From f903ddcf447474fda1a036584b550d12dd620a73 Mon Sep 17 00:00:00 2001
From: Ondrej Kozina <okozina@redhat.com>
Date: Thu, 29 Aug 2024 15:31:08 +0200
Subject: [PATCH 10/10] Warn if Argon2 keyslot is unlocked in FIPS mode.

---
 lib/luks2/luks2_keyslot.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/lib/luks2/luks2_keyslot.c b/lib/luks2/luks2_keyslot.c
index bb9d4537..2f979d81 100644
--- a/lib/luks2/luks2_keyslot.c
+++ b/lib/luks2/luks2_keyslot.c
@@ -573,6 +573,7 @@ int LUKS2_keyslot_open(struct crypt_device *cd,
 {
 	struct luks2_hdr *hdr;
 	int r_prio, r = -EINVAL;
+	struct crypt_pbkdf_type pbkdf;
 
 	hdr = crypt_get_hdr(cd, CRYPT_LUKS2);
 	if (!hdr)
@@ -599,7 +600,11 @@ int LUKS2_keyslot_open(struct crypt_device *cd,
 			log_err(cd, _("Not enough available memory to open a keyslot."));
 		else if (r != -EPERM && r != -ENOENT)
 			log_err(cd, _("Keyslot open failed."));
-	}
+	} else if (crypt_fips_mode() && !LUKS2_keyslot_pbkdf(hdr, r, &pbkdf) &&
+		   !strncmp(pbkdf.type, "argon2", 6))
+		log_err(cd, "The %s KDF used in keyslot %d is not FIPS compliant.\n"
+			    "Please refer to cryptsetup-luksConvertKey(8) man page to switch it to pbkdf2.",
+			    pbkdf.type, r);
 
 	return r;
 }
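Review bot: The message string in the added `log_err` call is not wrapped in `_()`, unlike the neighbouring `log_err(cd, _("Not enough available memory to open a keyslot."))` and `log_err(cd, _("Keyslot open failed."))` calls, so it is excluded from translation; wrap it as `log_err(cd, _("The %s KDF used in keyslot %d is not FIPS compliant.\n" "Please refer to cryptsetup-luksConvertKey(8) man page to switch it to pbkdf2."), pbkdf.type, r);`. Note also that the new branch runs only when the open succeeded (r is the slot index here), yet the text is emitted at error level while the function still returns success; the subject calls this a warning, so if a callback consumer treats error-level output as failure this may surprise it — worth a brief comment such as `/* Successful open: only warn about a non-FIPS keyslot KDF, do not fail. */` or a lower log level if the library provides one. The LUKS2_keyslot_open body begins before this hunk.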
-- 
2.46.0