Change PBES2 PBKDF2 default salt length to 16 bytes. #21858
Closed
+220
−22
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Replaces PR #20783 |
slontis
added
branch: master
|
Backport to 3.0 and 3.1? |
t8m
approved these changes
Aug 28, 2023
t8m
added
triaged: bug
slontis
force-pushed
the
pbe_pbkdf2_saltlen
branch
from
e620419
to
7ce1cb9
Compare
github-actions
bot
added
the
severity: fips change
paulidale
reviewed
Aug 31, 2023
|
Rather than have merge issues, I moved the code from the PR that dealt with app options into this PR. These have been added as new commits.. They should address all the requirements requested by the OTC. |
|
Hmm... interesting. So with enc we are no longer compatible by default with older releases if |
paulidale
reviewed
Aug 31, 2023
The PKCS5 (RFC 8018) standard uses a 64 bit salt length for PBE, and recommends a minimum of 64 bits for PBES2. For FIPS compliance PBKDF2 requires a salt length of 128 bits. This affects OpenSSL command line applications such as "genrsa" and "pkcs8" and API's such as PEM_write_bio_PrivateKey() that are reliant on the default salt length.
This allows PBKDF2 to change the saltlen to something other than the new default value of 16. Previously this app hardwired the salt length to a maximum of 8 bytes. Non PBKDF2 mode uses EVP_BytesToKey() internally, which is documented to only allow 8 bytes.
slontis
force-pushed
the
pbe_pbkdf2_saltlen
branch
from
21d4ca1
to
4d8be74
Compare
|
Had to rebase, nothing changed other than CHANGES.md |
paulidale
approved these changes
Aug 31, 2023
paulidale
removed
the
approval: otc review pending
t8m
approved these changes
Sep 1, 2023
t8m
added
approval: done
openssl-machine
removed
the
approval: done
openssl-machine
added
the
approval: ready to merge
|
This pull request is ready to merge |
|
Merged to master. Thanks. |
openssl-machine
pushed a commit
that referenced
this pull request
Sep 4, 2023
The PKCS5 (RFC 8018) standard uses a 64 bit salt length for PBE, and recommends a minimum of 64 bits for PBES2. For FIPS compliance PBKDF2 requires a salt length of 128 bits. This affects OpenSSL command line applications such as "genrsa" and "pkcs8" and API's such as PEM_write_bio_PrivateKey() that are reliant on the default salt length. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from #21858)
openssl-machine
pushed a commit
that referenced
this pull request
Sep 4, 2023
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from #21858)
openssl-machine
pushed a commit
that referenced
this pull request
Sep 4, 2023
This allows PBKDF2 to change the saltlen to something other than the new default value of 16. Previously this app hardwired the salt length to a maximum of 8 bytes. Non PBKDF2 mode uses EVP_BytesToKey() internally, which is documented to only allow 8 bytes. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from #21858)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The PKCS5 (RFC 8018) standard uses a 64 bit salt length for PBE, and recommends a minimum of 64 bits for PBES2. For FIPS compliance PBKDF2 requires a salt length of 128 bits.
This affects OpenSSL command line applications such as "genrsa" and "pkcs8" and API's such as PEM_write_bio_PrivateKey() that are reliant on the default value.
The "pkcs8" and "enc" applications now have an extra "saltlen" option which allows the user to set the lenght of the salt.
Note that "genrsa" can only use defaults since it has no way of passing the saltlen down thru the API's.. If you wanted to change the saltlen you could always use "genrsa" followed by a "pkcs8" (with the salt length set to non default).
Checklist