Merge pull request #38 from Tarsnap/passphrase-time

Passphrase time

keygen/keygen.c

@@ -55,10 +55,11 @@ static void
 usage(void)
 {
 
-	fprintf(stderr, "usage: tarsnap-keygen %s %s %s %s %s\n",
+	fprintf(stderr, "usage: tarsnap-keygen %s %s %s %s %s %s\n",
 	    "--keyfile key-file", "--user user-name",
 	    "--machine machine-name",
-	    "[--passphrased]", "[--passphrase-mem maxmem]");
+	    "[--passphrased]", "[--passphrase-mem maxmem]",
+	    "[--passphrase-time maxtime]");
 	exit(1);
 
 	/* NOTREACHED */
@@ -73,6 +74,7 @@ main(int argc, char **argv)
 	NETPACKET_CONNECTION * NPC;
 	int passphrased;
 	uint64_t maxmem;
+	double maxtime = 1.0;
 	char * passphrase;
 
 	WARNP_INIT;
@@ -113,6 +115,16 @@ main(int argc, char **argv)
 				exit(1);
 			}
 			argv++; argc--;
+		} else if (strcmp(argv[0], "--passphrase-time") == 0) {
+			if ((maxtime != 1.0) || (argc < 2))
+				usage();
+			maxtime = strtod(argv[1], NULL);
+			if ((maxtime < 0.05) || (maxtime > 86400)) {
+				warn0("Invalid --passphrase-time argument: %s",
+				    argv[1]);
+				exit(1);
+			}
+			argv++; argc--;
 		} else if (strcmp(argv[0], "--passphrased") == 0) {
 			passphrased = 1;
 		} else {
@@ -125,10 +137,10 @@ main(int argc, char **argv)
 		usage();
 
 	/*
-	 * It doesn't make sense to specify --passphrase-mem if we're not
-	 * using a passphrase.
+	 * It doesn't make sense to specify --passphrase-mem or
+	 * --passphrase-time if we're not using a passphrase.
 	 */
-	if ((maxmem != 0) && (passphrased == 0))
+	if (((maxmem != 0) || (maxtime != 1.0)) && (passphrased == 0))
 		usage();
 
 	/* Sanity-check the user name. */
@@ -260,7 +272,7 @@ main(int argc, char **argv)
 
 	/* Write keys to file. */
 	if (keyfile_write_file(keyfile, C.machinenum,
-	    CRYPTO_KEYMASK_USER, passphrase, maxmem, 1.0))
+	    CRYPTO_KEYMASK_USER, passphrase, maxmem, maxtime))
 		goto err1;
 
 	/* Close the key file. */

keygen/tarsnap-keygen.1-man

@@ -13,6 +13,7 @@
 \fB\--machine\fP \fImachine-name\fP
 [\fB\--passphrased\fP]
 [\fB\--passphrase-mem\fP \fImaxmem\fP]
+[\fB\--passphrase-time\fP \fImaxtime\fP]
 .SH DESCRIPTION
 .ad l
 \fB\%tarsnap-keygen\fP
@@ -40,3 +41,10 @@ bytes of RAM will be used in the scrypt key derivation function to
 encrypt the key file; it may be necessary to set this option if a key
 file is being generated on a system with far more RAM than the system
 on which the key file will be used.
+.PP
+If the
+\fB\--passphrase-time\fP \fImaxtime\fP
+option is specified, a maximum of approximately
+\fImaxtime\fP
+seconds will be used in the scrypt key derivation function to
+encrypt the key file.

keygen/tarsnap-keygen.1-mdoc

@@ -15,6 +15,7 @@
 .Fl -machine Ar machine-name
 .Op Fl -passphrased
 .Op Fl -passphrase-mem Ar maxmem
+.Op Fl -passphrase-time Ar maxtime
 .Sh DESCRIPTION
 .Nm
 generates cryptographic keys, registers with the
@@ -41,3 +42,10 @@ bytes of RAM will be used in the scrypt key derivation function to
 encrypt the key file; it may be necessary to set this option if a key
 file is being generated on a system with far more RAM than the system
 on which the key file will be used.
+.Pp
+If the
+.Fl -passphrase-time Ar maxtime
+option is specified, a maximum of approximately
+.Ar maxtime
+seconds will be used in the scrypt key derivation function to
+encrypt the key file.

