crypto: hmac - disallow keys < 112 bits in FIPS mode

[linux-2.6-block.git] / crypto / hmac.c

diff --git a/crypto/hmac.c b/crypto/hmac.c
index 25856aa7ccbf9af9eac3204727081a6f56d07559..3610ff0b67392281db30103e42a889c09b03cc2e 100644 (file)
--- a/crypto/hmac.c
+++ b/crypto/hmac.c
@@ -15,6 +15,7 @@
 #include <crypto/internal/hash.h>
 #include <crypto/scatterwalk.h>
 #include <linux/err.h>
+#include <linux/fips.h>
 #include <linux/init.h>
 #include <linux/kernel.h>
 #include <linux/module.h>
@@ -51,6 +52,9 @@ static int hmac_setkey(struct crypto_shash *parent,
        SHASH_DESC_ON_STACK(shash, hash);
        unsigned int i;
 
+       if (fips_enabled && (keylen < 112 / 8))
+               return -EINVAL;
+
        shash->tfm = hash;
 
        if (keylen > bs) {