File openssl-pbkdf2-Set-minimum-password-length-of-8-bytes.patch of Package openssl-3
From 915990e450e769e370fcacbfd8ed58ab6afaf2bf Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Mon, 21 Aug 2023 15:47:55 +0200
Subject: [PATCH 39/48]
0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
Patch-name: 0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
Patch-id: 84
---
providers/implementations/kdfs/pbkdf2.c.in | 27 ++++++++++++++++++++++++-
1 file changed, 26 insertions(+), 1 deletion(-)
Index: openssl-3.6.0/providers/implementations/kdfs/pbkdf2.c.in
===================================================================
--- openssl-3.6.0.orig/providers/implementations/kdfs/pbkdf2.c.in
+++ openssl-3.6.0/providers/implementations/kdfs/pbkdf2.c.in
@@ -38,6 +38,21 @@ use OpenSSL::paramnames qw(produce_param
#define KDF_PBKDF2_MAX_KEY_LEN_DIGEST_RATIO 0xFFFFFFFF
#define KDF_PBKDF2_MIN_ITERATIONS 1000
#define KDF_PBKDF2_MIN_SALT_LEN (128 / 8)
+/* The Implementation Guidance for FIPS 140-3 says in section D.N
+ * "Password-Based Key Derivation for Storage Applications" that "the vendor
+ * shall document in the module’s Security Policy the length of
+ * a password/passphrase used in key derivation and establish an upper bound
+ * for the probability of having this parameter guessed at random. This
+ * probability shall take into account not only the length of the
+ * password/passphrase, but also the difficulty of guessing it. The decision on
+ * the minimum length of a password used for key derivation is the vendor’s,
+ * but the vendor shall at a minimum informally justify the decision."
+ *
+ * We are choosing a minimum password length of 8 bytes, because NIST's ACVP
+ * testing uses passwords as short as 8 bytes, and requiring longer passwords
+ * combined with an implicit indicator (i.e., returning an error) would cause
+ * the module to fail ACVP testing. */
+#define KDF_PBKDF2_MIN_PASSWORD_LEN (8)
static OSSL_FUNC_kdf_newctx_fn kdf_pbkdf2_new;
static OSSL_FUNC_kdf_dupctx_fn kdf_pbkdf2_dup;
@@ -185,8 +200,8 @@ static int pbkdf2_set_membuf(unsigned ch
}
static int pbkdf2_lower_bound_check_passed(int saltlen, uint64_t iter,
- size_t keylen, int *error,
- const char **desc)
+ size_t keylen, size_t passlen,
+ int *error, const char **desc)
{
if ((keylen * 8) < KDF_PBKDF2_MIN_KEY_LEN_BITS) {
*error = PROV_R_KEY_SIZE_TOO_SMALL;
@@ -194,6 +209,12 @@ static int pbkdf2_lower_bound_check_pass
*desc = "Key size";
return 0;
}
+ if (passlen < KDF_PBKDF2_MIN_PASSWORD_LEN) {
+ *error = PROV_R_INVALID_INPUT_LENGTH;
+ if (desc != NULL)
+ *desc = "Password length";
+ return 0;
+ }
if (saltlen < KDF_PBKDF2_MIN_SALT_LEN) {
*error = PROV_R_INVALID_SALT_LENGTH;
if (desc != NULL)
@@ -212,12 +233,12 @@ static int pbkdf2_lower_bound_check_pass
#ifdef FIPS_MODULE
static int fips_lower_bound_check_passed(KDF_PBKDF2 *ctx, int saltlen,
- uint64_t iter, size_t keylen)
+ uint64_t iter, size_t keylen, size_t passlen)
{
OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);
int error = 0;
const char *desc = NULL;
- int approved = pbkdf2_lower_bound_check_passed(saltlen, iter, keylen,
+ int approved = pbkdf2_lower_bound_check_passed(saltlen, iter, keylen, passlen,
&error, &desc);
if (!approved) {
@@ -233,15 +254,15 @@ static int fips_lower_bound_check_passed
#endif
static int lower_bound_check_passed(KDF_PBKDF2 *ctx, int saltlen, uint64_t iter,
- size_t keylen, int lower_bound_checks)
+ size_t keylen, size_t passlen, int lower_bound_checks)
{
#ifdef FIPS_MODULE
- if (!fips_lower_bound_check_passed(ctx, saltlen, iter, keylen))
+ if (!fips_lower_bound_check_passed(ctx, saltlen, iter, keylen, passlen))
return 0;
#else
if (lower_bound_checks) {
int error = 0;
- int passed = pbkdf2_lower_bound_check_passed(saltlen, iter, keylen,
+ int passed = pbkdf2_lower_bound_check_passed(saltlen, iter, keylen, passlen,
&error, NULL);
if (!passed) {
@@ -328,11 +349,16 @@ static int kdf_pbkdf2_set_ctx_params(voi
#endif
}
- if (p.pw != NULL && !pbkdf2_set_membuf(&ctx->pass, &ctx->pass_len, p.pw))
+ if (p.pw != NULL) {
+ if (!lower_bound_check_passed(ctx, INT_MAX, UINT64_MAX, SIZE_MAX, p.pw->data_size,
+ ctx->lower_bound_checks))
+ return 0;
+ if (!pbkdf2_set_membuf(&ctx->pass, &ctx->pass_len, p.pw))
return 0;
+ }
if (p.salt != NULL) {
- if (!lower_bound_check_passed(ctx, (int)p.salt->data_size, UINT64_MAX, SIZE_MAX,
+ if (!lower_bound_check_passed(ctx, (int)p.salt->data_size, UINT64_MAX, SIZE_MAX, SIZE_MAX,
ctx->lower_bound_checks))
return 0;
if (!pbkdf2_set_membuf(&ctx->salt, &ctx->salt_len, p.salt))
@@ -342,7 +368,7 @@ static int kdf_pbkdf2_set_ctx_params(voi
if (p.iter != NULL) {
if (!OSSL_PARAM_get_uint64(p.iter, &iter))
return 0;
- if (!lower_bound_check_passed(ctx, INT_MAX, iter, SIZE_MAX,
+ if (!lower_bound_check_passed(ctx, INT_MAX, iter, SIZE_MAX, SIZE_MAX,
ctx->lower_bound_checks))
return 0;
ctx->iter = iter;
@@ -433,7 +459,7 @@ static int pbkdf2_derive(KDF_PBKDF2 *ctx
return 0;
}
- if (!lower_bound_check_passed(ctx, saltlen, iter, keylen, lower_bound_checks))
+ if (!lower_bound_check_passed(ctx, saltlen, iter, keylen, passlen, lower_bound_checks))
return 0;
hctx_tpl = HMAC_CTX_new();
