From: Fam Zheng <famz@redhat.com>
To: "Daniel P. Berrange" <berrange@redhat.com>
Cc: Kevin Wolf <kwolf@redhat.com>,
qemu-devel@nongnu.org, qemu-block@nongnu.org
Subject: Re: [Qemu-devel] [PATCH v2 03/17] crypto: add support for PBKDF2 algorithm
Date: Thu, 21 Jan 2016 14:59:24 +0800 [thread overview]
Message-ID: <20160121065924.GE31960@ad.usersys.redhat.com> (raw)
In-Reply-To: <1453311539-1193-4-git-send-email-berrange@redhat.com>
On Wed, 01/20 17:38, Daniel P. Berrange wrote:
> The LUKS data format includes use of PBKDF2 (Password-Based
> Key Derivation Function). The Nettle library can provide
> an implementation of this, but we don't want code directly
> depending on a specific crypto library backend. Introduce
> a include/crypto/pbkdf.h header which defines a QEMU
> API for invoking PBKDK2. The initial implementations are
> backed by nettle & gcrypt, which are commonly available
> with distros shipping GNUTLS.
>
> The test suite data is taken from the cryptsetup codebase
> under the LGPLv2.1+ license. This merely aims to verify
> that whatever backend we provide for this function in QEMU
> will comply with the spec.
>
> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
> ---
> crypto/Makefile.objs | 6 +-
> crypto/pbkdf-gcrypt.c | 65 ++++++++
> crypto/pbkdf-nettle.c | 64 ++++++++
> crypto/pbkdf-stub.c | 41 +++++
> crypto/pbkdf.c | 68 +++++++++
> include/crypto/pbkdf.h | 152 +++++++++++++++++++
> tests/.gitignore | 1 +
> tests/Makefile | 2 +
> tests/test-crypto-pbkdf.c | 378 ++++++++++++++++++++++++++++++++++++++++++++++
> 9 files changed, 776 insertions(+), 1 deletion(-)
> create mode 100644 crypto/pbkdf-gcrypt.c
> create mode 100644 crypto/pbkdf-nettle.c
> create mode 100644 crypto/pbkdf-stub.c
> create mode 100644 crypto/pbkdf.c
> create mode 100644 include/crypto/pbkdf.h
> create mode 100644 tests/test-crypto-pbkdf.c
>
> diff --git a/crypto/Makefile.objs b/crypto/Makefile.objs
> index 1802ff5..4d2cd3e 100644
> --- a/crypto/Makefile.objs
> +++ b/crypto/Makefile.objs
> @@ -10,8 +10,12 @@ crypto-obj-y += tlssession.o
> crypto-obj-y += secret.o
> crypto-obj-$(if $(CONFIG_GNUTLS),n,$(CONFIG_GCRYPT)) += random-gcrypt.o
> crypto-obj-$(CONFIG_GNUTLS) += random-gnutls.o
> +crypto-obj-y += pbkdf.o
> +crypto-obj-$(CONFIG_NETTLE) += pbkdf-nettle.o
> +crypto-obj-$(if $(CONFIG_NETTLE),n,$(CONFIG_GCRYPT)) += pbkdf-gcrypt.o
>
> # Let the userspace emulators avoid linking gnutls/etc
> crypto-aes-obj-y = aes.o
>
> -stub-obj-y += random-stub.o
> \ No newline at end of file
> +stub-obj-y += random-stub.o
> +stub-obj-y += pbkdf-stub.o
> diff --git a/crypto/pbkdf-gcrypt.c b/crypto/pbkdf-gcrypt.c
> new file mode 100644
> index 0000000..94abcf8
> --- /dev/null
> +++ b/crypto/pbkdf-gcrypt.c
> @@ -0,0 +1,65 @@
> +/*
> + * QEMU Crypto PBKDF support (Password-Based Key Derivation Function)
> + *
> + * Copyright (c) 2015-2016 Red Hat, Inc.
