mirror of
https://gitlab.com/cryptsetup/cryptsetup.git
synced 2025-12-14 12:20:00 +01:00
Change PBKDF insterface to allow forced iterations (time cost) count.
Also move functions to separate utils_pbkdf.c file. PBKDF can be now set for any context. TODO: new setting is not covered by tests.
This commit is contained in:
Milan Broz
@@ -48,7 +48,6 @@ static uint64_t opt_offset = 0;
|
||||
static uint64_t opt_skip = 0;
|
||||
static int opt_skip_valid = 0;
|
||||
static int opt_readonly = 0;
|
||||
static int opt_iteration_time = DEFAULT_LUKS1_ITER_TIME;
|
||||
static int opt_version_mode = 0;
|
||||
static int opt_timeout = 0;
|
||||
static int opt_tries = 3;
|
||||
@@ -68,9 +67,12 @@ static int opt_veracrypt = 0;
|
||||
static int opt_veracrypt_pim = -1;
|
||||
static int opt_veracrypt_query_pim = 0;
|
||||
static int opt_deferred_remove = 0;
|
||||
//FIXME: check uint32 overflow for long type
|
||||
static const char *opt_pbkdf = NULL;
|
||||
static long opt_pbkdf_memory = 1024;
|
||||
static long opt_pbkdf_parallel = 2;
|
||||
static long opt_pbkdf_iterations = 0;
|
||||
static int opt_iteration_time = 0;
|
||||
|
||||
static const char **action_argv;
|
||||
static int action_argc;
|
||||
@@ -753,6 +755,27 @@ fail:
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
static int set_pbkdf_params(struct crypt_device *cd, const char *dev_type)
|
||||
{
|
||||
struct crypt_pbkdf_type pbkdf = {};
|
||||
|
||||
if (!strcmp(dev_type, CRYPT_LUKS1)) {
|
||||
if (opt_pbkdf && strcmp(opt_pbkdf, CRYPT_KDF_PBKDF2))
|
||||
return -EINVAL;
|
||||
pbkdf.type = CRYPT_KDF_PBKDF2;
|
||||
pbkdf.hash = opt_hash ?: DEFAULT_LUKS1_HASH;
|
||||
pbkdf.time_ms = opt_iteration_time ?: DEFAULT_LUKS1_ITER_TIME;
|
||||
} else
|
||||
return 0;
|
||||
|
||||
if (opt_pbkdf_iterations) {
|
||||
pbkdf.iterations = opt_pbkdf_iterations;
|
||||
pbkdf.flags |= CRYPT_PBKDF_NO_BENCHMARK;
|
||||
}
|
||||
|
||||
return crypt_set_pbkdf_type(cd, &pbkdf);
|
||||
}
|
||||
|
||||
static int action_luksRepair(void)
|
||||
{
|
||||
struct crypt_device *cd = NULL;
|
||||
@@ -825,9 +848,6 @@ static int action_luksFormat(void)
|
||||
|
||||
keysize = (opt_key_size ?: DEFAULT_LUKS1_KEYBITS) / 8;
|
||||
|
||||
if (opt_iteration_time)
|
||||
crypt_set_iteration_time(cd, opt_iteration_time);
|
||||
|
||||
if (opt_random)
|
||||
crypt_set_rng_type(cd, CRYPT_RNG_RANDOM);
|
||||
else if (opt_urandom)
|
||||
@@ -845,6 +865,12 @@ static int action_luksFormat(void)
|
||||
goto out;
|
||||
}
|
||||
|
||||
r = set_pbkdf_params(cd, CRYPT_LUKS1);
|
||||
if (r) {
|
||||
log_err(_("Failed to set pbkdf parameters.\n"));
|
||||
goto out;
|
||||
}
|
||||
|
||||
r = crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode,
|
||||
opt_uuid, key, keysize, ¶ms);
|
||||
check_signal(&r);
|
||||
@@ -892,9 +918,6 @@ static int action_open_luks(void)
|
||||
goto out;
|
||||
}
|
||||
|
||||
if (opt_iteration_time)
|
||||
crypt_set_iteration_time(cd, opt_iteration_time);
|
||||
|
||||
_set_activation_flags(&activate_flags);
|
||||
|
||||
if (opt_master_key_file) {
|
||||
@@ -1094,8 +1117,11 @@ static int action_luksAddKey(void)
|
||||
opt_force_password = 1;
|
||||
|
||||
keysize = crypt_get_volume_key_size(cd);
|
||||
if (opt_iteration_time)
|
||||
crypt_set_iteration_time(cd, opt_iteration_time);
|
||||
r = set_pbkdf_params(cd, crypt_get_type(cd));
|
||||
if (r) {
|
||||
log_err(_("Failed to set pbkdf parameters.\n"));
|
||||
goto out;
|
||||
}
|
||||
|
||||
if (opt_master_key_file) {
|
||||
r = _read_mk(opt_master_key_file, &key, keysize);
|
||||
@@ -1175,8 +1201,11 @@ static int action_luksChangeKey(void)
|
||||
if (tools_is_cipher_null(crypt_get_cipher(cd)))
|
||||
