crypto: increase default pbkdf2 time for luks to 2 seconds

cryptsetup recently increased the default pbkdf2 time to 2 seconds to partially mitigate improvements in hardware performance wrt brute-forcing the pbkdf algorithm. This updates QEMU defaults to match. Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-09-07 12:48:32 +01:00 · 2016-09-07 12:48:32 +01:00 · 2ab66cd577
commit 2ab66cd577
parent acd0dfd0c2
2 changed files with 2 additions and 2 deletions
--- a/crypto/block-luks.c
+++ b/crypto/block-luks.c
@ -921,7 +921,7 @@ qcrypto_block_luks_create(QCryptoBlock *block,

    memcpy(&luks_opts, &options->u.luks, sizeof(luks_opts));
    if (!luks_opts.has_iter_time) {
-        luks_opts.iter_time = 1000;
+        luks_opts.iter_time = 2000;
    }
    if (!luks_opts.has_cipher_alg) {
        luks_opts.cipher_alg = QCRYPTO_CIPHER_ALG_AES_256;
--- a/qapi/crypto.json
+++ b/qapi/crypto.json
@ -187,7 +187,7 @@
 #            Currently defaults to 'sha256'
 # @iter-time: #optional number of milliseconds to spend in
 #             PBKDF passphrase processing. Currently defaults
-#             to 1000. (since 2.8)
+#             to 2000. (since 2.8)
 # Since: 2.6
 ##
 { 'struct': 'QCryptoBlockCreateOptionsLUKS',