> + *
> + * This library is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU Lesser General Public
> + * License as published by the Free Software Foundation; either
> + * version 2 of the License, or (at your option) any later version.
> + *
> + * This library is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * Lesser General Public License for more details.
> + *
> + * You should have received a copy of the GNU Lesser General Public
> + * License along with this library; if not, see <http://www.gnu.org/licenses/>.
> + *
> + */
> +
> +#include "crypto/pbkdf.h"
> +#include "gcrypt.h"
> +
> +bool qcrypto_pbkdf2_supports(QCryptoHashAlgorithm hash)
> +{
> + switch (hash) {
> + case QCRYPTO_HASH_ALG_SHA1:
> + case QCRYPTO_HASH_ALG_SHA256:
> + return true;
> + default:
> + return false;
> + }
> +}
> +
> +int qcrypto_pbkdf2(QCryptoHashAlgorithm hash,
> + const uint8_t *key, size_t nkey,
> + const uint8_t *salt, size_t nsalt,
> + unsigned int iterations,
> + uint8_t *out, size_t nout,
> + Error **errp)
> +{
> + static const int hash_map[QCRYPTO_HASH_ALG__MAX] = {
> + [QCRYPTO_HASH_ALG_MD5] = GCRY_MD_MD5,
> + [QCRYPTO_HASH_ALG_SHA1] = GCRY_MD_SHA1,
> + [QCRYPTO_HASH_ALG_SHA256] = GCRY_MD_SHA256,
> + };
> + int ret;
> +
> + if (hash > G_N_ELEMENTS(hash_map)) {
Do you want ">="?
> + error_setg(errp, "Unexpected hash algorithm %d", hash);
> + return -1;
> + }
> +
> + ret = gcry_kdf_derive(key, nkey, GCRY_KDF_PBKDF2,
> + hash_map[hash],
> + salt, nsalt, iterations,
> + nout, out);
We go ahead with QCRYPTO_HASH_ALG_MD5 here, but we didn't accept it in
qcrypto_pbkdf2_supports, is that a mistake?
> + if (ret != 0) {
> + error_setg(errp, "Cannot derive password: %s",
> + gcry_strerror(ret));
> + return -1;
> + }
> +
> + return 0;
> +}
> diff --git a/crypto/pbkdf-nettle.c b/crypto/pbkdf-nettle.c
> new file mode 100644
> index 0000000..b0f2d8e
> --- /dev/null
> +++ b/crypto/pbkdf-nettle.c
> @@ -0,0 +1,64 @@
> +/*
> + * QEMU Crypto PBKDF support (Password-Based Key Derivation Function)
> + *
> + * Copyright (c) 2015-2016 Red Hat, Inc.
> + *
> + * This library is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU Lesser General Public
> + * License as published by the Free Software Foundation; either
> + * version 2 of the License, or (at your option) any later version.
> + *
> + * This library is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * Lesser General Public License for more details.
> + *
> + * You should have received a copy of the GNU Lesser General Public
> + * License along with this library; if not, see <http://www.gnu.org/licenses/>.
> + *
> + */
> +
> +#include "crypto/pbkdf.h"
> +#include "nettle/pbkdf2.h"
> +
> +
> +bool qcrypto_pbkdf2_supports(QCryptoHashAlgorithm hash)
> +{
> + switch (hash) {
> + case QCRYPTO_HASH_ALG_SHA1:
> + case QCRYPTO_HASH_ALG_SHA256:
> + return true;
> + default:
> + return false;
> + }
> +}
> +
> +int qcrypto_pbkdf2(QCryptoHashAlgorithm hash,
> + const uint8_t *key, size_t nkey,
> + const uint8_t *salt, size_t nsalt,
> + unsigned int iterations,
> + uint8_t *out, size_t nout,
> + Error **errp)
> +{
> + switch (hash) {
> + case QCRYPTO_HASH_ALG_SHA1:
> + pbkdf2_hmac_sha1(nkey, key,
> + iterations,
> + nsalt, salt,
> + nout, out);
> + break;
> +
> + case QCRYPTO_HASH_ALG_SHA256:
> + pbkdf2_hmac_sha256(nkey, key,
> + iterations,
> + nsalt, salt,
> + nout, out);
> + break;
> +
> + default:
> + error_setg_errno(errp, ENOSYS,
> + "PBKDF does not support hash algorithm %d", hash);
> + return -1;
> + }
> + return 0;
> +}
> diff --git a/crypto/pbkdf-stub.c b/crypto/pbkdf-stub.c
> new file mode 100644
> index 0000000..73a08c3
> --- /dev/null
> +++ b/crypto/pbkdf-stub.c
> @@ -0,0 +1,41 @@
> +/*
> + * QEMU Crypto PBKDF support (Password-Based Key Derivation Function)
> + *
> + * Copyright (c) 2015-2016 Red Hat, Inc.
