[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH v2 2/7] crypto: make PBKDF iterations configurab
|
From: |
Eric Blake |
|
Subject: |
Re: [Qemu-devel] [PATCH v2 2/7] crypto: make PBKDF iterations configurable for LUKS format |
|
Date: |
Mon, 12 Sep 2016 10:38:25 -0500 |
|
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0 |
On 09/12/2016 09:13 AM, Daniel P. Berrange wrote:
> As protection against bruteforcing passphrases, the PBKDF
> algorithm is tuned by counting the number of iterations
> needed to produce 1 second of running time. If the machine
> that the image will be used on is much faster than the
> machine where the image is created, it can be desirable
> to raise the number of iterations. This change adds a new
> 'iter-time' property that allows the user to choose the
> iteration wallclock time.
>
> Signed-off-by: Daniel P. Berrange <address@hidden>
> ---
> @@ -183,6 +184,11 @@ static QemuOptsList block_crypto_create_opts_luks = {
> .type = QEMU_OPT_STRING,
> .help = "Name of encryption hash algorithm",
> },
> + {
> + .name = BLOCK_CRYPTO_OPT_LUKS_ITER_TIME,
> + .type = QEMU_OPT_NUMBER,
> + .help = "Time to spend in PBKDF in milliseconds",
Worth mentioning the default of 1000?
> @@ -1075,6 +1078,16 @@ qcrypto_block_luks_create(QCryptoBlock *block,
> goto error;
> }
>
> + if (iters > (ULLONG_MAX / luks_opts.iter_time)) {
> + error_setg_errno(errp, ERANGE,
> + "PBKDF iterations %llu too large to scale",
> + (unsigned long long)iters);
As in 1/7, you seem to prefer casts over PRIu64 :)
> +++ b/qapi/crypto.json
> @@ -185,6 +185,9 @@
> # Currently defaults to 'sha256'
> # @hash-alg: #optional the master key hash algorithm
> # Currently defaults to 'sha256'
> +# @iter-time: #optional number of milliseconds to spend in
> +# PBKDF passphrase processing. Currently defaults
> +# to 1000. (since 2.8)
Ah, you mentioned the default here.
Reviewed-by: Eric Blake <address@hidden>
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
signature.asc
Description: OpenPGP digital signature
- [Qemu-devel] [PATCH v2 0/7] crypto: misc tweaks & improvements to pbkdf code, Daniel P. Berrange, 2016/09/12
- [Qemu-devel] [PATCH v2 3/7] crypto: clear out buffer after timing pbkdf algorithm, Daniel P. Berrange, 2016/09/12
- [Qemu-devel] [PATCH v2 2/7] crypto: make PBKDF iterations configurable for LUKS format, Daniel P. Berrange, 2016/09/12
- Re: [Qemu-devel] [PATCH v2 2/7] crypto: make PBKDF iterations configurable for LUKS format,
Eric Blake <=
- [Qemu-devel] [PATCH v2 4/7] crypto: use correct derived key size when timing pbkdf, Daniel P. Berrange, 2016/09/12
- [Qemu-devel] [PATCH v2 1/7] crypto: use uint64_t for pbkdf iteration count parameters, Daniel P. Berrange, 2016/09/12
- [Qemu-devel] [PATCH v2 5/7] crypto: remove bogus /= 2 for pbkdf iterations, Daniel P. Berrange, 2016/09/12
- [Qemu-devel] [PATCH v2 6/7] crypto: increase default pbkdf2 time for luks to 2 seconds, Daniel P. Berrange, 2016/09/12
- [Qemu-devel] [PATCH v2 7/7] crypto: support more hash algorithms for pbkdf, Daniel P. Berrange, 2016/09/12
- Re: [Qemu-devel] [PATCH v2 0/7] crypto: misc tweaks & improvements to pbkdf code, no-reply, 2016/09/12