Raise Argon2id iterations.

2026-01-12 05:59:14 +00:00 · 2024-05-03 12:41:59 +01:00
parent 1e03c6c1fb
commit 19209b372c
4 changed files with 64 additions and 5 deletions
--- a/vfs/adiantum/adiantum.go
+++ b/vfs/adiantum/adiantum.go
@@ -28,5 +28,5 @@ func (adiantumCreator) KDF(text string) []byte {
 		n, _ := rand.Read(key)
 		return key[:n]
 	}
-	return argon2.IDKey([]byte(text), []byte(pepper), 1, 64*1024, 4, 32)
+	return argon2.IDKey([]byte(text), []byte(pepper), 3, 64*1024, 4, 32)
 }
--- a/vfs/adiantum/adiantum_test.go
+++ b/vfs/adiantum/adiantum_test.go
@@ -0,0 +1,53 @@
+package adiantum_test
+
+import (
+	"path/filepath"
+	"testing"
+
+	"github.com/ncruces/go-sqlite3"
+	_ "github.com/ncruces/go-sqlite3/embed"
+	_ "github.com/ncruces/go-sqlite3/vfs/adiantum"
+)
+
+func Benchmark_nokey(b *testing.B) {
+	tmp := filepath.Join(b.TempDir(), "test.db")
+	sqlite3.Initialize()
+	b.ResetTimer()
+
+	for n := 0; n < b.N; n++ {
+		db, err := sqlite3.Open("file:" + filepath.ToSlash(tmp) + "?nolock=1")
+		if err != nil {
+			b.Fatal(err)
+		}
+		db.Close()
+	}
+}
+func Benchmark_hexkey(b *testing.B) {
+	tmp := filepath.Join(b.TempDir(), "test.db")
+	sqlite3.Initialize()
+	b.ResetTimer()
+
+	for n := 0; n < b.N; n++ {
+		db, err := sqlite3.Open("file:" + filepath.ToSlash(tmp) + "?nolock=1" +
+			"&vfs=adiantum&hexkey=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855")
+		if err != nil {
+			b.Fatal(err)
+		}
+		db.Close()
+	}
+}
+
+func Benchmark_textkey(b *testing.B) {
+	tmp := filepath.Join(b.TempDir(), "test.db")
+	sqlite3.Initialize()
+	b.ResetTimer()
+
+	for n := 0; n < b.N; n++ {
+		db, err := sqlite3.Open("file:" + filepath.ToSlash(tmp) + "?nolock=1" +
+			"&vfs=adiantum&textkey=correct+horse+battery+staple")
+		if err != nil {
+			b.Fatal(err)
+		}
+		db.Close()
+	}
+}
--- a/vfs/adiantum/api.go
+++ b/vfs/adiantum/api.go
@@ -18,12 +18,18 @@
 // However, this makes your key easily accessible to other parts of
 // your application (e.g. through [vfs.Filename.URIParameters]).
 //
-// To avoid this, use any of the following PRAGMAs:
+// To avoid this, invoke any of the following PRAGMAs
+// immediately after opening a connection:
 //
 //	PRAGMA key='D41d8cD98f00b204e9800998eCf8427e';
 //	PRAGMA hexkey='e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855';
 //	PRAGMA textkey='your-secret-key';
 //
+// For an ATTACH-ed database, you must specify the schema name:
+//
+//	ATTACH DATABASE 'demo.db' AS demo;
+//	PRAGMA demo.textkey='your-secret-key';
+//
 // [URI]: https://sqlite.org/uri.html
 package adiantum

--- a/vfs/adiantum/hbsh.go
+++ b/vfs/adiantum/hbsh.go
@@ -21,10 +21,10 @@ func (h *hbshVFS) Open(name string, flags vfs.OpenFlag) (vfs.File, vfs.OpenFlag,
 }

 func (h *hbshVFS) OpenFilename(name *vfs.Filename, flags vfs.OpenFlag) (file vfs.File, _ vfs.OpenFlag, err error) {
-	if h, ok := h.VFS.(vfs.VFSFilename); ok {
-		file, flags, err = h.OpenFilename(name, flags)
+	if hf, ok := h.VFS.(vfs.VFSFilename); ok {
+		file, flags, err = hf.OpenFilename(name, flags)
 	} else {
-		file, flags, err = h.Open(name.String(), flags)
+		file, flags, err = h.VFS.Open(name.String(), flags)
 	}

 	// Encrypt everything except super journals and memory files.