --- a/sbin/bioctl/bioctl.c +++ b/sbin/bioctl/bioctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bioctl.c,v 1.67 2008/06/14 06:28:27 djm Exp $ */ +/* $OpenBSD: bioctl.c,v 1.68 2008/06/14 17:04:50 djm Exp $ */ /* * Copyright (c) 2004, 2005 Marco Peereboom @@ -82,6 +82,7 @@ int devh = -1; int human; int verbose; u_int32_t cflags = 0; +int rflag = 8192; struct bio_locate bl; 
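Review bot: The new file-scope `int rflag = 8192;` carries no comment saying what it controls or why 8192 was chosen, and the name does not say "rounds", so a reader of the declaration list (`devh`, `human`, `verbose`, `cflags`) cannot tell it is a key-derivation parameter. Suggest `int rflag = 8192;	/* PBKDF2 rounds for -c C volumes; -r overrides (min 1000) */` so the default advertised in bioctl.8 and the lower bound enforced in the `-r` handler are visible at the definition. The declaration run continues outside the hunk.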
@@ -94,13 +95,14 @@ main(int argc, char *argv[])
 	char *bioc_dev = NULL, *sd_dev = NULL;
 	char *realname = NULL, *al_arg = NULL;
 	char *bl_arg = NULL, *dev_list = NULL;
+	const char *errstr;
 	int ch, rv, blink = 0, diskinq = 0;
 	u_int16_t cr_level = 0;
 
 	if (argc < 2)
 		usage();
 
-	while ((ch = getopt(argc, argv, "b:C:c:dl:u:H:ha:ivq")) != -1) {
+	while ((ch = getopt(argc, argv, "a:b:C:c:dH:hil:qr:vu:")) != -1) {
 		switch (ch) {
 		case 'a': /* alarm */
 			func |= BIOC_ALARM;
@@ -144,6 +146,12 @@ main(int argc, char *argv[])
 			func |= BIOC_DEVLIST;
 			dev_list = optarg;
 			break;
+		case 'r':
+			rflag = strtonum(optarg, 1000, 1<<30, &errstr);
+			if (errstr != NULL)
+				errx(1, "Number of rounds is %s: %s",
+				    errstr, optarg);
+			break;
 		case 'v':
 			verbose = 1;
 			break;
@@ -714,7 +722,7 @@ bio_kdf_generate(struct sr_crypto_kdfinfo *kdfinfo)
 
 	kdfinfo->pbkdf2.len = sizeof(kdfinfo->pbkdf2);
 	kdfinfo->pbkdf2.type = SR_CRYPTOKDFT_PBKDF2;
-	kdfinfo->pbkdf2.rounds = 10000;
+	kdfinfo->pbkdf2.rounds = rflag;
 
 	kdfinfo->len = sizeof(*kdfinfo);
 	kdfinfo->flags = (SR_CRYPTOKDF_KEY | SR_CRYPTOKDF_HINT);
-- 
cgit v1.2.3
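Review bot: The getopt string gains `r:` but nothing in this commit touches `usage()`, which the `argc < 2` path calls; if usage() prints the option synopsis, bioctl's own help will be missing the flag that bioctl.8 now documents. Add `-r rounds` to the usage string alongside the `.Op Fl r Ar rounds` line added to the manual. As a point of style, the reordered string `"a:b:C:c:dH:hil:qr:vu:"` places `u:` after `v`; if the intent was alphabetical order it should read `"a:b:C:c:dH:hil:qr:u:v"`. main() continues outside the hunk.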
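Review bot: The `-r` value is accepted for every bioctl operation, but as far as the diff shows it is only consumed when an encrypted volume is created, so a rounds count given with, e.g., an alarm or blink command would be silently ignored rather than rejected. Consider recording that -r was supplied and, after option parsing, refusing it unless the crypto create path (presumably selected via `cr_level`, declared in the previous hunk) is in use, or at minimum add `/* only consulted by bio_kdf_generate() when creating a -c C volume */` above the assignment. The narrowing from strtonum()'s `long long` into `int rflag` is safe only because the bounds `1000..1<<30` fit an int; a short comment there would stop a later widening of the maximum from introducing truncation. main() continues outside the hunk.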
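Review bot: Replacing the hard-coded `10000` with `rflag` silently lowers the default PBKDF2 work factor to 8192, the initial value of `rflag`, and neither the commit message nor the new bioctl.8 text ("the default is 8192") mentions that this is a reduction from the previous value. Fewer iterations make offline passphrase guessing proportionally cheaper for every volume created with defaults from now on, so either keep the old value with `int rflag = 10000;` or state the rationale for the decrease in the commit message so it is a deliberate, recorded choice. bio_kdf_generate() starts and ends outside the hunk.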