From: Fam Zheng <famz@redhat.com>
To: "Daniel P. Berrange" <berrange@redhat.com>
Cc: Kevin Wolf <kwolf@redhat.com>,
qemu-devel@nongnu.org, qemu-block@nongnu.org
Subject: Re: [Qemu-devel] [PATCH v2 03/17] crypto: add support for PBKDF2 algorithm
Date: Thu, 21 Jan 2016 14:59:24 +0800 [thread overview]
Message-ID: <20160121065924.GE31960@ad.usersys.redhat.com> (raw)
In-Reply-To: <1453311539-1193-4-git-send-email-berrange@redhat.com>
On Wed, 01/20 17:38, Daniel P. Berrange wrote:
> The LUKS data format includes use of PBKDF2 (Password-Based
> Key Derivation Function). The Nettle library can provide
> an implementation of this, but we don't want code directly
> depending on a specific crypto library backend. Introduce
> a include/crypto/pbkdf.h header which defines a QEMU
> API for invoking PBKDK2. The initial implementations are
> backed by nettle & gcrypt, which are commonly available
> with distros shipping GNUTLS.
>
> The test suite data is taken from the cryptsetup codebase
> under the LGPLv2.1+ license. This merely aims to verify
> that whatever backend we provide for this function in QEMU
> will comply with the spec.
>
> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
> ---
> crypto/Makefile.objs | 6 +-
> crypto/pbkdf-gcrypt.c | 65 ++++++++
> crypto/pbkdf-nettle.c | 64 ++++++++
> crypto/pbkdf-stub.c | 41 +++++
> crypto/pbkdf.c | 68 +++++++++
> include/crypto/pbkdf.h | 152 +++++++++++++++++++
> tests/.gitignore | 1 +
> tests/Makefile | 2 +
> tests/test-crypto-pbkdf.c | 378 ++++++++++++++++++++++++++++++++++++++++++++++
> 9 files changed, 776 insertions(+), 1 deletion(-)
> create mode 100644 crypto/pbkdf-gcrypt.c
> create mode 100644 crypto/pbkdf-nettle.c
> create mode 100644 crypto/pbkdf-stub.c
> create mode 100644 crypto/pbkdf.c
> create mode 100644 include/crypto/pbkdf.h
> create mode 100644 tests/test-crypto-pbkdf.c
>
> diff --git a/crypto/Makefile.objs b/crypto/Makefile.objs
> index 1802ff5..4d2cd3e 100644
> --- a/crypto/Makefile.objs
> +++ b/crypto/Makefile.objs
> @@ -10,8 +10,12 @@ crypto-obj-y += tlssession.o
> crypto-obj-y += secret.o
> crypto-obj-$(if $(CONFIG_GNUTLS),n,$(CONFIG_GCRYPT)) += random-gcrypt.o
> crypto-obj-$(CONFIG_GNUTLS) += random-gnutls.o
> +crypto-obj-y += pbkdf.o
> +crypto-obj-$(CONFIG_NETTLE) += pbkdf-nettle.o
> +crypto-obj-$(if $(CONFIG_NETTLE),n,$(CONFIG_GCRYPT)) += pbkdf-gcrypt.o
>
> # Let the userspace emulators avoid linking gnutls/etc
> crypto-aes-obj-y = aes.o
>
> -stub-obj-y += random-stub.o
> \ No newline at end of file
> +stub-obj-y += random-stub.o
> +stub-obj-y += pbkdf-stub.o
> diff --git a/crypto/pbkdf-gcrypt.c b/crypto/pbkdf-gcrypt.c
> new file mode 100644
> index 0000000..94abcf8
> --- /dev/null
> +++ b/crypto/pbkdf-gcrypt.c
> @@ -0,0 +1,65 @@
> +/*
> + * QEMU Crypto PBKDF support (Password-Based Key Derivation Function)
> + *
> + * Copyright (c) 2015-2016 Red Hat, Inc.
