Improve PBKDF2 password strength too weak error message with arguments

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed Apr  8 10:34:20 2026
(Merged from https://github.com/openssl/openssl/pull/30628)

diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c
index 88cb8c73dffaee8249d6913f07a769eb25c39361..e1f67cecbc6e2c2fe5eebef81363c458214b7a62 100644 (file)
--- a/providers/implementations/kdfs/pbkdf2.c
+++ b/providers/implementations/kdfs/pbkdf2.c
@@ -366,7 +366,9 @@ static int kdf_pbkdf2_set_ctx_params(void *vctx, const OSSL_PARAM params[])
     if (p.pw != NULL) {
         if (ctx->lower_bound_checks != 0
             && p.pw->data_size < KDF_PBKDF2_MIN_PASSWORD_LEN) {
-            ERR_raise(ERR_LIB_PROV, PROV_R_PASSWORD_STRENGTH_TOO_WEAK);
+            ERR_raise_data(ERR_LIB_PROV, PROV_R_PASSWORD_STRENGTH_TOO_WEAK,
+                "password length %zu should be at least %d",
+                p.pw->data_size, KDF_PBKDF2_MIN_PASSWORD_LEN);
             return 0;
         }
         if (!pbkdf2_set_membuf(&ctx->pass, &ctx->pass_len, p.pw))