> + *
> + * This library is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU Lesser General Public
> + * License as published by the Free Software Foundation; either
> + * version 2 of the License, or (at your option) any later version.
> + *
> + * This library is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * Lesser General Public License for more details.
> + *
> + * You should have received a copy of the GNU Lesser General Public
> + * License along with this library; if not, see <http://www.gnu.org/licenses/>.
> + *
> + */
> +
> +#include "crypto/pbkdf.h"
> +
> +bool qcrypto_pbkdf2_supports(QCryptoHashAlgorithm hash)
Missing G_GNUC_UNUSED to be consistent with the rest of the file, doesn't
hurt though.
> +{
> + return false;
> +}
> +
> +int qcrypto_pbkdf2(QCryptoHashAlgorithm hash G_GNUC_UNUSED,
> + const uint8_t *key G_GNUC_UNUSED,
> + size_t nkey G_GNUC_UNUSED,
> + const uint8_t *salt G_GNUC_UNUSED,
> + size_t nsalt G_GNUC_UNUSED,
> + unsigned int iterations G_GNUC_UNUSED,
> + uint8_t *out G_GNUC_UNUSED,
> + size_t nout G_GNUC_UNUSED,
> + Error **errp)
> +{
> + error_setg_errno(errp, ENOSYS,
> + "No crypto library supporting PBKDF in this build");
> + return -1;
> +}
> diff --git a/crypto/pbkdf.c b/crypto/pbkdf.c
> new file mode 100644
> index 0000000..71f96cd
> --- /dev/null
> +++ b/crypto/pbkdf.c
> @@ -0,0 +1,68 @@
> +/*
> + * QEMU Crypto PBKDF support (Password-Based Key Derivation Function)
> + *
> + * Copyright (c) 2015-2016 Red Hat, Inc.
> + *
> + * This library is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU Lesser General Public
> + * License as published by the Free Software Foundation; either
> + * version 2 of the License, or (at your option) any later version.
> + *
> + * This library is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * Lesser General Public License for more details.
> + *
> + * You should have received a copy of the GNU Lesser General Public
> + * License along with this library; if not, see <http://www.gnu.org/licenses/>.
