Blame SOURCES/cryptsetup-argon2-fips.patch
|
 |
7cdc99 |
diff --git a/lib/luks2/luks2_keyslot_luks2.c b/lib/luks2/luks2_keyslot_luks2.c
|
|
|
7cdc99 |
index 3716c26..540915b 100644
|
|
|
7cdc99 |
--- a/lib/luks2/luks2_keyslot_luks2.c
|
|
|
7cdc99 |
+++ b/lib/luks2/luks2_keyslot_luks2.c
|
|
|
7cdc99 |
@@ -350,6 +350,13 @@ static int luks2_keyslot_get_key(struct crypt_device *cd,
|
|
|
7cdc99 |
crypt_free_volume_key(derived_key);
|
|
|
7cdc99 |
return -ENOMEM;
|
|
|
7cdc99 |
}
|
|
|
7cdc99 |
+
|
|
|
7cdc99 |
+ if (crypt_fips_mode() &&
|
|
|
7cdc99 |
+ (!strcmp(pbkdf.type, CRYPT_KDF_ARGON2I) ||
|
|
|
7cdc99 |
+ !strcmp(pbkdf.type, CRYPT_KDF_ARGON2ID)))
|
|
|
7cdc99 |
+ log_verbose(cd, _("%s key derivation function is not currently FIPS-compliant."),
|
|
|
7cdc99 |
+ pbkdf.type);
|
|
|
7cdc99 |
+
|
|
|
7cdc99 |
/*
|
|
|
7cdc99 |
* Calculate derived key, decrypt keyslot content and merge it.
|
|
|
7cdc99 |
*/
|
|
|
7cdc99 |
@@ -406,6 +413,14 @@ static int luks2_keyslot_update_json(struct crypt_device *cd,
|
|
|
7cdc99 |
if (!pbkdf)
|
|
|
7cdc99 |
return -EINVAL;
|
|
|
7cdc99 |
|
|
|
7cdc99 |
+ if (crypt_fips_mode() &&
|
|
|
7cdc99 |
+ (!strcmp(pbkdf->type, CRYPT_KDF_ARGON2I) ||
|
|
|
7cdc99 |
+ !strcmp(pbkdf->type, CRYPT_KDF_ARGON2ID))) {
|
|
|
7cdc99 |
+ log_err(cd, _("%s key derivation function is not allowed in FIPS mode."),
|
|
|
7cdc99 |
+ pbkdf->type);
|
|
|
7cdc99 |
+ return -EINVAL;
|
|
|
7cdc99 |
+ }
|
|
|
7cdc99 |
+
|
|
|
7cdc99 |
r = crypt_benchmark_pbkdf_internal(cd, CONST_CAST(struct crypt_pbkdf_type *)pbkdf, keyslot_key_len);
|
|
|
7cdc99 |
if (r < 0)
|
|
|
7cdc99 |
return r;
|