On Wed, 01/20 17:38, Daniel P. Berrange wrote: > The LUKS data format includes use of PBKDF2 (Password-Based > Key Derivation Function). The Nettle library can provide > an implementation of this, but we don't want code directly > depending on a specific crypto library backend. Introduce > a include/crypto/pbkdf.h header which defines a QEMU > API for invoking PBKDK2. The initial implementations are > backed by nettle & gcrypt, which are commonly available > with distros shipping GNUTLS. > > The test suite data is taken from the cryptsetup codebase > under the LGPLv2.1+ license. This merely aims to verify > that whatever backend we provide for this function in QEMU > will comply with the spec. > > Signed-off-by: Daniel P. Berrange <berra...@redhat.com> > --- > crypto/Makefile.objs | 6 +- > crypto/pbkdf-gcrypt.c | 65 ++++++++ > crypto/pbkdf-nettle.c | 64 ++++++++ > crypto/pbkdf-stub.c | 41 +++++ > crypto/pbkdf.c | 68 +++++++++ > include/crypto/pbkdf.h | 152 +++++++++++++++++++ > tests/.gitignore | 1 + > tests/Makefile | 2 + > tests/test-crypto-pbkdf.c | 378 > ++++++++++++++++++++++++++++++++++++++++++++++ > 9 files changed, 776 insertions(+), 1 deletion(-) > create mode 100644 crypto/pbkdf-gcrypt.c > create mode 100644 crypto/pbkdf-nettle.c > create mode 100644 crypto/pbkdf-stub.c > create mode 100644 crypto/pbkdf.c > create mode 100644 include/crypto/pbkdf.h > create mode 100644 tests/test-crypto-pbkdf.c > > diff --git a/crypto/Makefile.objs b/crypto/Makefile.objs > index 1802ff5..4d2cd3e 100644 > --- a/crypto/Makefile.objs > +++ b/crypto/Makefile.objs > @@ -10,8 +10,12 @@ crypto-obj-y += tlssession.o > crypto-obj-y += secret.o > crypto-obj-$(if $(CONFIG_GNUTLS),n,$(CONFIG_GCRYPT)) += random-gcrypt.o > crypto-obj-$(CONFIG_GNUTLS) += random-gnutls.o > +crypto-obj-y += pbkdf.o > +crypto-obj-$(CONFIG_NETTLE) += pbkdf-nettle.o > +crypto-obj-$(if $(CONFIG_NETTLE),n,$(CONFIG_GCRYPT)) += pbkdf-gcrypt.o > > # Let the userspace emulators avoid linking gnutls/etc > crypto-aes-obj-y = aes.o > > -stub-obj-y += random-stub.o > \ No newline at end of file > +stub-obj-y += random-stub.o > +stub-obj-y += pbkdf-stub.o > diff --git a/crypto/pbkdf-gcrypt.c b/crypto/pbkdf-gcrypt.c > new file mode 100644 > index 0000000..94abcf8 > --- /dev/null > +++ b/crypto/pbkdf-gcrypt.c > @@ -0,0 +1,65 @@ > +/* > + * QEMU Crypto PBKDF support (Password-Based Key Derivation Function) > + * > + * Copyright (c) 2015-2016 Red Hat, Inc. > + * > + * This library is free software; you can redistribute it and/or > + * modify it under the terms of the GNU Lesser General Public > + * License as published by the Free Software Foundation; either > + * version 2 of the License, or (at your option) any later version. > + * > + * This library is distributed in the hope that it will be useful, > + * but WITHOUT ANY WARRANTY; without even the implied warranty of > + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > + * Lesser General Public License for more details. > + * > + * You should have received a copy of the GNU Lesser General Public > + * License along with this library; if not, see > <http://www.gnu.org/licenses/>. > + * > + */ > + > +#include "crypto/pbkdf.h" > +#include "gcrypt.h" > + > +bool qcrypto_pbkdf2_supports(QCryptoHashAlgorithm hash) > +{ > + switch (hash) { > + case QCRYPTO_HASH_ALG_SHA1: > + case QCRYPTO_HASH_ALG_SHA256: > + return true; > + default: > + return false; > + } > +} > + > +int qcrypto_pbkdf2(QCryptoHashAlgorithm hash, > + const uint8_t *key, size_t nkey, > + const uint8_t *salt, size_t nsalt, > + unsigned int iterations, > + uint8_t *out, size_t nout, > + Error **errp) > +{ > + static const int hash_map[QCRYPTO_HASH_ALG__MAX] = { > + [QCRYPTO_HASH_ALG_MD5] = GCRY_MD_MD5, > + [QCRYPTO_HASH_ALG_SHA1] = GCRY_MD_SHA1, > + [QCRYPTO_HASH_ALG_SHA256] = GCRY_MD_SHA256, > + }; > + int ret; > + > + if (hash > G_N_ELEMENTS(hash_map)) {
