From: Eric Blake
Message-ID: <56B3CD32.7080307@redhat.com>
Date: Thu, 4 Feb 2016 15:14:10 -0700
In-Reply-To: <1453311539-1193-4-git-send-email-berrange@redhat.com>
Subject: Re: [Qemu-devel] [PATCH v2 03/17] crypto: add support for PBKDF2 algorithm
To: "Daniel P. Berrange", qemu-devel@nongnu.org
Cc: Kevin Wolf, Fam Zheng, qemu-block@nongnu.org

On 01/20/2016 10:38 AM, Daniel P. Berrange wrote:
> The LUKS data format includes use of PBKDF2 (Password-Based
> Key Derivation Function). The Nettle library can provide
> an implementation of this, but we don't want code directly
> depending on a specific crypto library backend. Introduce
> a include/crypto/pbkdf.h header which defines a QEMU

'an include/...', or maybe 'a new include/...'?

> API for invoking PBKDF2. The initial implementations are
> backed by nettle & gcrypt, which are commonly available
> with distros shipping GNUTLS.
>
> The test suite data is taken from the cryptsetup codebase
> under the LGPLv2.1+ license.
> This merely aims to verify
> that whatever backend we provide for this function in QEMU
> will comply with the spec.
>
> Signed-off-by: Daniel P. Berrange
> ---

In addition to Fam's review,

> +++ b/crypto/pbkdf-gcrypt.c

> +int qcrypto_pbkdf2(QCryptoHashAlgorithm hash,
> +                   const uint8_t *key, size_t nkey,
> +                   const uint8_t *salt, size_t nsalt,
> +                   unsigned int iterations,
> +                   uint8_t *out, size_t nout,
> +                   Error **errp)
> +{
> +    static const int hash_map[QCRYPTO_HASH_ALG__MAX] = {
> +        [QCRYPTO_HASH_ALG_MD5] = GCRY_MD_MD5,
> +        [QCRYPTO_HASH_ALG_SHA1] = GCRY_MD_SHA1,
> +        [QCRYPTO_HASH_ALG_SHA256] = GCRY_MD_SHA256,
> +    };

If QCRYPTO_HASH_ gains future enum values, those elements of the array
will be 0-initialized.

> +    int ret;
> +
> +    if (hash > G_N_ELEMENTS(hash_map)) {
> +        error_setg(errp, "Unexpected hash algorithm %d", hash);
> +        return -1;
> +    }

This checks for beyond the bounds of the array, but not for an element
that was 0-initialized. Is that a problem we need to worry about?

> +int qcrypto_pbkdf2(QCryptoHashAlgorithm hash,
> +                   const uint8_t *key, size_t nkey,
> +                   const uint8_t *salt, size_t nsalt,
> +                   unsigned int iterations,
> +                   uint8_t *out, size_t nout,
> +                   Error **errp);
> +
> +/**
> + * qcrypto_pbkdf2_count_iters:
> + * @hash: the hash algorithm to use
> + * @key: the user password / key
> + * @nkey: the length of @key in bytes
> + * @salt: a random salt
> + * @nsalt: length of @salt in bytes
> + * @errp: pointer to a NULL-initialized error object
> + *
> + * Time the PBKDF2 algorithm to determine how many
> + * iterations are required to derive an encryption
> + * key from a user password provided in @key in 1
> + * second of compute time. The result of this can
> + * be used as a the @iterations parameter of a later
> + * call to qcrypto_pbkdf2().

As machines get faster, will 2^31 still be enough, or do we want a
64-bit iterations counter?
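Review bot: The bounds check in the pbkdf-gcrypt.c hunk is off by one: `if (hash > G_N_ELEMENTS(hash_map))` lets `hash == G_N_ELEMENTS(hash_map)` through, and the subsequent `hash_map[hash]` lookup then reads one element past the end of the array; it should be `>=`. The same check should also reject table slots that were left 0-initialized (any QCRYPTO_HASH_ALG_* value without an explicit entry), for example by following the bounds test with `if (hash_map[hash] == 0) { error_setg(...); return -1; }`, so that an unmapped algorithm fails cleanly instead of being handed to gcrypt as a zero algorithm id.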
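Review bot: The doc comment for qcrypto_pbkdf2_count_iters in the header hunk documents no output length, yet PBKDF2 cost scales with the number of hash-sized output blocks requested, so a timing run that derives a single block will underestimate the time of a later qcrypto_pbkdf2() call with a larger @nout; either add an @nout parameter and time the same output size, or state in the comment which output length the one-second figure assumes. The comment should also document the return value and how failure is reported (is 0 or a negative value returned alongside @errp?), and note that the result must fit the `unsigned int iterations` parameter of qcrypto_pbkdf2(), which is the limit the 2^31 question above is about.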
-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org