1. 22 Aug, 2017 5 commits
  2. 16 Aug, 2017 1 commit
    • Fix Argon2 benchmark. · 497fb0b3
      1) If the calculated costs were the same, it ran forever.
      
      2) If the calculation returned final values in the first step,
      output costs were not updated and the benchmark returned too low values.
      Milan Broz committed
  3. 15 Aug, 2017 5 commits
  4. 12 Aug, 2017 2 commits
    • Move PBKDF internal benchmark to one place. · 5fc79f56
      Also cache its value in active context, so we run benchmark
      only once.
      
      The patch also changes the calculated value for the LUKS1 key digest
      to 125 milliseconds (it means that for all 8 used slots
      the additional slow-down is circa 1 second).
      
      Note that there is no need to have too high an iteration count
      for the key digest; if it is too computationally expensive, an attacker
      will rather decrypt one sector with the candidate key anyway.
      (Check for a known signature.)
      
      The reason to have some delay for the key digest check was
      to complicate brute-force search for the volume key with the LUKS header
      only (and if the RNG used to generate the volume key was flawed,
      allowing such a search in reasonable time).
      Milan Broz committed
  5. 11 Aug, 2017 3 commits
  6. 10 Aug, 2017 8 commits
  7. 07 Aug, 2017 2 commits
  8. 06 Aug, 2017 5 commits
    • Use only crypt_get_integrity_info in API. · 3435f9cb
      Some other functions remain internal only.
      
      Signed-off-by: Milan Broz <gmazyland@gmail.com>
      Milan Broz committed
    • Add kernel keyring functions for volume key. · d891e00f
      Code is written by Ondrej Kozina.
      
      This patch adds the ability to store the volume key in the kernel keyring
      (feature available in recent kernels) and avoid setting the
      key through dm-ioctl, also avoiding the key in the table mapping.
      
      Will be used in LUKS2.
      
      Signed-off-by: Milan Broz <gmazyland@gmail.com>
      Milan Broz committed
    • Add Argon2 benchmark code. · 8a859391
      Code based on patch by Ondrej Mosnacek
      
      The new benchmark works as follows:
      
      Phase 1:
      It searches for the smallest parameters such that the duration is 250 ms
      (this part is quite fast).
      Then it uses that data point to estimate the parameters that will have
      the desired duration (and fulfill the basic constraints).
      
      Phase 2:
      The candidate parameters are then measured and if their duration falls
      within +-5% of the target duration, they are accepted.
      Otherwise, new candidate parameters are estimated based on the last
      measurement and phase 2 is repeated.
      
      When measuring the duration for given parameters, the measurement
      is repeated 3 or 4 times and a minimum of the measured durations
      is used as the final duration (to reduce variance in measurements).
      A minimum is taken instead of mean, because the measurements definitely
      have a certain lower bound, but no upper bound (therefore mean value
      would tend to be higher than the value with highest probability density).
      The actual "most likely" duration is going to be somewhere just above
      the minimum measurable value, so minimum over the observations is
      a better estimate than mean.
      
      Signed-off-by: Milan Broz <gmazyland@gmail.com>
      Milan Broz committed
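The two-phase search described in this commit message, with the two termination fixes from the 16 Aug "Fix Argon2 benchmark" commit above, as an added Python illustration (not cryptsetup's code). The timing model, its constants, the jitter values and all function names are constructed assumptions standing in for real Argon2 measurements.

```python
# Added illustration of the two-phase Argon2 cost benchmark, including the
# two termination fixes. Constructed model, not cryptsetup's code:
# duration = fixed overhead + time_cost * memory (Argon2's work grows roughly
# linearly in both), sampled with deterministic, purely additive jitter.
PHASE1_MS = 250.0            # phase 1 stops at the first point taking >= 250 ms
OVERHEAD_MS = 120.0          # hypothetical constant setup cost per run
MS_PER_KB_PASS = 1.0 / 4096  # hypothetical: one pass over 4 MiB costs 1 ms
JITTER = (0.18, 0.05, 0.0, 0.31)  # relative noise of repeated samples


def simulated_run(time_cost, memory_kb, sample):
    """One 'wall clock' sample (constructed). Noise only ever adds time."""
    base = OVERHEAD_MS + time_cost * memory_kb * MS_PER_KB_PASS
    return base * (1.0 + JITTER[sample % len(JITTER)])


def measure(time_cost, memory_kb, samples=4):
    """Repeat the run and keep the minimum, as the commit message explains."""
    return min(simulated_run(time_cost, memory_kb, i) for i in range(samples))


def estimate(t, m, duration, target_ms, min_m, max_m):
    """Linear rescale from the last data point: grow memory first, then time."""
    ratio = target_ms / duration
    new_m = min(max(round(m * ratio / 1024) * 1024, min_m), max_m)
    leftover = ratio * m / new_m          # scaling memory could not absorb
    return max(1, round(t * leftover)), new_m


def benchmark_argon2(target_ms, min_m=1024, max_m=4 * 1024 * 1024,
                     tolerance=0.05, max_iter=20):
    """Return (time_cost, memory_kb, duration_ms, phase2_iterations)."""
    # Phase 1: smallest costs whose duration reaches PHASE1_MS.
    t, m = 1, min_m
    d = measure(t, m)
    while d < PHASE1_MS:
        if m < max_m:
            m = min(m * 2, max_m)
        else:
            t += 1
        d = measure(t, m)
    # Phase 2: rescale and re-measure until within +-tolerance of the target.
    for i in range(max_iter):
        if abs(d - target_ms) <= tolerance * target_ms:
            return t, m, d, i      # fix 2: phase-1 result is reported as-is
        nt, nm = estimate(t, m, d, target_ms, min_m, max_m)
        if (nt, nm) == (t, m):     # fix 1: estimator cannot move, stop here
            return t, m, d, i
        t, m = nt, nm
        d = measure(t, m)
    return t, m, d, max_iter
```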
    • Change PBKDF interface API. · 0abf57be
      Prepare API for PBKDF that can set three costs
        - time (similar to iterations in PBKDF2)
        - memory (required memory for memory-hard function)
        - threads (required number of threads/CPUs).
      
      This patch also removes wrongly designed API call
      crypt_benchmark_kdf and replaces it with the new call
      crypt_benchmark_pbkdf.
      
      Two functions for PBKDF per context setting
      are introduced: crypt_set_pbkdf_type and crypt_get_pbkdf_type.
      
      The patch should be backward compatible when using
      crypt_set_iteration_time function (works only for PBKDF2).
      
      Signed-off-by: Milan Broz <gmazyland@gmail.com>
      Milan Broz committed
    • Add Argon2 bundled library to crypto backend. · 09d14a0b
      The Argon2i/id is a password hashing function that
      won the Password Hashing Competition.
      
      It will be (optionally) used in LUKS2 for password-based
      key derivation.
      
      We have to bundle the code for now (similar to PBKDF2 years ago)
      because there is yet no usable implementation in common
      crypto libraries.
      (Once there is native implementation, cryptsetup
      will switch to the crypto library version.)
      
      For now, we use reference (not optimized but portable) implementation.
      
      This patch contains bundled Argon2 algorithm library copied from
        https://github.com/P-H-C/phc-winner-argon2
      
      For more info see Password Hashing Competition site:
        https://password-hashing.net/
      and draft of RFC document
        https://datatracker.ietf.org/doc/draft-irtf-cfrg-argon2/
      
      Signed-off-by: Milan Broz <gmazyland@gmail.com>
      Milan Broz committed
  9. 31 Jul, 2017 3 commits
  10. 27 Jul, 2017 3 commits
  11. 26 Jul, 2017 3 commits