From: Ondrej Kozina
Date: Wed, 31 Jan 2024 15:12:58 +0000 (+0100)
Subject: homework: Use minimal pbkdf2 parameters without benchmark.
X-Git-Tag: v256-rc1~995
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7a87d01f28c2a86b4d3db67eb1c07666380bf5f9;p=thirdparty%2Fsystemd.git
homework: Use minimal pbkdf2 parameters without benchmark.
---
diff --git a/src/home/homework-luks.c b/src/home/homework-luks.c
index e9c1933dfe9..d901841eae4 100644
--- a/src/home/homework-luks.c
+++ b/src/home/homework-luks.c
@@ -1699,12 +1699,13 @@ static struct crypt_pbkdf_type* build_minimal_pbkdf(struct crypt_pbkdf_type *buf
 assert(hr);
 /* For PKCS#11 derived keys (which are generated randomly and are of high quality already) we use a
- * minimal PBKDF */
+ * minimal PBKDF and CRYPT_PBKDF_NO_BENCHMARK flag to skip benchmark. */
 *buffer = (struct crypt_pbkdf_type) {
 .hash = user_record_luks_pbkdf_hash_algorithm(hr),
 .type = CRYPT_KDF_PBKDF2,
- .iterations = 1,
- .time_ms = 1,
+ .iterations = 1000, /* recommended minimum count for pbkdf2
+ * according to NIST SP 800-132, ch. 5.2 */
+ .flags = CRYPT_PBKDF_NO_BENCHMARK
 };
 return buffer;
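Review bot: The comment above the `*buffer = …` initializer still justifies the weak setting only by naming PKCS#11-derived keys, yet with `CRYPT_PBKDF_NO_BENCHMARK` and a fixed `.iterations = 1000` the keyslot gets essentially no key stretching, so its safety rests entirely on callers passing only randomly generated, high-entropy secrets. I would spell that invariant out in the comment, e.g. `* Must only be used for randomly generated high-entropy keys, never for user-chosen passphrases.`, so a later caller does not reuse the helper for a password slot. As a style point, `.flags = CRYPT_PBKDF_NO_BENCHMARK` drops the trailing comma the other members carry; `.flags = CRYPT_PBKDF_NO_BENCHMARK,` keeps later additions to one-line diffs. The signature and closing brace of build_minimal_pbkdf() lie outside the hunk, so its callers are not visible here.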