[17] Crypto configuration tuning

d59fceb5 · Daniel Lyubomirov · 2a1b80f6 · d59fceb5 · d59fceb5 · d59fceb5
Verified Commit d59fceb5 authored 4 years ago by Daniel Lyubomirov
--- a/cpp/src/csandbox.cc
+++ b/cpp/src/csandbox.cc
+#include "vereign/crypto/rand.hh"
 #include "vereign/kvstore/sqlite_storage.hh"
 #include <boost/core/ignore_unused.hpp>
 #include <iostream>
 #include <boost/filesystem.hpp>
+#include <openssl/digest.h>
+#include <openssl/evp.h>
 #include <vereign/core/string.hh>

 #include <vereign/bytes/view.hh>
@@ -17,13 +20,5 @@ auto main(int argc, char** argv) -> int {
  boost::ignore_unused(argc);
  boost::ignore_unused(argv);

-  auto dir = fs::TempDir("trtr_");
-  auto rm = fs::RemoveAllGuard{dir};
-  std::cout << dir << std::endl;
-
-  std::ofstream f{fs::path::Join(dir, "hello")};
-  f << "ops";
-  f.close();
-
  return 0;
 }
--- a/cpp/src/vereign/kvstore/detail/base_crypto_storage.cc
+++ b/cpp/src/vereign/kvstore/detail/base_crypto_storage.cc
@@ -17,7 +17,7 @@
 namespace {

  // FIXME: should these be injected and provided by the integrator
-  constexpr int tagSizeBytes = 64;
+  constexpr int tagSizeBytes = 16;
  constexpr int lockRetryCount = 10;
  constexpr auto lockRetrySleep = std::chrono::milliseconds{1000};
 }

--- a/cpp/src/vereign/kvstore/detail/linux_crypto_storage.cc
+++ b/cpp/src/vereign/kvstore/detail/linux_crypto_storage.cc
@@ -17,7 +17,7 @@
 namespace {
  // FIXME: should these be injected and provided by the integrator
  constexpr int iterations = 1 << 18;
-  constexpr int saltSizeBytes = 64;
+  constexpr int saltSizeBytes = 16;
  constexpr int aesKeySizeBytes = 32;

  constexpr int lockRetryCount = 10;
@@ -44,12 +44,13 @@ void CryptoStorageImpl::Open(const std::string& pin) {

  bytes::Buffer key{aesKeySizeBytes};

-  int result = PKCS5_PBKDF2_HMAC_SHA1(
+  int result = PKCS5_PBKDF2_HMAC(
    pin.data(),
    pin.length(),
    salt.View().Data(),
    salt.View().Size(),
    iterations,
+    EVP_sha256(),
    key.FreeCap(),
    key.end()
  );
@@ -70,12 +71,13 @@ void CryptoStorageImpl::Reset(const std::string& pin) {

  bytes::Buffer key{aesKeySizeBytes};

-  int result = PKCS5_PBKDF2_HMAC_SHA1(
+  int result = PKCS5_PBKDF2_HMAC(
    pin.data(),
    pin.length(),
    salt.View().Data(),
    salt.View().Size(),
    iterations,
+    EVP_sha256(),
    key.FreeCap(),
    key.end()
  );