> + *
> + */
> +
> +#include "crypto/pbkdf.h"
> +#include <sys/resource.h>
> +
> +
> +int qcrypto_pbkdf2_count_iters(QCryptoHashAlgorithm hash,
> + const uint8_t *key, size_t nkey,
> + const uint8_t *salt, size_t nsalt,
> + Error **errp)
> +{
> + uint8_t out[32];
> + int iterations = (1 << 15);
To be safe from overflow, I'd use at least 64 bits to do the math, just in case
that some machine is too good at computing this stuff. :)
> + struct rusage start, end;
> + unsigned long long delta;
> +
> + while (1) {
> + if (getrusage(RUSAGE_THREAD, &start) < 0) {
> + error_setg_errno(errp, errno, "Unable to get thread CPU usage");
> + return -1;
> + }
> + if (qcrypto_pbkdf2(hash,
> + key, nkey,
> + salt, nsalt,
> + iterations,
> + out, sizeof(out),
> + errp) < 0) {
> + return -1;
> + }
> + if (getrusage(RUSAGE_THREAD, &end) < 0) {
> + error_setg_errno(errp, errno, "Unable to get thread CPU usage");
> + return -1;
> + }
> +
> + delta = (((end.ru_utime.tv_sec * 1000ll) +
> + (end.ru_utime.tv_usec / 1000)) -
> + ((start.ru_utime.tv_sec * 1000ll) +
> + (start.ru_utime.tv_usec / 1000)));
> +
> + if (delta > 500) {
> + break;
> + } else if (delta < 100) {
> + iterations = iterations * 10;
> + } else {
> + iterations = (iterations * 1000 / delta);
> + }
> + }
> +
> + return iterations * 1000 / delta;
> +}
> diff --git a/include/crypto/pbkdf.h b/include/crypto/pbkdf.h
> new file mode 100644
> index 0000000..a5e8267
> --- /dev/null
> +++ b/include/crypto/pbkdf.h
> @@ -0,0 +1,152 @@
> +/*
> + * QEMU Crypto PBKDF support (Password-Based Key Derivation Function)
> + *
> + * Copyright (c) 2015-2016 Red Hat, Inc.
> + *
> + * This library is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU Lesser General Public
> + * License as published by the Free Software Foundation; either
> + * version 2 of the License, or (at your option) any later version.
> + *
> + * This library is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * Lesser General Public License for more details.
> + *
> + * You should have received a copy of the GNU Lesser General Public
> + * License along with this library; if not, see <http://www.gnu.org/licenses/>.
> + *
> + */
> +
> +#ifndef QCRYPTO_PBKDF_H__
> +#define QCRYPTO_PBKDF_H__
> +
> +#include "crypto/hash.h"
> +
> +/**
> + * This module provides an interface to the PBKDF2 algorithm
> + *
> + * https://en.wikipedia.org/wiki/PBKDF2
> + *
> + * <example>
> + * <title>Generating a AES encryption key from a user password</title>
s/a AES/an AES/ ?
> + * <programlisting>
next prev parent reply other threads:[~2016-01-21 6:59 UTC|newest]
Thread overview: 69+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-20 17:38 [Qemu-devel] [PATCH v2 00/17] Support LUKS encryption in block devices Daniel P. Berrange
2016-01-20 17:38 ` [Qemu-devel] [PATCH v2 01/17] crypto: ensure qcrypto_hash_digest_len is always defined Daniel P. Berrange
2016-01-21 6:12 ` Fam Zheng
2016-01-20 17:38 ` [Qemu-devel] [PATCH v2 02/17] crypto: add cryptographic random byte source Daniel P. Berrange
2016-01-21 6:12 ` Fam Zheng
2016-01-21 8:59 ` Daniel P. Berrange
2016-02-04 17:44 ` Eric Blake
2016-01-20 17:38 ` [Qemu-devel] [PATCH v2 03/17] crypto: add support for PBKDF2 algorithm Daniel P. Berrange
2016-01-21 6:59 ` Fam Zheng [this message]
2016-01-21 10:59 ` Daniel P. Berrange
2016-02-04 22:14 ` Eric Blake
