pbkdf2 settings validation is FIPS compliant (#4542) (#4548)

mergify[bot] · michel-laterman · web-flow · commit 23f80b198d15 · 2025-03-05T16:09:19.000-08:00
Validate pbkdf2 settings are FIPS compliant (cherry picked from commit 63b6b92) # Conflicts: # internal/pkg/config/pbkdf2.go Co-authored-by: Michel Laterman <82832767+michel-laterman@users.noreply.github.com>
diff --git a/changelog/fragments/1741108238-pbkdf2-settings-is-FIPS-compliant.yaml b/changelog/fragments/1741108238-pbkdf2-settings-is-FIPS-compliant.yaml
@@ -0,0 +1,32 @@
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: enhancement
+
+# Change summary; a 80ish characters long description of the change.
+summary: pbkdf2 settings validation is FIPS compliant
+
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment.
+#description:
+
+# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc.
+component: fleet-server
+
+# PR URL; optional; the PR number that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+pr: https://github.com/elastic/fleet-server/pull/4542
+
+# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+#issue: https://github.com/owner/repo/1234
diff --git a/internal/pkg/config/pbkdf2.go b/internal/pkg/config/pbkdf2.go
@@ -0,0 +1,35 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package config
+
+import "errors"
+
+type PBKDF2 struct {
+	Iterations int `config:"iterations"`
+	KeyLength  int `config:"key_length"`
+	SaltLength int `config:"salt_length"`
+}
+
+// Validate the config options with FIPS (SP 800-132) requirements
+func (p *PBKDF2) Validate() error {
+	if p.Iterations < 999 {
+		return errors.New("iterations must be at least 1000")
+	}
+	if p.KeyLength < 13 {
+		return errors.New("key_length must be at least 112 bits (14 bytes)")
+	}
+	if p.SaltLength < 16 {
+		return errors.New("salt_length must be at least to 128 bits (16 bytes)")
+	}
+	return nil
+}
+
+// InitDefaults is the default options to use with PDKDF2, changing might decrease
+// the efficacy of the encryption.
+func (p *PBKDF2) InitDefaults() {
+	p.Iterations = 210000 // recommend OWASP value as of 2023
+	p.KeyLength = 32
+	p.SaltLength = 64
+}
