|
|
0a8476 |
diff --git a/programs/pluto/connections.c b/programs/pluto/connections.c
|
|
|
0a8476 |
index 45e5bee1f..db1ac5303 100644
|
|
|
0a8476 |
--- a/programs/pluto/connections.c
|
|
|
0a8476 |
+++ b/programs/pluto/connections.c
|
|
|
0a8476 |
@@ -846,9 +846,10 @@ static void load_end_nss_certificate(const char *which, CERTCertificate *cert,
|
|
|
0a8476 |
if (libreswan_fipsmode()) {
|
|
|
0a8476 |
SECKEYPublicKey *pk = CERT_ExtractPublicKey(cert);
|
|
|
0a8476 |
passert(pk != NULL);
|
|
|
0a8476 |
- if (pk->u.rsa.modulus.len < FIPS_MIN_RSA_KEY_SIZE) {
|
|
|
0a8476 |
+ if (pk->u.rsa.modulus.len * BITS_PER_BYTE < FIPS_MIN_RSA_KEY_SIZE) {
|
|
|
0a8476 |
whack_log(RC_FATAL,
|
|
|
0a8476 |
- "FIPS: Rejecting cert with key size under %d",
|
|
|
0a8476 |
+ "FIPS: Rejecting cert with key size %d which is under %d",
|
|
|
0a8476 |
+ pk->u.rsa.modulus.len * BITS_PER_BYTE,
|
|
|
0a8476 |
FIPS_MIN_RSA_KEY_SIZE);
|
|
|
0a8476 |
SECKEY_DestroyPublicKey(pk);
|
|
|
0a8476 |
return;
|
|
|
0a8476 |
diff --git a/programs/pluto/nss_cert_verify.c b/programs/pluto/nss_cert_verify.c
|
|
|
0a8476 |
index b4de167bb..9b031354b 100644
|
|
|
0a8476 |
--- a/programs/pluto/nss_cert_verify.c
|
|
|
0a8476 |
+++ b/programs/pluto/nss_cert_verify.c
|
|
|
0a8476 |
@@ -460,9 +460,10 @@ static bool import_der_cert(CERTCertDBHandle *handle,
|
|
|
0a8476 |
if (libreswan_fipsmode()) {
|
|
|
0a8476 |
SECKEYPublicKey *pk = CERT_ExtractPublicKey(cert);
|
|
|
0a8476 |
passert(pk != NULL);
|
|
|
0a8476 |
- if (pk->u.rsa.modulus.len < FIPS_MIN_RSA_KEY_SIZE) {
|
|
|
0a8476 |
- libreswan_log("FIPS: Rejecting cert with key size under %d",
|
|
|
0a8476 |
- FIPS_MIN_RSA_KEY_SIZE);
|
|
|
0a8476 |
+ if ((pk->u.rsa.modulus.len * BITS_PER_BYTE) < FIPS_MIN_RSA_KEY_SIZE) {
|
|
|
0a8476 |
+ libreswan_log("FIPS: Rejecting peer cert with key size %d under %d",
|
|
|
0a8476 |
+ pk->u.rsa.modulus.len * BITS_PER_BYTE,
|
|
|
0a8476 |
+ FIPS_MIN_RSA_KEY_SIZE);
|
|
|
0a8476 |
SECKEY_DestroyPublicKey(pk);
|
|
|
0a8476 |
/*
|
|
|
0a8476 |
* XXX: Since the certificate isn't added to
|