[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH v2 2/7] crypto: make PBKDF iterations configurab
From: |
Daniel P. Berrange |
Subject: |
Re: [Qemu-devel] [PATCH v2 2/7] crypto: make PBKDF iterations configurable for LUKS format |
Date: |
Tue, 13 Sep 2016 11:37:26 +0100 |
User-agent: |
Mutt/1.7.0 (2016-08-17) |
On Mon, Sep 12, 2016 at 10:38:25AM -0500, Eric Blake wrote:
> On 09/12/2016 09:13 AM, Daniel P. Berrange wrote:
> > As protection against bruteforcing passphrases, the PBKDF
> > algorithm is tuned by counting the number of iterations
> > needed to produce 1 second of running time. If the machine
> > that the image will be used on is much faster than the
> > machine where the image is created, it can be desirable
> > to raise the number of iterations. This change adds a new
> > 'iter-time' property that allows the user to choose the
> > iteration wallclock time.
> >
> > Signed-off-by: Daniel P. Berrange <address@hidden>
> > ---
>
> > @@ -183,6 +184,11 @@ static QemuOptsList block_crypto_create_opts_luks = {
> > .type = QEMU_OPT_STRING,
> > .help = "Name of encryption hash algorithm",
> > },
> > + {
> > + .name = BLOCK_CRYPTO_OPT_LUKS_ITER_TIME,
> > + .type = QEMU_OPT_NUMBER,
> > + .help = "Time to spend in PBKDF in milliseconds",
>
> Worth mentioning the default of 1000?
I tried to keep all the defaults listed just in the QAPI schema,
to avoid remembering to update multiple docs.
> > @@ -1075,6 +1078,16 @@ qcrypto_block_luks_create(QCryptoBlock *block,
> > goto error;
> > }
> >
> > + if (iters > (ULLONG_MAX / luks_opts.iter_time)) {
> > + error_setg_errno(errp, ERANGE,
> > + "PBKDF iterations %llu too large to scale",
> > + (unsigned long long)iters);
>
> As in 1/7, you seem to prefer casts over PRIu64 :)
>
> > +++ b/qapi/crypto.json
> > @@ -185,6 +185,9 @@
> > # Currently defaults to 'sha256'
> > # @hash-alg: #optional the master key hash algorithm
> > # Currently defaults to 'sha256'
> > +# @iter-time: #optional number of milliseconds to spend in
> > +# PBKDF passphrase processing. Currently defaults
> > +# to 1000. (since 2.8)
>
> Ah, you mentioned the default here.
>
> Reviewed-by: Eric Blake <address@hidden>
>
> --
> Eric Blake eblake redhat com +1-919-301-3266
> Libvirt virtualization library http://libvirt.org
>
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
- [Qemu-devel] [PATCH v2 0/7] crypto: misc tweaks & improvements to pbkdf code, Daniel P. Berrange, 2016/09/12
- [Qemu-devel] [PATCH v2 3/7] crypto: clear out buffer after timing pbkdf algorithm, Daniel P. Berrange, 2016/09/12
- [Qemu-devel] [PATCH v2 2/7] crypto: make PBKDF iterations configurable for LUKS format, Daniel P. Berrange, 2016/09/12
- [Qemu-devel] [PATCH v2 4/7] crypto: use correct derived key size when timing pbkdf, Daniel P. Berrange, 2016/09/12
- [Qemu-devel] [PATCH v2 1/7] crypto: use uint64_t for pbkdf iteration count parameters, Daniel P. Berrange, 2016/09/12
- [Qemu-devel] [PATCH v2 5/7] crypto: remove bogus /= 2 for pbkdf iterations, Daniel P. Berrange, 2016/09/12
- [Qemu-devel] [PATCH v2 6/7] crypto: increase default pbkdf2 time for luks to 2 seconds, Daniel P. Berrange, 2016/09/12
- [Qemu-devel] [PATCH v2 7/7] crypto: support more hash algorithms for pbkdf, Daniel P. Berrange, 2016/09/12
- Re: [Qemu-devel] [PATCH v2 0/7] crypto: misc tweaks & improvements to pbkdf code, no-reply, 2016/09/12