2016-02-05 9:23 ` Daniel P. Berrange
2016-02-05 10:13 ` Daniel P. Berrange
2016-01-20 17:38 ` [Qemu-devel] [PATCH v2 04/17] crypto: add support for generating initialization vectors Daniel P. Berrange
2016-01-21 7:51 ` Fam Zheng
2016-01-21 11:00 ` Daniel P. Berrange
2016-02-04 22:57 ` Eric Blake
2016-02-05 10:23 ` Daniel P. Berrange
2016-02-05 13:23 ` Daniel P. Berrange
2016-01-20 17:38 ` [Qemu-devel] [PATCH v2 05/17] crypto: add support for anti-forensic split algorithm Daniel P. Berrange
2016-01-21 8:37 ` Fam Zheng
2016-01-21 11:01 ` Daniel P. Berrange
2016-02-04 23:26 ` Eric Blake
2016-02-05 12:37 ` Daniel P. Berrange
2016-02-05 12:39 ` Daniel P. Berrange
2016-01-20 17:38 ` [Qemu-devel] [PATCH v2 06/17] crypto: add block encryption framework Daniel P. Berrange
2016-02-05 0:23 ` Eric Blake
2016-02-05 12:43 ` Daniel P. Berrange
2016-02-05 18:48 ` Eric Blake
2016-01-20 17:38 ` [Qemu-devel] [PATCH v2 07/17] crypto: implement the LUKS block encryption format Daniel P. Berrange
2016-02-05 17:38 ` Eric Blake
2016-02-08 16:03 ` Daniel P. Berrange
2016-01-20 17:38 ` [Qemu-devel] [PATCH v2 08/17] block: add flag to indicate that no I/O will be performed Daniel P. Berrange
2016-02-05 19:08 ` Eric Blake
2016-01-20 17:38 ` [Qemu-devel] [PATCH v2 09/17] qemu-img/qemu-io: don't prompt for passwords if not required Daniel P. Berrange
2016-02-05 19:52 ` Eric Blake
2016-01-20 17:38 ` [Qemu-devel] [PATCH v2 10/17] block: add generic full disk encryption driver Daniel P. Berrange
2016-01-21 9:12 ` Fam Zheng
2016-01-21 11:02 ` Daniel P. Berrange
2016-01-21 13:01 ` Fam Zheng
2016-01-21 13:12 ` Daniel P. Berrange
2016-02-05 22:20 ` Eric Blake
2016-02-08 16:28 ` Daniel P. Berrange
2016-02-08 20:23 ` Eric Blake
2016-02-09 9:55 ` Daniel P. Berrange
2016-01-20 17:38 ` [Qemu-devel] [PATCH v2 11/17] qcow2: make qcow2_encrypt_sectors encrypt in place Daniel P. Berrange
2016-01-21 9:13 ` Fam Zheng
2016-02-05 23:22 ` Eric Blake
2016-01-20 17:38 ` [Qemu-devel] [PATCH v2 12/17] qcow2: convert QCow2 to use QCryptoBlock for encryption Daniel P. Berrange
2016-01-21 9:54 ` Fam Zheng
2016-01-21 10:50 ` Daniel P. Berrange
2016-01-21 13:56 ` Fam Zheng
2016-01-21 14:03 ` Daniel P. Berrange
2016-02-08 18:12 ` Eric Blake
2016-02-09 12:32 ` Daniel P. Berrange
2016-01-20 17:38 ` [Qemu-devel] [PATCH v2 13/17] qcow: make encrypt_sectors encrypt in place Daniel P. Berrange
2016-02-08 20:30 ` Eric Blake
2016-02-09 12:33 ` Daniel P. Berrange
2016-01-20 17:38 ` [Qemu-devel] [PATCH v2 14/17] qcow: convert QCow to use QCryptoBlock for encryption Daniel P. Berrange
2016-02-08 20:57 ` Eric Blake
2016-01-20 17:38 ` [Qemu-devel] [PATCH v2 15/17] block: rip out all traces of password prompting Daniel P. Berrange
2016-01-21 13:02 ` Fam Zheng
2016-01-21 13:11 ` Daniel P. Berrange
2016-01-20 17:38 ` [Qemu-devel] [PATCH v2 16/17] block: remove all encryption handling APIs Daniel P. Berrange
2016-02-08 21:23 ` Eric Blake
2016-02-09 12:34 ` Daniel P. Berrange
2016-01-20 17:38 ` [Qemu-devel] [PATCH v2 17/17] block: remove support for legecy AES qcow/qcow2 encryption Daniel P. Berrange
2016-02-08 21:26 ` Eric Blake
2016-02-09 12:35 ` Daniel P. Berrange
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160121065924.GE31960@ad.usersys.redhat.com \
--to=famz@redhat.com \
--cc=berrange@redhat.com \
--cc=kwolf@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.