authorslontis <shane.lontis@oracle.com>2023-08-28 12:47:51 +1000
committerPauli <pauli@openssl.org>2023-09-04 14:15:34 +1000
commit3859a027259b5b571eaf5e8cf4c0704611950c2c (patch)
tree4abfb601d0be8a7ca2bf0b4032693f01865a3774 /include
parent61cfc22b60e33bc77b1e1944759af48c8e58f0d2 (diff)
Change PBES2 KDF default salt length to 16 bytes.
The PKCS5 (RFC 8018) standard uses a 64-bit salt length for PBE, and recommends a minimum of 64 bits for PBES2. For FIPS compliance PBKDF2 requires a salt length of 128 bits. This affects OpenSSL command line applications such as "genrsa" and "pkcs8" and APIs such as PEM_write_bio_PrivateKey() that are reliant on the default salt length. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21858)
Diffstat (limited to 'include')
-rw-r--r--include/crypto/evp.h9
1 files changed, 9 insertions, 0 deletions
diff --git a/include/crypto/evp.h b/include/crypto/evp.h
index 566b7889db..9605c9daa5 100644
--- a/include/crypto/evp.h
+++ b/include/crypto/evp.h
@@ -17,6 +17,15 @@
# include "crypto/ecx.h"
/*
+ * Default PKCS5 PBE KDF salt lengths
+ * In RFC 8018, PBE1 uses 8 bytes (64 bits) for its salt length.
+ * It also specifies to use at least 8 bytes for PBES2.
+ * The NIST requirement for PBKDF2 is 128 bits so we use this as the
+ * default for PBE2 (scrypt and HKDF2)
+ */
+# define PKCS5_DEFAULT_PBE1_SALT_LEN PKCS5_SALT_LEN
+# define PKCS5_DEFAULT_PBE2_SALT_LEN 16
+/*
* Don't free up md_ctx->pctx in EVP_MD_CTX_reset, use the reserved flag
* values in evp.h
*/
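Review bot: The last line of the new comment names "HKDF2" as the second PBES2 KDF, which is presumably a typo for PBKDF2 (the KDF that the NIST 128-bit requirement on the line above refers to), and it writes "PBE2" where the rest of the comment and the commit title say PBES2. I would reword that line to `* default for PBES2 (PBKDF2 and scrypt). Both lengths are in bytes.` so the unit of the bare `16` is stated next to the macro, since the comment otherwise alternates between bits and bytes. `PKCS5_DEFAULT_PBE1_SALT_LEN` expands to `PKCS5_SALT_LEN`, which is not defined in this hunk; the header's include list lies above line 17, so confirm that every file using the new macro also sees that definition. It may also be worth saying in the comment that these are defaults only, so a caller that passes an explicit shorter salt length is presumably not raised to 128 bits by this change.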