Bug 2137557

Summary: In FIPS mode, openssl should set a minimum length for passwords in PBKDF2
Product: Red Hat Enterprise Linux 9 Reporter: Clemens Lang <cllang>
Component: opensslAssignee: Clemens Lang <cllang>
Status: CLOSED ERRATA QA Contact: Alicja Kario <hkario>
Severity: urgent Docs Contact: Jan Fiala <jafiala>
Priority: high    
Version: 9.0CC: cllang, gfialova, hkario, ssorce
Target Milestone: rcKeywords: Triaged, ZStream
Target Release: ---Flags: pm-rhel: mirror+
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: openssl-3.0.7-1.el9 Doc Type: Deprecated Functionality
Doc Text:
.OpenSSL in FIPS mode requires longer passwords for key-derivation with PBKDF2 With this update, key-derivation in OpenSSL from passwords shorter than 8 characters with the PBKDF2 algorithm fails in FIPS mode.
 Story Points: ---
Clone Of:
: 2144003 2144004 (view as bug list) Environment:
Last Closed: 2023-05-09 08:20:47 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2144003, 2144004    
Attachments:
Description Flags
PBKDF2 reproducer for OpenSSL 3 none

Description Clemens Lang 2022-10-25 13:49:21 UTC 
Created attachment 1920262 [details]
PBKDF2 reproducer for OpenSSL 3

Description of problem:
In FIPS mode, OpenSSL accepts arbitrarily short passwords in PBKDF2. It should reject short passwords.

When invoked with short passwords, OpenSSL should either set an explicit indicator, or fail the call (i.e., have an implicit indicator).

Version-Release number of selected component (if applicable):
3.0.1-41.el9_0

How reproducible:
Run the attached reproducer with a short password.

Steps to Reproduce:
1. cc -std=c99 -Wall -Werror -pedantic -D_XOPEN_SOURCE=600 -o pbkdf2 pbkdf2.c -lcrypto
2. ./pbkdf2 sha256 16 1000 14 ""

Actual results:
OK: 0x9e3cbde11511443b1d66bd614ac0

Expected results:
ERR Failed to set EVP_KDF_CTX parameters: error:1C800070:Provider routines::invalid password length (in function kdf_pbkdf2_set_ctx_params in providers/implementations/kdfs/pbkdf2.c:196)

Additional info:
Similar checks already exist for short salt lengths and short output password lengths. See the error message in "Expected results", which was modified from a short salt length. Also see the documentation for OSSL_KDF_PARAM_PKCS5 in https://www.openssl.org/docs/man3.0/man7/EVP_KDF-PBKDF2.html, which already refers to checks that are done in FIPS mode but not outside of FIPS mode by default. We should probably just extend those tests.

As reasonable limit for the password length is probably >= 8 bytes. Do not choose a minimum password length of more than 8 bytes combined with an implicit indicator, since ACVP testing expects 8-byte passwords to work.
Comment 13 errata-xmlrpc 2023-05-09 08:20:47 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Low: openssl security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:2523