From: Ondrej Kozina
Date: Thu, 27 May 2021 06:43:18 +0000 (+0200)
Subject: cryptsetup-util: disable pbkdf benchmark in cryptsetup_set_minimal_pbkdf.
X-Git-Tag: v249-rc1~122
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=358b1f68b078d58a16deac1982da48c4d90a89a2;p=thirdparty%2Fsystemd.git

cryptsetup-util: disable pbkdf benchmark in cryptsetup_set_minimal_pbkdf.

No need to benchmark pbkdf when asking for minimal values anyway. 1000 iterations count is minimum for both LUKS1 and LUKS2 pbkdf2 keyslot parameters according to NIST SP 800-132, ch. 5.2. Iterations count can not be lower than recommended minimum when benchmark is disabled. The time_ms member is ignored with benchmark disabled.
---

diff --git a/src/shared/cryptsetup-util.c b/src/shared/cryptsetup-util.c
index c1ba9f6ab7c..e2b018c0ca7 100644
--- a/src/shared/cryptsetup-util.c
+++ b/src/shared/cryptsetup-util.c
@@ -123,11 +123,15 @@ void cryptsetup_enable_logging(struct crypt_device *cd) {
 int cryptsetup_set_minimal_pbkdf(struct crypt_device *cd) {
+ /* With CRYPT_PBKDF_NO_BENCHMARK flag set .time_ms member is ignored
+ * while .iterations must be set at least to recommended minimum value. */
+
 static const struct crypt_pbkdf_type minimal_pbkdf = {
 .hash = "sha512",
 .type = CRYPT_KDF_PBKDF2,
- .iterations = 1,
- .time_ms = 1,
+ .iterations = 1000, /* recommended minimum count for pbkdf2
+ * according to NIST SP 800-132, ch. 5.2 */
+ .flags = CRYPT_PBKDF_NO_BENCHMARK
 };
 int r;