openssl-1_1/openssl-1_1-ossl-sli-008-pbkdf2-salt_pass_iteration.patch

---
 crypto/fips/fips_sli.c            |   21 +++++++++++++++++++
 crypto/kdf/pbkdf2.c               |    6 +++++
 include/internal/fips_sli_local.h |    3 ++
 test/fips_slitest.c               |   41 ++++++++++++++++++++++----------------
 4 files changed, 54 insertions(+), 17 deletions(-)

--- a/crypto/fips/fips_sli.c
+++ b/crypto/fips/fips_sli.c
@@ -231,6 +231,27 @@ FIPS_STATUS fips_sli_get_kdf_keylen_stat
         return FIPS_NONAPPROVED;
 }
 
+FIPS_STATUS fips_sli_get_kdf_saltlen_status(size_t saltlen_bytes) {
+    if (saltlen_bytes >= 128/8)
+        return FIPS_APPROVED;
+    else
+        return FIPS_NONAPPROVED;
+}
+
+FIPS_STATUS fips_sli_get_kdf_iteration_status(size_t iter) {
+    if (iter >= 1000)
+        return FIPS_APPROVED;
+    else
+        return FIPS_NONAPPROVED;
+}
+
+FIPS_STATUS fips_sli_get_kdf_passlen_status(size_t passlen_bytes) {
+    if (passlen_bytes >= 20)
+        return FIPS_APPROVED;
+    else
+        return FIPS_NONAPPROVED;
+}
+
 void fips_sli_check_key_rsa_keygen_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const RSA * rsa) {
     fips_sli_check_key_rsa_siggen_EVP_PKEY_CTX(ctx, rsa);
 }
--- a/crypto/kdf/pbkdf2.c
+++ b/crypto/kdf/pbkdf2.c
@@ -187,6 +187,12 @@ static int kdf_pbkdf2_derive(EVP_KDF_IMP
     fips_sli_check_hash_kdf_struct_evp_kdf_impl_st(impl);
     fips_sli_fsm_struct_evp_kdf_impl_st(impl,
                                         fips_sli_get_kdf_keylen_status(keylen));
+    fips_sli_fsm_struct_evp_kdf_impl_st(impl,
+                                        fips_sli_get_kdf_saltlen_status(impl->salt_len));
+    fips_sli_fsm_struct_evp_kdf_impl_st(impl,
+                                        fips_sli_get_kdf_iteration_status(impl->iter));
+    fips_sli_fsm_struct_evp_kdf_impl_st(impl,
+                                        fips_sli_get_kdf_passlen_status(impl->pass_len));
     return pkcs5_pbkdf2_alg((char *)impl->pass, impl->pass_len,
                             impl->salt, impl->salt_len, impl->iter,
                             impl->md, key, keylen);
--- a/include/internal/fips_sli_local.h
+++ b/include/internal/fips_sli_local.h
@@ -70,6 +70,9 @@ FIPS_STATUS fips_sli_get_hash_status_ssh
 FIPS_STATUS fips_sli_get_hash_status_pbkdf2(const EVP_MD * md);
 FIPS_STATUS fips_sli_get_hash_status_kdf_tls1_prf(const EVP_MD * md);
 FIPS_STATUS fips_sli_get_kdf_keylen_status(size_t keylen_bytes);
+FIPS_STATUS fips_sli_get_kdf_saltlen_status(size_t saltlen_bytes);
+FIPS_STATUS fips_sli_get_kdf_iteration_status(size_t iter);
+FIPS_STATUS fips_sli_get_kdf_passlen_status(size_t passlen_bytes);
 