keymgmt/keymgmt.c

@@ -19,9 +19,10 @@ static void
 usage(void)
 {
 
-	fprintf(stderr, "usage: tarsnap-keymgmt %s %s %s %s key-file ...\n",
+	fprintf(stderr, "usage: tarsnap-keymgmt %s %s %s %s %s key-file ...\n",
 	    "--outkeyfile new-key-file", "[--passphrased]",
-	    "[--passphrase-mem maxmem]", "[-r] [-w] [-d] [--nuke]");
+	    "[--passphrase-mem maxmem]", "[--passphrase-time maxtime]",
+	    "[-r] [-w] [-d] [--nuke]");
 	exit(1);
 
 	/* NOTREACHED */
@@ -39,6 +40,7 @@ main(int argc, char **argv)
 	const char * missingkey;
 	int passphrased = 0;
 	uint64_t maxmem = 0;
+	double maxtime = 1.0;
 	char * passphrase;
 
 	WARNP_INIT;
@@ -105,6 +107,16 @@ main(int argc, char **argv)
 				exit(1);
 			}
 			argv++; argc--;
+		} else if (strcmp(argv[0], "--passphrase-time") == 0) {
+			if ((maxtime != 1.0) || (argc < 2))
+				usage();
+			maxtime = strtod(argv[1], NULL);
+			if ((maxtime < 0.05) || (maxtime > 86400)) {
+				warn0("Invalid --passphrase-time argument: %s",
+				    argv[1]);
+				exit(1);
+			}
+			argv++; argc--;
 		} else if (strcmp(argv[0], "--passphrased") == 0) {
 			passphrased = 1;
 		} else {
@@ -118,10 +130,10 @@ main(int argc, char **argv)
 		usage();
 
 	/*
-	 * It doesn't make sense to specify --passphrase-mem if we're not
-	 * using a passphrase.
+	 * It doesn't make sense to specify --passphrase-mem or
+	 * --passphrase-time if we're not using a passphrase.
 	 */
-	if ((maxmem != 0) && (passphrased == 0))
+	if (((maxmem != 0) || (maxtime != 1.0)) && (passphrased == 0))
 		usage();
 
 	/* Warn the user if they're being silly. */
@@ -180,7 +192,7 @@ main(int argc, char **argv)
 
 	/* Write out new key file. */
 	if (keyfile_write(newkeyfile, machinenum, keyswanted,
-	    passphrase, maxmem, 1.0))
+	    passphrase, maxmem, maxtime))
 		exit(1);
 
 	/* Success! */

keymgmt/tarsnap-keymgmt.1-man

@@ -16,6 +16,7 @@ key files
 [\fB\--nuke\fP]
 [\fB\--passphrased\fP]
 [\fB\--passphrase-mem\fP \fImaxmem\fP]
+[\fB\--passphrase-time\fP \fImaxtime\fP]
 \fIkey-file\fP ...
 .SH DESCRIPTION
 .ad l
@@ -80,6 +81,13 @@ encrypt the key file; it may be necessary to set this option if a key
 file is being created on a system with far more RAM than the system
 on which the key file will be used.
 .PP
+If the
+\fB\--passphrase-time\fP \fImaxtime\fP
+option is specified, a maximum of approximately
+\fImaxtime\fP
+seconds will be used in the scrypt key derivation function to encrypt
+the key file.
+.PP
 Note that if none of the
 \fB\-w\fP,
 \fB\-r\fP,

keymgmt/tarsnap-keymgmt.1-mdoc

@@ -18,6 +18,7 @@ key files
 .Op Fl -nuke
 .Op Fl -passphrased
 .Op Fl -passphrase-mem Ar maxmem
+.Op Fl -passphrase-time Ar maxtime
 .Ar key-file ...
 .Sh DESCRIPTION
 .Nm
@@ -81,6 +82,13 @@ encrypt the key file; it may be necessary to set this option if a key
 file is being created on a system with far more RAM than the system
 on which the key file will be used.
 .Pp
+If the
+.Fl -passphrase-time Ar maxtime
+option is specified, a maximum of approximately
+.Ar maxtime
+seconds will be used in the scrypt key derivation function to encrypt
+the key file.
+.Pp
 Note that if none of the
 .Fl w ,
 .Fl r ,

keyregen/keyregen.c

@@ -55,10 +55,11 @@ static void
 usage(void)
 {
 
-	fprintf(stderr, "usage: tarsnap-keyregen %s %s %s %s %s %s\n",
+	fprintf(stderr, "usage: tarsnap-keyregen %s %s %s %s %s %s %s\n",
 	    "--keyfile key-file", "--oldkey old-key-file",
 	    "--user user-name", "--machine machine-name",
-	    "[--passphrased]", "[--passphrase-mem maxmem]");
+	    "[--passphrased]", "[--passphrase-mem maxmem]",
+	    "[--passphrase-time maxtime]");
 	exit(1);
 