opt_force_password = 1;
|
||||
|
||||
if (opt_iteration_time)
|
||||
crypt_set_iteration_time(cd, opt_iteration_time);
|
||||
r = set_pbkdf_params(cd, crypt_get_type(cd));
|
||||
if (r) {
|
||||
log_err(_("Failed to set pbkdf parameters.\n"));
|
||||
goto out;
|
||||
}
|
||||
|
||||
r = tools_get_key(_("Enter passphrase to be changed: "),
|
||||
&password, &password_size,
|
||||
@@ -1632,7 +1661,6 @@ int main(int argc, const char **argv)
|
||||
{ "offset", 'o', POPT_ARG_STRING, &popt_tmp, 2, N_("The start offset in the backend device"), N_("SECTORS") },
|
||||
{ "skip", 'p', POPT_ARG_STRING, &popt_tmp, 3, N_("How many sectors of the encrypted data to skip at the beginning"), N_("SECTORS") },
|
||||
{ "readonly", 'r', POPT_ARG_NONE, &opt_readonly, 0, N_("Create a readonly mapping"), NULL },
|
||||
{ "iter-time", 'i', POPT_ARG_INT, &opt_iteration_time, 0, N_("PBKDF2 iteration time for LUKS (in ms)"), N_("msecs") },
|
||||
{ "batch-mode", 'q', POPT_ARG_NONE, &opt_batch_mode, 0, N_("Do not ask for confirmation"), NULL },
|
||||
{ "timeout", 't', POPT_ARG_INT, &opt_timeout, 0, N_("Timeout for interactive passphrase prompt (in seconds)"), N_("secs") },
|
||||
{ "tries", 'T', POPT_ARG_INT, &opt_tries, 0, N_("How often the input of the passphrase can be retried"), NULL },
|
||||
@@ -1656,9 +1684,11 @@ int main(int argc, const char **argv)
|
||||
{ "perf-same_cpu_crypt",'\0', POPT_ARG_NONE, &opt_perf_same_cpu_crypt, 0, N_("Use dm-crypt same_cpu_crypt performance compatibility option."), NULL },
|
||||
{ "perf-submit_from_crypt_cpus",'\0', POPT_ARG_NONE, &opt_perf_submit_from_crypt_cpus,0,N_("Use dm-crypt submit_from_crypt_cpus performance compatibility option."), NULL },
|
||||
{ "deferred", '\0', POPT_ARG_NONE, &opt_deferred_remove, 0, N_("Device removal is deferred until the last user closes it."), NULL },
|
||||
{ "pbkdf", '\0', POPT_ARG_STRING, &opt_pbkdf, 0, N_("Password-based key derivation algorithm (PBKDF) for LUKS2 (argon2/pbkdf2)."), NULL },
|
||||
{ "pbkdf-memory", '\0', POPT_ARG_LONG, &opt_pbkdf_memory, 0, N_("Password-based key derivation algorithm (PBKDF) memory cost limit"), N_("kilobytes") },
|
||||
{ "pbkdf-parallel", '\0', POPT_ARG_LONG, &opt_pbkdf_parallel, 0, N_("Password-based key derivation algorithm (PBKDF) parallel cost "), N_("threads") },
|
||||
{ "iter-time", 'i', POPT_ARG_INT, &opt_iteration_time, 0, N_("PBKDF iteration time for LUKS (in ms)"), N_("msecs") },
|
||||
{ "pbkdf", '\0', POPT_ARG_STRING, &opt_pbkdf, 0, N_("PBKDF algorithm (for LUKS2) (argon2i/argon2id/pbkdf2)."), NULL },
|
||||
{ "pbkdf-memory", '\0', POPT_ARG_LONG, &opt_pbkdf_memory, 0, N_("PBKDF memory cost limit"), N_("kilobytes") },
|
||||
{ "pbkdf-parallel", '\0', POPT_ARG_LONG, &opt_pbkdf_parallel, 0, N_("PBKDF parallel cost "), N_("threads") },
|
||||
{ "pbkdf-force-iterations",'\0',POPT_ARG_LONG, &opt_pbkdf_iterations, 0, N_("PBKDF iterations cost (forced, disables benchmark)"), NULL },
|
||||
POPT_TABLEEND
|
||||
};
|
||||
poptContext popt_context;
|
||||
@@ -1915,6 +1945,16 @@ int main(int argc, const char **argv)
|
||||
}
|
||||
}
|
||||
|
||||
if (opt_pbkdf && crypt_parse_pbkdf(opt_pbkdf, &opt_pbkdf))
|
||||
usage(popt_context, EXIT_FAILURE,
|
||||
_("PBKDF can be only pbkdf2 or argon2i/argon2id.\n"),
|
||||
poptGetInvocationName(popt_context));
|
||||
|
||||
if (opt_pbkdf_iterations && opt_iteration_time)
|
||||
usage(popt_context, EXIT_FAILURE,
|
||||
_("PBKDF forced iterations cannot be combined with iteration time option.\n"),
|
||||
poptGetInvocationName(popt_context));
|
||||
|
||||
if (opt_debug) {
|
||||
opt_verbose = 1;
|
||||
crypt_set_debug_level(-1);
|
||||
|
||||
Reference in New Issue
Block a user