PBKDF2 updates to conform to SP800-132 #8868
Conversation
|
Updated commit message and rebased. |
|
Would you mind using present tense in the commit message of 1827b7119195? See #8763 (comment) for an explanation. |
|
Updated the commit message and rebased. (This present tense stuff hurts my brain.) |
Sorry that it hit you so often. I did not mean to stalk you ;-) |
|
Looks like you've picked up @t8m's commit in this PR (I guess you rebased on top of github master in the window while 6acf605 was there, before it got force pushed away - see the discussion in #9015 (comment)). Can you rebase this? |
|
Ahh that would explain the merge commit I had earlier in the day.. sigh. |
There was a problem hiding this comment.
My suspicion is that this is going to break stuff. It will probably have an impact on "enc" command line usage - e.g. for files that have previously been encrypted with bad iteration counts it might no longer be possible to decrypt them. Probably the breaking aspects of this need wider discussion. At the very least we would need a CHANGES entry. Probably some changes to "enc".
doc/man7/EVP_KDF_PBKDF2.pod
Outdated
| A minimum iteration count of 1000 and length of the salt being at least | ||
| 128 bits. | ||
|
|
||
| The default value is 0. Use 1 to disable the checks. |
There was a problem hiding this comment.
So, this sounds like having the default like this is a breaking change?
There was a problem hiding this comment.
enc uses the PKCS5_PBKDF2_HMAC() method which sets this control to be 1, as does scrypt.
crypto/kdf/pbkdf2.c
Outdated
|
|
||
| /* Check that 112 bits <= keylen < (2^32 - 1) * mdlen */ | ||
| if (((keylen * 8) < KDF_PBKDF2_MIN_KEY_LEN_BITS) | ||
| || ((keylen / mdlen) >= KDF_PBKDF2_MAX_KEY_LEN_DIGEST_RATIO)) |
There was a problem hiding this comment.
Should we be also checking the value of range_checks here?
There was a problem hiding this comment.
I did ponder it - But I think not..
If it goes above that range the counter overflows which is very bad.
There was a problem hiding this comment.
If it goes above that range the counter overflows which is very bad.
Perhaps a comment stating that would be helpful
Is that also true for the KDF_PBKDF2_MIN_KEY_LEN_BITS check?
There was a problem hiding this comment.
Not sure - I assume that is similar to the salt check so maybe that one goes in the check - in that case I might rename the range_checks variable :)
There was a problem hiding this comment.
Comment added and the lower bound check has been moved.
slontis
changed the title
|
ping @mattcaswell |
|
This looks ok, but since this is a breaking change I'd like a wider viewpoint from @openssl/omc. |
|
Note that the minimum iteration count is only recommended (it is not a SHALL) so that particular test could be relaxed (but it is probably a better idea to still force it to at least the recommended value) |
|
Whether this is a breaking change or not depends on your point of view. EVP_KDF is an unreleased API, so there's nothing that can be called a breaking change there. However, for KDFs implemented via EVP_PKEY, this is effectively a breaking change. To resolve that issue, the use via EVP_PKEY could be relaxed so as not to pose a problem. |
|
I think we should support reading old data from before this change. |
Ok so that would be a fairly ugly check. The best solution would probably be to have it default to how it used to work, but in FIPS_MODE it does the extra checks by default. The flag can still be enabled or disabled in either provider. |
|
Updated the default value to disable the checks by default in the default provider. |
Sounds like a reasonable approach. |
|
I agree with @mattcaswell. Good thinking! |
|
ping @mattcaswell or @levitte : Code was updated to set default check for FIPS_MODE only. |
mattcaswell
added
the
approval: done
|
rebased to fix CHANGES conflict. |
The existing code used PKCS5 specifications. SP800-132 adds the following additional constraints for: - the range of the key length. - the minimum iteration count (1000 recommended). - salt length (at least 128 bits). These additional constraints may cause errors (in scrypt, and some PKCS5 related test vectors). To disable the new constraints use the new ctrl string "pkcs5". For backwards compatability, the checks are only enabled by default for fips mode.
The existing code used PKCS5 specifications. SP800-132 adds the following additional constraints for: - the range of the key length. - the minimum iteration count (1000 recommended). - salt length (at least 128 bits). These additional constraints may cause errors (in scrypt, and some PKCS5 related test vectors). To disable the new constraints use the new ctrl string "pkcs5". For backwards compatability, the checks are only enabled by default for fips mode. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from #8868)
Checklist