summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/asn1/p5_pbe.c
diff options
context:
space:
mode:
authortb <>2025-05-24 02:57:14 +0000
committertb <>2025-05-24 02:57:14 +0000
commit1404a4a6a3c1b959b38b14aadfdf86ea0c2ca08b (patch)
treebf362018d769571c08d16919855dc94a90ebb9e1 /src/lib/libcrypto/asn1/p5_pbe.c
parentcac4da4f63bf231a2da12d7977d9c5050e13d2e2 (diff)
downloadopenbsd-1404a4a6a3c1b959b38b14aadfdf86ea0c2ca08b.tar.gz
openbsd-1404a4a6a3c1b959b38b14aadfdf86ea0c2ca08b.tar.bz2
openbsd-1404a4a6a3c1b959b38b14aadfdf86ea0c2ca08b.zip
Crank default salt length of PBE2 to 16 octets
FIPS is currently revising their PBKDF2 recommendations and apparently they want to require 16 octets. https://github.com/pyca/cryptography/issues/12949 https://github.com/libressl/portable/issues/1168 ok kenjiro joshua jsing
Diffstat (limited to 'src/lib/libcrypto/asn1/p5_pbe.c')
-rw-r--r--src/lib/libcrypto/asn1/p5_pbe.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/src/lib/libcrypto/asn1/p5_pbe.c b/src/lib/libcrypto/asn1/p5_pbe.c
index 815d6b82b6..668bf5d7c1 100644
--- a/src/lib/libcrypto/asn1/p5_pbe.c
+++ b/src/lib/libcrypto/asn1/p5_pbe.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: p5_pbe.c,v 1.29 2025/05/10 05:54:38 tb Exp $ */ 1/* $OpenBSD: p5_pbe.c,v 1.30 2025/05/24 02:57:14 tb Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999. 3 * project 1999.
4 */ 4 */
@@ -66,6 +66,9 @@
66#include "err_local.h" 66#include "err_local.h"
67#include "x509_local.h" 67#include "x509_local.h"
68 68
69/* RFC 8018, section 6.1 specifies an eight-octet salt for PBES1. */
70#define PKCS5_PBE1_SALT_LEN 8
71
69/* PKCS#5 password based encryption structure */ 72/* PKCS#5 password based encryption structure */
70 73
71static const ASN1_TEMPLATE PBEPARAM_seq_tt[] = { 74static const ASN1_TEMPLATE PBEPARAM_seq_tt[] = {
@@ -139,7 +142,7 @@ PKCS5_pbe_set0_algor(X509_ALGOR *algor, int alg, int iter,
139 goto err; 142 goto err;
140 } 143 }
141 if (!saltlen) 144 if (!saltlen)
142 saltlen = PKCS5_SALT_LEN; 145 saltlen = PKCS5_PBE1_SALT_LEN;
143 if (!ASN1_STRING_set(pbe->salt, NULL, saltlen)) { 146 if (!ASN1_STRING_set(pbe->salt, NULL, saltlen)) {
144 ASN1error(ERR_R_MALLOC_FAILURE); 147 ASN1error(ERR_R_MALLOC_FAILURE);
145 goto err; 148 goto err;
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-12-21 06:07:54 +0000