Add new keygen option: passphrase --repeats (-r)

This option controls the number of repeated passphrase prompts when deriving a secret key. It is convenient to set this to zero when relying primarily on fingerprint verification. Alternatively, additional repeat prompts may aid in memorization. The default value is 1.
2018-05-25 18:55:18 +00:00 · 2018-05-25 18:55:18 +00:00 · a38e5e3bb9
parent b7ff1a4b24
commit a38e5e3bb9
2 changed files with 24 additions and 4 deletions
--- a/enchive.1
+++ b/enchive.1
@ -90,6 +90,12 @@ Prints the public key fingerprint after generation or editing.
 Sets the difficulty exponent for deriving the protection key from the protection key passphrase.
 Default is 25.
 .TP
+\fB\-r\fR \fIN\fR, \fB\-\-repeats\fR \fIN\fR
+Number of repeated passphrase prompts when deriving a secret key.
+It is convenient to set this to zero when relying primarily on fingerprint verification.
+Alternatively, additional repeat prompts may aid in memorization.
+Default is 1.
+.TP
 \fB\-u\fR, \fB\-\-plain\fR
 Do not use a protection key, and instead store the secret key unencrypted on the disk.
 Consider using the key agent instead of this option.
--- a/src/enchive.c
+++ b/src/enchive.c
@ -1150,6 +1150,7 @@ command_keygen(struct optparse *options)
        {"fingerprint", 'i', OPTPARSE_NONE},
        {"iterations",  'k', OPTPARSE_REQUIRED},
        {"plain",       'u', OPTPARSE_NONE},
+        {"repeats",     'r', OPTPARSE_REQUIRED},
        {0, 0, 0}
    };

@ -1164,6 +1165,7 @@ command_keygen(struct optparse *options)
    int edit = 0;
    int protect = 1;
    int fingerprint = 0;
+    int repeats = 1;
    int key_derive_iterations = ENCHIVE_KEY_DERIVE_ITERATIONS;
    int seckey_derive_iterations = ENCHIVE_SECKEY_DERIVE_ITERATIONS;

@ -1208,6 +1210,16 @@ command_keygen(struct optparse *options)
                          arg);
                key_derive_iterations = n;
            } break;
+            case 'r': {
+                char *p;
+                char *arg = options->optarg;
+                long n;
+                errno = 0;
+                n = strtol(arg, &p, 10);
+                if (errno || *p || n < 0 || n >= 256)
+                    fatal("invalid --repeats (-r) -- %s", arg);
+                repeats = n;
+            } break;
            case 'u':
                protect = 0;
                break;
@ -1242,10 +1254,12 @@ command_keygen(struct optparse *options)
        char pass[2][ENCHIVE_PASSPHRASE_MAX];
        get_passphrase(pass[0], sizeof(pass[0]),
                       "secret key passphrase: ");
-        get_passphrase(pass[1], sizeof(pass[0]),
-                       "secret key passphrase (repeat): ");
-        if (strcmp(pass[0], pass[1]) != 0)
-            fatal("secret key passphrases don't match");
+        while (repeats--) {
+            get_passphrase(pass[1], sizeof(pass[0]),
+                           "secret key passphrase (repeat): ");
+            if (strcmp(pass[0], pass[1]) != 0)
+                fatal("secret key passphrases don't match");
+        }
        key_derive(pass[0], secret, seckey_derive_iterations, 0);
        secret[0] &= 248;
        secret[31] &= 127;