Add support for specifying extra PBKDF options for LUKS format

data/org.freedesktop.UDisks2.xml

@@ -2099,7 +2099,7 @@
  <!--
  Format:
  @type: The type of file system, partition table or other content to format the device with.
- @options: Options - known options (in addition to <link linkend="udisks-std-options">standard options</link>) includes <parameter>label</parameter> (of type 's'), <parameter>uuid</parameter> (of type 's'), <parameter>take-ownership</parameter> (of type 'b'), <parameter>encrypt.passphrase</parameter> (of type 's' or 'ay'), <parameter>encrypt.type</parameter> (of type 's'), <parameter>erase</parameter> (of type 's'), <parameter>mkfs-args</parameter> (of type 'as'), <parameter>no-block</parameter> (of type 'b') and <parameter>update-partition-type</parameter> (of type 'b').
+ @options: Options - known options (in addition to <link linkend="udisks-std-options">standard options</link>) includes <parameter>label</parameter> (of type 's'), <parameter>uuid</parameter> (of type 's'), <parameter>take-ownership</parameter> (of type 'b'), <parameter>encrypt.passphrase</parameter> (of type 's' or 'ay'), <parameter>encrypt.type</parameter> (of type 's'), <parameter>encrypt.pbkdf</parameter> (of type 's'), <parameter>encrypt.memory</parameter> (of type 'u'), <parameter>encrypt.iterations</parameter> (of type 'u'), <parameter>encrypt.time</parameter> (of type 'u'), <parameter>encrypt.threads</parameter> (of type 'u'), <parameter>erase</parameter> (of type 's'), <parameter>mkfs-args</parameter> (of type 'as'), <parameter>no-block</parameter> (of type 'b') and <parameter>update-partition-type</parameter> (of type 'b').
 
  Formats the device with a file system, partition table or
  other well-known content.
@@ -2137,6 +2137,26 @@
  Option <parameter>encrypt.type</parameter> can be used to
  specify encryption "technology" that will be used. Currently
  only <quote>luks1</quote> and <quote>luks2</quote> are supported.
+ Following additional options for LUKS key derivation function can
+ be used:
+
+ <variablelist>
+ <varlistentry><term>encrypt.pbkdf</term>
+ <listitem><para>key derivation function, one of "pbkdf2", "argon2i", "argon2id"</para></listitem>
+ </varlistentry>
+ <varlistentry><term>encrypt.iterations</term>
+ <listitem><para>number of iterations for PBKDF</para></listitem>
+ </varlistentry>
+ <varlistentry><term>encrypt.memory</term>
+ <listitem><para>memory cost in KiB for Argon2</para></listitem>
+ </varlistentry>
+ <varlistentry><term>encrypt.time</term>
+ <listitem><para>time cost for PBKDF in ms</para></listitem>
+ </varlistentry>
+ <varlistentry><term>encrypt.threads</term>
+ <listitem><para>parallel cost for PBKDF (number of threads, up to 4)</para></listitem>
+ </varlistentry>
+ </variablelist>
 
  If the option <parameter>erase</parameter> is used then the
  underlying device will be erased. Valid values include

src/tests/dbus-tests/test_70_encrypted.py

@@ -797,6 +797,33 @@ def test_teardown_locked(self):
  fstab = self.read_file('/etc/fstab')
  self.assertNotIn(luks_uuid, fstab)
 
+ def test_create_pbkdf_extra(self):
+ disk_name = os.path.basename(self.vdevs[0])
+ disk = self.get_object('/block_devices/' + disk_name)
+
+ # create LUKS without specifying version
+ options = dbus.Dictionary(signature='sv')
+ options['encrypt.passphrase'] = self.PASSPHRASE
+ options['encrypt.pbkdf'] = 'pbkdf2'
+ options['encrypt.iterations'] = dbus.UInt32(10000)
+
+ disk.Format('ext4', options,
+ dbus_interface=self.iface_prefix + '.Block')
+
+ self.addCleanup(self._remove_luks, disk)
+ self.udev_settle()
+
+ _ret, out = self.run_command("cryptsetup luksDump %s" % self.vdevs[0])
+ m = re.search(r"PBKDF:\s*(\S+)\s*", out)
+ if not m or len(m.groups()) != 1:
+ self.fail("Failed to get pbkdf information from:\n%s" % out)
+ self.assertEqual(m.group(1), "pbkdf2")
+
+ m = re.search(r"Iterations:\s*(\S+)\s*", out)
+ if not m or len(m.groups()) != 1:
+ self.fail("Failed to get pbkdf information from:\n%s" % out)
+ self.assertEqual(m.group(1), "10000")
+
 
 class UdisksEncryptedTestBITLK(udiskstestcase.UdisksTestCase):
 

