From: Ingo Franzki
Date: Mon, 4 Feb 2019 16:15:04 +0100
Message-Id: <44be54bb-10ce-813d-cfc0-8a97fc097a43@linux.ibm.com>
Subject: Re: [dm-crypt] How to get PBKDF settings of an existing key slot via libcryptsetup ?
To: Milan Broz, dm-crypt@saout.de

On 04.02.2019 14:44, Ingo Franzki wrote:
> On 04.02.2019 14:22, Milan Broz wrote:
>> Hi Ingo,
> Hi Milan,
>>
>> On 31/01/2019 11:14, Ingo Franzki wrote:
>>> Hi,
>>>
>>> is there a way to get the PBKDF settings (struct crypt_pbkdf_type) of an existing key slot in a LUKS2 volume via the libcryptsetup API?
>>
>> Not yet, but see below.
>>
>>> This question is related to the default PBKDF algorithm Argon2i for LUKS2 and the out-of-memory errors that you might get when you unlock multiple LUKS2 volumes during system startup via /etc/crypttab.
>>>
>>> One of my applications uses crypt_keyslot_add_by_key() to add a new unbound key slot. Unfortunately this new key slot gets the default PBKDF settings, thus it gets Argon2i. I guess if I used crypt_set_pbkdf_type() beforehand to set PBKDF2, then the new key slot would get PBKDF2 instead of Argon2i. However, I don't want to hard code PBKDF2 here, but I would like to use the PBKDF settings of the key slot that was unlocked before. So I would need a way to get the PBKDF settings of a key slot and then use crypt_set_pbkdf_type() with those settings before calling crypt_keyslot_add_by_key(). That way the new key slot would get the same PBKDF settings as the current one.
>>>
>>> Using crypt_get_pbkdf_type() seems to return the default PBKDF algorithm, thus Argon2i for LUKS2.
>>
>> Yes, you describe exactly how I intended to use it. (I guess your use case is s390 crypto, so PBKDF2 is ok, because it is a wrapped key for the crypto accelerator; without the hw an attacker cannot run offline attacks here.)
>>
>> But since we can now get per-keyslot encryption in LUKS2 through the API, there should also be a way to get a specific keyslot's PBKDF setting (and not only the default).
>>
>> It should be relatively simple, so I tried to add such a call - is it something like this that you need?
>> https://gitlab.com/cryptsetup/cryptsetup/commit/8c3be56418248ef5b96265f901122effa88e446b
>>
> Yes, that's exactly what I need!
> Thanks a lot!

It would be nice if I could check via #ifdef whether that new function is available or not. For example, have a symbol in libcryptsetup.h that contains the current version:

#define LIBCRYPTSETUP_VERSION 0x00020006

That way one could use #if LIBCRYPTSETUP_VERSION >= 0x00020006 to check for a feature. That would allow me to write code that does not have a hard dependency on a certain cryptsetup version. If the new function is not there, I could use PBKDF2 unconditionally, and when it is there, I use the new function to find out what PBKDF is used by the existing keyslot.

>> Thanks,
>> Milan
>>
>

--
Ingo Franzki
eMail: ifranzki@linux.ibm.com
Tel: ++49 (0)7031-16-4648
Fax: ++49 (0)7031-16-3456
Linux on IBM Z Development, Schoenaicher Str. 220, 71032 Boeblingen, Germany
IBM Deutschland Research & Development GmbH
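A CLI-side check for the same information, added here as an example that is not from the thread or from the cryptsetup project: while libcryptsetup lacks a per-keyslot query, the PBKDF type and its parameters for each keyslot can be read from `cryptsetup luksDump` output, which is also how to see how much Argon2 memory each volume in /etc/crypttab will demand at boot. The dump is a constructed, abridged sample; the parser assumes the LUKS2 dump layout shown in it.

```shell
# Constructed, abridged `cryptsetup luksDump` output for a LUKS2 volume
# (key sizes, cipher, salts and offsets trimmed); not from a real device.
SAMPLE_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
        PBKDF:      argon2i
        Time cost:  4
        Memory:     653926
        Threads:    2
  1: luks2 (unbound)
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 1000000
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 100000'
# One line per keyslot: "slot type time_cost memory_kib threads" for argon2*,
# "slot type hash iterations" for pbkdf2. Only the "Keyslots:" section is
# parsed, so the pbkdf2 line under "Digests:" is not mistaken for a keyslot.
list_keyslot_pbkdf() {
    printf '%s\n' "$1" | awk '
        function flush() {
            if (slot == "") return
            if (type ~ /^argon2/) print slot, type, time, mem, thr
            else print slot, type, hash, iter
            slot = type = time = mem = thr = hash = iter = ""
        }
        /^[A-Za-z]/ { flush(); section = $1; next }      # new top-level section
        section == "Keyslots:" && /^  [0-9]+: luks2/ { flush(); slot = $1; sub(":", "", slot); next }
        section == "Keyslots:" && slot != "" {
            if ($1 == "PBKDF:") type = $2;  if ($1 == "Time") time = $3    # "Time cost:"
            if ($1 == "Memory:") mem = $2;  if ($1 == "Threads:") thr = $2
            if ($1 == "Hash:") hash = $2;   if ($1 == "Iterations:") iter = $2
        }
        END { flush() }'
}

# PBKDF type of one keyslot ("argon2i", "pbkdf2"); empty if the slot is absent.
keyslot_pbkdf() { list_keyslot_pbkdf "$1" | awk -v s="$2" '$1 == s { print $2 }'; }

# Largest Argon2 memory cost (KiB) over all keyslots: the peak RAM one unlock
# of this volume may need, which is what adds up across /etc/crypttab entries.
max_argon2_memory_kib() {
    list_keyslot_pbkdf "$1" |
        awk '$2 ~ /^argon2/ && $4 + 0 > max + 0 { max = $4 } END { print max + 0 }'
}
list_keyslot_pbkdf "$SAMPLE_DUMP"
```

On a real system replace the sample with `cryptsetup luksDump /dev/<device>` output; the type printed for the previously unlocked slot is what the thread wants to feed into crypt_set_pbkdf_type() before crypt_keyslot_add_by_key().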