pit
Owner: IIIlllIIIllI URL: git@github.com:nyangkosense/pit.git
key generation: actually try with sensitive, fallback to moderate and minimum
Commit d6dff066ac4883f833cd70225b008f28fd748551 by SM <seb.michalk@gmail.com> on 2025-03-26 09:30:02 +0100
diff --git a/pit.c b/pit.c
index deea272..e592ae1 100644
--- a/pit.c
+++ b/pit.c
@@ -321,7 +321,8 @@ generate_key(const char *keyfile)
char *password = secure_alloc(1024);
char *verify = secure_alloc(1024);
int pwlen;
- int ret = -1; /* def to error */
+ int ret = -1; /* def to error */
+ int pwhash_result = -1;
if (!key || !salt || !encrypted || !password || !verify) {
fprintf(stderr, "pit: failed to allocate secure memory\n");
@@ -352,26 +353,46 @@ generate_key(const char *keyfile)
goto cleanup;
}
- if (crypto_pwhash(
+ /* Try with SENSITIVE settings first */
+ pwhash_result = crypto_pwhash(
+ encrypted + SALT_SIZE, KEY_SIZE,
+ password, pwlen,
+ salt,
+ crypto_pwhash_OPSLIMIT_SENSITIVE,
+ crypto_pwhash_MEMLIMIT_SENSITIVE,
+ crypto_pwhash_ALG_DEFAULT);
+
+ /* If SENSITIVE fails, try MODERATE */
+ if (pwhash_result != 0) {
+ fprintf(stderr, "pit: key derivation failed with sensitive memory settings - trying with moderate...\n");
+ pwhash_result = crypto_pwhash(
encrypted + SALT_SIZE, KEY_SIZE,
password, pwlen,
salt,
crypto_pwhash_OPSLIMIT_MODERATE,
crypto_pwhash_MEMLIMIT_MODERATE,
- crypto_pwhash_ALG_DEFAULT) != 0) {
- fprintf(stderr, "pit: key derivation failed - trying with minimal settings\n");
- if (crypto_pwhash(
+ crypto_pwhash_ALG_DEFAULT);
+ }
+
+ /* If MODERATE fails, try MINIMAL */
+ if (pwhash_result != 0) {
+ fprintf(stderr, "pit: key derivation with moderate memory settings failed - trying minimal...\n");
+ pwhash_result = crypto_pwhash(
encrypted + SALT_SIZE, KEY_SIZE,
password, pwlen,
salt,
crypto_pwhash_OPSLIMIT_MIN,
crypto_pwhash_MEMLIMIT_MIN,
- crypto_pwhash_ALG_DEFAULT) != 0) {
- fprintf(stderr, "pit: key derivation failed - insufficient memory\n");
- }
+ crypto_pwhash_ALG_DEFAULT);
+ }
+
+ /* If all attempts failed */
+ if (pwhash_result != 0) {
+ fprintf(stderr, "pit: key derivation failed - system has insufficient memory\n");
goto cleanup;
}
+ /* If we reached here, one of the pwhash attempts succeeded */
memcpy(encrypted, salt, SALT_SIZE);
FILE *f = fopen(keyfile, "wb");
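Review bot: The fallback chain in generate_key ends at `crypto_pwhash_OPSLIMIT_MIN` / `crypto_pwhash_MEMLIMIT_MIN` and then goes on to write the key file, so on a memory-constrained host the passphrase is protected by the weakest cost setting, with only a stderr line to say so. Nothing in the visible lines records which level succeeded (only the salt is copied into `encrypted`), so the reader has no way to know which parameters to use. I would store the chosen level next to the salt in the key file and refuse to drop below MODERATE unless the user explicitly opts in, returning through `goto cleanup` otherwise. The body of generate_key starts and ends outside this hunk, so the file layout may already carry more than is shown here.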
@@ -388,7 +409,7 @@ generate_key(const char *keyfile)
fclose(f);
printf("pit: key generated successfully\n");
- ret = 0; // success
+ ret = 0; // success
cleanup:
secure_free(key, KEY_SIZE);
@@ -479,26 +500,36 @@ read_key_file(const char *path, char **key)
decrypted, KEY_SIZE,
password, pwlen,
encrypted,
- crypto_pwhash_OPSLIMIT_MODERATE,
- crypto_pwhash_MEMLIMIT_MODERATE,
+ crypto_pwhash_OPSLIMIT_MIN,
+ crypto_pwhash_MEMLIMIT_MIN,
crypto_pwhash_ALG_DEFAULT);
if (r != 0) {
- fprintf(stderr, "pit: trying with minimal memory settings .. \n");
+ fprintf(stderr, "pit: trying with moderate memory settings ... \n");
r = crypto_pwhash(
decrypted, KEY_SIZE,
password, pwlen,
encrypted,
- crypto_pwhash_OPSLIMIT_MIN,
- crypto_pwhash_MEMLIMIT_MIN,
+ crypto_pwhash_OPSLIMIT_MODERATE,
+ crypto_pwhash_MEMLIMIT_MODERATE,
crypto_pwhash_ALG_DEFAULT);
}
if (r !=0) {
- fprintf(stderr, "pit: key derivation faield - insufficient memory or wrong password\n");
- goto cleanup;
+ fprintf(stderr, "pit: trying with sensitive memory settings ...\n");
+ r = crypto_pwhash(
+ decrypted, KEY_SIZE,
+ password, pwlen,
+ encrypted,
+ crypto_pwhash_OPSLIMIT_SENSITIVE,
+ crypto_pwhash_MEMLIMIT_SENSITIVE,
+ crypto_pwhash_ALG_DEFAULT);
}
+ if (r != 0) {
+ fprintf(stderr, "pit: key derivation failed - insufficient memory or wrong password\n");
+ goto cleanup;
+ }
*key = (char*)decrypted;
decrypted = NULL;
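Review bot: The retry ladder in read_key_file is keyed on `r != 0`, but crypto_pwhash returns 0 whenever the computation completes, whether or not the password or the cost limits match those used at generation. The first attempt now uses the MIN limits, so it will almost always succeed and the MODERATE and SENSITIVE branches are reached only if MIN itself fails. A key file written by the new SENSITIVE-first generate_key would then produce a different `decrypted` value, which is assigned to `*key` immediately afterwards. The choice of limits should come from parameters stored in the key file, or from a verification of the derived key, rather than from the return code. The message `insufficient memory or wrong password` also claims more than `r != 0` can detect. A verification step may exist after the end of this hunk, since the function continues outside it.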