Message ID | 2564099.lGaqSPkdTl@positron.chronox.de (mailing list archive)
---|---
State | Accepted
Delegated to: | Herbert Xu
Series | crypto: DH - limit key size to 2048 in FIPS mode
On Sun, Nov 21, 2021 at 03:51:44PM +0100, Stephan Müller wrote:
> FIPS disallows DH with keys < 2048 bits. Thus, the kernel should
> consider the enforcement of this limit.
>
> Signed-off-by: Stephan Mueller <smueller@chronox.de>
> ---
> crypto/dh.c | 4 ++++
> 1 file changed, 4 insertions(+)

Patch applied. Thanks.
diff --git a/crypto/dh.c b/crypto/dh.c index cd4f32092e5c..38557e64b4b3 100644 --- a/crypto/dh.c +++ b/crypto/dh.c @@ -5,6 +5,7 @@ * Authors: Salvatore Benedetto <salvatore.benedetto@intel.com> */ +#include <linux/fips.h> #include <linux/module.h> #include <crypto/internal/kpp.h> #include <crypto/kpp.h> @@ -47,6 +48,9 @@ static inline struct dh_ctx *dh_get_ctx(struct crypto_kpp *tfm) static int dh_check_params_length(unsigned int p_len) { + if (fips_enabled) + return (p_len < 2048) ? -EINVAL : 0; + return (p_len < 1536) ? -EINVAL : 0; }
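Review bot: In the dh_check_params_length() hunk the new test `if (fips_enabled) return (p_len < 2048) ? -EINVAL : 0;` gates on the length of the modulus parameter p, while the subject and description speak of "keys < 2048 bits"; the wording should say that it is the prime modulus p that must be at least 2048 bits in FIPS mode, so readers do not confuse it with the private-key length. A short comment giving the unit of p_len would also help, because the bare 1536 and 2048 literals are only meaningful as bit lengths and nothing in the hunk says so. Finally, the check constrains only the length of p, not its value, so the description should present it as a minimum-size enforcement rather than as validation of the DH parameters themselves.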
FIPS disallows DH with keys < 2048 bits. Thus, the kernel should
consider the enforcement of this limit.

Signed-off-by: Stephan Mueller <smueller@chronox.de>

---
crypto/dh.c | 4 ++++
1 file changed, 4 insertions(+)