authorStephan Müller <smueller@chronox.de>2021-11-21 15:31:27 +0100
committerHerbert Xu <herbert@gondor.apana.org.au>2021-11-26 16:25:18 +1100
commit1ce1bacc480965fab4420e561916ce45d2e90c05 (patch)
treeecae3be9723e37d0ceb746c88f63a86df5ba75cb
parent552d03a223eda3df84526ab2c1f4d82e15eaee7a (diff)
crypto: rsa - limit key size to 2048 in FIPS mode
FIPS disallows RSA with keys < 2048 bits. Thus, the kernel should consider the enforcement of this limit. Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-rw-r--r--crypto/rsa.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/crypto/rsa.c b/crypto/rsa.c
index 4cdbec95d077..39e04176b04b 100644
--- a/crypto/rsa.c
+++ b/crypto/rsa.c
@@ -5,6 +5,7 @@
* Authors: Tadeusz Struk <tadeusz.struk@intel.com>
*/
+#include <linux/fips.h>
#include <linux/module.h>
#include <linux/mpi.h>
#include <crypto/internal/rsa.h>
@@ -144,6 +145,9 @@ static int rsa_check_key_length(unsigned int len)
case 512:
case 1024:
case 1536:
+ if (fips_enabled)
+ return -EINVAL;
+ fallthrough;
case 2048:
case 3072:
case 4096:
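Review bot: The new `if (fips_enabled) return -EINVAL;` under `case 1536:` has no comment and returns the same error as an unsupported length, so a caller or log reader cannot tell a FIPS policy rejection from a malformed key. I would add `/* FIPS mode: RSA moduli below 2048 bits are not approved */` directly above the `if`, which also explains why the three small sizes now fall through conditionally. rsa_check_key_length() receives only the length, so if it is shared by the public-key and private-key setkey paths (its callers are outside this hunk), FIPS mode would also refuse signature verification with existing 1024-bit keys; it is worth confirming that this is intended. The function body starts and ends outside the hunk.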