Change PBES2 KDF default salt length to 16 bytes.

The PKCS5 (RFC 8018) standard uses a 64 bit salt length for PBE, and recommends a minimum of 64 bits for PBES2. For FIPS compliance PBKDF2 requires a salt length of 128 bits. This affects OpenSSL command line applications such as "genrsa" and "pkcs8" and API's such as PEM_write_bio_PrivateKey() that are reliant on the default salt length. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21858)
author: slontis <shane.lontis@oracle.com> 2023-08-28 12:47:51 +1000
committer: Pauli <pauli@openssl.org> 2023-09-04 14:15:34 +1000
commit: 3859a027259b5b571eaf5e8cf4c0704611950c2c (patch)
tree: 4abfb601d0be8a7ca2bf0b4032693f01865a3774 /test
parent: 61cfc22b60e33bc77b1e1944759af48c8e58f0d2 (diff)
2 files changed, 60 insertions, 2 deletions
diff --git a/test/recipes/15-test_genrsa.t b/test/recipes/15-test_genrsa.t
index fe99f33694..5632efe5fc 100644
--- a/test/recipes/15-test_genrsa.t
+++ b/test/recipes/15-test_genrsa.t
@@ -25,7 +25,7 @@ my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
 
 plan tests =>
     ($no_fips ? 0 : 5)          # Extra FIPS related tests
-    + 15;
+    + 16;
 
 # We want to know that an absurdly small number of bits isn't support
 is(run(app([ 'openssl', 'genpkey', '-out', 'genrsatest.pem',
@@ -106,6 +106,13 @@ ok(run(app([ 'openssl', 'rsa', '-check', '-in', 'genrsatest.pem', '-noout' ])),
 ok(run(app([ 'openssl', 'rsa', '-in', 'genrsatest.pem', '-out', 'genrsatest-enc.pem',
    '-aes256', '-passout', 'pass:x' ])),
    "rsa encrypt");
+# Check the default salt length for PBKDF2 is 16 bytes
+# We expect the output to be of the form "0:d=0  hl=2 l=  16 prim: OCTET STRING      [HEX DUMP]:FAC7F37508E6B7A805BF4B13861B3687"
+# i.e. 2 byte header + 16 byte salt.
+ok(run(app(([ 'openssl', 'asn1parse',
+              '-in', 'genrsatest-enc.pem',
+              '-offset', '34', '-length', '18']))),
+   "Check the default size of the PBKDF2 PARAM 'salt length' is 16");
 ok(run(app([ 'openssl', 'rsa', '-in', 'genrsatest-enc.pem', '-passin', 'pass:x' ])),
    "rsa decrypt");
 
diff --git a/test/recipes/25-test_pkcs8.t b/test/recipes/25-test_pkcs8.t
index 299a56b852..7a06be19e4 100644
--- a/test/recipes/25-test_pkcs8.t
+++ b/test/recipes/25-test_pkcs8.t
@@ -15,7 +15,58 @@ use OpenSSL::Test qw/:DEFAULT srctop_file ok_nofips is_nofips/;
 
 setup("test_pkcs8");
 
-plan tests => 3;
+plan tests => 9;
+
+ok(run(app(([ 'openssl', 'pkcs8', '-topk8',
+              '-in', srctop_file('test', 'certs', 'pc5-key.pem'),
+              '-out', 'pbkdf2_default_saltlen.pem',
+              '-passout', 'pass:password']))),
+   "Convert a private key to PKCS5 v2.0 format using PBKDF2 with the default saltlen");
+
+# We expect the output to be of the form "0:d=0  hl=2 l=  16 prim: OCTET STRING      [HEX DUMP]:FAC7F37508E6B7A805BF4B13861B3687"
+# i.e. 2 byte header + 16 byte salt.
+ok(run(app(([ 'openssl', 'asn1parse',
+              '-in', 'pbkdf2_default_saltlen.pem',
+              '-offset', '34', '-length', '18']))),
+   "Check the default size of the PBKDF2 PARAM 'salt length' is 16");
+
+SKIP: {
+    skip "scrypt is not supported by this OpenSSL build", 2
+        if disabled("scrypt");
+
+    ok(run(app(([ 'openssl', 'pkcs8', '-topk8',
+                  '-in', srctop_file('test', 'certs', 'pc5-key.pem'),
+                  '-scrypt',
+                  '-out', 'scrypt_default_saltlen.pem',
+                  '-passout', 'pass:password']))),
+       "Convert a private key to PKCS5 v2.0 format using scrypt with the default saltlen");
+
+# We expect the output to be of the form "0:d=0  hl=2 l=  8 prim: OCTET STRING      [HEX DUMP]:FAC7F37508E6B7A805BF4B13861B3687"
+# i.e. 2 byte header + 16 byte salt.
+    ok(run(app(([ 'openssl', 'asn1parse',
+                  '-in', 'scrypt_default_saltlen.pem',
+                  '-offset', '34', '-length', '18']))),
+       "Check the default size of the SCRYPT PARAM 'salt length' = 16");
+}
+
+SKIP: {
+    skip "legacy provider is not supported by this OpenSSL build", 2
+        if disabled('legacy') || disabled("des");
+
+    ok(run(app(([ 'openssl', 'pkcs8', '-topk8',
+                  '-in', srctop_file('test', 'certs', 'pc5-key.pem'),
+                  '-v1', "PBE-MD5-DES",
+                  '-provider', 'legacy',
+                  '-provider', 'default',
+                  '-out', 'pbe1.pem',
+                  '-passout', 'pass:password']))),
+       "Convert a private key to PKCS5 v1.5 format using pbeWithMD5AndDES-CBC with the default saltlen");
+
+    ok(run(app(([ 'openssl', 'asn1parse',
+                  '-in', 'pbe1.pem',
+                  '-offset', '19', '-length', '10']))),
+       "Check the default size of the PBE PARAM 'salt length' = 8");
+};
 
 SKIP: {
     skip "SM2, SM3 or SM4 is not supported by this OpenSSL build", 3
author	slontis <shane.lontis@oracle.com>	2023-08-28 12:47:51 +1000
committer	Pauli <pauli@openssl.org>	2023-09-04 14:15:34 +1000
commit	3859a027259b5b571eaf5e8cf4c0704611950c2c (patch)
tree	4abfb601d0be8a7ca2bf0b4032693f01865a3774 /test
parent	61cfc22b60e33bc77b1e1944759af48c8e58f0d2 (diff)