eessppeelllloo/cryptsetup
1
0
Fork 0
mirror of https://gitlab.com/cryptsetup/cryptsetup.git synced 2025-12-05 16:00:05 +01:00
Code Issues Packages Projects Releases Wiki Activity

Do not silently decrease PBKDF parallel cost (threads)

Browse Source 
The maximum parallel cost is set since the introduction of Argon2 to 4.

Do not silently decrease the value (if explicitly set by the option)
but fail instead.
This commit is contained in:
Milan Broz
2025-07-29 16:55:03 +02:00
committed by Ondrej Kozina
parent d77ece493d
commit 4a67af439e
3 changed files with 9 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
lib/utils_pbkdf.c
View File

@@ -169,6 +169,11 @@ int verify_pbkdf_params(struct crypt_device *cd,
log_err(cd, _("Requested maximum PBKDF memory cannot be zero."));
r = -EINVAL;
}
if (pbkdf->parallel_threads > pbkdf_limits.max_parallel) {
log_err(cd, _("Requested maximum PBKDF parallel cost is too high (maximum is %d)."),
pbkdf_limits.max_parallel);
r = -EINVAL;
}
if (!pbkdf->parallel_threads) {
log_err(cd, _("Requested PBKDF parallel threads cannot be zero."));
r = -EINVAL;
@@ -241,12 +246,6 @@ int init_pbkdf_type(struct crypt_device *cd,
cd_pbkdf->max_memory_kb = pbkdf->max_memory_kb;
cd_pbkdf->parallel_threads = pbkdf->parallel_threads;
if (cd_pbkdf->parallel_threads > pbkdf_limits.max_parallel) {
log_dbg(cd, "Maximum PBKDF threads is %d (requested %d).",
pbkdf_limits.max_parallel, cd_pbkdf->parallel_threads);
cd_pbkdf->parallel_threads = pbkdf_limits.max_parallel;
}
/* Do not limit threads by online CPUs if user forced values (no benchmark). */
if (cd_pbkdf->parallel_threads && !(cd_pbkdf->flags & CRYPT_PBKDF_NO_BENCHMARK)) {
cpus = crypt_cpusonline();

4
tests/api-test-2.c
View File

@@ -3044,6 +3044,8 @@ static void Pbkdf(void)
// try to pass illegal values
argon2.parallel_threads = 0;
FAIL_(crypt_set_pbkdf_type(cd, &argon2), "Parallel threads can't be 0");
argon2.parallel_threads = 99;
FAIL_(crypt_set_pbkdf_type(cd, &argon2), "Parallel threads can't be higher than maxiimum");
argon2.parallel_threads = 1;
argon2.max_memory_kb = 0;
FAIL_(crypt_set_pbkdf_type(cd, &argon2), "Memory can't be 0");
@@ -3130,7 +3132,7 @@ static void Pbkdf(void)
argon2.flags = CRYPT_PBKDF_NO_BENCHMARK;
argon2.max_memory_kb = 2 * 1024 * 1024;
argon2.iterations = 6;
argon2.parallel_threads = 8;
argon2.parallel_threads = 4;
OK_(crypt_set_pbkdf_type(cd, &argon2));
NOTNULL_(pbkdf = crypt_get_pbkdf_type(cd));
EQ_(pbkdf->iterations, 6);

1
tests/compat-test2
View File

@@ -1286,6 +1286,7 @@ echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 --pbkdf pbkdf2 --pbkdf-force-
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --pbkdf pbkdf2 --pbkdf-force-iterations 1234 $LOOPDEV || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Iterations:" | grep -q "1234" || fail
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --pbkdf argon2id --pbkdf-force-iterations 3 $LOOPDEV 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --pbkdf argon2id --pbkdf-parallel 99 $LOOPDEV 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --pbkdf argon2id --pbkdf-force-iterations 4 --pbkdf-memory 100000 $LOOPDEV || can_fail_fips
$CRYPTSETUP luksDump $LOOPDEV | grep "PBKDF:" | grep -q "argon2id" || can_fail_fips
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --pbkdf argon2i --pbkdf-force-iterations 4 \