[Qemu-devel] [PATCH v2 6/7] crypto: increase default pbkdf2 time for luk
From: Daniel P. Berrange
Subject: [Qemu-devel] [PATCH v2 6/7] crypto: increase default pbkdf2 time for luks to 2 seconds
Date: Mon, 12 Sep 2016 15:13:42 +0100
cryptsetup recently increased the default pbkdf2 time to 2 seconds
to partially mitigate improvements in hardware performance wrt
brute-forcing the pbkdf algorithm. This updates QEMU defaults to
match.
Reviewed-by: Eric Blake <address@hidden>
Signed-off-by: Daniel P. Berrange <address@hidden>
---
crypto/block-luks.c | 2 +-
qapi/crypto.json | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/crypto/block-luks.c b/crypto/block-luks.c
index 3ab3250..a848232 100644
--- a/crypto/block-luks.c
+++ b/crypto/block-luks.c
@@ -921,7 +921,7 @@ qcrypto_block_luks_create(QCryptoBlock *block,
memcpy(&luks_opts, &options->u.luks, sizeof(luks_opts));
if (!luks_opts.has_iter_time) {
- luks_opts.iter_time = 1000;
+ luks_opts.iter_time = 2000;
}
if (!luks_opts.has_cipher_alg) {
luks_opts.cipher_alg = QCRYPTO_CIPHER_ALG_AES_256;
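Review bot: The new default at `luks_opts.iter_time = 2000;` is a bare literal whose unit (milliseconds) is only stated in the qapi/crypto.json comment, and the same value is now maintained by hand in both files. Consider a named constant with the unit in its name, defined next to qcrypto_block_luks_create(), so the next change to the default touches one obvious place in the C code and the schema comment has something concrete to be checked against.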
diff --git a/qapi/crypto.json b/qapi/crypto.json
index 2b6118f..6933b13 100644
--- a/qapi/crypto.json
+++ b/qapi/crypto.json
@@ -187,7 +187,7 @@
# Currently defaults to 'sha256'
# @iter-time: #optional number of milliseconds to spend in
# PBKDF passphrase processing. Currently defaults
-# to 1000. (since 2.8)
+# to 2000. (since 2.8)
# Since: 2.6
##
{ 'struct': 'QCryptoBlockCreateOptionsLUKS',
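Review bot: The @iter-time comment gives the new default of 2000 but not what the value buys or costs; a reader of the schema only sees "number of milliseconds to spend in PBKDF passphrase processing". Consider adding a sentence saying that the default follows cryptsetup, and that a larger value makes brute-forcing the passphrase more expensive at the price of proportionally slower passphrase processing, so that callers who override it to a lower value know what they are trading away.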
--
2.7.4