linfeilong835/cryptsetup

forked from src-openEuler/cryptsetup 
huawei-check-whether-the-forced-iteration-count-is-out-of-r.patch 2.17 KB
linfeilong835 committed on 2023-02-22 22:03 +08:00 . add patch
From 3592f3da11ba6d830d700c2c987165ddc86345d8 Mon Sep 17 00:00:00 2001
From: wangzhiqiang <wangzhiqiang95@huawei.com>
Date: Mon, 30 Jan 2023 16:36:29 +0800
Subject: [PATCH] check whether the forced iteration count is out of range
struct crypt_pbkdf_type has a uint32_t variable iterations, but
the PKCS5_PBKDF2_HMAC interface of openssl accepts an int variable, so
return failure when it is greater than INT_MAX.
Signed-off-by: wangzhiqiang <wangzhiqiang95@huawei.com>
---
lib/crypto_backend/crypto_openssl.c | 2 +-
lib/luks2/luks2_keyslot_luks2.c | 1 +
man/cryptsetup.8 | 3 ++-
3 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/lib/crypto_backend/crypto_openssl.c b/lib/crypto_backend/crypto_openssl.c
index 0dbcb75..db400e4 100644
--- a/lib/crypto_backend/crypto_openssl.c
+++ b/lib/crypto_backend/crypto_openssl.c
@@ -541,7 +541,7 @@ int crypt_pbkdf(const char *kdf, const char *hash,
uint32_t iterations, uint32_t memory, uint32_t parallel)
{
- if (!kdf)
+ if (!kdf || iterations > INT_MAX)
return -EINVAL;
if (!strcmp(kdf, "pbkdf2")) {
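Review bot: The new `iterations > INT_MAX` test in crypt_pbkdf() sits ahead of the `!strcmp(kdf, "pbkdf2")` dispatch, so it rejects large iteration counts for every KDF this function handles, while the commit message justifies the limit only by the int parameter of PKCS5_PBKDF2_HMAC. Move the comparison inside the pbkdf2 branch, or state in the commit message that the cap is intended for all KDFs in this backend. The hunk also does not show where INT_MAX comes from, so confirm that <limits.h> is included in crypto_openssl.c.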
diff --git a/lib/luks2/luks2_keyslot_luks2.c b/lib/luks2/luks2_keyslot_luks2.c
index ea58112..509a391 100644
--- a/lib/luks2/luks2_keyslot_luks2.c
+++ b/lib/luks2/luks2_keyslot_luks2.c
@@ -254,6 +254,7 @@ static int luks2_keyslot_set_key(struct crypt_device *cd,
pbkdf.iterations, pbkdf.max_memory_kb,
pbkdf.parallel_threads);
if (r < 0) {
+ log_err(cd, "Invalid parameter.");
crypt_free_volume_key(derived_key);
return r;
}
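Review bot: The added log_err() in the `if (r < 0)` block of luks2_keyslot_set_key() fires for every negative return of the preceding key derivation call, not only the -EINVAL produced by the new range check, and "Invalid parameter." does not tell the user which parameter is wrong. Log a specific message only when r == -EINVAL, for example one that names the PBKDF iteration count and its limit, so that other error codes are not reported as a parameter problem.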
diff --git a/man/cryptsetup.8 b/man/cryptsetup.8
index c54480a..70d1f23 100644
--- a/man/cryptsetup.8
+++ b/man/cryptsetup.8
@@ -1132,7 +1132,8 @@ be used on some small embedded system.
\fBMINIMAL AND MAXIMAL PBKDF COSTS:\fR
For \fBPBKDF2\fR, the minimum iteration count is 1000 and
-maximum is 4294967295 (maximum for 32bit unsigned integer).
+maximum is 4294967295 (maximum for 32bit unsigned integer),
+except openssl, which supports only 2147483647 (maximum for 32bit integer).
Memory and parallel costs are unused for PBKDF2.
For \fBArgon2i\fR and \fBArgon2id\fR, minimum iteration count (CPU cost) is 4 and
maximum is 4294967295 (maximum for 32bit unsigned integer).
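Review bot: The added sentence "except openssl, which supports only 2147483647 (maximum for 32bit integer)" is ambiguous on two points: it should say that the limit applies when cryptsetup uses the OpenSSL crypto backend, and "32bit integer" should read "32bit signed integer" to contrast with the unsigned maximum on the line above. The Argon2i/Argon2id paragraph directly below still gives 4294967295 as the maximum; if the check in crypt_pbkdf() stays ahead of the KDF dispatch, that paragraph needs the same exception.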
--
2.33.0