summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStephan Müller <smueller@chronox.de>2021-11-21 15:51:44 +0100
committerHerbert Xu <herbert@gondor.apana.org.au>2021-11-26 16:25:18 +1100
commit1e146c393b152a31771b49af5d104d9ed846da9b (patch)
tree7abdac941c769c4d47bfbd3af4de0b57ce0af07a
parent1ce1bacc480965fab4420e561916ce45d2e90c05 (diff)
crypto: dh - limit key size to 2048 in FIPS mode
FIPS disallows DH with keys < 2048 bits. Thus, the kernel should consider the enforcement of this limit. Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-rw-r--r--crypto/dh.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/crypto/dh.c b/crypto/dh.c
index cd4f32092e5c..38557e64b4b3 100644
--- a/crypto/dh.c
+++ b/crypto/dh.c
@@ -5,6 +5,7 @@
* Authors: Salvatore Benedetto <salvatore.benedetto@intel.com>
*/
+#include <linux/fips.h>
#include <linux/module.h>
#include <crypto/internal/kpp.h>
#include <crypto/kpp.h>
@@ -47,6 +48,9 @@ static inline struct dh_ctx *dh_get_ctx(struct crypto_kpp *tfm)
static int dh_check_params_length(unsigned int p_len)
{
+ if (fips_enabled)
+ return (p_len < 2048) ? -EINVAL : 0;
+
return (p_len < 1536) ? -EINVAL : 0;
}