packages/cryptsetup
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
cryptsetup/0005-check-whether-the-forced-iteration-count-is-out-of-r.patch
volcanodragon fdc5d74f1a add patches 
(cherry picked from commit 81c0fc48b6a6bcc22f8d58b0f3a6e6766071327c)
2023-02-23 16:04:56 +08:00

59 lines
2.2 KiB
Diff
Raw Blame History

From 3592f3da11ba6d830d700c2c987165ddc86345d8 Mon Sep 17 00:00:00 2001
From: wangzhiqiang <wangzhiqiang95@huawei.com>
Date: Mon, 30 Jan 2023 16:36:29 +0800
Subject: [PATCH] check whether the forced iteration count is out of range
struct crypt_pbkdf_type has a uint32_t variable iterations, but
PKCS5_PBKDF2_HMAC interface of openssl accept int variable, so
return fail when it greater than INT_MAX.
Signed-off-by: wangzhiqiang <wangzhiqiang95@huawei.com>
---
lib/crypto_backend/crypto_openssl.c | 2 +-
lib/luks2/luks2_keyslot_luks2.c | 1 +
man/cryptsetup.8 | 3 ++-
3 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/lib/crypto_backend/crypto_openssl.c b/lib/crypto_backend/crypto_openssl.c
index 0dbcb75..db400e4 100644
--- a/lib/crypto_backend/crypto_openssl.c
+++ b/lib/crypto_backend/crypto_openssl.c
@@ -541,7 +541,7 @@ int crypt_pbkdf(const char *kdf, const char *hash,
uint32_t iterations, uint32_t memory, uint32_t parallel)
{
- if (!kdf)
+ if (!kdf || iterations > INT_MAX)
return -EINVAL;
if (!strcmp(kdf, "pbkdf2")) {
diff --git a/lib/luks2/luks2_keyslot_luks2.c b/lib/luks2/luks2_keyslot_luks2.c
index ea58112..509a391 100644
--- a/lib/luks2/luks2_keyslot_luks2.c
+++ b/lib/luks2/luks2_keyslot_luks2.c
@@ -254,6 +254,7 @@ static int luks2_keyslot_set_key(struct crypt_device *cd,
pbkdf.iterations, pbkdf.max_memory_kb,
pbkdf.parallel_threads);
if (r < 0) {
+ log_err(cd, "Invalid parameter.");
crypt_free_volume_key(derived_key);
return r;
}
diff --git a/man/cryptsetup.8 b/man/cryptsetup.8
index c54480a..70d1f23 100644
--- a/man/cryptsetup.8
+++ b/man/cryptsetup.8
@@ -1132,7 +1132,8 @@ be used on some small embedded system.
\fBMINIMAL AND MAXIMAL PBKDF COSTS:\fR
For \fBPBKDF2\fR, the minimum iteration count is 1000 and
-maximum is 4294967295 (maximum for 32bit unsigned integer).
+maximum is 4294967295 (maximum for 32bit unsigned integer),
+except openssl, which supports only 2147483647 (maximum for 32bit integer).
Memory and parallel costs are unused for PBKDF2.
For \fBArgon2i\fR and \fBArgon2id\fR, minimum iteration count (CPU cost) is 4 and
maximum is 4294967295 (maximum for 32bit unsigned integer).
--
2.33.0
Reference in New Issue View Git Blame Copy Permalink