2 * utils_pbkdf - PBKDF settings for libcryptsetup
4 * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved.
5 * Copyright (C) 2009-2023 Milan Broz
7 * This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License
9 * as published by the Free Software Foundation; either version 2
10 * of the License, or (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
27 const struct crypt_pbkdf_type default_pbkdf2 = {
28 .type = CRYPT_KDF_PBKDF2,
29 .hash = DEFAULT_LUKS1_HASH,
30 .time_ms = DEFAULT_LUKS1_ITER_TIME
33 const struct crypt_pbkdf_type default_argon2i = {
34 .type = CRYPT_KDF_ARGON2I,
35 .hash = DEFAULT_LUKS1_HASH,
36 .time_ms = DEFAULT_LUKS2_ITER_TIME,
37 .max_memory_kb = DEFAULT_LUKS2_MEMORY_KB,
38 .parallel_threads = DEFAULT_LUKS2_PARALLEL_THREADS
41 const struct crypt_pbkdf_type default_argon2id = {
42 .type = CRYPT_KDF_ARGON2ID,
43 .hash = DEFAULT_LUKS1_HASH,
44 .time_ms = DEFAULT_LUKS2_ITER_TIME,
45 .max_memory_kb = DEFAULT_LUKS2_MEMORY_KB,
46 .parallel_threads = DEFAULT_LUKS2_PARALLEL_THREADS
49 const struct crypt_pbkdf_type *crypt_get_pbkdf_type_params(const char *pbkdf_type)
54 if (!strcmp(pbkdf_type, CRYPT_KDF_PBKDF2))
55 return &default_pbkdf2;
56 else if (!strcmp(pbkdf_type, CRYPT_KDF_ARGON2I))
57 return &default_argon2i;
58 else if (!strcmp(pbkdf_type, CRYPT_KDF_ARGON2ID))
59 return &default_argon2id;
64 static uint32_t adjusted_phys_memory(void)
66 uint64_t memory_kb = crypt_getphysmemory_kb();
68 /* Ignore bogus value */
69 if (memory_kb < (128 * 1024) || memory_kb > UINT32_MAX)
70 return DEFAULT_LUKS2_MEMORY_KB;
73 * Never use more than half of physical memory.
74 * OOM killer is too clever...
82 * PBKDF configuration interface
84 int verify_pbkdf_params(struct crypt_device *cd,
85 const struct crypt_pbkdf_type *pbkdf)
87 struct crypt_pbkdf_limits pbkdf_limits;
88 const char *pbkdf_type;
95 if (!pbkdf || !pbkdf->type ||
96 (!pbkdf->hash && !strcmp(pbkdf->type, "pbkdf2")))
99 if (!pbkdf->time_ms && !(pbkdf->flags & CRYPT_PBKDF_NO_BENCHMARK)) {
100 log_err(cd, _("Requested PBKDF target time cannot be zero."));
104 r = crypt_parse_pbkdf(pbkdf->type, &pbkdf_type);
106 log_err(cd, _("Unknown PBKDF type %s."), pbkdf->type);
110 if (pbkdf->hash && crypt_hash_size(pbkdf->hash) < 0) {
111 log_err(cd, _("Requested hash %s is not supported."), pbkdf->hash);
115 r = crypt_pbkdf_get_limits(pbkdf->type, &pbkdf_limits);
119 if (crypt_get_type(cd) &&
120 !strcmp(crypt_get_type(cd), CRYPT_LUKS1) &&
121 strcmp(pbkdf_type, CRYPT_KDF_PBKDF2)) {
122 log_err(cd, _("Requested PBKDF type is not supported for LUKS1."));
126 if (!strcmp(pbkdf_type, CRYPT_KDF_PBKDF2)) {
127 if (pbkdf->max_memory_kb || pbkdf->parallel_threads) {
128 log_err(cd, _("PBKDF max memory or parallel threads must not be set with pbkdf2."));
131 if (pbkdf->flags & CRYPT_PBKDF_NO_BENCHMARK &&
132 pbkdf->iterations < pbkdf_limits.min_iterations) {
133 log_err(cd, _("Forced iteration count is too low for %s (minimum is %u)."),
134 pbkdf_type, pbkdf_limits.min_iterations);
140 /* TODO: properly define minimal iterations and also minimal memory values */
141 if (pbkdf->flags & CRYPT_PBKDF_NO_BENCHMARK) {
142 if (pbkdf->iterations < pbkdf_limits.min_iterations) {
143 log_err(cd, _("Forced iteration count is too low for %s (minimum is %u)."),
144 pbkdf_type, pbkdf_limits.min_iterations);
147 if (pbkdf->max_memory_kb < pbkdf_limits.min_memory) {
148 log_err(cd, _("Forced memory cost is too low for %s (minimum is %u kilobytes)."),
149 pbkdf_type, pbkdf_limits.min_memory);
154 if (pbkdf->max_memory_kb > pbkdf_limits.max_memory) {
155 log_err(cd, _("Requested maximum PBKDF memory cost is too high (maximum is %d kilobytes)."),
156 pbkdf_limits.max_memory);
159 if (!pbkdf->max_memory_kb) {
160 log_err(cd, _("Requested maximum PBKDF memory cannot be zero."));
163 if (!pbkdf->parallel_threads) {
164 log_err(cd, _("Requested PBKDF parallel threads cannot be zero."));
171 int init_pbkdf_type(struct crypt_device *cd,
172 const struct crypt_pbkdf_type *pbkdf,
173 const char *dev_type)
175 struct crypt_pbkdf_type *cd_pbkdf = crypt_get_pbkdf(cd);
176 struct crypt_pbkdf_limits pbkdf_limits;
177 const char *hash, *type;
179 uint32_t old_flags, memory_kb;
182 if (crypt_fips_mode()) {
183 if (pbkdf && strcmp(pbkdf->type, CRYPT_KDF_PBKDF2)) {
184 log_err(cd, _("Only PBKDF2 is supported in FIPS mode."));
188 pbkdf = crypt_get_pbkdf_type_params(CRYPT_KDF_PBKDF2);
191 if (!pbkdf && dev_type && !strcmp(dev_type, CRYPT_LUKS2))
192 pbkdf = crypt_get_pbkdf_type_params(DEFAULT_LUKS2_PBKDF);
194 pbkdf = crypt_get_pbkdf_type_params(CRYPT_KDF_PBKDF2);
196 r = verify_pbkdf_params(cd, pbkdf);
200 r = crypt_pbkdf_get_limits(pbkdf->type, &pbkdf_limits);
204 type = strdup(pbkdf->type);
205 hash = pbkdf->hash ? strdup(pbkdf->hash) : NULL;
207 if (!type || (!hash && pbkdf->hash)) {
208 free(CONST_CAST(void*)type);
209 free(CONST_CAST(void*)hash);
213 free(CONST_CAST(void*)cd_pbkdf->type);
214 free(CONST_CAST(void*)cd_pbkdf->hash);
215 cd_pbkdf->type = type;
216 cd_pbkdf->hash = hash;
218 old_flags = cd_pbkdf->flags;
219 cd_pbkdf->flags = pbkdf->flags;
221 /* Reset iteration count so benchmark must run again. */
222 if (cd_pbkdf->flags & CRYPT_PBKDF_NO_BENCHMARK)
223 cd_pbkdf->iterations = pbkdf->iterations;
225 cd_pbkdf->iterations = 0;
227 if (old_flags & CRYPT_PBKDF_ITER_TIME_SET)
228 cd_pbkdf->flags |= CRYPT_PBKDF_ITER_TIME_SET;
230 cd_pbkdf->time_ms = pbkdf->time_ms;
232 cd_pbkdf->max_memory_kb = pbkdf->max_memory_kb;