Do you want ">="? > + error_setg(errp, "Unexpected hash algorithm %d", hash); > + return -1; > + } > + > + ret = gcry_kdf_derive(key, nkey, GCRY_KDF_PBKDF2, > + hash_map[hash], > + salt, nsalt, iterations, > + nout, out); We go ahead with QCRYPTO_HASH_ALG_MD5 here, but we didn't accept it in qcrypto_pbkdf2_supports, is that a mistake? > + if (ret != 0) { > + error_setg(errp, "Cannot derive password: %s", > + gcry_strerror(ret)); > + return -1; > + } > + > + return 0; > +} > diff --git a/crypto/pbkdf-nettle.c b/crypto/pbkdf-nettle.c > new file mode 100644 > index 0000000..b0f2d8e > --- /dev/null > +++ b/crypto/pbkdf-nettle.c > @@ -0,0 +1,64 @@ > +/* > + * QEMU Crypto PBKDF support (Password-Based Key Derivation Function) > + * > + * Copyright (c) 2015-2016 Red Hat, Inc. > + * > + * This library is free software; you can redistribute it and/or > + * modify it under the terms of the GNU Lesser General Public > + * License as published by the Free Software Foundation; either > + * version 2 of the License, or (at your option) any later version. > + * > + * This library is distributed in the hope that it will be useful, > + * but WITHOUT ANY WARRANTY; without even the implied warranty of > + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > + * Lesser General Public License for more details. > + * > + * You should have received a copy of the GNU Lesser General Public > + * License along with this library; if not, see > <http://www.gnu.org/licenses/>. > + * > + */ > + > +#include "crypto/pbkdf.h" > +#include "nettle/pbkdf2.h" > + > + > +bool qcrypto_pbkdf2_supports(QCryptoHashAlgorithm hash) > +{ > + switch (hash) { > + case QCRYPTO_HASH_ALG_SHA1: > + case QCRYPTO_HASH_ALG_SHA256: > + return true; > + default: > + return false; > + } > +} > + > +int qcrypto_pbkdf2(QCryptoHashAlgorithm hash, > + const uint8_t *key, size_t nkey, > + const uint8_t *salt, size_t nsalt, > + unsigned int iterations, > + uint8_t *out, size_t nout, > + Error **errp) > +{ > + switch (hash) { > + case QCRYPTO_HASH_ALG_SHA1: > + pbkdf2_hmac_sha1(nkey, key, > + iterations, > + nsalt, salt, > + nout, out); > + break; > + > + case QCRYPTO_HASH_ALG_SHA256: > + pbkdf2_hmac_sha256(nkey, key, > + iterations, > + nsalt, salt, > + nout, out); > + break; > + > + default: > + error_setg_errno(errp, ENOSYS, > + "PBKDF does not support hash algorithm %d", hash); > + return -1; > + } > + return 0; > +} > diff --git a/crypto/pbkdf-stub.c b/crypto/pbkdf-stub.c > new file mode 100644 > index 0000000..73a08c3 > --- /dev/null > +++ b/crypto/pbkdf-stub.c > @@ -0,0 +1,41 @@ > +/* > + * QEMU Crypto PBKDF support (Password-Based Key Derivation Function) > + * > + * Copyright (c) 2015-2016 Red Hat, Inc. > + * > + * This library is free software; you can redistribute it and/or > + * modify it under the terms of the GNU Lesser General Public > + * License as published by the Free Software Foundation; either > + * version 2 of the License, or (at your option) any later version. > + * > + * This library is distributed in the hope that it will be useful, > + * but WITHOUT ANY WARRANTY; without even the implied warranty of > + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > + * Lesser General Public License for more details. > + * > + * You should have received a copy of the GNU Lesser General Public > + * License along with this library; if not, see > <http://www.gnu.org/licenses/>. > + * > + */ > + > +#include "crypto/pbkdf.h" > + > +bool qcrypto_pbkdf2_supports(QCryptoHashAlgorithm hash) Missing G_GNUC_UNUSED to be consistent with the rest of the file, doesn't hurt though. > +{ > + return false; > +} > + > +int qcrypto_pbkdf2(QCryptoHashAlgorithm hash G_GNUC_UNUSED, > + const uint8_t *key G_GNUC_UNUSED, > + size_t nkey G_GNUC_UNUSED, > + const uint8_t *salt G_GNUC_UNUSED, > + size_t nsalt G_GNUC_UNUSED, > + unsigned int iterations