On Thu, Feb 04, 2016 at 03:14:10PM -0700, Eric Blake wrote: > On 01/20/2016 10:38 AM, Daniel P. Berrange wrote: > > +int qcrypto_pbkdf2(QCryptoHashAlgorithm hash, > > + const uint8_t *key, size_t nkey, > > + const uint8_t *salt, size_t nsalt, > > + unsigned int iterations, > > + uint8_t *out, size_t nout, > > + Error **errp); > > + > > +/** > > + * qcrypto_pbkdf2_count_iters: > > + * @hash: the hash algorithm to use > > + * @key: the user password / key > > + * @nkey: the length of @key in bytes > > + * @salt: a random salt > > + * @nsalt: length of @salt in bytes > > + * @errp: pointer to a NULL-initialized error object > > + * > > + * Time the PBKDF2 algorithm to determine how many > > + * iterations are required to derive an encryption > > + * key from a user password provided in @key in 1 > > + * second of compute time. The result of this can > > + * be used as a the @iterations parameter of a later > > + * call to qcrypto_pbkdf2(). > > As machines get faster, will 2^31 still be enough, or do we want a > 64-bit iterations counter?
The luks format only has space to store a 32-bit int for interations, so 64-bit would require an on disk format change. On my current modern laptop we're getting iteration counts in the 400,000 range, so it will be a decent while before we hit 2^31, by which time LUKS maintainers will have to do a format change. Regards, Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