 	/* NOTREACHED */
@@ -74,6 +75,7 @@ main(int argc, char **argv)
 	NETPACKET_CONNECTION * NPC;
 	int passphrased;
 	uint64_t maxmem;
+	double maxtime = 1.0;
 	char * passphrase;
 	uint64_t dummy;
 
@@ -124,6 +126,16 @@ main(int argc, char **argv)
 				exit(1);
 			}
 			argv++; argc--;
+		} else if (strcmp(argv[0], "--passphrase-time") == 0) {
+			if ((maxtime != 1.0) || (argc < 2))
+				usage();
+			maxtime = strtod(argv[1], NULL);
+			if ((maxtime < 0.05) || (maxtime > 86400)) {
+				warn0("Invalid --passphrase-time argument: %s",
+				    argv[1]);
+				exit(1);
+			}
+			argv++; argc--;
 		} else if (strcmp(argv[0], "--passphrased") == 0) {
 			passphrased = 1;
 		} else {
@@ -140,10 +152,10 @@ main(int argc, char **argv)
 		usage();
 
 	/*
-	 * It doesn't make sense to specify --passphrase-mem if we're not
-	 * using a passphrase.
+	 * It doesn't make sense to specify --passphrase-mem or
+	 * --passphrase-time if we're not using a passphrase.
 	 */
-	if ((maxmem != 0) && (passphrased == 0))
+	if (((maxmem != 0) || (maxtime != 1.0)) && (passphrased == 0))
 		usage();
 
 	/* Sanity-check the user name. */
@@ -296,7 +308,7 @@ main(int argc, char **argv)
 
 	/* Write keys to file. */
 	if (keyfile_write_file(keyfile, C.machinenum,
-	    CRYPTO_KEYMASK_USER, passphrase, maxmem, 1.0))
+	    CRYPTO_KEYMASK_USER, passphrase, maxmem, maxtime))
 		goto err1;
 
 	/* Close the key file. */

keyregen/tarsnap-keyregen.1-man

@@ -14,6 +14,7 @@
 \fB\--machine\fP \fImachine-name\fP
 [\fB\--passphrased\fP]
 [\fB\--passphrase-mem\fP \fImaxmem\fP]
+[\fB\--passphrase-time\fP \fImaxtime\fP]
 .SH DESCRIPTION
 .ad l
 \fB\%tarsnap-keyregen\fP
@@ -49,3 +50,10 @@ bytes of RAM will be used in the scrypt key derivation function to
 encrypt the key file; it may be necessary to set this option if a key
 file is being generated on a system with far more RAM than the system
 on which the key file will be used.
+.PP
+If the
+\fB\--passphrase-time\fP \fImaxtime\fP
+option is specified, a maximum of approximately
+\fImaxtime\fP
+seconds will be used in the scrypt key derivation function to
+encrypt the key file.

keyregen/tarsnap-keyregen.1-mdoc

@@ -16,6 +16,7 @@
 .Fl -machine Ar machine-name
 .Op Fl -passphrased
 .Op Fl -passphrase-mem Ar maxmem
+.Op Fl -passphrase-time Ar maxtime
 .Sh DESCRIPTION
 .Nm
 generates a set of cryptographic keys which are compatible
@@ -50,3 +51,10 @@ bytes of RAM will be used in the scrypt key derivation function to
 encrypt the key file; it may be necessary to set this option if a key
 file is being generated on a system with far more RAM than the system
 on which the key file will be used.
+.Pp
+If the
+.Fl -passphrase-time Ar maxtime
+option is specified, a maximum of approximately
+.Ar maxtime
+seconds will be used in the scrypt key derivation function to
+encrypt the key file.