crypto: rsa - fix invalid check for keylen in fips mode

Message ID	20150721001826.24499.51560.stgit@tstruk-mobl1 (mailing list archive)
State	Accepted
Delegated to:	Herbert Xu
Headers	show Return-Path: <linux-crypto-owner@kernel.org> Subject: [PATCH] crypto: rsa - fix invalid check for keylen in fips mode From: Tadeusz Struk <tadeusz.struk@intel.com> To: herbert@gondor.apana.org.au Cc: linux-crypto@vger.kernel.org, dan.carpenter@oracle.com, tadeusz.struk@intel.com Date: Mon, 20 Jul 2015 17:18:26 -0700 Message-ID: <20150721001826.24499.51560.stgit@tstruk-mobl1> User-Agent: StGit/0.17.1-dirty MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk

Message ID

20150721001826.24499.51560.stgit@tstruk-mobl1 (mailing list archive)

State

Accepted

Delegated to:

Herbert Xu

Headers

Subject: [PATCH] crypto: rsa - fix invalid check for keylen in fips mode
From: Tadeusz Struk <tadeusz.struk@intel.com>
To: herbert@gondor.apana.org.au
Cc: linux-crypto@vger.kernel.org, dan.carpenter@oracle.com,
	tadeusz.struk@intel.com
Date: Mon, 20 Jul 2015 17:18:26 -0700
Message-ID: <20150721001826.24499.51560.stgit@tstruk-mobl1>
User-Agent: StGit/0.17.1-dirty
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Sender: linux-crypto-owner@vger.kernel.org
Precedence: bulk

Commit Message

Tadeusz Struk July 21, 2015, 12:18 a.m. UTC

The condition checking allowed key length was invalid.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>

Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
---
 crypto/rsa_helper.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)


--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

Herbert Xu July 21, 2015, 12:25 p.m. UTC | #1

On Mon, Jul 20, 2015 at 05:18:26PM -0700, Tadeusz Struk wrote:
> The condition checking allowed key length was invalid.
> 
> Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> 
> Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>

Applied.

Tadeusz Struk July 22, 2015, 1:38 p.m. UTC | #2

On 07/21/2015 05:25 AM, Herbert Xu wrote:
> On Mon, Jul 20, 2015 at 05:18:26PM -0700, Tadeusz Struk wrote:
>> The condition checking allowed key length was invalid.
>>
>> Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
>>
>> Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
> 
> Applied.
> 
Herbert, Shouldn't this one go to 4.2?
Thanks,
T
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Herbert Xu July 23, 2015, 1:54 a.m. UTC | #3

On Wed, Jul 22, 2015 at 06:38:45AM -0700, Tadeusz Struk wrote:
> On 07/21/2015 05:25 AM, Herbert Xu wrote:
> > On Mon, Jul 20, 2015 at 05:18:26PM -0700, Tadeusz Struk wrote:
> >> The condition checking allowed key length was invalid.
> >>
> >> Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> >>
> >> Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
> > 
> > Applied.
> > 
> Herbert, Shouldn't this one go to 4.2?

No because we don't have any RSA users in 4.2.

Cheers,

diff --git a/crypto/rsa_helper.c b/crypto/rsa_helper.c
index 3e8e0a9..8d96ce9 100644
--- a/crypto/rsa_helper.c
+++ b/crypto/rsa_helper.c
@@ -28,7 +28,7 @@  int rsa_get_n(void *context, size_t hdrlen, unsigned char tag,
 		return -ENOMEM;
 
 	/* In FIPS mode only allow key size 2K & 3K */
-	if (fips_enabled && (mpi_get_size(key->n) != 256 ||
+	if (fips_enabled && (mpi_get_size(key->n) != 256 &&
 			     mpi_get_size(key->n) != 384)) {
 		pr_err("RSA: key size not allowed in FIPS mode\n");
 		mpi_free(key->n);
@@ -62,7 +62,7 @@  int rsa_get_d(void *context, size_t hdrlen, unsigned char tag,
 		return -ENOMEM;
 
 	/* In FIPS mode only allow key size 2K & 3K */
-	if (fips_enabled && (mpi_get_size(key->d) != 256 ||
+	if (fips_enabled && (mpi_get_size(key->d) != 256 &&
 			     mpi_get_size(key->d) != 384)) {
 		pr_err("RSA: key size not allowed in FIPS mode\n");
 		mpi_free(key->d);

crypto: rsa - fix invalid check for keylen in fips mode

Commit Message

Comments

Patch