crypto: dh - limit key size to 2048 in FIPS mode
FIPS disallows DH with keys < 2048 bits. Thus, the kernel should
consider the enforcement of this limit.

Signed-off-by: Stephan Mueller <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
smuellerDD authored and herbertx committed Nov 26, 2021
1 parent 1ce1bac commit 1e146c3
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions crypto/dh.c
Expand Up @@ -5,6 +5,7 @@
* Authors: Salvatore Benedetto <[email protected]>
*/

#include <linux/fips.h>
#include <linux/module.h>
#include <crypto/internal/kpp.h>
#include <crypto/kpp.h>
Expand Down Expand Up @@ -47,6 +48,9 @@ static inline struct dh_ctx *dh_get_ctx(struct crypto_kpp *tfm)

static int dh_check_params_length(unsigned int p_len)
{
if (fips_enabled)
return (p_len < 2048) ? -EINVAL : 0;

return (p_len < 1536) ? -EINVAL : 0;
}

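Review bot: the unit of p_len is not documented in this hunk; the 1536 and 2048 constants only read as bits because the commit message says "2048 bits", while the function takes a bare unsigned int. A one-line comment such as `/* p_len is the size of the modulus p in bits */` above dh_check_params_length, or a rename to p_bits, would make the FIPS threshold self-evident to the next reader. Also worth stating in that comment that this is a floor only: in FIPS mode any p_len >= 2048 passes, including sizes that are not one of the customary 2048/3072/4096 values, and nothing in this function checks which modulus is used, so the change enforces the FIPS minimum size, not the choice of group.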