> + *
> + * This library is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU Lesser General Public
> + * License as published by the Free Software Foundation; either
> + * version 2 of the License, or (at your option) any later version.
> + *
> + * This library is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * Lesser General Public License for more details.
> + *
> + * You should have received a copy of the GNU Lesser General Public
> + * License along with this library; if not, see <http://www.gnu.org/licenses/>.
> + *
> + */
> +
> +#include "crypto/pbkdf.h"
> +#include "gcrypt.h"
> +
> +bool qcrypto_pbkdf2_supports(QCryptoHashAlgorithm hash)
> +{
> + switch (hash) {
> + case QCRYPTO_HASH_ALG_SHA1:
> + case QCRYPTO_HASH_ALG_SHA256:
> + return true;
> + default:
> + return false;
> + }
> +}
> +
> +int qcrypto_pbkdf2(QCryptoHashAlgorithm hash,
> + const uint8_t *key, size_t nkey,
> + const uint8_t *salt, size_t nsalt,
> + unsigned int iterations,
> + uint8_t *out, size_t nout,
> + Error **errp)
> +{
> + static const int hash_map[QCRYPTO_HASH_ALG__MAX] = {
> + [QCRYPTO_HASH_ALG_MD5] = GCRY_MD_MD5,
> + [QCRYPTO_HASH_ALG_SHA1] = GCRY_MD_SHA1,
> + [QCRYPTO_HASH_ALG_SHA256] = GCRY_MD_SHA256,
> + };
> + int ret;
> +
> + if (hash > G_N_ELEMENTS(hash_map)) {
Do you want ">="?
> + error_setg(errp, "Unexpected hash algorithm %d", hash);
> + return -1;
> + }
> +
> + ret = gcry_kdf_derive(key, nkey, GCRY_KDF_PBKDF2,
> + hash_map[hash],
> + salt, nsalt, iterations,
> + nout, out);
We go ahead with QCRYPTO_HASH_ALG_MD5 here, but we didn't accept it in
qcrypto_pbkdf2_supports, is that a mistake?
> + if (ret != 0) {
> + error_setg(errp, "Cannot derive password: %s",
> + gcry_strerror(ret));
> + return -1;
> + }
> +
> + return 0;
> +}
> diff --git a/crypto/pbkdf-nettle.c b/crypto/pbkdf-nettle.c
> new file mode 100644
> index 0000000..b0f2d8e
> --- /dev/null
> +++ b/crypto/pbkdf-nettle.c
> @@ -0,0 +1,64 @@
> +/*
> + * QEMU Crypto PBKDF support (Password-Based Key Derivation Function)
> + *
> + * Copyright (c) 2015-2016 Red Hat, Inc.
> + *
> + * This library is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU Lesser General Public
> + * License as published by the Free Software Foundation; either
> + * version 2 of the License, or (at your option) any later version.
> + *
> + * This library is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * Lesser General Public License for more details.
> + *
> + * You should have received a copy of the GNU Lesser General Public
> + * License along with this library; if not, see <http://www.gnu.org/licenses/>.
> + *
> + */
> +
> +#include "crypto/pbkdf.h"
> +#include "nettle/pbkdf2.h"
> +
> +
> +bool qcrypto_pbkdf2_supports(QCryptoHashAlgorithm hash)
> +{
> + switch (hash) {
> + case QCRYPTO_HASH_ALG_SHA1:
> + case QCRYPTO_HASH_ALG_SHA256:
> + return true;
> + default:
> + return false;
> + }
> +}
> +
> +int qcrypto_pbkdf2(QCryptoHashAlgorithm hash,
> + const uint8_t *key, size_t nkey,
> + const uint8_t *salt, size_t nsalt,
> + unsigned int iterations,
> + uint8_t *out, size_t nout,
> + Error **errp)
> +{
> + switch (hash) {
> + case QCRYPTO_HASH_ALG_SHA1:
> + pbkdf2_hmac_sha1(nkey, key,
> + iterations,
> + nsalt, salt,
> + nout, out);
> + break;
> +
> + case QCRYPTO_HASH_ALG_SHA256:
> + pbkdf2_hmac_sha256(nkey, key,
> + iterations,
> + nsalt, salt,
> + nout, out);
> + break;
> +
> + default:
> + error_setg_errno(errp, ENOSYS,
> + "PBKDF does not support hash algorithm %d", hash);
> + return -1;
> + }
> + return 0;
> +}
> diff --git a/crypto/pbkdf-stub.c b/crypto/pbkdf-stub.c
> new file mode 100644
> index 0000000..73a08c3
> --- /dev/null
> +++ b/crypto/pbkdf-stub.c
> @@ -0,0 +1,41 @@
> +/*
> + * QEMU Crypto PBKDF support (Password-Based Key Derivation Function)
> + *
> + * Copyright (c) 2015-2016 Red Hat, Inc.
