| From 293abb5435e2b4bec7f8333fb11c88d5c1f45800 Mon Sep 17 00:00:00 2001
| From: Ondrej Kozina <okozina@redhat.com>
| Date: Mon, 5 Dec 2022 13:35:24 +0100
| Subject: [PATCH 3/3] Add FIPS related error message in keyslot add code.
| 
| Add hints on what went wrong when creating new LUKS
| keyslots. The hint is printed only in FIPS mode and
| when pbkdf2 failed with passphrase shorter than 8
| bytes.
| ---
|  lib/luks1/keymanage.c           | 5 ++++-
|  lib/luks2/luks2_keyslot_luks2.c | 2 ++
|  2 files changed, 6 insertions(+), 1 deletion(-)
| 
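--- a/lib/luks1/keymanage.c
+++ b/lib/luks1/keymanage.c
@@ -926,6 +926,8 @@ int LUKS_set_key(unsigned int keyIndex,
 			derived_key->key, hdr->keyBytes,
 			hdr->keyblock[keyIndex].passwordIterations, 0, 0);
 	if (r < 0) {
+		if (crypt_fips_mode() && passwordLen < 8)
+			log_err(ctx, _("Invalid passphrase for PBKDF2 in FIPS mode."));
 		if ((crypt_backend_flags() & CRYPT_BACKEND_PBKDF2_INT) &&
 		     hdr->keyblock[keyIndex].passwordIterations > INT_MAX)
 			log_err(ctx, _("PBKDF2 iteration value overflow."));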
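Review bot: The added hint in LUKS_set_key fires on any PBKDF failure while FIPS mode is on and `passwordLen < 8`, so it asserts a cause the code has not confirmed, and it does not tell the user what the requirement is. Because it is a plain `if` ahead of the iteration-overflow check rather than part of an `else if` chain, a single failure can print both messages. If the backend limit really is 8 bytes, as the commit description implies, wording such as `log_err(ctx, _("PBKDF2 failed; FIPS mode requires a passphrase of at least 8 bytes."));` would be more actionable. The bare `8` is repeated in the luks2_keyslot_set_key hunk and would be better as one shared named constant with a comment saying where the limit comes from. The function body starts and ends outside this hunk.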
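--- a/lib/luks2/luks2_keyslot_luks2.c
+++ b/lib/luks2/luks2_keyslot_luks2.c
@@ -269,6 +269,8 @@ static int luks2_keyslot_set_key(struct
 		     pbkdf.iterations > INT_MAX)
 			log_err(cd, _("PBKDF2 iteration value overflow."));
 		crypt_free_volume_key(derived_key);
+		if (crypt_fips_mode() && passwordLen < 8 && !strcmp(pbkdf.type, "pbkdf2"))
+			log_err(cd, _("Invalid passphrase for PBKDF2 in FIPS mode."));
 		return r;
 	}
 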
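Review bot: The added condition compares the PBKDF type against the bare literal `"pbkdf2"`; libcryptsetup already defines `CRYPT_KDF_PBKDF2` for that string, so `!strcmp(pbkdf.type, CRYPT_KDF_PBKDF2)` would keep the check in step with the rest of the library. The hint is also logged after the overflow message and after `crypt_free_volume_key()`, while the LUKS1 hunk logs it before the overflow check, so the two code paths report the same failure in a different order. A short comment above the new `if`, for example `/* Hint only: FIPS backends may reject short PBKDF2 passphrases. */`, would record that this is a heuristic. luks2_keyslot_set_key starts outside this hunk, so whether `pbkdf.type` can be NULL at this point cannot be confirmed from here.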