Dimitri John Ledkov
Will add indicator.
Are "pkcs5" (OSSL_KDF_PARAM_PKCS5) and "fips-indicator" (OSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR) and the related `pbkdf2-lower-bound-check = 0` implemented correctly? My expectation was that this patch hooks into all of that, and thus should already have...
From command-line it is possible to generate KDF from short password using pkcs5:1 kdf param:
```
$ ./util/wrap.pl -fips ./apps/openssl kdf -keylen 32 -kdfopt pass:short -kdfopt salt:verylongsaul -kdfopt pkcs5:0 PBKDF2...
```
> For tests, can you use the evp_test harness?

added blocked, unapproved, and approved test cases.
@t8m made new error PROV_R_PASSWORD_STRENGTH_TOO_WEAK and using that, as whilst this code base only enforces length, some other ones (see earlier mentioned security policies) have other non-length related conditionals too....
> @xnox Are you able to make the change @paulidale suggested?

Yes but I am on holiday until next week.
I want https://github.com/openssl/openssl/pull/27001 to get in first; as this branch will need changes on that code.
> Is it worth adding something to one of the INSTALL or README files describing this option?

I am now following -DOPENSSL_TLS_SECURITY_LEVEL example for documenting compile time constant in the...
> Likely needs an indicator 😞

Note existing dynamic indicator of unapproved usage are in use for this password length check too.
better late than never! =)