Allow to configure PBKDF (#163)

* Allow to configure PBKDF.

* Also add PBKDF options to key add operation.

* Simplify code.

* Update plugins/modules/luks_device.py

Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru>

* Fix indent.

* Use more of the options.

* Bump iteration count.

* Increase memory limit.

* Fall back to default PBKDF.

* Apply suggestions from code review

Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru>

Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru>
Felix Fontein
2021-01-22 13:21:03 +01:00
committed by GitHub
parent 3ca4c48b00
commit d921ff1f68
7 changed files with 133 additions and 3 deletions


@@ -4,6 +4,8 @@
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ role_path }}/files/keyfile1"
pbkdf:
iteration_time: 0.1
check_mode: yes
become: yes
register: create_check
@@ -12,6 +14,8 @@
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ role_path }}/files/keyfile1"
pbkdf:
iteration_time: 0.1
become: yes
register: create
- name: Create (idempotent)
@@ -19,6 +23,8 @@
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ role_path }}/files/keyfile1"
pbkdf:
iteration_time: 0.1
become: yes
register: create_idem
- name: Create (idempotent, check)
@@ -26,6 +32,8 @@
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ role_path }}/files/keyfile1"
pbkdf:
iteration_time: 0.1
check_mode: yes
become: yes
register: create_idem_check
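Review bot: The `pbkdf:` / `iteration_time: 0.1` pair added to each of these four tasks carries no comment explaining why it is there, and the same holds for the identical additions in the later file sections on this page. As far as I can tell the module takes this value in seconds, so 0.1 is far below what cryptsetup targets by default (2 s, if I recall correctly) and makes each key slot much cheaper to brute-force. That is fine for a throwaway test device, but test task files are often copied as usage examples. I would put `# Test-only: short PBKDF time to keep CI fast; do not use for real volumes` above the first occurrence in each file. The tasks begin outside the hunks, so the task names and module line for most of them are not visible here.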


@@ -4,6 +4,8 @@
device: /dev/asdfasdfasdf
state: present
keyfile: "{{ role_path }}/files/keyfile1"
pbkdf:
iteration_time: 0.1
check_mode: yes
ignore_errors: yes
become: yes
@@ -13,6 +15,8 @@
device: /dev/asdfasdfasdf
state: present
keyfile: "{{ role_path }}/files/keyfile1"
pbkdf:
iteration_time: 0.1
ignore_errors: yes
become: yes
register: create
@@ -28,6 +32,8 @@
device: /tmp/
state: present
keyfile: "{{ role_path }}/files/keyfile1"
pbkdf:
iteration_time: 0.1
check_mode: yes
ignore_errors: yes
become: yes
@@ -37,6 +43,8 @@
device: /tmp/
state: present
keyfile: "{{ role_path }}/files/keyfile1"
pbkdf:
iteration_time: 0.1
ignore_errors: yes
become: yes
register: create
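Review bot: All four tasks that gain `pbkdf` here already run with `ignore_errors: yes` against a device that cannot be formatted (`/dev/asdfasdfasdf`, `/tmp/`), so a failure caused by the new option itself, for instance in argument validation, would look the same as the expected one. The asserts that follow these tasks are outside the hunks; if they only test `is failed`, checking the failure message for the device error as well would keep these negative tests from passing for the wrong reason.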


@@ -4,6 +4,8 @@
device: "{{ cryptfile_device }}"
state: closed
keyfile: "{{ role_path }}/files/keyfile1"
pbkdf:
iteration_time: 0.1
become: yes
# Access: keyfile1
@@ -43,6 +45,8 @@
state: closed
keyfile: "{{ role_path }}/files/keyfile1"
new_keyfile: "{{ role_path }}/files/keyfile2"
pbkdf:
iteration_time: 0.1
become: yes
register: result_1


@@ -5,6 +5,8 @@
state: present
keyfile: "{{ role_path }}/files/keyfile1"
keysize: 256
pbkdf:
iteration_count: 1000
become: yes
register: create_with_keysize
- name: Create with keysize (idempotent)
@@ -13,6 +15,8 @@
state: present
keyfile: "{{ role_path }}/files/keyfile1"
keysize: 256
pbkdf:
iteration_count: 1000
become: yes
register: create_idem_with_keysize
- name: Create with different keysize (idempotent since we do not update keysize)
@@ -21,6 +25,8 @@
state: present
keyfile: "{{ role_path }}/files/keyfile1"
keysize: 512
pbkdf:
iteration_count: 1000
become: yes
register: create_idem_with_diff_keysize
- name: Create with ambiguous arguments
@@ -29,6 +35,8 @@
state: present
keyfile: "{{ role_path }}/files/keyfile1"
passphrase: "{{ cryptfile_passphrase1 }}"
pbkdf:
iteration_count: 1000
ignore_errors: yes
become: yes
register: create_with_ambiguous
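Review bot: `iteration_count: 1000` in these four tasks fixes the PBKDF work factor at a very low value instead of letting cryptsetup benchmark the host, and nothing in the file says this is a test shortcut. This file also uses `iteration_count` where the other test files use `iteration_time`, presumably to cover both options, but a reader has to guess that. A comment above the first occurrence would settle both, e.g. `# Test-only: force a minimal iteration count (exercises iteration_count rather than iteration_time)`. The tasks start outside the hunks.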


@@ -4,7 +4,29 @@
device: "{{ cryptfile_device }}"
state: closed
passphrase: "{{ cryptfile_passphrase1 }}"
pbkdf:
iteration_time: 0.1
algorithm: argon2i
memory: 1000
parallel: 1
become: yes
ignore_errors: yes
register: create_passphrase_1
- name: Make sure that the previous task only fails because the LUKS version used cannot handle the PBKDF parameters
assert:
that:
- create_passphrase_1 is not failed or 'Failed to set pbkdf parameters' in create_passphrase_1.msg
- name: Create with passphrase1 (without argon2i)
luks_device:
device: "{{ cryptfile_device }}"
state: closed
passphrase: "{{ cryptfile_passphrase1 }}"
pbkdf:
iteration_time: 0.1
become: yes
when: create_passphrase_1 is failed and 'Failed to set pbkdf parameters' in create_passphrase_1.msg
- name: Open with passphrase1
luks_device:
@@ -30,6 +52,8 @@
passphrase: "{{ cryptfile_passphrase1 }}"
new_passphrase: "{{ cryptfile_passphrase2 }}"
new_keyfile: "{{ role_path }}/files/keyfile1"
pbkdf:
iteration_time: 0.1
become: yes
ignore_errors: yes
register: new_try
@@ -55,6 +79,8 @@
state: closed
passphrase: "{{ cryptfile_passphrase1 }}"
new_passphrase: "{{ cryptfile_passphrase2 }}"
pbkdf:
iteration_time: 0.1
become: yes
register: result_1
@@ -107,6 +133,8 @@
state: closed
passphrase: "{{ cryptfile_passphrase1 }}"
new_keyfile: "{{ role_path }}/files/keyfile1"
pbkdf:
iteration_time: 0.1
become: yes
- name: Remove access with ambiguous remove_ arguments
@@ -190,6 +218,8 @@
state: closed
keyfile: "{{ role_path }}/files/keyfile1"
new_passphrase: "{{ cryptfile_passphrase3 }}"
pbkdf:
iteration_time: 0.1
become: yes
- name: Open with passphrase3
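Review bot: The fallback in the first hunk decides that argon2i is unsupported by matching the literal text 'Failed to set pbkdf parameters' in `create_passphrase_1.msg`, which ties the test to the exact wording of an error message (and to the locale that produced it, if the text comes from cryptsetup rather than the module). Separately, none of the visible hunks checks that the requested PBKDF actually ended up in the LUKS header, so a regression where the options are silently dropped would still pass. A follow-up task that reads the header (for example with `cryptsetup luksDump`) and asserts on the PBKDF fields when `create_passphrase_1 is not failed` would close that gap. A comment above `memory: 1000` such as `# Test-only: minimal Argon2 cost, not a recommended setting` would also help readers who reuse this task.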