
Warn, if pbkdf2 took longer than 100ms #1428

Closed
wants to merge 3 commits into from

Conversation

michaelortmann

Found by: michaelortmann
Patch by: michaelortmann
Fixes:

One-line summary:
Warn if pbkdf2 took longer than 100ms. Tell the user to consider lowering pbkdf2-rounds.

Additional description (if needed):
Eggdrop should be responsive. That means functions should not block for longer than 100ms. But if the user decides to ignore this, warn only once as long as the pbkdf2-rounds setting isn't changed.

Test cases demonstrating functionality (if applicable):

.console -d
[...]
.set pbkdf2-rounds 300000
[01:55:15] #-HQ# set pbkdf2-rounds 300000
Ok, set.
.chpass testuser 123456
[01:55:22] #-HQ# chpass testuser [something]
Changed password.
.chpass testuser 123456
[01:55:23] #-HQ# chpass testuser [something]
Changed password.
.set pbkdf2-rounds 600000
[01:55:27] #-HQ# set pbkdf2-rounds 600000
Ok, set.
.chpass testuser 123456
[01:55:31] PBKDF2 warning: pbkdf2 method SHA256 rounds 600000 took more than 100ms (user 123.591ms sys 0.000ms). Consider lowering pbkdf2-rounds for eggdrops responsiveness.
[01:55:31] #-HQ# chpass testuser [something]
Changed password.
.chpass testuser 123456
[01:55:32] #-HQ# chpass testuser [something]
Changed password.

@vanosg vanosg added this to the v1.10 milestone Oct 1, 2023
responsiveness = 0;
}
if (((utime + stime) > 100.0) && !responsiveness) {
putlog(LOG_MISC, "*", "PBKDF2 warning: pbkdf2 method %s rounds %i took more than 100ms (user %.3fms sys %.3fms). Consider lowering pbkdf2-rounds for eggdrops responsiveness.",
eggdrop's

src/mod/pbkdf2.mod/pbkdf2.c (review comment on an outdated revision, resolved)
@vanosg vanosg closed this Dec 30, 2023

thommey commented Dec 30, 2023

We are not going to merge this, but I do see why it is challenging to find the right rounds value to set.

Maybe we could implement something like "openssl speed" that would test a few values and benchmark eggdrop on that specific server?


michaelortmann commented Jun 30, 2024

Passwords are botnet-wide, across different servers. A slower server could always be added later.

For reference, on a Raspberry Pi 3 this PR would have logged:

$ uname -a
Linux raspberrypi 6.6.31+rpt-rpi-v8 #1 SMP PREEMPT Debian 1:6.6.31-1+rpt1 (2024-05-29) aarch64 GNU/Linux
.chpass testuser hunter
[09:22:00] pbkdf2 method SHA256 rounds 16000, user 137.310ms sys 0.008ms
[09:22:00] PBKDF2 warning: pbkdf2 method SHA256 rounds 16000 took more than 100ms (user 137.310ms sys 0.008ms). Consider lowering pbkdf2-rounds for eggdrop's responsiveness.

So this PR would have logged a WARNING for the Raspberry Pi 3 because the default rounds took more than 100 ms.

For reference, on a NanoPi NEO (using the commonly used Allwinner H3 CPU) this PR would have logged:

$ uname -a
Linux NanoPi-NEO 4.14.111 #193 SMP Thu Jun 10 18:20:47 CST 2021 armv7l GNU/Linux
.chpass testuser hunter
[12:31:25] pbkdf2 method SHA256 rounds 16000, user 348.961ms sys 0.000ms
[12:31:25] PBKDF2 warning: pbkdf2 method SHA256 rounds 16000 took more than 100ms (user 348.961ms sys 0.000ms). Consider lowering pbkdf2-rounds for eggdrop's responsiveness.

So, for this example, eggdrop's default pbkdf2 rounds config value of 16000 results in blocking eggdrop for 1/3 s for each password creation or verification.
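The two ideas in this thread, the PR's "measure user+sys CPU time and warn once per pbkdf2-rounds setting" check and thommey's "openssl speed"-style calibration, as an added, self-contained example. This is not Eggdrop's code and not the PR's patch: it uses Python's hashlib.pbkdf2_hmac and resource.getrusage (Unix only) in place of Eggdrop's OpenSSL calls, and the names timed_pbkdf2, WarnState, check_responsiveness and calibrate_rounds are this example's own. The slowest_factor parameter is an assumption added to address the point that the botnet is heterogeneous and a slower bot may join later.

```python
"""PBKDF2 cost check and rounds calibration.

Added example, not Eggdrop code. It mirrors the PR's logic (user+sys CPU
time over a 100 ms budget -> warn, but only once until pbkdf2-rounds
changes) and adds a small "openssl speed"-style calibration.
"""
import hashlib
import os
import resource          # Unix only; getrusage gives user/sys time like the C code
import time
from dataclasses import dataclass
from typing import Optional, Tuple

BUDGET_MS = 100.0        # the responsiveness budget the PR proposes


def _cpu_ms() -> Tuple[float, float]:
    """(user_ms, sys_ms) CPU time consumed so far by this process."""
    ru = resource.getrusage(resource.RUSAGE_SELF)
    return ru.ru_utime * 1000.0, ru.ru_stime * 1000.0


def timed_pbkdf2(password: bytes, salt: bytes, rounds: int,
                 method: str = "sha256", dklen: int = 32) -> Tuple[bytes, float, float]:
    """Derive a key and return (key, user_ms, sys_ms) spent on it."""
    u0, s0 = _cpu_ms()
    key = hashlib.pbkdf2_hmac(method, password, salt, rounds, dklen)
    u1, s1 = _cpu_ms()
    return key, u1 - u0, s1 - s0


@dataclass
class WarnState:
    """Remembers the last rounds value seen and whether we already warned for it,
    so the warning fires once and is re-armed only when pbkdf2-rounds changes."""
    last_rounds: Optional[int] = None
    warned: bool = False


def check_responsiveness(state: WarnState, method: str, rounds: int,
                         user_ms: float, sys_ms: float,
                         budget_ms: float = BUDGET_MS) -> Optional[str]:
    """Return the warning text the first time a rounds setting exceeds the budget,
    None otherwise (within budget, or already warned for this setting)."""
    if rounds != state.last_rounds:      # setting changed: re-arm the warning
        state.last_rounds = rounds
        state.warned = False
    if user_ms + sys_ms <= budget_ms or state.warned:
        return None
    state.warned = True
    return (f"PBKDF2 warning: pbkdf2 method {method.upper()} rounds {rounds} took more than "
            f"{budget_ms:.0f}ms (user {user_ms:.3f}ms sys {sys_ms:.3f}ms). "
            f"Consider lowering pbkdf2-rounds for eggdrop's responsiveness.")


def calibrate_rounds(budget_ms: float = BUDGET_MS, method: str = "sha256",
                     probe_rounds: int = 2000, slowest_factor: float = 1.0) -> int:
    """Benchmark this host and return a rounds value expected to fit budget_ms.
    slowest_factor (assumed parameter) scales the estimate for a slower bot
    elsewhere in the botnet; 3.0 means "plan for a bot three times slower"."""
    password, salt = b"calibration-probe", os.urandom(16)   # constructed input
    best_ms = None
    for _ in range(3):                    # take the fastest of three short probes
        t0 = time.perf_counter()          # wall clock: CPU clocks are too coarse here
        hashlib.pbkdf2_hmac(method, password, salt, probe_rounds, 32)
        ms = (time.perf_counter() - t0) * 1000.0
        best_ms = ms if best_ms is None else min(best_ms, ms)
    per_round_ms = max(best_ms, 1e-6) / probe_rounds
    rounds = max(int(budget_ms / (per_round_ms * slowest_factor)), 1)
    # Verify the linear estimate; halve until a real run fits the local budget.
    for _ in range(8):
        _, u, s = timed_pbkdf2(password, salt, rounds, method)
        if (u + s) * slowest_factor <= budget_ms or rounds == 1:
            break
        rounds = max(rounds // 2, 1)
    return rounds


if __name__ == "__main__":
    state = WarnState()
    for rounds in (16000, 300000, 600000, 600000):    # same sequence as the PR's test
        _, u, s = timed_pbkdf2(b"hunter", os.urandom(16), rounds)
        msg = check_responsiveness(state, "sha256", rounds, u, s)
        print(f"rounds {rounds}: user {u:.3f}ms sys {s:.3f}ms -> {msg or 'ok'}")
    print("rounds fitting 100 ms on this host:", calibrate_rounds())
    print("planning for a 3x slower bot:", calibrate_rounds(slowest_factor=3.0))
```

The check deliberately keys off CPU time (user+sys), as the PR does, so a busy host does not trigger false warnings from scheduler delay; the calibration uses wall-clock probes because a 2000-round probe can complete inside one CPU-clock tick. Note that calibrating on one host still only answers for that host, which is the objection raised above: any result has to be divided by the slowness of the weakest bot you expect to share the password database with.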
