lib-dcrypt: Increase salt to 16 bytes for dovecot v2 keys
authorAki Tuomi <aki.tuomi@open-xchange.com>
Thu, 22 May 2025 05:02:09 +0000 (08:02 +0300)
committeraki.tuomi <aki.tuomi@open-xchange.com>
Thu, 22 May 2025 11:25:51 +0000 (11:25 +0000)
This makes it FIPS compatible.

src/lib-dcrypt/dcrypt-openssl1.c
src/lib-dcrypt/dcrypt-openssl3.c
src/lib-dcrypt/dcrypt-private.h
src/lib-dcrypt/test-crypto.c

index fcbdc5eb8e5f8cb9c8eee4751f0f2bc7f99aa6df..f4d97453a5b36ac0ba279974dd68d44480d7e771 100644 (file)
@@ -2663,7 +2663,7 @@ dcrypt_openssl_encrypt_private_key_dovecot(buffer_t *key, int enctype,
        bool res;
        unsigned char *ptr;
 
-       unsigned char salt[8];
+       unsigned char salt[DCRYPT_DOVECOT_SALT_LEN];
        buffer_t *peer_key = t_buffer_create(128);
        buffer_t *secret = t_buffer_create(128);
        cipher = t_str_lcase(cipher);
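Review bot: Widening `salt` to `DCRYPT_DOVECOT_SALT_LEN` only takes effect if every later use in dcrypt_openssl_encrypt_private_key_dovecot derives the length from the array. The function body continues outside this hunk, so the random fill, the key-derivation call and the hex encoding of the salt should each be checked to pass `sizeof(salt)` rather than a literal 8. A leftover literal would leave the upper half of the buffer uninitialised or keep the effective salt at 64 bits. The same applies to the identical change in dcrypt-openssl3.c. A short comment on the declaration, such as `/* length applies to newly written keys only */`, would also record the intent.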
index d471cac7d40503f0a35a0c5cd0a1ed78707f88b2..ac8401838c2c1878c6bcfb256a08269196d37f71 100644 (file)
@@ -2679,7 +2679,7 @@ dcrypt_openssl_encrypt_private_key_dovecot(buffer_t *key, int enctype,
        bool res;
        unsigned char *ptr;
 
-       unsigned char salt[8];
+       unsigned char salt[DCRYPT_DOVECOT_SALT_LEN];
        buffer_t *peer_key = t_buffer_create(128);
        buffer_t *secret = t_buffer_create(128);
        cipher = t_str_lcase(cipher);
index d3bfebd046064ffb94c269a3c7c7434bd5e76811..cac02f2a6e776e392a3a2cb2f66bc99edebea345 100644 (file)
@@ -12,6 +12,9 @@ struct module;
 #define DCRYPT_DOVECOT_KEY_ENCRYPT_PK 1
 #define DCRYPT_DOVECOT_KEY_ENCRYPT_PASSWORD 2
 
+/* Fips requires 16 byte salt */
+#define DCRYPT_DOVECOT_SALT_LEN 16
+
 struct dcrypt_vfs {
        bool (*initialize)(const struct dcrypt_settings *set,
                           const char **error_r);
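Review bot: The comment on `DCRYPT_DOVECOT_SALT_LEN` does not say what the constant governs or where the 16 comes from. Something like `/* Salt length in bytes for newly encrypted Dovecot v2 private keys. FIPS-approved password-based key derivation (NIST SP 800-132) needs at least 128 bits of salt. */` would tell a maintainer not to lower it. If keys written with the previous 8-byte salt must remain loadable, say so here as well, because the macro name alone suggests a fixed format width.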
index a111c8248b7a4ad3165fb10a3bf1f6ae8912ff94..445817c1d4717e1cc91d30e34e64aefb204ea4b7 100644 (file)
@@ -483,7 +483,13 @@ static void test_load_v2_key(void)
                "7d945aa6492275a02881071eceec5749caf2485da8c64fb601"
                "229098:ab13d251976dedab546b67354e7678821740dd534b7"
                "49c2857f66bf62bbaddfd:ab13d251976dedab546b67354e76"
-               "78821740dd534b749c2857f66bf62bbaddfd"
+               "78821740dd534b749c2857f66bf62bbaddfd",
+               "2:1.3.132.0.35:2:aes-256-ctr:cf9951243f5e609a5e20d"
+               "353e4011f62:sha256:2048:0c056337f221f5fd287eb3ef48"
+               "86e596ef3b92e7d33c01a79579b35c8595f8e13cf4bccdb7f5"
+               "409b095be5179bd94668ad88050ff828617ef3415b9e167d22"
+               "e7fd95a3f80b3b:15286fe2a53773c64efa2b8fa79d4cd5b46"
+               "3d422d30bf9103ca97999636e864f",
        };
 
        test_begin("test_load_v2_key");
@@ -527,6 +533,24 @@ static void test_load_v2_key(void)
        dcrypt_key_unref_private(&priv);
        dcrypt_key_unref_public(&pub);
 
+       /* Matches the encrypted private key in index 4 */
+       static const char *pem_key_4 =
+"-----BEGIN PRIVATE KEY-----\n"
+"MIGqAgEAMBAGByqGSM49AgEGBSuBBAAjBIGSMIGPAgEBBEIBoC5EFaNm/mWOH9Dp\n"
+"juTNIuRRyKVEFZ0o1R9gPbeza2VvvKYZaIPck2HWEmJGoHOwo+Kc/Fq0Z7ka3Irg\n"
+"o9CfYlihRgNEAAMBTSCA2WUdwGM4Q7Frxvbd785xLALRGfY454bOH6Esn5CrKgo+\n"
+"/gmOCWVYR346VqT0OFxUamc3cglQsk3oFcTjQqY=\n"
+"-----END PRIVATE KEY-----\n";
+
+       test_assert_idx(dcrypt_key_load_private(&priv,
+               keys[4], "password", NULL, &error), 4);
+       test_assert_idx(dcrypt_key_store_private(priv,
+               DCRYPT_FORMAT_PEM, NULL, tmp,
+               NULL, NULL, &error), 4);
+       test_assert_strcmp_idx(str_c(tmp), pem_key_4, 4);
+       buffer_set_used_size(tmp, 0);
+       dcrypt_key_unref_private(&priv);
+
        buffer_free(&tmp);
 
        if (error != NULL) error = NULL;
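Review bot: The added case only proves that a pre-generated key with a 16-byte salt still loads; nothing in this hunk asserts that the encrypt path now writes one. test_load_v2_key starts above the hunk, so a round trip may exist elsewhere in the file. If it does not, store `priv` again with a password, e.g. `dcrypt_key_store_private(priv, DCRYPT_FORMAT_DOVECOT, "aes-256-ctr", tmp, "password", NULL, &error)`, and assert that the fifth colon-separated field of `str_c(tmp)` is `2 * DCRYPT_DOVECOT_SALT_LEN` hex characters long. That would catch a regression where the salt buffer is widened but only partly filled or emitted.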
@@ -547,6 +571,12 @@ static void test_load_v2_public_key(void)
                "bbc615415f06af06c8cc80c37f4e94ff6c7:185a721254278"
                "2e239111f9c19d126ad55b18ddaf4883d66afe8d9627c3607"
                "d8",
+               "2:3058301006072a8648ce3d020106052b810400230344000"
+               "301897d80b69ed3eccda4c5a5edc67e9a11ef76c4894710af"
+               "b3deb52e5d996f23b6252d93ab349d1931a234eda9ff7cc40"
+               "095b2b084b86e066839c7de8a08bf5bf46b:0a955323b7c00"
+               "ef44581122c510cbfacfc503aea291b3a3fa2a811356df5be"
+               "cd",
        };
 
        for (size_t i = 0; i < N_ELEMENTS(keys); i++) {