 /* Check if used curve is okay for and in this context */
 void fips_sli_check_curve_siggen_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx, const EC_GROUP *group);
--- a/test/fips_slitest.c
+++ b/test/fips_slitest.c
@@ -490,36 +490,41 @@ typedef struct {
     int nid_digest;
     const uint8_t key_expected[32]; // length has to be 32
 } SLI_PBKDF2_TEST;
-
 static const SLI_PBKDF2_TEST pbkdf2_tests[] = {
     {
-        1, 4200, NID_sha256, {
-            0xE7, 0xBE, 0x37, 0x75, 0x9D, 0x53, 0x3E, 0x5A, 0x06, 0x20, 0xC9, 0xA5, 0x3A, 0x8D, 0xA2, 0x9E,
-            0x9C, 0x27, 0xDF, 0x26, 0x24, 0xAB, 0xD8, 0x8E, 0x56, 0xE5, 0xB9, 0xF5, 0xA0, 0xD6, 0xD5, 0xEE
+        1, 4096, NID_sha1, {
+            0x3D, 0x2E, 0xEC, 0x4F, 0xE4, 0x1C, 0x84, 0x9B, 0x80, 0xC8, 0xD8, 0x36, 0x62, 0xC0, 0xE4, 0x4A,
+            0x8B, 0x29, 0x1A, 0x96, 0x4C, 0xF2, 0xF0, 0x70, 0x38, 0xB6, 0xB8, 0x9A, 0x48, 0x61, 0x2C, 0x5A
+        }
+    },
+    {
+        1, 4096, NID_sha256, {
+            0x34, 0x8C, 0x89, 0xDB, 0xCB, 0xD3, 0x2B, 0x2F, 0x32, 0xD8, 0x14, 0xB8, 0x11, 0x6E, 0x84, 0xCF,
+            0x2B, 0x17, 0x34, 0x7E, 0xBC, 0x18, 0x00, 0x18, 0x1C, 0x4E, 0x2A, 0x1F, 0xB8, 0xDD, 0x53, 0xE1
         }
     },
     {
         1, 1347, NID_sha256, {
-            0xFB, 0xBB, 0xEC, 0x28, 0x5B, 0x48, 0xE7, 0xC2, 0x54, 0x4E, 0x65, 0x0F, 0x1E, 0xC8, 0xB5, 0x1C,
-            0xF5, 0xAD, 0xAE, 0x2A, 0x21, 0x56, 0x94, 0xD2, 0xE1, 0xB7, 0xC8, 0x7D, 0x7A, 0x0D, 0x63, 0x86
+            0xD5, 0x99, 0x16, 0xFF, 0x8A, 0xBC, 0x26, 0x37, 0xAF, 0x4B, 0x26, 0xF1, 0x7E, 0x56, 0x8B, 0x7A,
+            0x00, 0x16, 0xA9, 0xF2, 0x7D, 0x96, 0xDB, 0x33, 0x0A, 0xD0, 0x5F, 0xC3, 0x0C, 0x22, 0xA2, 0xD0
         }
     },
     {
-        1, 4200, NID_sha1, {
-            0x45, 0x96, 0x78, 0xF3, 0x92, 0x74, 0xAC, 0x5B, 0x1F, 0x2B, 0xD3, 0x75, 0x1A, 0xBA, 0x5D, 0xBE,
-            0xF2, 0xDE, 0xE9, 0x88, 0x16, 0x4B, 0x0B, 0x84, 0x94, 0xD9, 0xC2, 0x2D, 0xC1, 0xB9, 0xB0, 0x8A
+        1, 4096, NID_sha512, {
+            0x8C, 0x05, 0x11, 0xF4, 0xC6, 0xE5, 0x97, 0xC6, 0xAC, 0x63, 0x15, 0xD8, 0xF0, 0x36, 0x2E, 0x22,
+            0x5F, 0x3C, 0x50, 0x14, 0x95, 0xBA, 0x23, 0xB8, 0x68, 0xC0, 0x05, 0x17, 0x4D, 0xC4, 0xEE, 0x71
         }
     },
     {
-        1, 4200, NID_sha3_512, {
-            0x1E, 0x77, 0xC8, 0x28, 0x9A, 0x79, 0x2E, 0x25, 0x85, 0x8D, 0x73, 0xB3, 0x0D, 0xA1, 0x26, 0x65,
-            0xC0, 0x04, 0x7D, 0x91, 0xB6, 0x5F, 0x89, 0x5E, 0x01, 0x82, 0x23, 0x35, 0x19, 0x2E, 0x5C, 0x09
+        1, 4096, NID_sha3_512, {
+            0xD6, 0x07, 0x91, 0xA4, 0xED, 0x27, 0x19, 0x5D, 0x81, 0x3F, 0x35, 0x51, 0x03, 0x51, 0xB9, 0xD1,
+            0xFF, 0x9A, 0xD4, 0x26, 0x21, 0x53, 0x94, 0x46, 0x09, 0x50, 0xA4, 0xFE, 0x03, 0xDD, 0x9F, 0x54
         }
     },
     {
-        0, 1347, NID_md5, {
-            0xC2, 0x78, 0x16, 0xDC, 0xD1, 0xC5, 0x71, 0xBD, 0x4A, 0x06, 0x2B, 0x38, 0x50, 0xE7, 0x4E, 0xC2,
-            0x0E, 0x74, 0x9D, 0xB1, 0x59, 0xA8, 0xFF, 0x11, 0x24, 0x68, 0xD0, 0xCF, 0x69, 0xE5, 0x30, 0x36
+        0, 4096, NID_md5, {
+            0x8D, 0x5D, 0x0A, 0xAD, 0x94, 0xD1, 0x44, 0x20, 0x42, 0x9F, 0xBC, 0x7E, 0x5B, 0x08, 0x7D, 0x7A,
+            0x55, 0x27, 0xE6, 0x5D, 0xFD, 0x0D, 0x48, 0x6A, 0x31, 0x0E, 0x8A, 0x7B, 0x6F, 0xF5, 0xA2, 0x1B
         }
     }
 };
@@ -527,8 +532,10 @@ static const size_t pbkdf2_tests_len = s
 
 static int test_PKCS5_PBKDF2_HMAC(int pbkdf2_tests_idx) {
     int success = 0;
-    const char password[] = "password";
-    const unsigned char salt[] = {'s', 'a', 'l', 't'};
+    const char password[] = "passwordPASSWORDpassword";
+    const unsigned char salt[] = {'s', 'a', 'l', 't', 'S', 'A', 'L', 'T', 's', 'a', 'l', 't', 'S', 'A', 'L', 'T',
+                                  's', 'a', 'l', 't', 'S', 'A', 'L', 'T', 's', 'a', 'l', 't', 'S', 'A', 'L', 'T',
+                                  's', 'a', 'l', 't'};
     const size_t password_len = sizeof(password) / sizeof(password[0]);
     const size_t salt_len = sizeof(salt) / sizeof(salt[0]);