src/udiskslinuxblock.c

@@ -3139,6 +3139,11 @@ format_create_luks (UDisksDaemon *daemon,
  uid_t caller_uid,
  GString *encrypt_passphrase,
  const gchar *encrypt_type,
+ const gchar *encrypt_pbkdf,
+ guint32 encrypt_memory,
+ guint32 encrypt_iterations,
+ guint32 encrypt_time,
+ guint32 encrypt_threads,
  UDisksBlock **block_to_mkfs,
  UDisksObject **object_to_mkfs,
  GError **error)
@@ -3162,6 +3167,11 @@ format_create_luks (UDisksDaemon *daemon,
  crypto_job_data.type = encrypt_type;
  else
  crypto_job_data.type = udisks_config_manager_get_encryption (config_manager);
+ crypto_job_data.pbkdf = encrypt_pbkdf;
+ crypto_job_data.memory = encrypt_memory;
+ crypto_job_data.iterations = encrypt_iterations;
+ crypto_job_data.time = encrypt_time;
+ crypto_job_data.threads = encrypt_threads;
 
  /* Create it */
  udisks_linux_block_encrypted_lock (block);
@@ -3396,6 +3406,11 @@ udisks_linux_block_handle_format (UDisksBlock *block,
  gboolean take_ownership = FALSE;
  GString *encrypt_passphrase = NULL;
  const gchar *encrypt_type = NULL;
+ const gchar *encrypt_pbkdf = NULL;
+ guint32 encrypt_memory = 0;
+ guint32 encrypt_iterations = 0;
+ guint32 encrypt_time = 0;
+ guint32 encrypt_threads = 0;
  const gchar *erase_type = NULL;
  gboolean no_block = FALSE;
  gboolean update_partition_type = FALSE;
@@ -3409,7 +3424,6 @@ udisks_linux_block_handle_format (UDisksBlock *block,
  gchar **mkfs_args = NULL;
  BDExtraArg **extra_args = NULL;
 
-
  object = udisks_daemon_util_dup_object (block, &error);
  if (object == NULL)
  {
@@ -3426,6 +3440,11 @@ udisks_linux_block_handle_format (UDisksBlock *block,
  g_variant_lookup (options, "take-ownership", "b", &take_ownership);
  udisks_variant_lookup_binary (options, "encrypt.passphrase", &encrypt_passphrase);
  g_variant_lookup (options, "encrypt.type", "&s", &encrypt_type);
+ g_variant_lookup (options, "encrypt.pbkdf", "&s", &encrypt_pbkdf);
+ g_variant_lookup (options, "encrypt.memory", "u", &encrypt_memory);
+ g_variant_lookup (options, "encrypt.iterations", "u", &encrypt_iterations);
+ g_variant_lookup (options, "encrypt.time", "u", &encrypt_time);
+ g_variant_lookup (options, "encrypt.threads", "u", &encrypt_threads);
  g_variant_lookup (options, "erase", "&s", &erase_type);
  g_variant_lookup (options, "no-block", "b", &no_block);
  g_variant_lookup (options, "update-partition-type", "b", &update_partition_type);
@@ -3564,6 +3583,11 @@ udisks_linux_block_handle_format (UDisksBlock *block,
  caller_uid,
  encrypt_passphrase,
  encrypt_type,
+ encrypt_pbkdf,
+ encrypt_memory,
+ encrypt_iterations,
+ encrypt_time,
+ encrypt_threads,
  &block_to_mkfs,
  &object_to_mkfs,
  &error))

src/udiskslinuxencryptedhelpers.c

@@ -35,6 +35,7 @@ gboolean luks_format_job_func (UDisksThreadedJob *job,
  CryptoJobData *data = (CryptoJobData*) user_data;
  BDCryptoKeyslotContext *context = NULL;
  gboolean ret = FALSE;
+ BDCryptoLUKSExtra *extra = NULL;
 
  if (g_strcmp0 (data->type, "luks1") == 0)
  luks_version = BD_CRYPTO_LUKS_VERSION_LUKS1;
@@ -55,9 +56,17 @@ gboolean luks_format_job_func (UDisksThreadedJob *job,
  if (!context)
  return FALSE;
 
+ if (data->pbkdf || data->memory || data->iterations || data->time || data->threads)
+ {
+ extra = g_new0 (BDCryptoLUKSExtra, 1);
+ extra->pbkdf = bd_crypto_luks_pbkdf_new (data->pbkdf, NULL, data->memory, data->iterations,
+ data->time, data->threads);
+ }
+
  /* device, cipher, key_size, context, min_entropy, luks_version, extra, error */
- ret = bd_crypto_luks_format (data->device, NULL, 0, context, 0, luks_version, NULL, error);
+ ret = bd_crypto_luks_format (data->device, NULL, 0, context, 0, luks_version, extra, error);
  bd_crypto_keyslot_context_free (context);
+ bd_crypto_luks_extra_free (extra);
  return ret;
 }
 

src/udiskslinuxencryptedhelpers.h

@@ -42,6 +42,11 @@ typedef struct {
  gboolean system;
  gboolean read_only;
  const gchar *type;
+ const gchar *pbkdf;
+ guint32 memory;
+ guint32 iterations;
+ guint32 time;
+ guint32 threads;
 } CryptoJobData;
 
 gboolean luks_format_job_func (UDisksThreadedJob *job,