233 cd_pbkdf->parallel_threads = pbkdf->parallel_threads;
235 if (cd_pbkdf->parallel_threads > pbkdf_limits.max_parallel) {
236 log_dbg(cd, "Maximum PBKDF threads is %d (requested %d).",
237 pbkdf_limits.max_parallel, cd_pbkdf->parallel_threads);
238 cd_pbkdf->parallel_threads = pbkdf_limits.max_parallel;
241 if (cd_pbkdf->parallel_threads) {
242 cpus = crypt_cpusonline();
243 if (cd_pbkdf->parallel_threads > cpus) {
244 log_dbg(cd, "Only %u active CPUs detected, "
245 "PBKDF threads decreased from %d to %d.",
246 cpus, cd_pbkdf->parallel_threads, cpus);
247 cd_pbkdf->parallel_threads = cpus;
251 if (cd_pbkdf->max_memory_kb) {
252 memory_kb = adjusted_phys_memory();
253 if (cd_pbkdf->max_memory_kb > memory_kb) {
254 log_dbg(cd, "Not enough physical memory detected, "
255 "PBKDF max memory decreased from %dkB to %dkB.",
256 cd_pbkdf->max_memory_kb, memory_kb);
257 cd_pbkdf->max_memory_kb = memory_kb;
261 if (!strcmp(pbkdf->type, CRYPT_KDF_PBKDF2))
262 log_dbg(cd, "PBKDF %s-%s, time_ms %u (iterations %u).",
263 cd_pbkdf->type, cd_pbkdf->hash, cd_pbkdf->time_ms, cd_pbkdf->iterations);
265 log_dbg(cd, "PBKDF %s, time_ms %u (iterations %u), max_memory_kb %u, parallel_threads %u.",
266 cd_pbkdf->type, cd_pbkdf->time_ms, cd_pbkdf->iterations,
267 cd_pbkdf->max_memory_kb, cd_pbkdf->parallel_threads);
272 /* Libcryptsetup API */
274 int crypt_set_pbkdf_type(struct crypt_device *cd, const struct crypt_pbkdf_type *pbkdf)
280 log_dbg(cd, "Resetting pbkdf type to default");
282 crypt_get_pbkdf(cd)->flags = 0;
284 return init_pbkdf_type(cd, pbkdf, crypt_get_type(cd));
287 const struct crypt_pbkdf_type *crypt_get_pbkdf_type(struct crypt_device *cd)
292 return crypt_get_pbkdf(cd)->type ? crypt_get_pbkdf(cd) : NULL;
295 const struct crypt_pbkdf_type *crypt_get_pbkdf_default(const char *type)
300 if (!strcmp(type, CRYPT_LUKS1) || crypt_fips_mode())
301 return crypt_get_pbkdf_type_params(CRYPT_KDF_PBKDF2);
302 else if (!strcmp(type, CRYPT_LUKS2))
303 return crypt_get_pbkdf_type_params(DEFAULT_LUKS2_PBKDF);
308 void crypt_set_iteration_time(struct crypt_device *cd, uint64_t iteration_time_ms)
310 struct crypt_pbkdf_type *pbkdf;
311 uint32_t old_time_ms;
313 if (!cd || iteration_time_ms > UINT32_MAX)
316 pbkdf = crypt_get_pbkdf(cd);
317 old_time_ms = pbkdf->time_ms;
318 pbkdf->time_ms = (uint32_t)iteration_time_ms;
320 if (pbkdf->type && verify_pbkdf_params(cd, pbkdf)) {
321 pbkdf->time_ms = old_time_ms;
322 log_dbg(cd, "Invalid iteration time.");
326 pbkdf->flags |= CRYPT_PBKDF_ITER_TIME_SET;
328 /* iterations must be benchmarked now */
329 pbkdf->flags &= ~(CRYPT_PBKDF_NO_BENCHMARK);
330 pbkdf->iterations = 0;
332 log_dbg(cd, "Iteration time set to %" PRIu64 " milliseconds.", iteration_time_ms);