cryptsetup-util: add helper for setting minimal PBKDF

diff --git a/src/shared/cryptsetup-util.c b/src/shared/cryptsetup-util.c
index 850c79ed12349d6891f128ff2f23eeaedab6af4c..a793b9ac5b274152b002b95a0f43e940b794ea3d 100644 (file)
--- a/src/shared/cryptsetup-util.c
+++ b/src/shared/cryptsetup-util.c
@@ -27,6 +27,7 @@ int (*sym_crypt_resize)(struct crypt_device *cd, const char *name, uint64_t new_
 int (*sym_crypt_set_data_device)(struct crypt_device *cd, const char *device);
 void (*sym_crypt_set_debug_level)(int level);
 void (*sym_crypt_set_log_callback)(struct crypt_device *cd, void (*log)(int level, const char *msg, void *usrptr), void *usrptr);
+int (*sym_crypt_set_pbkdf_type)(struct crypt_device *cd, const struct crypt_pbkdf_type *pbkdf) = NULL;
 int (*sym_crypt_token_json_get)(struct crypt_device *cd, int token, const char **json) = NULL;
 int (*sym_crypt_token_json_set)(struct crypt_device *cd, int token, const char *json) = NULL;
 int (*sym_crypt_volume_key_get)(struct crypt_device *cd, int keyslot, char *volume_key, size_t *volume_key_size, const char *passphrase, size_t passphrase_size);
@@ -64,6 +65,7 @@ int dlopen_cryptsetup(void) {
                         DLSYM_ARG(crypt_set_data_device),
                         DLSYM_ARG(crypt_set_debug_level),
                         DLSYM_ARG(crypt_set_log_callback),
+                        DLSYM_ARG(crypt_set_pbkdf_type),
                         DLSYM_ARG(crypt_token_json_get),
                         DLSYM_ARG(crypt_token_json_set),
                         DLSYM_ARG(crypt_volume_key_get),
@@ -113,6 +115,30 @@ void cryptsetup_enable_logging(struct crypt_device *cd) {
         sym_crypt_set_debug_level(DEBUG_LOGGING ? CRYPT_DEBUG_ALL : CRYPT_DEBUG_NONE);
 }
 
+int cryptsetup_set_minimal_pbkdf(struct crypt_device *cd) {
+
+        static const struct crypt_pbkdf_type minimal_pbkdf = {
+                .hash = "sha512",
+                .type = CRYPT_KDF_PBKDF2,
+                .iterations = 1,
+                .time_ms = 1,
+        };
+
+        int r;
+
+        /* Sets a minimal PKBDF in case we already have a high entropy key. */
+
+        r = dlopen_cryptsetup();
+        if (r < 0)
+                return r;
+
+        r = sym_crypt_set_pbkdf_type(cd, &minimal_pbkdf);
+        if (r < 0)
+                return r;
+
+        return 0;
+}
+
 int cryptsetup_get_token_as_json(
                 struct crypt_device *cd,
                 int idx,

diff --git a/src/shared/cryptsetup-util.h b/src/shared/cryptsetup-util.h
index c6c56d680173ed7d5cccb0160c88cd7bd13986d0..26f5dd3c89a4a2328c23b464e8df0b7cc9f26872 100644 (file)
--- a/src/shared/cryptsetup-util.h
+++ b/src/shared/cryptsetup-util.h
@@ -25,6 +25,7 @@ extern int (*sym_crypt_resize)(struct crypt_device *cd, const char *name, uint64
 extern int (*sym_crypt_set_data_device)(struct crypt_device *cd, const char *device);
 extern void (*sym_crypt_set_debug_level)(int level);
 extern void (*sym_crypt_set_log_callback)(struct crypt_device *cd, void (*log)(int level, const char *msg, void *usrptr), void *usrptr);
+extern int (*sym_crypt_set_pbkdf_type)(struct crypt_device *cd, const struct crypt_pbkdf_type *pbkdf);
 extern int (*sym_crypt_token_json_get)(struct crypt_device *cd, int token, const char **json);
 extern int (*sym_crypt_token_json_set)(struct crypt_device *cd, int token, const char *json);
 extern int (*sym_crypt_volume_key_get)(struct crypt_device *cd, int keyslot, char *volume_key, size_t *volume_key_size, const char *passphrase, size_t passphrase_size);
@@ -36,6 +37,8 @@ DEFINE_TRIVIAL_CLEANUP_FUNC(struct crypt_device *, sym_crypt_free);
 
 void cryptsetup_enable_logging(struct crypt_device *cd);
 
+int cryptsetup_set_minimal_pbkdf(struct crypt_device *cd);
+
 int cryptsetup_get_token_as_json(struct crypt_device *cd, int idx, const char *verify_type, JsonVariant **ret);
 int cryptsetup_get_keyslot_from_token(JsonVariant *v);
 int cryptsetup_add_token_json(struct crypt_device *cd, JsonVariant *v);