From 915990e450e769e370fcacbfd8ed58ab6afaf2bf Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Mon, 21 Aug 2023 15:47:55 +0200 Subject: [PATCH 39/48] 0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch Patch-name: 0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch Patch-id: 84 --- providers/implementations/kdfs/pbkdf2.c | 27 ++++++++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c index 349c3dd657..11820d1e69 100644 --- a/providers/implementations/kdfs/pbkdf2.c +++ b/providers/implementations/kdfs/pbkdf2.c @@ -35,6 +35,21 @@ #define KDF_PBKDF2_MAX_KEY_LEN_DIGEST_RATIO 0xFFFFFFFF #define KDF_PBKDF2_MIN_ITERATIONS 1000 #define KDF_PBKDF2_MIN_SALT_LEN (128 / 8) +/* The Implementation Guidance for FIPS 140-3 says in section D.N + * "Password-Based Key Derivation for Storage Applications" that "the vendor + * shall document in the module’s Security Policy the length of + * a password/passphrase used in key derivation and establish an upper bound + * for the probability of having this parameter guessed at random. This + * probability shall take into account not only the length of the + * password/passphrase, but also the difficulty of guessing it. The decision on + * the minimum length of a password used for key derivation is the vendor’s, + * but the vendor shall at a minimum informally justify the decision." + * + * We are choosing a minimum password length of 8 bytes, because NIST's ACVP + * testing uses passwords as short as 8 bytes, and requiring longer passwords + * combined with an implicit indicator (i.e., returning an error) would cause + * the module to fail ACVP testing. */ +#define KDF_PBKDF2_MIN_PASSWORD_LEN (20) static OSSL_FUNC_kdf_newctx_fn kdf_pbkdf2_new; static OSSL_FUNC_kdf_dupctx_fn kdf_pbkdf2_dup; @@ -219,9 +234,15 @@ static int kdf_pbkdf2_set_ctx_params(void *vctx, const OSSL_PARAM params[]) ctx->lower_bound_checks = pkcs5 == 0; } - if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PASSWORD)) != NULL) + if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PASSWORD)) != NULL) { + if (ctx->lower_bound_checks != 0 + && p->data_size < KDF_PBKDF2_MIN_PASSWORD_LEN) { + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); + return 0; + } if (!pbkdf2_set_membuf(&ctx->pass, &ctx->pass_len, p)) return 0; + } if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL) { if (ctx->lower_bound_checks != 0 @@ -331,6 +352,10 @@ static int pbkdf2_derive(const char *pass, size_t passlen, } if (lower_bound_checks) { + if (passlen < KDF_PBKDF2_MIN_PASSWORD_LEN) { + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); + return 0; + } if ((keylen * 8) < KDF_PBKDF2_MIN_KEY_LEN_BITS) { ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL); return 0; -- 2.41.0