G_GNUC_UNUSED, > + uint8_t *out G_GNUC_UNUSED, > + size_t nout G_GNUC_UNUSED, > + Error **errp) > +{ > + error_setg_errno(errp, ENOSYS, > + "No crypto library supporting PBKDF in this build"); > + return -1; > +} > diff --git a/crypto/pbkdf.c b/crypto/pbkdf.c > new file mode 100644 > index 0000000..71f96cd > --- /dev/null > +++ b/crypto/pbkdf.c > @@ -0,0 +1,68 @@ > +/* > + * QEMU Crypto PBKDF support (Password-Based Key Derivation Function) > + * > + * Copyright (c) 2015-2016 Red Hat, Inc. > + * > + * This library is free software; you can redistribute it and/or > + * modify it under the terms of the GNU Lesser General Public > + * License as published by the Free Software Foundation; either > + * version 2 of the License, or (at your option) any later version. > + * > + * This library is distributed in the hope that it will be useful, > + * but WITHOUT ANY WARRANTY; without even the implied warranty of > + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > + * Lesser General Public License for more details. > + * > + * You should have received a copy of the GNU Lesser General Public > + * License along with this library; if not, see > <http://www.gnu.org/licenses/>. > + * > + */ > + > +#include "crypto/pbkdf.h" > +#include <sys/resource.h> > + > + > +int qcrypto_pbkdf2_count_iters(QCryptoHashAlgorithm hash, > + const uint8_t *key, size_t nkey, > + const uint8_t *salt, size_t nsalt, > + Error **errp) > +{ > + uint8_t out[32]; > + int iterations = (1 << 15); To be safe from overflow, I'd use at least 64 bits to do the math, just in case that some machine is too good at computing this stuff. :) > + struct rusage start, end; > + unsigned long long delta; > + > + while (1) { > + if (getrusage(RUSAGE_THREAD, &start) < 0) { > + error_setg_errno(errp, errno, "Unable to get thread CPU usage"); > + return -1; > + } > + if (qcrypto_pbkdf2(hash, > + key, nkey, > + salt, nsalt, > + iterations, > + out, sizeof(out), > + errp) < 0) { > + return -1; > + } > + if (getrusage(RUSAGE_THREAD, &end) < 0) { > + error_setg_errno(errp, errno, "Unable to get thread CPU usage"); > + return -1; > + } > + > + delta = (((end.ru_utime.tv_sec * 1000ll) + > + (end.ru_utime.tv_usec / 1000)) - > + ((start.ru_utime.tv_sec * 1000ll) + > + (start.ru_utime.tv_usec / 1000))); > + > + if (delta > 500) { > + break; > + } else if (delta < 100) { > + iterations = iterations * 10; > + } else { > + iterations = (iterations * 1000 / delta); > + } > + } > + > + return iterations * 1000 / delta; > +} > diff --git a/include/crypto/pbkdf.h b/include/crypto/pbkdf.h > new file mode 100644 > index 0000000..a5e8267 > --- /dev/null > +++ b/include/crypto/pbkdf.h > @@ -0,0 +1,152 @@ > +/* > + * QEMU Crypto PBKDF support (Password-Based Key Derivation Function) > + * > + * Copyright (c) 2015-2016 Red Hat, Inc. > + * > + * This library is free software; you can redistribute it and/or > + * modify it under the terms of the GNU Lesser General Public > + * License as published by the Free Software Foundation; either > + * version 2 of the License, or (at your option) any later version. > + * > + * This library is distributed in the hope that it will be useful, > + * but WITHOUT ANY WARRANTY; without even the implied warranty of > + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > + * Lesser General Public License for more details. > + * > + * You should have received a copy of the GNU Lesser General Public > + * License along with this library; if not, see > <http://www.gnu.org/licenses/>. > + * > + */ > + > +#ifndef QCRYPTO_PBKDF_H__ > +#define QCRYPTO_PBKDF_H__ > + > +#include "crypto/hash.h" > + > +/** > + * This module provides an interface to the PBKDF2 algorithm > + * > + * https://en.wikipedia.org/wiki/PBKDF2 > + * > + * <example> > + * <title>Generating a AES encryption key from a user password</title> s/a AES/an AES/ ? > + * <programlisting>