"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "lib/utils_pbkdf.c" between
cryptsetup-2.0.6.tar.xz and cryptsetup-2.1.0.tar.xz

About: cryptsetup is a utility used to conveniently setup disk encryption based on the dm-crypt kernel module. These include plain dm-crypt volumes, LUKS volumes, loop-AES and TrueCrypt compatible format.

utils_pbkdf.c  (cryptsetup-2.0.6.tar.xz):utils_pbkdf.c  (cryptsetup-2.1.0.tar.xz)
/* /*
* utils_pbkdf - PBKDF ssettings for libcryptsetup * utils_pbkdf - PBKDF settings for libcryptsetup
* *
* Copyright (C) 2009-2018, Red Hat, Inc. All rights reserved. * Copyright (C) 2009-2019 Red Hat, Inc. All rights reserved.
* Copyright (C) 2009-2018, Milan Broz * Copyright (C) 2009-2019 Milan Broz
* *
* This program is free software; you can redistribute it and/or * This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License * modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2 * as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version. * of the License, or (at your option) any later version.
* *
* This program is distributed in the hope that it will be useful, * This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of * but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details. * GNU General Public License for more details.
skipping to change at line 27 skipping to change at line 27
* You should have received a copy of the GNU General Public License * You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software * along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/ */
#include <stdlib.h> #include <stdlib.h>
#include <errno.h> #include <errno.h>
#include "internal.h" #include "internal.h"
const struct crypt_pbkdf_type default_luks2 = { const struct crypt_pbkdf_type default_pbkdf2 = {
.type = DEFAULT_LUKS2_PBKDF, .type = CRYPT_KDF_PBKDF2,
.hash = DEFAULT_LUKS1_HASH,
.time_ms = DEFAULT_LUKS1_ITER_TIME
};
const struct crypt_pbkdf_type default_argon2i = {
.type = CRYPT_KDF_ARGON2I,
.hash = DEFAULT_LUKS1_HASH, .hash = DEFAULT_LUKS1_HASH,
.time_ms = DEFAULT_LUKS2_ITER_TIME, .time_ms = DEFAULT_LUKS2_ITER_TIME,
.max_memory_kb = DEFAULT_LUKS2_MEMORY_KB, .max_memory_kb = DEFAULT_LUKS2_MEMORY_KB,
.parallel_threads = DEFAULT_LUKS2_PARALLEL_THREADS .parallel_threads = DEFAULT_LUKS2_PARALLEL_THREADS
}; };
const struct crypt_pbkdf_type default_luks1 = { const struct crypt_pbkdf_type default_argon2id = {
.type = CRYPT_KDF_PBKDF2, .type = CRYPT_KDF_ARGON2ID,
.hash = DEFAULT_LUKS1_HASH, .hash = DEFAULT_LUKS1_HASH,
.time_ms = DEFAULT_LUKS1_ITER_TIME .time_ms = DEFAULT_LUKS2_ITER_TIME,
.max_memory_kb = DEFAULT_LUKS2_MEMORY_KB,
.parallel_threads = DEFAULT_LUKS2_PARALLEL_THREADS
}; };
const struct crypt_pbkdf_type *crypt_get_pbkdf_type_params(const char *pbkdf_typ
e)
{
if (!pbkdf_type)
return NULL;
if (!strcmp(pbkdf_type, CRYPT_KDF_PBKDF2))
return &default_pbkdf2;
else if (!strcmp(pbkdf_type, CRYPT_KDF_ARGON2I))
return &default_argon2i;
else if (!strcmp(pbkdf_type, CRYPT_KDF_ARGON2ID))
return &default_argon2id;
return NULL;
}
static uint32_t adjusted_phys_memory(void) static uint32_t adjusted_phys_memory(void)
{ {
uint64_t memory_kb = crypt_getphysmemory_kb(); uint64_t memory_kb = crypt_getphysmemory_kb();
/* Ignore bogus value */ /* Ignore bogus value */
if (memory_kb < (128 * 1024) || memory_kb > UINT32_MAX) if (memory_kb < (128 * 1024) || memory_kb > UINT32_MAX)
return DEFAULT_LUKS2_MEMORY_KB; return DEFAULT_LUKS2_MEMORY_KB;
/* /*
* Never use more than half of physical memory. * Never use more than half of physical memory.
