Increase default PKCS12_SALT_LEN from 8 to 16 bytes

Currently PKCS12_setup_mac() function uses salt length of 8 bytes / 64 bits when no salt length is specified. Increase this fallback default to 16 bytes / 128 bits, as recommended by NIST SP 800-132. Note this is for interoperability purposes. Some FIPS implementations enforce minimum salt length of 16 bytes. Examples of such FIPS implemenations are Bouncycastle FIPS Java API and Chainguard FIPS Provider for OpenSSL. Also future v3.6 release of OpenSSL will also increase the default salt length to 16 bytes. From Dimitri John Ledkov, thanks
author: tb <> 2025-05-10 19:01:16 +0000
committer: tb <> 2025-05-10 19:01:16 +0000
commit: 5747076436203e94cc042d06e2a8ae46b0ea5a47 (patch)
tree: 8f28a79ed8e3c3edb243f185a3159fdda9a7a4b7 /src
parent: 3f94dea64529a66651703e561bb0b3408ddf39c1 (diff)
download: openbsd-5747076436203e94cc042d06e2a8ae46b0ea5a47.tar.gz
openbsd-5747076436203e94cc042d06e2a8ae46b0ea5a47.tar.bz2
openbsd-5747076436203e94cc042d06e2a8ae46b0ea5a47.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/src/lib/libcrypto/pkcs12/pkcs12.h b/src/lib/libcrypto/pkcs12/pkcs12.h
index 200712039b..aec0362806 100644
--- a/src/lib/libcrypto/pkcs12/pkcs12.h
+++ b/src/lib/libcrypto/pkcs12/pkcs12.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pkcs12.h,v 1.29 2025/03/09 15:45:52 tb Exp $ */
+/* $OpenBSD: pkcs12.h,v 1.30 2025/05/10 19:01:16 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -77,7 +77,7 @@ extern "C" {
 #define PKCS12_MAC_KEY_LENGTH 20
-#define PKCS12_SALT_LEN 8
+#define PKCS12_SALT_LEN 16
 /* Uncomment out next line for unicode password and names, otherwise ASCII */
author	tb <>	2025-05-10 19:01:16 +0000
committer	tb <>	2025-05-10 19:01:16 +0000
commit	5747076436203e94cc042d06e2a8ae46b0ea5a47 (patch)
tree	8f28a79ed8e3c3edb243f185a3159fdda9a7a4b7 /src
parent	3f94dea64529a66651703e561bb0b3408ddf39c1 (diff)
download	openbsd-5747076436203e94cc042d06e2a8ae46b0ea5a47.tar.gz openbsd-5747076436203e94cc042d06e2a8ae46b0ea5a47.tar.bz2 openbsd-5747076436203e94cc042d06e2a8ae46b0ea5a47.zip

diff --git a/src/lib/libcrypto/pkcs12/pkcs12.h b/src/lib/libcrypto/pkcs12/pkcs12.h index 200712039b..aec0362806 100644 --- a/src/lib/libcrypto/pkcs12/pkcs12.h +++ b/src/lib/libcrypto/pkcs12/pkcs12.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: pkcs12.h,v 1.29 2025/03/09 15:45:52 tb Exp $ */	1	/* $OpenBSD: pkcs12.h,v 1.30 2025/05/10 19:01:16 tb Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 1999.	3	* project 1999.
4	*/	4	*/
@@ -77,7 +77,7 @@ extern "C" {
77		77
78	#define PKCS12_MAC_KEY_LENGTH 20	78	#define PKCS12_MAC_KEY_LENGTH 20
79		79
80	#define PKCS12_SALT_LEN 8	80	#define PKCS12_SALT_LEN 16
81		81
82	/* Uncomment out next line for unicode password and names, otherwise ASCII */	82	/* Uncomment out next line for unicode password and names, otherwise ASCII */
83		83