Blame SOURCES/libreswan-3.25-1664521-fips-keysize.patch

0a8476
diff --git a/programs/pluto/connections.c b/programs/pluto/connections.c
0a8476
index 45e5bee1f..db1ac5303 100644
0a8476
--- a/programs/pluto/connections.c
0a8476
+++ b/programs/pluto/connections.c
0a8476
@@ -846,9 +846,10 @@ static void load_end_nss_certificate(const char *which, CERTCertificate *cert,
0a8476
 	if (libreswan_fipsmode()) {
0a8476
 		SECKEYPublicKey *pk = CERT_ExtractPublicKey(cert);
0a8476
 		passert(pk != NULL);
0a8476
-		if (pk->u.rsa.modulus.len < FIPS_MIN_RSA_KEY_SIZE) {
0a8476
+		if (pk->u.rsa.modulus.len * BITS_PER_BYTE < FIPS_MIN_RSA_KEY_SIZE) {
0a8476
 			whack_log(RC_FATAL,
0a8476
-				"FIPS: Rejecting cert with key size under %d",
0a8476
+				"FIPS: Rejecting cert with key size %d which is under %d",
0a8476
+				pk->u.rsa.modulus.len * BITS_PER_BYTE,
0a8476
 				FIPS_MIN_RSA_KEY_SIZE);
0a8476
 			SECKEY_DestroyPublicKey(pk);
0a8476
 			return;
0a8476
diff --git a/programs/pluto/nss_cert_verify.c b/programs/pluto/nss_cert_verify.c
0a8476
index b4de167bb..9b031354b 100644
0a8476
--- a/programs/pluto/nss_cert_verify.c
0a8476
+++ b/programs/pluto/nss_cert_verify.c
0a8476
@@ -460,9 +460,10 @@ static bool import_der_cert(CERTCertDBHandle *handle,
0a8476
 	if (libreswan_fipsmode()) {
0a8476
 		SECKEYPublicKey *pk = CERT_ExtractPublicKey(cert);
0a8476
 		passert(pk != NULL);
0a8476
-		if (pk->u.rsa.modulus.len < FIPS_MIN_RSA_KEY_SIZE) {
0a8476
-			libreswan_log("FIPS: Rejecting cert with key size under %d",
0a8476
-				      FIPS_MIN_RSA_KEY_SIZE);
0a8476
+		if ((pk->u.rsa.modulus.len * BITS_PER_BYTE) < FIPS_MIN_RSA_KEY_SIZE) {
0a8476
+			libreswan_log("FIPS: Rejecting peer cert with key size %d under %d",
0a8476
+					pk->u.rsa.modulus.len * BITS_PER_BYTE,
0a8476
+					FIPS_MIN_RSA_KEY_SIZE);
0a8476
 			SECKEY_DestroyPublicKey(pk);
0a8476
 			/*
0a8476
 			 * XXX: Since the certificate isn't added to