skipping to change at line 159 skipping to change at line 182
const struct crypt_pbkdf_type *pbkdf, const struct crypt_pbkdf_type *pbkdf,
const char *dev_type) const char *dev_type)
{ {
struct crypt_pbkdf_type *cd_pbkdf = crypt_get_pbkdf(cd); struct crypt_pbkdf_type *cd_pbkdf = crypt_get_pbkdf(cd);
struct crypt_pbkdf_limits pbkdf_limits; struct crypt_pbkdf_limits pbkdf_limits;
const char *hash, *type; const char *hash, *type;
unsigned cpus; unsigned cpus;
uint32_t old_flags, memory_kb; uint32_t old_flags, memory_kb;
int r; int r;
if (crypt_fips_mode()) {
if (pbkdf && strcmp(pbkdf->type, CRYPT_KDF_PBKDF2)) {
log_err(cd, "Only PBKDF2 is supported in FIPS mode.");
return -EINVAL;
}
if (!pbkdf)
pbkdf = crypt_get_pbkdf_type_params(CRYPT_KDF_PBKDF2);
}
if (!pbkdf && dev_type && !strcmp(dev_type, CRYPT_LUKS2)) if (!pbkdf && dev_type && !strcmp(dev_type, CRYPT_LUKS2))
pbkdf = &default_luks2; pbkdf = crypt_get_pbkdf_type_params(DEFAULT_LUKS2_PBKDF);
else if (!pbkdf) else if (!pbkdf)
pbkdf = &default_luks1; pbkdf = crypt_get_pbkdf_type_params(CRYPT_KDF_PBKDF2);
r = verify_pbkdf_params(cd, pbkdf); r = verify_pbkdf_params(cd, pbkdf);
if (r) if (r)
return r; return r;
r = crypt_pbkdf_get_limits(pbkdf->type, &pbkdf_limits); r = crypt_pbkdf_get_limits(pbkdf->type, &pbkdf_limits);
if (r < 0) if (r < 0)
return r; return r;
type = strdup(pbkdf->type); type = strdup(pbkdf->type);
skipping to change at line 204 skipping to change at line 236
if (old_flags & CRYPT_PBKDF_ITER_TIME_SET) if (old_flags & CRYPT_PBKDF_ITER_TIME_SET)
cd_pbkdf->flags |= CRYPT_PBKDF_ITER_TIME_SET; cd_pbkdf->flags |= CRYPT_PBKDF_ITER_TIME_SET;
else else
cd_pbkdf->time_ms = pbkdf->time_ms; cd_pbkdf->time_ms = pbkdf->time_ms;
cd_pbkdf->max_memory_kb = pbkdf->max_memory_kb; cd_pbkdf->max_memory_kb = pbkdf->max_memory_kb;
cd_pbkdf->parallel_threads = pbkdf->parallel_threads; cd_pbkdf->parallel_threads = pbkdf->parallel_threads;
if (cd_pbkdf->parallel_threads > pbkdf_limits.max_parallel) { if (cd_pbkdf->parallel_threads > pbkdf_limits.max_parallel) {
log_dbg("Maximum PBKDF threads is %d (requested %d).", log_dbg(cd, "Maximum PBKDF threads is %d (requested %d).",
pbkdf_limits.max_parallel, cd_pbkdf->parallel_threads); pbkdf_limits.max_parallel, cd_pbkdf->parallel_threads);
cd_pbkdf->parallel_threads = pbkdf_limits.max_parallel; cd_pbkdf->parallel_threads = pbkdf_limits.max_parallel;
} }
if (cd_pbkdf->parallel_threads) { if (cd_pbkdf->parallel_threads) {
cpus = crypt_cpusonline(); cpus = crypt_cpusonline();
if (cd_pbkdf->parallel_threads > cpus) { if (cd_pbkdf->parallel_threads > cpus) {
log_dbg("Only %u active CPUs detected, " log_dbg(cd, "Only %u active CPUs detected, "
"PBKDF threads decreased from %d to %d.", "PBKDF threads decreased from %d to %d.",
cpus, cd_pbkdf->parallel_threads, cpus); cpus, cd_pbkdf->parallel_threads, cpus);
cd_pbkdf->parallel_threads = cpus; cd_pbkdf->parallel_threads = cpus;
} }
} }
if (cd_pbkdf->max_memory_kb) { if (cd_pbkdf->max_memory_kb) {
memory_kb = adjusted_phys_memory(); memory_kb = adjusted_phys_memory();
if (cd_pbkdf->max_memory_kb > memory_kb) { if (cd_pbkdf->max_memory_kb > memory_kb) {
log_dbg("Not enough physical memory detected, " log_dbg(cd, "Not enough physical memory detected, "
"PBKDF max memory decreased from %dkB to %dkB.", "PBKDF max memory decreased from %dkB to %dkB.",
cd_pbkdf->max_memory_kb, memory_kb); cd_pbkdf->max_memory_kb, memory_kb);
cd_pbkdf->max_memory_kb = memory_kb; cd_pbkdf->max_memory_kb = memory_kb;
} }
} }
