Re: [Qemu-devel] [PATCH v2 03/17] crypto: add support for PBKDF2 algorithm

From: Fam Zheng <famz@redhat.com>
To: "Daniel P. Berrange" <berrange@redhat.com>
Cc: Kevin Wolf <kwolf@redhat.com>,
	qemu-devel@nongnu.org, qemu-block@nongnu.org
Subject: Re: [Qemu-devel] [PATCH v2 03/17] crypto: add support for PBKDF2 algorithm
Date: Thu, 21 Jan 2016 14:59:24 +0800	[thread overview]
Message-ID: <20160121065924.GE31960@ad.usersys.redhat.com> (raw)
In-Reply-To: <1453311539-1193-4-git-send-email-berrange@redhat.com>

On Wed, 01/20 17:38, Daniel P. Berrange wrote:
> The LUKS data format includes use of PBKDF2 (Password-Based
> Key Derivation Function). The Nettle library can provide
> an implementation of this, but we don't want code directly
> depending on a specific crypto library backend. Introduce
> a include/crypto/pbkdf.h header which defines a QEMU
> API for invoking PBKDK2. The initial implementations are
> backed by nettle & gcrypt, which are commonly available
> with distros shipping GNUTLS.
> 
> The test suite data is taken from the cryptsetup codebase
> under the LGPLv2.1+ license. This merely aims to verify
> that whatever backend we provide for this function in QEMU
> will comply with the spec.
> 
> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
> ---
>  crypto/Makefile.objs      |   6 +-
>  crypto/pbkdf-gcrypt.c     |  65 ++++++++
>  crypto/pbkdf-nettle.c     |  64 ++++++++
>  crypto/pbkdf-stub.c       |  41 +++++
>  crypto/pbkdf.c            |  68 +++++++++
>  include/crypto/pbkdf.h    | 152 +++++++++++++++++++
>  tests/.gitignore          |   1 +
>  tests/Makefile            |   2 +
>  tests/test-crypto-pbkdf.c | 378 ++++++++++++++++++++++++++++++++++++++++++++++
>  9 files changed, 776 insertions(+), 1 deletion(-)
>  create mode 100644 crypto/pbkdf-gcrypt.c
>  create mode 100644 crypto/pbkdf-nettle.c
>  create mode 100644 crypto/pbkdf-stub.c
>  create mode 100644 crypto/pbkdf.c
>  create mode 100644 include/crypto/pbkdf.h
>  create mode 100644 tests/test-crypto-pbkdf.c
> 
> diff --git a/crypto/Makefile.objs b/crypto/Makefile.objs
> index 1802ff5..4d2cd3e 100644
> --- a/crypto/Makefile.objs
> +++ b/crypto/Makefile.objs
> @@ -10,8 +10,12 @@ crypto-obj-y += tlssession.o
>  crypto-obj-y += secret.o
>  crypto-obj-$(if $(CONFIG_GNUTLS),n,$(CONFIG_GCRYPT)) += random-gcrypt.o
>  crypto-obj-$(CONFIG_GNUTLS) += random-gnutls.o
> +crypto-obj-y += pbkdf.o
> +crypto-obj-$(CONFIG_NETTLE) += pbkdf-nettle.o
> +crypto-obj-$(if $(CONFIG_NETTLE),n,$(CONFIG_GCRYPT)) += pbkdf-gcrypt.o
>  
>  # Let the userspace emulators avoid linking gnutls/etc
>  crypto-aes-obj-y = aes.o
>  
> -stub-obj-y += random-stub.o
> \ No newline at end of file
> +stub-obj-y += random-stub.o
> +stub-obj-y += pbkdf-stub.o
> diff --git a/crypto/pbkdf-gcrypt.c b/crypto/pbkdf-gcrypt.c
> new file mode 100644
> index 0000000..94abcf8
> --- /dev/null
> +++ b/crypto/pbkdf-gcrypt.c
> @@ -0,0 +1,65 @@
> +/*
> + * QEMU Crypto PBKDF support (Password-Based Key Derivation Function)
> + *
> + * Copyright (c) 2015-2016 Red Hat, Inc.
> + *
> + * This library is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU Lesser General Public
> + * License as published by the Free Software Foundation; either
> + * version 2 of the License, or (at your option) any later version.
> + *
> + * This library is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> + * Lesser General Public License for more details.
> + *
> + * You should have received a copy of the GNU Lesser General Public
> + * License along with this library; if not, see <http://www.gnu.org/licenses/>.
> + *
> + */
> +
> +#include "crypto/pbkdf.h"
> +#include "gcrypt.h"
> +
> +bool qcrypto_pbkdf2_supports(QCryptoHashAlgorithm hash)
> +{
> +    switch (hash) {
> +    case QCRYPTO_HASH_ALG_SHA1:
> +    case QCRYPTO_HASH_ALG_SHA256:
> +        return true;
> +    default:
> +        return false;
> +    }
> +}
> +
> +int qcrypto_pbkdf2(QCryptoHashAlgorithm hash,
> +                   const uint8_t *key, size_t nkey,
> +                   const uint8_t *salt, size_t nsalt,
> +                   unsigned int iterations,
> +                   uint8_t *out, size_t nout,
> +                   Error **errp)
> +{
> +    static const int hash_map[QCRYPTO_HASH_ALG__MAX] = {
> +        [QCRYPTO_HASH_ALG_MD5] = GCRY_MD_MD5,
> +        [QCRYPTO_HASH_ALG_SHA1] = GCRY_MD_SHA1,
> +        [QCRYPTO_HASH_ALG_SHA256] = GCRY_MD_SHA256,
> +    };
> +    int ret;
> +
> +    if (hash > G_N_ELEMENTS(hash_map)) {

