Merge pull request #19768 from poettering/homectl-fido2-lock-with
[thirdparty/systemd.git] / src / shared / cryptsetup-util.c
index 7ffa41f5d3979eacbb202122980cfd99a068c5e4..f747966bab7ad790aab264a6c2f075cbc23ccf6d 100644 (file)
@@ -164,11 +164,15 @@ void cryptsetup_enable_logging(struct crypt_device *cd) {
 
 int cryptsetup_set_minimal_pbkdf(struct crypt_device *cd) {
 
+        /* With CRYPT_PBKDF_NO_BENCHMARK flag set .time_ms member is ignored
+         * while .iterations must be set at least to recommended minimum value. */
+
         static const struct crypt_pbkdf_type minimal_pbkdf = {
                 .hash = "sha512",
                 .type = CRYPT_KDF_PBKDF2,
-                .iterations = 1,
-                .time_ms = 1,
+                .iterations = 1000, /* recommended minimum count for pbkdf2
+                                     * according to NIST SP 800-132, ch. 5.2 */
+                .flags = CRYPT_PBKDF_NO_BENCHMARK
         };
 
         int r;
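Review bot: The new comment above `minimal_pbkdf` explains why `.iterations` is 1000, but not when such a low cost is acceptable. 1000 PBKDF2-SHA512 iterations with benchmarking disabled give very little brute-force resistance to a human-chosen passphrase, so this helper is presumably meant only for key slots whose secret is already high-entropy; the callers are not visible in this hunk, so that should be confirmed. I would state the precondition in the comment, e.g. `/* Only for key slots protected by randomly generated, high-entropy secrets; never use for user-chosen passphrases. */`. As a smaller style point, a trailing comma after `.flags = CRYPT_PBKDF_NO_BENCHMARK` would keep later additions to the initializer to a one-line diff. The body of cryptsetup_set_minimal_pbkdf() continues past the end of the hunk.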