Blame SOURCES/libreswan-3.25-1664521-fips-keysize.patch

5b9a3d
diff --git a/programs/pluto/connections.c b/programs/pluto/connections.c
5b9a3d
index 45e5bee1f..db1ac5303 100644
5b9a3d
--- a/programs/pluto/connections.c
5b9a3d
+++ b/programs/pluto/connections.c
5b9a3d
@@ -846,9 +846,10 @@ static void load_end_nss_certificate(const char *which, CERTCertificate *cert,
5b9a3d
 	if (libreswan_fipsmode()) {
5b9a3d
 		SECKEYPublicKey *pk = CERT_ExtractPublicKey(cert);
5b9a3d
 		passert(pk != NULL);
5b9a3d
-		if (pk->u.rsa.modulus.len < FIPS_MIN_RSA_KEY_SIZE) {
5b9a3d
+		if (pk->u.rsa.modulus.len * BITS_PER_BYTE < FIPS_MIN_RSA_KEY_SIZE) {
5b9a3d
 			whack_log(RC_FATAL,
5b9a3d
-				"FIPS: Rejecting cert with key size under %d",
5b9a3d
+				"FIPS: Rejecting cert with key size %d which is under %d",
5b9a3d
+				pk->u.rsa.modulus.len * BITS_PER_BYTE,
5b9a3d
 				FIPS_MIN_RSA_KEY_SIZE);
5b9a3d
 			SECKEY_DestroyPublicKey(pk);
5b9a3d
 			return;
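Review bot: The new condition `if (pk->u.rsa.modulus.len * BITS_PER_BYTE < FIPS_MIN_RSA_KEY_SIZE)` still reads `u.rsa.modulus` without first confirming `pk->keyType == rsaKey`, so for a certificate carrying an EC or DSA public key the comparison is made against an unrelated member of the NSS key union and the FIPS size check produces an arbitrary result; the nss_cert_verify.c hunk (import_der_cert) has the same pattern. NSS already provides a key-type-aware measure that also discounts a leading zero byte of a DER-encoded modulus, so `unsigned bits = SECKEY_PublicKeyStrengthInBits(pk);` followed by `if (bits < FIPS_MIN_RSA_KEY_SIZE) {` would make the check meaningful for every key type and avoid overstating the width by 8 bits when the modulus carries a sign byte; if non-RSA keys are meant to be accepted in FIPS mode, the minimum presumably has to be chosen per key type, which neither hunk shows. `modulus.len` is a SECItem length (unsigned int), so the `%d` used for the logged width in the added whack_log and libreswan_log lines is also a signedness mismatch and should be `%u`. load_end_nss_certificate begins before this hunk and continues past it.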
5b9a3d
diff --git a/programs/pluto/nss_cert_verify.c b/programs/pluto/nss_cert_verify.c
5b9a3d
index b4de167bb..9b031354b 100644
5b9a3d
--- a/programs/pluto/nss_cert_verify.c
5b9a3d
+++ b/programs/pluto/nss_cert_verify.c
5b9a3d
@@ -460,9 +460,10 @@ static bool import_der_cert(CERTCertDBHandle *handle,
5b9a3d
 	if (libreswan_fipsmode()) {
5b9a3d
 		SECKEYPublicKey *pk = CERT_ExtractPublicKey(cert);
5b9a3d
 		passert(pk != NULL);
5b9a3d
-		if (pk->u.rsa.modulus.len < FIPS_MIN_RSA_KEY_SIZE) {
5b9a3d
-			libreswan_log("FIPS: Rejecting cert with key size under %d",
5b9a3d
-				      FIPS_MIN_RSA_KEY_SIZE);
5b9a3d
+		if ((pk->u.rsa.modulus.len * BITS_PER_BYTE) < FIPS_MIN_RSA_KEY_SIZE) {
5b9a3d
+			libreswan_log("FIPS: Rejecting peer cert with key size %d under %d",
5b9a3d
+					pk->u.rsa.modulus.len * BITS_PER_BYTE,
5b9a3d
+					FIPS_MIN_RSA_KEY_SIZE);
5b9a3d
 			SECKEY_DestroyPublicKey(pk);
5b9a3d
 			/*
5b9a3d
 			 * XXX: Since the certificate isn't added to