> + *
> + * This library is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU Lesser General Public
> + * License as published by the Free Software Foundation; either
> + * version 2 of the License, or (at your option) any later version.
> + *
> + * This library is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * Lesser General Public License for more details.
> + *
> + * You should have received a copy of the GNU Lesser General Public
> + * License along with this library; if not, see <http://www.gnu.org/licenses/>.
> + *
> + */
> +
> +#include "crypto/pbkdf.h"
> +
> +bool qcrypto_pbkdf2_supports(QCryptoHashAlgorithm hash)
Missing G_GNUC_UNUSED to be consistent with the rest of the file, doesn't
hurt though.
> +{
> + return false;
> +}
> +
> +int qcrypto_pbkdf2(QCryptoHashAlgorithm hash G_GNUC_UNUSED,
> + const uint8_t *key G_GNUC_UNUSED,
> + size_t nkey G_GNUC_UNUSED,
> + const uint8_t *salt G_GNUC_UNUSED,
> + size_t nsalt G_GNUC_UNUSED,
> + unsigned int iterations G_GNUC_UNUSED,
> + uint8_t *out G_GNUC_UNUSED,
> + size_t nout G_GNUC_UNUSED,
> + Error **errp)
> +{
> + error_setg_errno(errp, ENOSYS,
> + "No crypto library supporting PBKDF in this build");
> + return -1;
> +}
> diff --git a/crypto/pbkdf.c b/crypto/pbkdf.c
> new file mode 100644
> index 0000000..71f96cd
> --- /dev/null
> +++ b/crypto/pbkdf.c
> @@ -0,0 +1,68 @@
> +/*
> + * QEMU Crypto PBKDF support (Password-Based Key Derivation Function)
> + *
> + * Copyright (c) 2015-2016 Red Hat, Inc.
> + *
> + * This library is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU Lesser General Public
> + * License as published by the Free Software Foundation; either
> + * version 2 of the License, or (at your option) any later version.
> + *
> + * This library is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * Lesser General Public License for more details.
> + *
> + * You should have received a copy of the GNU Lesser General Public
> + * License along with this library; if not, see <http://www.gnu.org/licenses/>.
