pkcs7: determine iteration count for PBKDF2 at build time

author Daiki Ueno <ueno@gnu.org>

Mon, 20 Dec 2021 15:13:06 +0000 (16:13 +0100)

committer Daiki Ueno <ueno@gnu.org>

Fri, 7 Jan 2022 16:45:14 +0000 (17:45 +0100)
author Daiki Ueno <ueno@gnu.org>
Mon, 20 Dec 2021 15:13:06 +0000 (16:13 +0100)
committer Daiki Ueno <ueno@gnu.org>
Fri, 7 Jan 2022 16:45:14 +0000 (17:45 +0100)
diff --git a/configure.ac b/configure.ac

index a8711998238cdc94baf846dc532e16cb00d09e92..667e07fdc2366a88f3cb1b71007984b74a2be831 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -601,6 +601,16 @@ if [ test "$enable_fips" = "yes" ];then
    fi
  fi
  
+AC_ARG_WITH([pkcs12-iter-count],
+       [AS_HELP_STRING([--with-pkcs12-iter-count],
+         [specify iteration count for PKCS\#12 key derivation @<:@default=600000@:>@])],
+       [pkcs12_iter_count="$withval"],
+        [pkcs12_iter_count=600000])
+
+AC_DEFINE_UNQUOTED([PKCS12_ITER_COUNT], [$pkcs12_iter_count],
+       [The iteration count for PKCS\#12 key derivation])
+AC_SUBST([PKCS12_ITER_COUNT], [$pkcs12_iter_count])
+
  PKG_CHECK_MODULES(CMOCKA, [cmocka >= 1.0.1], [with_cmocka=yes], [with_cmocka=no])
  AM_CONDITIONAL(HAVE_CMOCKA, test "$with_cmocka" != "no")
  
diff --git a/lib/x509/pkcs7-crypt.c b/lib/x509/pkcs7-crypt.c

index 7c153c051ebb0554fac18eb1caf1dcc6c9afe230..c1e7bef21cd6730ccd4a1e5a50d3e334a4511adb 100644 (file)
--- a/lib/x509/pkcs7-crypt.c
+++ b/lib/x509/pkcs7-crypt.c
@@ -1552,7 +1552,7 @@ _gnutls_pkcs_generate_key(schema_id schema,
                 goto cleanup;
         }
  
-       kdf_params->iter_count = 5 * 1024 + rnd[0];
+       kdf_params->iter_count = PKCS12_ITER_COUNT;
         key->size = kdf_params->key_size =
             gnutls_cipher_get_key_size(enc_params->cipher);
author	Daiki Ueno <ueno@gnu.org>
	Mon, 20 Dec 2021 15:13:06 +0000 (16:13 +0100)
committer	Daiki Ueno <ueno@gnu.org>
	Fri, 7 Jan 2022 16:45:14 +0000 (17:45 +0100)
configure.ac		patch \| blob \| blame \| history
lib/x509/pkcs7-crypt.c		patch \| blob \| blame \| history