Relax PBKDF2 iteration check for FIPS self-test

FIPS 140-3 IG 10.3.A.8 requires known-answer tests for KDFs. Some of these
tests for PBKDF2 use a low iteration count (e.g., 2) which is below the normal
security threshold and would otherwise fail.

This change checks if a PBKDF2 self-test is in progress and, if so, lowers the
minimum accepted iteration count to 2. This allows the required self-tests to
pass while maintaining the security check for normal operations.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)

diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c
index 4a300ac022eaae30c22014d2737a20f4001035c0..10f6c7e169f5ebf9ad46e4dc9ebe307c36f41443 100644 (file)
--- a/providers/implementations/kdfs/pbkdf2.c
+++ b/providers/implementations/kdfs/pbkdf2.c
@@ -57,6 +57,7 @@
 #ifndef KDF_PBKDF2_MIN_PASSWORD_LEN
 #ifdef FIPS_MODULE
 #define KDF_PBKDF2_MIN_PASSWORD_LEN (8)
+#define KDF_PBKDF2_FIPS_SELF_TEST_ITERATIONS 2
 #else
 #define KDF_PBKDF2_MIN_PASSWORD_LEN (1)
 #endif
@@ -217,6 +218,8 @@ static int pbkdf2_lower_bound_check_passed(int saltlen, uint64_t iter,
     size_t keylen, size_t passlen,
     int *error, const char **desc)
 {
+    uint64_t min_iter = KDF_PBKDF2_MIN_ITERATIONS;
+
     if (passlen < KDF_PBKDF2_MIN_PASSWORD_LEN) {
         *error = PROV_R_PASSWORD_STRENGTH_TOO_WEAK;
         if (desc != NULL)
@@ -235,7 +238,13 @@ static int pbkdf2_lower_bound_check_passed(int saltlen, uint64_t iter,
             *desc = "Salt size";
         return 0;
     }
-    if (iter < KDF_PBKDF2_MIN_ITERATIONS) {
+#ifdef FIPS_MODULE
+    /* Modify this check during self-test. See FIPS 140-3 IG 10.3.A.8 */
+    if (ossl_self_test_in_progress(ST_ID_KDF_PBKDF2)) {
+        min_iter = KDF_PBKDF2_FIPS_SELF_TEST_ITERATIONS;
+    }
+#endif
+    if (iter < min_iter) {
         *error = PROV_R_INVALID_ITERATION_COUNT;
         if (desc != NULL)
             *desc = "Iteration count";