Do you want ">="?

> +        error_setg(errp, "Unexpected hash algorithm %d", hash);
> +        return -1;
> +    }
> +
> +    ret = gcry_kdf_derive(key, nkey, GCRY_KDF_PBKDF2,
> +                          hash_map[hash],
> +                          salt, nsalt, iterations,
> +                          nout, out);

We go ahead with QCRYPTO_HASH_ALG_MD5 here, but we didn't accept it in
qcrypto_pbkdf2_supports, is that a mistake?

> +    if (ret != 0) {
> +        error_setg(errp, "Cannot derive password: %s",
> +                   gcry_strerror(ret));
> +        return -1;
> +    }
> +
> +    return 0;
> +}
> diff --git a/crypto/pbkdf-nettle.c b/crypto/pbkdf-nettle.c
> new file mode 100644
> index 0000000..b0f2d8e
> --- /dev/null
> +++ b/crypto/pbkdf-nettle.c
> @@ -0,0 +1,64 @@
> +/*
> + * QEMU Crypto PBKDF support (Password-Based Key Derivation Function)
> + *
> + * Copyright (c) 2015-2016 Red Hat, Inc.
> + *
> + * This library is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU Lesser General Public
> + * License as published by the Free Software Foundation; either
> + * version 2 of the License, or (at your option) any later version.
> + *
> + * This library is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> + * Lesser General Public License for more details.
> + *
> + * You should have received a copy of the GNU Lesser General Public
> + * License along with this library; if not, see <http://www.gnu.org/licenses/>.
> + *
> + */
> +
> +#include "crypto/pbkdf.h"
> +#include "nettle/pbkdf2.h"
> +
> +
> +bool qcrypto_pbkdf2_supports(QCryptoHashAlgorithm hash)
> +{
> +    switch (hash) {
> +    case QCRYPTO_HASH_ALG_SHA1:
> +    case QCRYPTO_HASH_ALG_SHA256:
> +        return true;
> +    default:
> +        return false;
> +    }
> +}
> +
> +int qcrypto_pbkdf2(QCryptoHashAlgorithm hash,
> +                   const uint8_t *key, size_t nkey,
> +                   const uint8_t *salt, size_t nsalt,
> +                   unsigned int iterations,
> +                   uint8_t *out, size_t nout,
> +                   Error **errp)
> +{
> +    switch (hash) {
> +    case QCRYPTO_HASH_ALG_SHA1:
> +        pbkdf2_hmac_sha1(nkey, key,
> +                         iterations,
> +                         nsalt, salt,
> +                         nout, out);
> +        break;
> +
> +    case QCRYPTO_HASH_ALG_SHA256:
> +        pbkdf2_hmac_sha256(nkey, key,
> +                           iterations,
> +                           nsalt, salt,
> +                           nout, out);
> +        break;
> +
> +    default:
> +        error_setg_errno(errp, ENOSYS,
> +                         "PBKDF does not support hash algorithm %d", hash);
> +        return -1;
> +    }
> +    return 0;
> +}
> diff --git a/crypto/pbkdf-stub.c b/crypto/pbkdf-stub.c
> new file mode 100644
> index 0000000..73a08c3
> --- /dev/null
> +++ b/crypto/pbkdf-stub.c
> @@ -0,0 +1,41 @@
> +/*
> + * QEMU Crypto PBKDF support (Password-Based Key Derivation Function)
> + *
> + * Copyright (c) 2015-2016 Red Hat, Inc.
> + *
> + * This library is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU Lesser General Public
> + * License as published by the Free Software Foundation; either
> + * version 2 of the License, or (at your option) any later version.
> + *
> + * This library is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> + * Lesser General Public License for more details.
> + *
> + * You should have received a copy of the GNU Lesser General Public
> + * License along with this library; if not, see <http://www.gnu.org/licenses/>.
> + *
> + */
> +
> +#include "crypto/pbkdf.h"
> +
> +bool qcrypto_pbkdf2_supports(QCryptoHashAlgorithm hash)

Missing G_GNUC_UNUSED to be consistent with the rest of the file, doesn't
hurt though.

