cryptsetup-util: disable pbkdf benchmark in cryptsetup_set_minimal_pbkdf.
authorOndrej Kozina <okozina@redhat.com>
Thu, 27 May 2021 06:43:18 +0000 (08:43 +0200)
committerLennart Poettering <lennart@poettering.net>
Tue, 1 Jun 2021 13:53:14 +0000 (15:53 +0200)
No need to benchmark pbkdf when asking for minimal values
anyway.

1000 iterations count is minimum for both LUKS1 and LUKS2
pbkdf2 keyslot parameters according to NIST SP 800-132, ch. 5.2.

Iterations count can not be lower than recommended minimum
when benchmark is disabled. The time_ms member is ignored with
benchmark disabled.

src/shared/cryptsetup-util.c

index c1ba9f6ab7c92d0e44093fddbdfd3aa2483e4945..e2b018c0ca77ee7915d4395e5373b33628dc3638 100644 (file)
@@ -123,11 +123,15 @@ void cryptsetup_enable_logging(struct crypt_device *cd) {
 
 int cryptsetup_set_minimal_pbkdf(struct crypt_device *cd) {
 
+        /* With CRYPT_PBKDF_NO_BENCHMARK flag set .time_ms member is ignored
+         * while .iterations must be set at least to recommended minimum value. */
+
         static const struct crypt_pbkdf_type minimal_pbkdf = {
                 .hash = "sha512",
                 .type = CRYPT_KDF_PBKDF2,
-                .iterations = 1,
-                .time_ms = 1,
+                .iterations = 1000, /* recommended minimum count for pbkdf2
+                                     * according to NIST SP 800-132, ch. 5.2 */
+                .flags = CRYPT_PBKDF_NO_BENCHMARK
         };
 
         int r;
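Review bot: `cryptsetup_set_minimal_pbkdf()` still does not state the precondition that makes these parameters safe: 1000 PBKDF2 iterations is the NIST SP 800-132 floor, not a work factor that meaningfully slows guessing of a human-chosen passphrase. The comment added above `minimal_pbkdf` covers only how `CRYPT_PBKDF_NO_BENCHMARK` treats `.time_ms` and `.iterations`, so I would extend it with something like `/* Only for keyslots whose key is already high-entropy (e.g. randomly generated); never use for user-typed passphrases. */`. Presumably the existing callers pass such keys, but that is not visible in this hunk, and the function name alone does not stop a future caller from applying it to a passphrase slot. The function body continues past the end of the hunk.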