Tidy up some comments and #defines around salt lengths
https://boringssl-review.googlesource.com/c/boringssl/+/79267 will
bump the PKCS5_SALT_LEN constant to 16. To avoid some confusing results
from that:
1. Don't bother using a constant for EVP_BytesToKey (a generalized
PBKDF1). It's not really doing anything there, since the public API
just says 8 anyway.
2. Fix the structure citation from PKCS #5 (RFC 2898, now RFC 8018) to
PKCS #12 (RFC 7292). This is actually the PKCS #12 version of the
structure, which has no constraint on the salt length. See
https://crbug.com/416889523#comment4
Bug: 416889523
Change-Id: I1aded3bf93c2ffc281b71013a6ea4135d39e28d9
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/79287
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
Auto-Submit: David Benjamin <davidben@google.com>
diff --git a/crypto/cipher/derive_key.cc b/crypto/cipher/derive_key.cc
index ac0f284..4dc493e 100644
--- a/crypto/cipher/derive_key.cc
+++ b/crypto/cipher/derive_key.cc
@@ -20,10 +20,8 @@
#include <openssl/mem.h>
-#define PKCS5_SALT_LEN 8
-
int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md,
- const uint8_t *salt, const uint8_t *data, size_t data_len,
+ const uint8_t salt[8], const uint8_t *data, size_t data_len,
unsigned count, uint8_t *key, uint8_t *iv) {
uint8_t md_buf[EVP_MAX_MD_SIZE];
unsigned addmd = 0;
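Review bot: the new `const uint8_t salt[8]` parameter decays to `const uint8_t *` in both C and C++, so the 8 in the declaration is documentation only and the compiler still accepts a shorter buffer; with `PKCS5_SALT_LEN` deleted, a one-line comment above the declaration stating that `salt` is either nullptr or exactly 8 bytes would preserve what the constant used to say, and it would also head off the misreading that array syntax invites, since the body (next hunk) still accepts `salt == nullptr`. Please also confirm the prototype in the public header spells the parameter the same way so the two declarations do not drift.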
@@ -54,7 +52,7 @@
goto err;
}
if (salt != nullptr) {
- if (!EVP_DigestUpdate(c.get(), salt, PKCS5_SALT_LEN)) {
+ if (!EVP_DigestUpdate(c.get(), salt, 8)) {
goto err;
}
}
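Review bot: `EVP_DigestUpdate(c.get(), salt, 8)` now repeats the literal 8 from the parameter declaration in the previous hunk, with nothing tying the two together; if the named constant is to go, a short comment on this line ("the salt is fixed at 8 bytes, matching the public prototype") keeps the length in sync for whoever next edits one occurrence without the other. The surrounding `salt != nullptr` guard is still correct and needs no change.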
diff --git a/crypto/pkcs8/pkcs8.cc b/crypto/pkcs8/pkcs8.cc
index 4b5609d..91a81fa 100644
--- a/crypto/pkcs8/pkcs8.cc
+++ b/crypto/pkcs8/pkcs8.cc
@@ -301,7 +301,10 @@
return 0;
}
- // See RFC 2898, appendix A.3.
+ // See RFC 7292, appendix C. All our supported "PBES1" schemes are the PKCS#12
+ // schemes, which use a different KDF. The true PBES1 schemes in RFC 8018 use
+ // PBKDF1, which use a very similar PBEParameter structure, but require the
+ // salt be exactly 8 bytes.
CBB algorithm, param;
if (!CBB_add_asn1(out, &algorithm, CBS_ASN1_SEQUENCE) ||
!CBB_add_asn1_element(&algorithm, CBS_ASN1_OBJECT, suite->oid,
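Review bot: in the new comment, "PBKDF1, which use a very similar PBEParameter structure" disagrees with its subject and should read "which uses" (or be rephrased as "PBES1 schemes, which use ..."); "PKCS#12" here also differs from the "PKCS #12" spelling in the commit message, so pick one. The substance is right: pointing at RFC 7292 appendix C and spelling out that only the PKCS #12 schemes are supported explains why the encoder below imposes no length constraint on the salt, which is the confusion the commit message is trying to remove.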