> + *
> + */
> +
> +#include "crypto/pbkdf.h"
> +#include <sys/resource.h>
> +
> +
> +int qcrypto_pbkdf2_count_iters(QCryptoHashAlgorithm hash,
> + const uint8_t *key, size_t nkey,
> + const uint8_t *salt, size_t nsalt,
> + Error **errp)
> +{
> + uint8_t out[32];
> + int iterations = (1 << 15);
To be safe from overflow, I'd use at least 64 bits to do the math, just in case
that some machine is too good at computing this stuff. :)
> + struct rusage start, end;
> + unsigned long long delta;
> +
> + while (1) {
> + if (getrusage(RUSAGE_THREAD, &start) < 0) {
> + error_setg_errno(errp, errno, "Unable to get thread CPU usage");
> + return -1;
> + }
> + if (qcrypto_pbkdf2(hash,
> + key, nkey,
> + salt, nsalt,
> + iterations,
> + out, sizeof(out),
> + errp) < 0) {
> + return -1;
> + }
> + if (getrusage(RUSAGE_THREAD, &end) < 0) {
> + error_setg_errno(errp, errno, "Unable to get thread CPU usage");
> + return -1;
> + }
> +
> + delta = (((end.ru_utime.tv_sec * 1000ll) +
> + (end.ru_utime.tv_usec / 1000)) -
> + ((start.ru_utime.tv_sec * 1000ll) +
> + (start.ru_utime.tv_usec / 1000)));
> +
> + if (delta > 500) {
> + break;
> + } else if (delta < 100) {
> + iterations = iterations * 10;
> + } else {
> + iterations = (iterations * 1000 / delta);
> + }
> + }
> +
> + return iterations * 1000 / delta;
> +}
> diff --git a/include/crypto/pbkdf.h b/include/crypto/pbkdf.h
> new file mode 100644
> index 0000000..a5e8267
> --- /dev/null
> +++ b/include/crypto/pbkdf.h
> @@ -0,0 +1,152 @@
> +/*
> + * QEMU Crypto PBKDF support (Password-Based Key Derivation Function)
> + *
> + * Copyright (c) 2015-2016 Red Hat, Inc.
> + *
> + * This library is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU Lesser General Public
> + * License as published by the Free Software Foundation; either
> + * version 2 of the License, or (at your option) any later version.
> + *
> + * This library is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * Lesser General Public License for more details.
> + *
> + * You should have received a copy of the GNU Lesser General Public
> + * License along with this library; if not, see <http://www.gnu.org/licenses/>.
> + *
> + */
> +
> +#ifndef QCRYPTO_PBKDF_H__
> +#define QCRYPTO_PBKDF_H__
> +
> +#include "crypto/hash.h"
> +
> +/**
> + * This module provides an interface to the PBKDF2 algorithm
> + *
> + * https://en.wikipedia.org/wiki/PBKDF2
> + *
> + * <example>
> + * <title>Generating a AES encryption key from a user password</title>
s/a AES/an AES/ ?
> + * <programlisting>
next prev parent reply other threads:[~2016-01-21 6:59 UTC|newest]
Thread overview: 69+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-20 17:38 [Qemu-devel] [PATCH v2 00/17] Support LUKS encryption in block devices Daniel P. Berrange
2016-01-20 17:38 ` [Qemu-devel] [PATCH v2 01/17] crypto: ensure qcrypto_hash_digest_len is always defined Daniel P. Berrange
2016-01-21 6:12 ` Fam Zheng
2016-01-20 17:38 ` [Qemu-devel] [PATCH v2 02/17] crypto: add cryptographic random byte source Daniel P. Berrange
2016-01-21 6:12 ` Fam Zheng
2016-01-21 8:59 ` Daniel P. Berrange
2016-02-04 17:44 ` Eric Blake
2016-01-20 17:38 ` [Qemu-devel] [PATCH v2 03/17] crypto: add support for PBKDF2 algorithm Daniel P. Berrange
2016-01-21 6:59 ` Fam Zheng [this message]
2016-01-21 10:59 ` Daniel P. Berrange
2016-02-04 22:14 ` Eric Blake
