diff --git a/lib/luks2/luks2_keyslot_luks2.c b/lib/luks2/luks2_keyslot_luks2.c |
|
index 3716c26..540915b 100644 |
|
--- a/lib/luks2/luks2_keyslot_luks2.c |
|
+++ b/lib/luks2/luks2_keyslot_luks2.c |
|
@@ -350,6 +350,13 @@ static int luks2_keyslot_get_key(struct crypt_device *cd, |
|
crypt_free_volume_key(derived_key); |
|
return -ENOMEM; |
|
} |
|
+ |
|
+ if (crypt_fips_mode() && |
|
+ (!strcmp(pbkdf.type, CRYPT_KDF_ARGON2I) || |
|
+ !strcmp(pbkdf.type, CRYPT_KDF_ARGON2ID))) |
|
+ log_verbose(cd, _("%s key derivation function is not currently FIPS-compliant."), |
|
+ pbkdf.type); |
|
+ |
|
/* |
|
* Calculate derived key, decrypt keyslot content and merge it. |
|
*/ |
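Review bot: In luks2_keyslot_get_key the FIPS check only emits `log_verbose`, so on a FIPS-mode system an Argon2 keyslot is still unlocked through a non-approved KDF, and the operator sees nothing unless verbose logging is enabled. If keeping existing volumes openable is the intent, say so in a comment above the check, e.g. `/* Opening existing Argon2 keyslots stays allowed in FIPS mode; only new keyslots are rejected. */`, and consider a log level that is visible by default so a compliance review can spot these unlocks. The same two-`strcmp` predicate is repeated in the second hunk (luks2_keyslot_update_json); a small static helper would keep both sites in step. The function body starts and ends outside this hunk.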
|
@@ -406,6 +413,14 @@ static int luks2_keyslot_update_json(struct crypt_device *cd, |
|
if (!pbkdf) |
|
return -EINVAL; |
|
|
|
+ if (crypt_fips_mode() && |
|
+ (!strcmp(pbkdf->type, CRYPT_KDF_ARGON2I) || |
|
+ !strcmp(pbkdf->type, CRYPT_KDF_ARGON2ID))) { |
|
+ log_err(cd, _("%s key derivation function is not allowed in FIPS mode."), |
|
+ pbkdf->type); |
|
+ return -EINVAL; |
|
+ } |
|
+ |
|
r = crypt_benchmark_pbkdf_internal(cd, CONST_CAST(struct crypt_pbkdf_type *)pbkdf, keyslot_key_len); |
|
if (r < 0) |
|
return r;
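Review bot: The rejection in luks2_keyslot_update_json is a denylist of the two Argon2 names, so any KDF type added later would pass in FIPS mode until someone remembers to extend this condition. Inverting it to accept only the approved type fails closed: `if (crypt_fips_mode() && strcmp(pbkdf->type, CRYPT_KDF_PBKDF2)) {`. Only `pbkdf` itself is NULL-checked in the visible lines; if `pbkdf->type` can be NULL at this point `strcmp` would dereference it, so confirm that validation outside this hunk guarantees a non-NULL type. The function body starts and ends outside the hunk.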
|
|
|