log_dbg("PBKDF %s, hash %s, time_ms %u (iterations %u), max_memory_kb %u, parallel_threads %u.", log_dbg(cd, "PBKDF %s, hash %s, time_ms %u (iterations %u), max_memory_kb %u, parallel_threads %u.",
cd_pbkdf->type ?: "(none)", cd_pbkdf->hash ?: "(none)", cd_pbkdf- >time_ms, cd_pbkdf->type ?: "(none)", cd_pbkdf->hash ?: "(none)", cd_pbkdf- >time_ms,
cd_pbkdf->iterations, cd_pbkdf->max_memory_kb, cd_pbkdf->parallel _threads); cd_pbkdf->iterations, cd_pbkdf->max_memory_kb, cd_pbkdf->parallel _threads);
return 0; return 0;
} }
/* Libcryptsetup API */ /* Libcryptsetup API */
int crypt_set_pbkdf_type(struct crypt_device *cd, const struct crypt_pbkdf_type *pbkdf) int crypt_set_pbkdf_type(struct crypt_device *cd, const struct crypt_pbkdf_type *pbkdf)
{ {
if (!cd) if (!cd)
return -EINVAL; return -EINVAL;
if (!pbkdf) if (!pbkdf)
log_dbg("Resetting pbkdf type to default"); log_dbg(cd, "Resetting pbkdf type to default");
crypt_get_pbkdf(cd)->flags = 0; crypt_get_pbkdf(cd)->flags = 0;
return init_pbkdf_type(cd, pbkdf, crypt_get_type(cd)); return init_pbkdf_type(cd, pbkdf, crypt_get_type(cd));
} }
const struct crypt_pbkdf_type *crypt_get_pbkdf_type(struct crypt_device *cd) const struct crypt_pbkdf_type *crypt_get_pbkdf_type(struct crypt_device *cd)
{ {
if (!cd) if (!cd)
return NULL; return NULL;
return crypt_get_pbkdf(cd)->type ? crypt_get_pbkdf(cd) : NULL; return crypt_get_pbkdf(cd)->type ? crypt_get_pbkdf(cd) : NULL;
} }
const struct crypt_pbkdf_type *crypt_get_pbkdf_default(const char *type) const struct crypt_pbkdf_type *crypt_get_pbkdf_default(const char *type)
{ {
if (!type) if (!type)
return NULL; return NULL;
if (!strcmp(type, CRYPT_LUKS1)) if (!strcmp(type, CRYPT_LUKS1) || crypt_fips_mode())
return &default_luks1; return crypt_get_pbkdf_type_params(CRYPT_KDF_PBKDF2);
else if (!strcmp(type, CRYPT_LUKS2)) else if (!strcmp(type, CRYPT_LUKS2))
return &default_luks2; return crypt_get_pbkdf_type_params(DEFAULT_LUKS2_PBKDF);
return NULL; return NULL;
} }
void crypt_set_iteration_time(struct crypt_device *cd, uint64_t iteration_time_m s) void crypt_set_iteration_time(struct crypt_device *cd, uint64_t iteration_time_m s)
{ {
struct crypt_pbkdf_type *pbkdf; struct crypt_pbkdf_type *pbkdf;
uint32_t old_time_ms; uint32_t old_time_ms;
if (!cd || iteration_time_ms > UINT32_MAX) if (!cd || iteration_time_ms > UINT32_MAX)
return; return;
pbkdf = crypt_get_pbkdf(cd); pbkdf = crypt_get_pbkdf(cd);
old_time_ms = pbkdf->time_ms; old_time_ms = pbkdf->time_ms;
pbkdf->time_ms = (uint32_t)iteration_time_ms; pbkdf->time_ms = (uint32_t)iteration_time_ms;
if (pbkdf->type && verify_pbkdf_params(cd, pbkdf)) { if (pbkdf->type && verify_pbkdf_params(cd, pbkdf)) {
pbkdf->time_ms = old_time_ms; pbkdf->time_ms = old_time_ms;
log_dbg("Invalid iteration time."); log_dbg(cd, "Invalid iteration time.");
return; return;
} }
pbkdf->flags |= CRYPT_PBKDF_ITER_TIME_SET; pbkdf->flags |= CRYPT_PBKDF_ITER_TIME_SET;
/* iterations must be benchmarked now */ /* iterations must be benchmarked now */
pbkdf->flags &= ~(CRYPT_PBKDF_NO_BENCHMARK); pbkdf->flags &= ~(CRYPT_PBKDF_NO_BENCHMARK);
pbkdf->iterations = 0; pbkdf->iterations = 0;
log_dbg("Iteration time set to %" PRIu64 " milliseconds.", iteration_time _ms); log_dbg(cd, "Iteration time set to %" PRIu64 " milliseconds.", iteration_ time_ms);
} }
 End of changes. 18 change blocks. 
20 lines changed or deleted 53 lines changed or added

Home  |  About  |  Features  |  All  |  Newest  |  Dox  |  Diffs  |  RSS Feeds  |  Screenshots  |  Comments  |  Imprint  |  Privacy  |  HTTP(S)