Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

crypto: rsa - allow only odd e and restrict value in FIPS mode

check if rsa public exponent is odd and check its value is between
2^16 < e < 2^256.

FIPS 186-5 DSS (page 35)[1] specifies that:
1. The public exponent e shall be selected with the following constraints:
(a) The public verification exponent e shall be selected prior to
generating the primes, p and q, and the private signature exponent
d.
(b) The exponent e shall be an odd positive integer such that:
2^16 < e < 2^256.

[1] https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf

Signed-off-by: Mahmoud Adam <mngyadam@amazon.com>
Reviewed-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

authored by Mahmoud Adam and committed by Herbert Xu
6637e11e ba51738f

+36
+36
crypto/rsa.c
··· 205 205 return -EINVAL; 206 206 } 207 207 208 + static int rsa_check_exponent_fips(MPI e) 209 + { 210 + MPI e_max = NULL; 211 + 212 + /* check if odd */ 213 + if (!mpi_test_bit(e, 0)) { 214 + return -EINVAL; 215 + } 216 + 217 + /* check if 2^16 < e < 2^256. */ 218 + if (mpi_cmp_ui(e, 65536) <= 0) { 219 + return -EINVAL; 220 + } 221 + 222 + e_max = mpi_alloc(0); 223 + mpi_set_bit(e_max, 256); 224 + 225 + if (mpi_cmp(e, e_max) >= 0) { 226 + mpi_free(e_max); 227 + return -EINVAL; 228 + } 229 + 230 + mpi_free(e_max); 231 + return 0; 232 + } 233 + 208 234 static int rsa_set_pub_key(struct crypto_akcipher *tfm, const void *key, 209 235 unsigned int keylen) 210 236 { ··· 254 228 goto err; 255 229 256 230 if (rsa_check_key_length(mpi_get_size(mpi_key->n) << 3)) { 231 + rsa_free_mpi_key(mpi_key); 232 + return -EINVAL; 233 + } 234 + 235 + if (fips_enabled && rsa_check_exponent_fips(mpi_key->e)) { 257 236 rsa_free_mpi_key(mpi_key); 258 237 return -EINVAL; 259 238 } ··· 317 286 goto err; 318 287 319 288 if (rsa_check_key_length(mpi_get_size(mpi_key->n) << 3)) { 289 + rsa_free_mpi_key(mpi_key); 290 + return -EINVAL; 291 + } 292 + 293 + if (fips_enabled && rsa_check_exponent_fips(mpi_key->e)) { 320 294 rsa_free_mpi_key(mpi_key); 321 295 return -EINVAL; 322 296 }
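Review bot: in rsa_check_exponent_fips() (first hunk), the result of `mpi_alloc(0)` goes straight into `mpi_set_bit(e_max, 256)` with no NULL check, so an allocation failure on the set-key path would dereference a NULL pointer. Check e_max and return -ENOMEM, or drop the temporary altogether by bounding the bit length with `if (mpi_get_nbits(e) > 256) return -EINVAL;`, which is the same condition as e >= 2^256 and removes both the allocation and the two mpi_free() calls. The braces around the single-statement `if` bodies also go against kernel coding style.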
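Review bot: in the rsa_set_pub_key() hunk, `fips_enabled && rsa_check_exponent_fips(mpi_key->e)` discards the helper's return code and always reports -EINVAL. The helper allocates an MPI, so as soon as it reports an allocation failure with its own error code this caller would present it as a rejected key. Keep the result in a local, for example `ret = rsa_check_exponent_fips(mpi_key->e);`, free the key, and return that value.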
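Review bot: the last hunk pastes the same exponent check and free-and-return block a second time, right after an equally duplicated rsa_check_key_length() block. Fold the length check and the FIPS exponent check into one helper called from both set-key paths so the two cannot drift apart, and add a one-line comment at the call naming FIPS 186-5, since the 2^16 < e < 2^256 bound is only explained in the commit message.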