Re: [PATCH] crypto: rsa - restrict plaintext/ciphertext values more in FIPS mode


 



Hi Herbert,

On 1/25/24 23:58, Herbert Xu wrote:
On Sun, Jan 21, 2024 at 01:49:00PM -0600, Joachim Vandersmissen wrote:
  static int _rsa_enc(const struct rsa_mpi_key *key, MPI c, MPI m)
  {
+	/* For FIPS, SP 800-56Br2, Section 7.1.1 requires 1 < m < n - 1 */
+	if (fips_enabled && rsa_check_payload_fips(m, key->n))
+		return -EINVAL;
+
  	/* (1) Validate 0 <= m < n */
  	if (mpi_cmp_ui(m, 0) < 0 || mpi_cmp(m, key->n) >= 0)
  		return -EINVAL;
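Review bot: With fips_enabled set, the new 1 < m < n - 1 test makes the existing "(1) Validate 0 <= m < n" check directly below it dead on that path, yet the step comment is left untouched, so the function now reads as two independent range validations; either fold both into a single check or amend the comment to say the FIPS bound is the stricter of the two. The hunk also relies on rsa_check_payload_fips() returning nonzero on failure without showing that helper, so its contract (0 for in range, nonzero otherwise) should be stated where it is defined, and since the subject line covers ciphertext values as well, the matching bound on c in the decrypt path needs the same treatment as this _rsa_enc hunk.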
I think this check makes sense in general, so why not simply
replace the second check above with the new check?

Yes, mathematically speaking the values 1 and n - 1 aren't suitable for RSA (they will always be fixed points). I simply didn't want to introduce a breaking change. If you think a breaking change is acceptable, I can update the patch to replace the RFC3447 check with the stricter check.


Thanks,
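The fixed-point remark above (1 and n - 1 always map to themselves under the public operation) and the gap between the RFC 3447 range check and the stricter 1 < m < n - 1 bound can be seen with a toy-sized key. The program below is an added example, not code from the kernel or from the patch: it models _rsa_enc with 64-bit integers instead of MPI, the key (p = 61, q = 53, n = 3233, e = 17) is constructed for illustration and is far too small to be secure, and the helper names rsa_check_payload_rfc3447, rsa_is_fixed_point and rsa_enc_checked are made up here. rsa_check_payload_fips is assumed to implement exactly the bound stated in the patch comment.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy key (p = 61, q = 53): n = 3233, e = 17. Illustration only. */
#define TOY_N 3233ULL
#define TOY_E 17ULL

/*
 * RFC 3447 style range check, 0 <= m < n. The kernel compares an MPI that
 * may be negative; with an unsigned integer only the upper bound is needed.
 */
static int rsa_check_payload_rfc3447(uint64_t m, uint64_t n)
{
	return m < n ? 0 : -EINVAL;
}

/* Stricter bound from the patch comment (SP 800-56Br2 7.1.1): 1 < m < n - 1. */
static int rsa_check_payload_fips(uint64_t m, uint64_t n)
{
	if (m <= 1 || m >= n - 1)
		return -EINVAL;
	return 0;
}

/* Square-and-multiply modular exponentiation; 128-bit intermediate avoids overflow. */
static uint64_t modpow(uint64_t base, uint64_t exp, uint64_t mod)
{
	uint64_t result = 1;

	base %= mod;
	while (exp) {
		if (exp & 1)
			result = (uint64_t)(((unsigned __int128)result * base) % mod);
		base = (uint64_t)(((unsigned __int128)base * base) % mod);
		exp >>= 1;
	}
	return result;
}

/* True when m^e mod n == m, i.e. encryption leaves m unchanged. */
static bool rsa_is_fixed_point(uint64_t m, uint64_t e, uint64_t n)
{
	return modpow(m, e, n) == m;
}

/*
 * Model of _rsa_enc from the hunk: the FIPS check runs first when enabled,
 * then the RFC 3447 check, then c = m^e mod n. Returns 0 or -EINVAL.
 */
static int rsa_enc_checked(uint64_t m, uint64_t *c, bool fips_enabled)
{
	if (fips_enabled && rsa_check_payload_fips(m, TOY_N))
		return -EINVAL;
	if (rsa_check_payload_rfc3447(m, TOY_N))
		return -EINVAL;
	*c = modpow(m, TOY_E, TOY_N);
	return 0;
}

int main(void)
{
	const uint64_t edge[] = { 0, 1, 2, TOY_N - 2, TOY_N - 1, TOY_N };
	size_t i;

	for (i = 0; i < sizeof(edge) / sizeof(edge[0]); i++) {
		uint64_t m = edge[i], c = 0;
		int rfc = rsa_enc_checked(m, &c, false);
		int fips = rsa_enc_checked(m, &c, true);

		printf("m=%4llu  rfc3447=%s  fips=%s  fixed_point=%s\n",
		       (unsigned long long)m,
		       rfc ? "reject" : "accept",
		       fips ? "reject" : "accept",
		       m < TOY_N && rsa_is_fixed_point(m, TOY_E, TOY_N) ? "yes" : "no");
	}
	return 0;
}
```

Because e is always odd, (n - 1)^e is congruent to (-1)^e = -1, so n - 1 is a fixed point for every RSA key, not just this toy one; 0 and 1 are fixed points trivially. The RFC 3447 check admits all three, while the stricter bound rejects 0, 1 and n - 1 outright.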



