Hi Herbert,
On 1/25/24 23:58, Herbert Xu wrote:
On Sun, Jan 21, 2024 at 01:49:00PM -0600, Joachim Vandersmissen wrote:
static int _rsa_enc(const struct rsa_mpi_key *key, MPI c, MPI m)
{
+ /* For FIPS, SP 800-56Br2, Section 7.1.1 requires 1 < m < n - 1 */
+ if (fips_enabled && rsa_check_payload_fips(m, key->n))
+ return -EINVAL;
+
/* (1) Validate 0 <= m < n */
if (mpi_cmp_ui(m, 0) < 0 || mpi_cmp(m, key->n) >= 0)
return -EINVAL;
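Review bot: the hunk leaves the return convention of rsa_check_payload_fips() undocumented; since the added line treats any nonzero value as a rejection, a short comment (or a bool return) saying it returns nonzero when m is outside 1 < m < n - 1 would make the intent clear at the call site. Also note that the FIPS range is a strict subset of the RFC 3447 range tested on the following lines (`/* (1) Validate 0 <= m < n */`), so once fips_enabled is set the second check can never fail; either drop it in FIPS mode or add a comment that it only matters for non-FIPS builds.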
I think this check makes sense in general, so why not simply
replace the second check above with the new check?
Yes, mathematically speaking the values 1 and n - 1 aren't suitable for
RSA (they will always be fixed points). I simply didn't want to
introduce a breaking change. If you think a breaking change is
acceptable, I can update the patch to replace the RFC3447 check with the
stricter check.
Thanks,
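An added example, not part of the patch or the kernel code, that illustrates the point discussed in this thread: the boundary values are fixed points of RSA encryption, the RFC 3447 range accepts them, and the stricter SP 800-56Br2 range rejects them. Python ints stand in for kernel MPIs, and the toy modulus and exponent are constructed for the demo.

```python
# Added example (not from the patch or the kernel): compare the two range checks
# on the same inputs and verify the fixed-point claim for the boundary messages.

def rfc3447_range_ok(m: int, n: int) -> bool:
    """RFC 3447 step (1) as kept in the hunk: accept 0 <= m < n."""
    return 0 <= m < n


def sp80056b_range_ok(m: int, n: int) -> bool:
    """SP 800-56Br2 section 7.1.1 as added by the hunk: accept 1 < m < n - 1."""
    return 1 < m < n - 1


def rsa_enc_check(m: int, n: int, fips_enabled: bool) -> int:
    """Mirror of the hunk's control flow: 0 on success, -22 (EINVAL) on rejection.

    The FIPS check runs first and is strictly narrower, so the RFC 3447 check
    can only reject something when fips_enabled is False.
    """
    if fips_enabled and not sp80056b_range_ok(m, n):
        return -22
    if not rfc3447_range_ok(m, n):
        return -22
    return 0


def fixed_points(n: int, e: int) -> list[int]:
    """Return those boundary messages m in {0, 1, n-1} with m^e mod n == m.

    0 and 1 are fixed under any exponent; n-1 == -1 (mod n) is fixed whenever
    e is odd, which every valid RSA public exponent is (e must be coprime to
    the even value phi(n)).
    """
    return [m for m in (0, 1, n - 1) if pow(m, e, n) == m]


if __name__ == "__main__":
    # Constructed toy parameters: n = 61 * 53, e = 17.
    n, e = 3233, 17
    print("fixed boundary messages:", fixed_points(n, e))
    for m in (0, 1, 2, n - 2, n - 1, n):
        print(f"m={m:5d}  rfc3447={rsa_enc_check(m, n, False):3d}"
              f"  fips={rsa_enc_check(m, n, True):3d}")
```

Running the script shows that m = 1 and m = n - 1 pass the RFC 3447 check but are rejected once fips_enabled is set.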