|
 |
1ac26c |
From 754862899058cfb5f2341c81f9e04dd2f7b37056 Mon Sep 17 00:00:00 2001
|
|
|
1ac26c |
From: Clemens Lang <cllang@redhat.com>
|
|
|
1ac26c |
Date: Thu, 17 Nov 2022 18:37:17 +0100
|
|
|
1ac26c |
Subject: [PATCH] pbkdf2: Set minimum password length of 8 bytes
|
|
|
1ac26c |
MIME-Version: 1.0
|
|
|
1ac26c |
Content-Type: text/plain; charset=UTF-8
|
|
|
1ac26c |
Content-Transfer-Encoding: 8bit
|
|
|
1ac26c |
|
|
|
1ac26c |
The Implementation Guidance for FIPS 140-3 says in section D.N
|
|
|
1ac26c |
"Password-Based Key Derivation for Storage Applications" that "the
|
|
|
1ac26c |
vendor shall document in the module’s Security Policy the length of
|
|
|
1ac26c |
a password/passphrase used in key derivation and establish an upper
|
|
|
1ac26c |
bound for the probability of having this parameter guessed at random.
|
|
|
1ac26c |
This probability shall take into account not only the length of the
|
|
|
1ac26c |
password/passphrase, but also the difficulty of guessing it. The
|
|
|
1ac26c |
decision on the minimum length of a password used for key derivation is
|
|
|
1ac26c |
the vendor’s, but the vendor shall at a minimum informally justify the
|
|
|
1ac26c |
decision."
|
|
|
1ac26c |
|
|
|
1ac26c |
We are choosing a minimum password length of 8 bytes, because NIST's
|
|
|
1ac26c |
ACVP testing uses passwords as short as 8 bytes, and requiring longer
|
|
|
1ac26c |
passwords combined with an implicit indicator (i.e., returning an error)
|
|
|
1ac26c |
would cause the module to fail ACVP testing.
|
|
|
1ac26c |
|
|
|
1ac26c |
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
|
|
1ac26c |
---
|
|
|
1ac26c |
providers/implementations/kdfs/pbkdf2.c | 27 ++++++++++++++++++++++++-
|
|
|
1ac26c |
1 file changed, 26 insertions(+), 1 deletion(-)
|
|
|
1ac26c |
|
|
|
1ac26c |
diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c
|
|
|
1ac26c |
index 2a0ae63acc..aa0adce5e6 100644
|
|
|
1ac26c |
--- a/providers/implementations/kdfs/pbkdf2.c
|
|
|
1ac26c |
+++ b/providers/implementations/kdfs/pbkdf2.c
|
|
|
1ac26c |
@@ -35,6 +35,21 @@
|
|
|
1ac26c |
#define KDF_PBKDF2_MAX_KEY_LEN_DIGEST_RATIO 0xFFFFFFFF
|
|
|
1ac26c |
#define KDF_PBKDF2_MIN_ITERATIONS 1000
|
|
|
1ac26c |
#define KDF_PBKDF2_MIN_SALT_LEN (128 / 8)
|
|
|
1ac26c |
+/* The Implementation Guidance for FIPS 140-3 says in section D.N
|
|
|
1ac26c |
+ * "Password-Based Key Derivation for Storage Applications" that "the vendor
|
|
|
1ac26c |
+ * shall document in the module’s Security Policy the length of
|
|
|
1ac26c |
+ * a password/passphrase used in key derivation and establish an upper bound
|
|
|
1ac26c |
+ * for the probability of having this parameter guessed at random. This
|
|
|
1ac26c |
+ * probability shall take into account not only the length of the
|
|
|
1ac26c |
+ * password/passphrase, but also the difficulty of guessing it. The decision on
|
|
|
1ac26c |
+ * the minimum length of a password used for key derivation is the vendor’s,
|
|
|
1ac26c |
+ * but the vendor shall at a minimum informally justify the decision."
|
|
|
1ac26c |
+ *
|
|
|
1ac26c |
+ * We are choosing a minimum password length of 8 bytes, because NIST's ACVP
|
|
|
1ac26c |
+ * testing uses passwords as short as 8 bytes, and requiring longer passwords
|
|
|
1ac26c |
+ * combined with an implicit indicator (i.e., returning an error) would cause
|
|
|
1ac26c |
+ * the module to fail ACVP testing. */
|
|
|
1ac26c |
+#define KDF_PBKDF2_MIN_PASSWORD_LEN (8)
|
|
|
1ac26c |
|
|
|
1ac26c |
static OSSL_FUNC_kdf_newctx_fn kdf_pbkdf2_new;
|
|
|
1ac26c |
static OSSL_FUNC_kdf_freectx_fn kdf_pbkdf2_free;
|
|
|
1ac26c |
@@ -186,9 +201,15 @@ static int kdf_pbkdf2_set_ctx_params(void *vctx, const OSSL_PARAM params[])
|
|
|
1ac26c |
ctx->lower_bound_checks = pkcs5 == 0;
|
|
|
1ac26c |
}
|
|
|
1ac26c |
|
|
|
1ac26c |
- if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PASSWORD)) != NULL)
|
|
|
1ac26c |
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PASSWORD)) != NULL) {
|
|
|
1ac26c |
+ if (ctx->lower_bound_checks != 0
|
|
|
1ac26c |
+ && p->data_size < KDF_PBKDF2_MIN_PASSWORD_LEN) {
|
|
|
1ac26c |
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
|
|
|
1ac26c |
+ return 0;
|
|
|
1ac26c |
+ }
|
|
|
1ac26c |
if (!pbkdf2_set_membuf(&ctx->pass, &ctx->pass_len, p))
|
|
|
1ac26c |
return 0;
|
|
|
1ac26c |
+ }
|
|
|
1ac26c |
|
|
|
1ac26c |
if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL) {
|
|
|
1ac26c |
if (ctx->lower_bound_checks != 0
|
|
|
1ac26c |
@@ -297,6 +318,10 @@ static int pbkdf2_derive(const char *pass, size_t passlen,
|
|
|
1ac26c |
}
|
|
|
1ac26c |
|
|
|
1ac26c |
if (lower_bound_checks) {
|
|
|
1ac26c |
+ if (passlen < KDF_PBKDF2_MIN_PASSWORD_LEN) {
|
|
|
1ac26c |
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
|
|
|
1ac26c |
+ return 0;
|
|
|
1ac26c |
+ }
|
|
|
1ac26c |
if ((keylen * 8) < KDF_PBKDF2_MIN_KEY_LEN_BITS) {
|
|
|
1ac26c |
ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL);
|
|
|
1ac26c |
return 0;
|
|
|
1ac26c |
--
|
|
|
1ac26c |
2.38.1
|
|
|
1ac26c |
|