2021-11-21 14:51:49

by Stephan Müller

Subject: [PATCH] crypto: DH - limit key size to 2048 in FIPS mode

FIPS disallows DH with keys < 2048 bits. Thus, the kernel should
consider the enforcement of this limit.

Signed-off-by: Stephan Mueller <[email protected]>
---
crypto/dh.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/crypto/dh.c b/crypto/dh.c
index cd4f32092e5c..38557e64b4b3 100644
--- a/crypto/dh.c
+++ b/crypto/dh.c
@@ -5,6 +5,7 @@
* Authors: Salvatore Benedetto <[email protected]>
*/

+#include <linux/fips.h>
#include <linux/module.h>
#include <crypto/internal/kpp.h>
#include <crypto/kpp.h>
@@ -47,6 +48,9 @@ static inline struct dh_ctx *dh_get_ctx(struct crypto_kpp *tfm)

static int dh_check_params_length(unsigned int p_len)
{
+ if (fips_enabled)
+ return (p_len < 2048) ? -EINVAL : 0;
+
return (p_len < 1536) ? -EINVAL : 0;
}

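Review bot: The commit message says "key size", but the check in dh_check_params_length() applies to p_len, the length of the prime modulus p, not the private key; the subject and body should say "modulus size" (or "prime length") so the enforced limit is not misread as a limit on the exponent. The branch also duplicates the length comparison; a single minimum reads more clearly and keeps one return path, e.g. `unsigned int min_len = fips_enabled ? 2048 : 1536;` followed by `return (p_len < min_len) ? -EINVAL : 0;`. A short comment naming the FIPS requirement the 2048 constant comes from would help the next reader, since the existing 1536 value is equally unexplained.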
--
2.33.1

2021-11-26 05:34:55

by Herbert Xu

Subject: Re: [PATCH] crypto: DH - limit key size to 2048 in FIPS mode

On Sun, Nov 21, 2021 at 03:51:44PM +0100, Stephan Müller wrote:
> FIPS disallows DH with keys < 2048 bits. Thus, the kernel should
> consider the enforcement of this limit.
>
> Signed-off-by: Stephan Mueller <[email protected]>
> ---
> crypto/dh.c | 4 ++++
> 1 file changed, 4 insertions(+)

Patch applied. Thanks.
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt