Commit 1e146c39 authored by Stephan Müller's avatar Stephan Müller Committed by Herbert Xu
Browse files

crypto: dh - limit key size to 2048 in FIPS mode 



FIPS disallows DH with keys < 2048 bits. Thus, the kernel should
consider the enforcement of this limit.

Signed-off-by: default avatarStephan Mueller <smueller@chronox.de>
Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
parent 1ce1bacc

crypto/dh.c

+4 −0
Original line number Diff line number Diff line
@@ -5,6 +5,7 @@ 
 * Authors: Salvatore Benedetto <salvatore.benedetto@intel.com>

 */



#include <linux/fips.h>

#include <linux/module.h>

#include <crypto/internal/kpp.h>

#include <crypto/kpp.h>
@@ -47,6 +48,9 @@ static inline struct dh_ctx *dh_get_ctx(struct crypto_kpp *tfm) 


static int dh_check_params_length(unsigned int p_len)

{

	if (fips_enabled)

		return (p_len < 2048) ? -EINVAL : 0;



	return (p_len < 1536) ? -EINVAL : 0;

}