Commit ca0ebe300c for openssl.org
commit ca0ebe300ca331aa1de94c7e5c1c9322ecc9bc75
Author: Simo Sorce <simo@redhat.com>
Date: Mon Dec 8 12:44:56 2025 -0500
Relax PBKDF2 iteration check for FIPS self-test
FIPS 140-3 IG 10.3.A.8 requires known-answer tests for KDFs. Some of these
tests for PBKDF2 use a low iteration count (e.g., 2) which is below the normal
security threshold and would otherwise fail.
This change checks if a PBKDF2 self-test is in progress and, if so, lowers the
minimum accepted iteration count to 2. This allows the required self-tests to
pass while maintaining the security check for normal operations.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)
diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c
index 4a300ac022..10f6c7e169 100644
--- a/providers/implementations/kdfs/pbkdf2.c
+++ b/providers/implementations/kdfs/pbkdf2.c
@@ -57,6 +57,7 @@
#ifndef KDF_PBKDF2_MIN_PASSWORD_LEN
#ifdef FIPS_MODULE
#define KDF_PBKDF2_MIN_PASSWORD_LEN (8)
+#define KDF_PBKDF2_FIPS_SELF_TEST_ITERATIONS 2
#else
#define KDF_PBKDF2_MIN_PASSWORD_LEN (1)
#endif
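Review bot: `KDF_PBKDF2_FIPS_SELF_TEST_ITERATIONS` is defined inside the `#ifndef KDF_PBKDF2_MIN_PASSWORD_LEN` guard, so a FIPS build that supplies its own `KDF_PBKDF2_MIN_PASSWORD_LEN` would skip this line and leave the macro undefined where the iteration check uses it under `#ifdef FIPS_MODULE`. Whether any build actually overrides the password-length default is not visible here, but the relaxed iteration floor is unrelated to it and should not depend on that guard. I would move it into its own block, `#ifdef FIPS_MODULE` / `# define KDF_PBKDF2_FIPS_SELF_TEST_ITERATIONS (2)` / `#endif`, parenthesised like the neighbouring values. The `#endif` that closes the outer `#ifndef` is outside this hunk.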
@@ -217,6 +218,8 @@ static int pbkdf2_lower_bound_check_passed(int saltlen, uint64_t iter,
size_t keylen, size_t passlen,
int *error, const char **desc)
{
+ uint64_t min_iter = KDF_PBKDF2_MIN_ITERATIONS;
+
if (passlen < KDF_PBKDF2_MIN_PASSWORD_LEN) {
*error = PROV_R_PASSWORD_STRENGTH_TOO_WEAK;
if (desc != NULL)
@@ -235,7 +238,13 @@ static int pbkdf2_lower_bound_check_passed(int saltlen, uint64_t iter,
*desc = "Salt size";
return 0;
}
- if (iter < KDF_PBKDF2_MIN_ITERATIONS) {
+#ifdef FIPS_MODULE
+ /* Modify this check during self-test. See FIPS 140-3 IG 10.3.A.8 */
+ if (ossl_self_test_in_progress(ST_ID_KDF_PBKDF2)) {
+ min_iter = KDF_PBKDF2_FIPS_SELF_TEST_ITERATIONS;
+ }
+#endif
+ if (iter < min_iter) {
*error = PROV_R_INVALID_ITERATION_COUNT;
if (desc != NULL)
*desc = "Iteration count";
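Review bot: The lowered floor at `if (ossl_self_test_in_progress(ST_ID_KDF_PBKDF2))` is only as narrow as that predicate. If the in-progress state is module-wide rather than tied to the thread running the known-answer test, an ordinary derivation that overlaps an on-demand self-test could be accepted with an iteration count of 2. The predicate's definition is not part of this diff, so its scope should be confirmed and stated here rather than assumed. I would expand the comment to carry the invariant, e.g. `/* KATs required by FIPS 140-3 IG 10.3.A.8 use iter = 2; lower the floor only while the PBKDF2 self-test itself is running. */`, and add a test that iter = 2 is still rejected with `PROV_R_INVALID_ITERATION_COUNT` outside the self-test. The function begins and ends outside this hunk.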