2016-02-05 9:23 ` Daniel P. Berrange
2016-02-05 10:13 ` Daniel P. Berrange
2016-01-20 17:38 ` [Qemu-devel] [PATCH v2 04/17] crypto: add support for generating initialization vectors Daniel P. Berrange
2016-01-21 7:51 ` Fam Zheng
2016-01-21 11:00 ` Daniel P. Berrange
2016-02-04 22:57 ` Eric Blake
2016-02-05 10:23 ` Daniel P. Berrange
2016-02-05 13:23 ` Daniel P. Berrange
2016-01-20 17:38 ` [Qemu-devel] [PATCH v2 05/17] crypto: add support for anti-forensic split algorithm Daniel P. Berrange
2016-01-21 8:37 ` Fam Zheng
2016-01-21 11:01 ` Daniel P. Berrange
2016-02-04 23:26 ` Eric Blake
2016-02-05 12:37 ` Daniel P. Berrange
2016-02-05 12:39 ` Daniel P. Berrange
2016-01-20 17:38 ` [Qemu-devel] [PATCH v2 06/17] crypto: add block encryption framework Daniel P. Berrange
2016-02-05 0:23 ` Eric Blake
2016-02-05 12:43 ` Daniel P. Berrange
2016-02-05 18:48 ` Eric Blake
2016-01-20 17:38 ` [Qemu-devel] [PATCH v2 07/17] crypto: implement the LUKS block encryption format Daniel P. Berrange
2016-02-05 17:38 ` Eric Blake
2016-02-08 16:03 ` Daniel P. Berrange
2016-01-20 17:38 ` [Qemu-devel] [PATCH v2 08/17] block: add flag to indicate that no I/O will be performed Daniel P. Berrange
2016-02-05 19:08 ` Eric Blake
2016-01-20 17:38 ` [Qemu-devel] [PATCH v2 09/17] qemu-img/qemu-io: don't prompt for passwords if not required Daniel P. Berrange
2016-02-05 19:52 ` Eric Blake
2016-01-20 17:38 ` [Qemu-devel] [PATCH v2 10/17] block: add generic full disk encryption driver Daniel P. Berrange
2016-01-21 9:12 ` Fam Zheng
2016-01-21 11:02 ` Daniel P. Berrange
2016-01-21 13:01 ` Fam Zheng
2016-01-21 13:12 ` Daniel P. Berrange
2016-02-05 22:20 ` Eric Blake
2016-02-08 16:28 ` Daniel P. Berrange
2016-02-08 20:23 ` Eric Blake
2016-02-09 9:55 ` Daniel P. Berrange
2016-01-20 17:38 ` [Qemu-devel] [PATCH v2 11/17] qcow2: make qcow2_encrypt_sectors encrypt in place Daniel P. Berrange
2016-01-21 9:13 ` Fam Zheng
2016-02-05 23:22 ` Eric Blake
2016-01-20 17:38 ` [Qemu-devel] [PATCH v2 12/17] qcow2: convert QCow2 to use QCryptoBlock for encryption Daniel P. Berrange
2016-01-21 9:54 ` Fam Zheng
2016-01-21 10:50 ` Daniel P. Berrange
2016-01-21 13:56 ` Fam Zheng
2016-01-21 14:03 ` Daniel P. Berrange
2016-02-08 18:12 ` Eric Blake
2016-02-09 12:32 ` Daniel P. Berrange
2016-01-20 17:38 ` [Qemu-devel] [PATCH v2 13/17] qcow: make encrypt_sectors encrypt in place Daniel P. Berrange
2016-02-08 20:30 ` Eric Blake
2016-02-09 12:33 ` Daniel P. Berrange
2016-01-20 17:38 ` [Qemu-devel] [PATCH v2 14/17] qcow: convert QCow to use QCryptoBlock for encryption Daniel P. Berrange
2016-02-08 20:57 ` Eric Blake
2016-01-20 17:38 ` [Qemu-devel] [PATCH v2 15/17] block: rip out all traces of password prompting Daniel P. Berrange
2016-01-21 13:02 ` Fam Zheng
2016-01-21 13:11 ` Daniel P. Berrange
2016-01-20 17:38 ` [Qemu-devel] [PATCH v2 16/17] block: remove all encryption handling APIs Daniel P. Berrange
2016-02-08 21:23 ` Eric Blake
2016-02-09 12:34 ` Daniel P. Berrange
2016-01-20 17:38 ` [Qemu-devel] [PATCH v2 17/17] block: remove support for legecy AES qcow/qcow2 encryption Daniel P. Berrange
2016-02-08 21:26 ` Eric Blake
2016-02-09 12:35 ` Daniel P. Berrange
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160121065924.GE31960@ad.usersys.redhat.com \
--to=famz@redhat.com \
--cc=berrange@redhat.com \
--cc=kwolf@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).