mirror of https://github.com/systemd/systemd-stable.git synced 2024-12-22 13:33:56 +03:00

cryptsetup-util: disable pbkdf benchmark in cryptsetup_set_minimal_pbkdf.

No need to benchmark pbkdf when asking for minimal values
anyway.

1000 iterations count is minimum for both LUKS1 and LUKS2
pbkdf2 keyslot parameters according to NIST SP 800-132, ch. 5.2.

The iteration count cannot be lower than the recommended minimum
when benchmarking is disabled. The time_ms member is ignored when
benchmarking is disabled.
Ondrej Kozina 2021-05-27 08:43:18 +02:00 committed by Lennart Poettering
parent 7dba77a67e
commit 358b1f68b0


@ -123,11 +123,15 @@ void cryptsetup_enable_logging(struct crypt_device *cd) {
int cryptsetup_set_minimal_pbkdf(struct crypt_device *cd) {
/* With CRYPT_PBKDF_NO_BENCHMARK flag set .time_ms member is ignored
* while .iterations must be set at least to recommended minimum value. */
static const struct crypt_pbkdf_type minimal_pbkdf = {
.hash = "sha512",
.type = CRYPT_KDF_PBKDF2,
.iterations = 1,
.time_ms = 1,
.iterations = 1000, /* recommended minimum count for pbkdf2
* according to NIST SP 800-132, ch. 5.2 */
.flags = CRYPT_PBKDF_NO_BENCHMARK
};
int r;
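Review bot: The new comment above `minimal_pbkdf` explains how `CRYPT_PBKDF_NO_BENCHMARK` interacts with `.time_ms` and `.iterations`, but it does not state the precondition that makes these parameters acceptable. 1000 PBKDF2 iterations with benchmarking off add almost no cost to offline guessing, so the setting is only sound for keyslots protected by high-entropy key material, not by a human-chosen passphrase. The callers are not visible in this hunk, so that is presumably how cryptsetup_set_minimal_pbkdf() is used, but it should be written down here, e.g. `/* Only for keyslots unlocked with high-entropy keys; never use for user-chosen passphrases. */`. Giving the literal `1000` a name would also keep the NIST SP 800-132 reference in one place. The function body continues past the end of the hunk.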