> +{
> +    return false;
> +}
> +
> +int qcrypto_pbkdf2(QCryptoHashAlgorithm hash G_GNUC_UNUSED,
> +                   const uint8_t *key G_GNUC_UNUSED,
> +                   size_t nkey G_GNUC_UNUSED,
> +                   const uint8_t *salt G_GNUC_UNUSED,
> +                   size_t nsalt G_GNUC_UNUSED,
> +                   unsigned int iterations G_GNUC_UNUSED,
> +                   uint8_t *out G_GNUC_UNUSED,
> +                   size_t nout G_GNUC_UNUSED,
> +                   Error **errp)
> +{
> +    error_setg_errno(errp, ENOSYS,
> +                     "No crypto library supporting PBKDF in this build");
> +    return -1;
> +}
> diff --git a/crypto/pbkdf.c b/crypto/pbkdf.c
> new file mode 100644
> index 0000000..71f96cd
> --- /dev/null
> +++ b/crypto/pbkdf.c
> @@ -0,0 +1,68 @@
> +/*
> + * QEMU Crypto PBKDF support (Password-Based Key Derivation Function)
> + *
> + * Copyright (c) 2015-2016 Red Hat, Inc.
> + *
> + * This library is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU Lesser General Public
> + * License as published by the Free Software Foundation; either
> + * version 2 of the License, or (at your option) any later version.
> + *
> + * This library is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> + * Lesser General Public License for more details.
> + *
> + * You should have received a copy of the GNU Lesser General Public
> + * License along with this library; if not, see <http://www.gnu.org/licenses/>.
> + *
> + */
> +
> +#include "crypto/pbkdf.h"
> +#include <sys/resource.h>
> +
> +
> +int qcrypto_pbkdf2_count_iters(QCryptoHashAlgorithm hash,
> +                               const uint8_t *key, size_t nkey,
> +                               const uint8_t *salt, size_t nsalt,
> +                               Error **errp)
> +{
> +    uint8_t out[32];
> +    int iterations = (1 << 15);

To be safe from overflow, I'd use at least 64 bits to do the math, just in case
that some machine is too good at computing this stuff. :)

> +    struct rusage start, end;
> +    unsigned long long delta;
> +
> +    while (1) {
> +        if (getrusage(RUSAGE_THREAD, &start) < 0) {
> +            error_setg_errno(errp, errno, "Unable to get thread CPU usage");
> +            return -1;
> +        }
> +        if (qcrypto_pbkdf2(hash,
> +                           key, nkey,
> +                           salt, nsalt,
> +                           iterations,
> +                           out, sizeof(out),
> +                           errp) < 0) {
> +            return -1;
> +        }
> +        if (getrusage(RUSAGE_THREAD, &end) < 0) {
> +            error_setg_errno(errp, errno, "Unable to get thread CPU usage");
> +            return -1;
> +        }
> +
> +        delta = (((end.ru_utime.tv_sec * 1000ll) +
> +                  (end.ru_utime.tv_usec / 1000)) -
> +                 ((start.ru_utime.tv_sec * 1000ll) +
> +                  (start.ru_utime.tv_usec / 1000)));
> +
> +        if (delta > 500) {
> +            break;
> +        } else if (delta < 100) {
> +            iterations = iterations * 10;
> +        } else {
> +            iterations = (iterations * 1000 / delta);
> +        }
> +    }
> +
> +    return iterations * 1000 / delta;
> +}
> diff --git a/include/crypto/pbkdf.h b/include/crypto/pbkdf.h
> new file mode 100644
> index 0000000..a5e8267
> --- /dev/null
> +++ b/include/crypto/pbkdf.h
> @@ -0,0 +1,152 @@
> +/*
> + * QEMU Crypto PBKDF support (Password-Based Key Derivation Function)
> + *
> + * Copyright (c) 2015-2016 Red Hat, Inc.
> + *
> + * This library is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU Lesser General Public
> + * License as published by the Free Software Foundation; either
> + * version 2 of the License, or (at your option) any later version.
> + *
> + * This library is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> + * Lesser General Public License for more details.
> + *
> + * You should have received a copy of the GNU Lesser General Public
> + * License along with this library; if not, see <http://www.gnu.org/licenses/>.
> + *
> + */
> +
> +#ifndef QCRYPTO_PBKDF_H__
> +#define QCRYPTO_PBKDF_H__
> +
> +#include "crypto/hash.h"
> +
> +/**
> + * This module provides an interface to the PBKDF2 algorithm
> + *
> + *   https://en.wikipedia.org/wiki/PBKDF2
> + *
> + * <example>
> + *   <title>Generating a AES encryption key from a user password</title>

s/a AES/an AES/ ?

> + *   <programlisting>