From 1e146c393b152a31771b49af5d104d9ed846da9b Mon Sep 17 00:00:00 2001 From: Stephan Müller Date: Sun, 21 Nov 2021 15:51:44 +0100 Subject: crypto: dh - limit key size to 2048 in FIPS mode FIPS disallows DH with keys < 2048 bits. Thus, the kernel should consider the enforcement of this limit. Signed-off-by: Stephan Mueller Signed-off-by: Herbert Xu --- crypto/dh.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'crypto') diff --git a/crypto/dh.c b/crypto/dh.c index cd4f32092e5c..38557e64b4b3 100644 --- a/crypto/dh.c +++ b/crypto/dh.c @@ -5,6 +5,7 @@ * Authors: Salvatore Benedetto */ +#include #include #include #include @@ -47,6 +48,9 @@ static inline struct dh_ctx *dh_get_ctx(struct crypto_kpp *tfm) static int dh_check_params_length(unsigned int p_len) { + if (fips_enabled) + return (p_len < 2048) ? -EINVAL : 0; + return (p_len < 1536) ? -EINVAL : 0; } -- cgit v1.2.3