[openssl/openssl] 451cb2: fips: Use salt >= 16 bytes in PBKDF2 selftest

Clemens Lang noreply at github.com
Tue Mar 7 17:31:25 UTC 2023


  Branch: refs/heads/master
  Home:   https://github.com/openssl/openssl
  Commit: 451cb23c41c90d5a02902b3a77551aa9ee1c6956
      https://github.com/openssl/openssl/commit/451cb23c41c90d5a02902b3a77551aa9ee1c6956
  Author: Clemens Lang <cllang at redhat.com>
  Date:   2023-03-07 (Tue, 07 Mar 2023)

  Changed paths:
    M providers/fips/self_test_data.inc

  Log Message:
  -----------
  fips: Use salt >= 16 bytes in PBKDF2 selftest

NIST SP 800-132 [1] section 5.1 says "[t]he length of the
randomly-generated portion of the salt shall be at least
128 bits", which implies that the salt for PBKDF2 must be at least 16
bytes long (see also Appendix A.2.1).

The FIPS 140-3 IG [2] section 10.3.A requires that "the lengths and the
properties of the Password and Salt parameters, as well as the desired
length of the Master Key used in a CAST shall be among those supported
by the module in the approved mode."

As a consequence, the salt length in the self test must be at least 16
bytes long for FIPS 140-3 compliance. Switch the self test to use the
only test vector from RFC 6070 that uses salt that is long enough to
fulfil this requirement. Since RFC 6070 does not provide expected
results for PBKDF2 with HMAC-SHA256, use the output from [3], which was
generated with python cryptography, which was tested against the RFC
6070 vectors with HMAC-SHA1.

 [1]: https://doi.org/10.6028/NIST.SP.800-132
 [2]: https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf
 [3]: https://github.com/brycx/Test-Vector-Generation/blob/master/PBKDF2/pbkdf2-hmac-sha2-test-vectors.md

Signed-off-by: Clemens Lang <cllang at redhat.com>

Reviewed-by: Paul Dale <pauli at openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20429)
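
Added example, not part of the commit or of OpenSSL's code: one way to reproduce the selection described in the log message. It checks a PBKDF2 implementation against RFC 6070 HMAC-SHA1 vectors, keeps only vectors whose salt meets the 16-byte minimum, and derives the HMAC-SHA256 known answer for the survivor. It assumes Python's standard `hashlib.pbkdf2_hmac` rather than python cryptography, the function names are hypothetical, and the output length is the RFC vector's, which is not necessarily what the OpenSSL self test uses.

```python
import hashlib

MIN_SALT_BYTES = 16  # SP 800-132 section 5.1: at least 128 bits of salt

# RFC 6070 PBKDF2-HMAC-SHA1 vectors: (password, salt, iterations, dkLen, hex).
# The remaining RFC 6070 vectors reuse the 4-byte salt "salt" and are left
# out only to keep the run short (one needs 16,777,216 iterations).
RFC6070_SHA1 = [
    (b"password", b"salt", 1, 20, "0c60c80f961f0e71f3a9b524af6012062fe037a6"),
    (b"passwordPASSWORDpassword", b"saltSALTsaltSALTsaltSALTsaltSALTsalt",
     4096, 25, "3d2eec4fe41c849b80c8d83662c0e44a8b291a964cf2f07038"),
    (b"pass\x00word", b"sa\x00lt", 4096, 16, "56fa6aa75548099dcc37d7f03425e0c3"),
]


def verify_sha1_vectors():
    """True if this PBKDF2 implementation reproduces every listed RFC output."""
    return all(
        hashlib.pbkdf2_hmac("sha1", pw, salt, iters, dklen).hex() == want
        for pw, salt, iters, dklen, want in RFC6070_SHA1
    )


def approved_mode_candidates(min_salt=MIN_SALT_BYTES):
    """Vectors whose salt length is usable under the SP 800-132 minimum."""
    return [v for v in RFC6070_SHA1 if len(v[1]) >= min_salt]


def derive_sha256_kat():
    """Derive an HMAC-SHA256 known answer from the single eligible vector."""
    if not verify_sha1_vectors():
        raise RuntimeError("PBKDF2 implementation disagrees with RFC 6070")
    candidates = approved_mode_candidates()
    if len(candidates) != 1:
        raise RuntimeError("expected exactly one vector with a long salt")
    pw, salt, iters, dklen, _ = candidates[0]
    digest = hashlib.pbkdf2_hmac("sha256", pw, salt, iters, dklen)
    return {"password": pw, "salt": salt, "iterations": iters,
            "dklen": dklen, "expected": digest.hex()}


if __name__ == "__main__":
    kat = derive_sha256_kat()
    print(len(kat["salt"]), "byte salt ->", kat["expected"])
```

The printed value can be compared with the table at [3] before it is adopted as a self-test constant.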



