From f903ddcf447474fda1a036584b550d12dd620a73 Mon Sep 17 00:00:00 2001
|
|
From: Ondrej Kozina <okozina@redhat.com>
|
|
Date: Thu, 29 Aug 2024 15:31:08 +0200
|
|
Subject: [PATCH 10/10] Warn if Argon2 keyslot is unlocked in FIPS mode.
|
|
|
|
---
|
|
lib/luks2/luks2_keyslot.c | 7 ++++++-
|
|
1 file changed, 6 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/lib/luks2/luks2_keyslot.c b/lib/luks2/luks2_keyslot.c
|
|
index bb9d4537..2f979d81 100644
|
|
--- a/lib/luks2/luks2_keyslot.c
|
|
+++ b/lib/luks2/luks2_keyslot.c
|
|
@@ -573,6 +573,7 @@ int LUKS2_keyslot_open(struct crypt_device *cd,
|
|
{
|
|
struct luks2_hdr *hdr;
|
|
int r_prio, r = -EINVAL;
|
|
+ struct crypt_pbkdf_type pbkdf;
|
|
|
|
hdr = crypt_get_hdr(cd, CRYPT_LUKS2);
|
|
if (!hdr)
|
|
@@ -599,7 +600,11 @@ int LUKS2_keyslot_open(struct crypt_device *cd,
|
|
log_err(cd, _("Not enough available memory to open a keyslot."));
|
|
else if (r != -EPERM && r != -ENOENT)
|
|
log_err(cd, _("Keyslot open failed."));
|
|
- }
|
|
+ } else if (crypt_fips_mode() && !LUKS2_keyslot_pbkdf(hdr, r, &pbkdf) &&
|
|
+ !strncmp(pbkdf.type, "argon2", 6))
|
|
+ log_err(cd, "The %s KDF used in keyslot %d is not FIPS compliant.\n"
|
|
+ "Please refer to cryptsetup-luksConvertKey(8) man page to switch it to pbkdf2.",
|
|
+ pbkdf.type, r);
|
|
|
|
return r;
|
|
}
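Review bot: The new log_err() call at the end of LUKS2_keyslot_open is the only message in the function whose format string is not wrapped in _(), so unlike the neighbouring "Keyslot open failed." it will never be translated; wrap it as `log_err(cd, _("The %s KDF used in keyslot %d is not FIPS compliant.\n" "Please refer to cryptsetup-luksConvertKey(8) man page to switch it to pbkdf2."), pbkdf.type, r);`. The branch is the else-side of the error path (the if/else above treats negative r as an error, so r is the slot index here), meaning the keyslot has already been unlocked with Argon2 before the warning is emitted; that matches the commit title, but a comment such as `/* Slot already opened: in FIPS mode we only warn about a non-approved KDF, we do not reject it. */` would make the policy explicit to the next reader. `strncmp(pbkdf.type, "argon2", 6)` also assumes LUKS2_keyslot_pbkdf() always sets a non-NULL type string on success; the helper is not visible from this hunk, so please confirm, or guard with `pbkdf.type &&` before the compare. The enclosing function starts outside the hunk.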
|
|
--
|
|
2.46.0
|
|
|