Add FIPS pbkdf2 validation (#7187) (#7493)

mergify[bot] · michel-laterman · web-flow · commit 57e581a3ad1a · 2025-03-24T11:50:34.000-06:00
Add FIPS pbkdf2 validation. (cherry picked from commit 6097c5c) Co-authored-by: Michel Laterman <82832767+michel-laterman@users.noreply.github.com>
diff --git a/changelog/fragments/1741122475-Validate-pbkdf2-settings-when-in-FIPS-mode.yaml b/changelog/fragments/1741122475-Validate-pbkdf2-settings-when-in-FIPS-mode.yaml
@@ -0,0 +1,32 @@
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: enhancement
+
+# Change summary; a 80ish characters long description of the change.
+summary: Validate pbkdf2 settings when in FIPS mode
+
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment.
+#description:
+
+# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc.
+component: elastic-agent
+
+# PR URL; optional; the PR number that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+pr: https://github.com/elastic/elastic-agent/pull/7187
+
+# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+#issue: https://github.com/owner/repo/1234
diff --git a/internal/pkg/crypto/io.go b/internal/pkg/crypto/io.go
@@ -30,27 +30,6 @@ type Option struct {
 	BlockSize int
 }
 
-// Validate the options for encoding and decoding values.
-func (o *Option) Validate() error {
-	if o.IVLength == 0 {
-		return errors.New("IVLength must be superior to 0")
-	}
-
-	if o.SaltLength == 0 {
-		return errors.New("SaltLength must be superior to 0")
-	}
-
-	if o.IterationsCount == 0 {
-		return errors.New("IterationsCount must be superior to 0")
-	}
-
-	if o.KeyLength == 0 {
-		return errors.New("KeyLength must be superior to 0")
-	}
-
-	return nil
-}
-
 // DefaultOptions is the default options to use when creating the writer, changing might decrease
 // the efficacity of the encryption.
 var DefaultOptions = &Option{
diff --git a/internal/pkg/crypto/io_opts_fips.go b/internal/pkg/crypto/io_opts_fips.go
@@ -0,0 +1,32 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0;
+// you may not use this file except in compliance with the Elastic License 2.0.
+
+//go:build requirefips
+
+package crypto
+
+import (
+	"errors"
+)
+
+// Validate the options for encoding and decoding values.
+func (o *Option) Validate() error {
+	if o.IVLength < 12 {
+		return errors.New("IVLength must be at least 96 bits (12 bytes)")
+	}
+
+	if o.SaltLength < 16 {
+		return errors.New("SaltLength must be at least 128 bits (16 bytes)")
+	}
+
+	if o.IterationsCount < 1000 {
+		return errors.New("IterationsCount must be at least 1000")
+	}
+
+	if o.KeyLength < 14 {
+		return errors.New("KeyLength must be at least 112 bits (14 bytes)")
+	}
+
+	return nil
+}
diff --git a/internal/pkg/crypto/io_opts_fips_test.go b/internal/pkg/crypto/io_opts_fips_test.go
@@ -0,0 +1,63 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0;
+// you may not use this file except in compliance with the Elastic License 2.0.
+
+//go:build requirefips
+
+package crypto
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_Option_ValidateFIPS(t *testing.T) {
+	t.Run("default has no errors", func(t *testing.T) {
+		err := DefaultOptions.Validate()
+		assert.NoError(t, err)
+	})
+
+	tests := []struct {
+		name   string
+		option *Option
+	}{{
+		name: "IVLength is low",
+		option: &Option{
+			IVLength:        10,
+			SaltLength:      20,
+			IterationsCount: 10000,
+			KeyLength:       20,
+		},
+	}, {
+		name: "SaltLength is low",
+		option: &Option{
+			IVLength:        20,
+			SaltLength:      10,
+			IterationsCount: 10000,
+			KeyLength:       20,
+		},
+	}, {
+		name: "IterationsCount is low",
+		option: &Option{
+			IVLength:        20,
+			SaltLength:      20,
+			IterationsCount: 100,
+			KeyLength:       20,
+		},
+	}, {
+		name: "KeyLength is low",
+		option: &Option{
+			IVLength:        20,
+			SaltLength:      20,
+			IterationsCount: 10000,
+			KeyLength:       10,
+		},
+	}}
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			err := tc.option.Validate()
+			assert.Error(t, err, "expected validation to fail with error")
+		})
+	}
+}
diff --git a/internal/pkg/crypto/io_opts_nofips.go b/internal/pkg/crypto/io_opts_nofips.go
@@ -0,0 +1,32 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0;
+// you may not use this file except in compliance with the Elastic License 2.0.
+
+//go:build !requirefips
+
+package crypto
+
+import (
+	"errors"
+)
+
+// Validate the options for encoding and decoding values.
+func (o *Option) Validate() error {
+	if o.IVLength == 0 {
+		return errors.New("IVLength must be superior to 0")
+	}
+
+	if o.SaltLength == 0 {
+		return errors.New("SaltLength must be superior to 0")
+	}
+
+	if o.IterationsCount == 0 {
+		return errors.New("IterationsCount must be superior to 0")
+	}
+
+	if o.KeyLength == 0 {
+		return errors.New("KeyLength must be superior to 0")
+	}
+
+	return nil
+}
diff --git a/internal/pkg/crypto/io_opts_nofips_test.go b/internal/pkg/crypto/io_opts_nofips_test.go
@@ -0,0 +1,63 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0;
+// you may not use this file except in compliance with the Elastic License 2.0.
+
+//go:build !requirefips
+
+package crypto
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_Option_Validate(t *testing.T) {
+	t.Run("default has no errors", func(t *testing.T) {
+		err := DefaultOptions.Validate()
+		assert.NoError(t, err)
+	})
+
+	tests := []struct {
+		name   string
+		option *Option
+	}{{
+		name: "IVLength is 0",
+		option: &Option{
+			IVLength:        0,
+			SaltLength:      1,
+			IterationsCount: 1,
+			KeyLength:       1,
+		},
+	}, {
+		name: "SaltLength is 0",
+		option: &Option{
+			IVLength:        1,
+			SaltLength:      0,
+			IterationsCount: 1,
+			KeyLength:       1,
+		},
+	}, {
+		name: "IterationsCount is 0",
+		option: &Option{
+			IVLength:        1,
+			SaltLength:      1,
+			IterationsCount: 0,
+			KeyLength:       1,
+		},
+	}, {
+		name: "KeyLength is 0",
+		option: &Option{
+			IVLength:        1,
+			SaltLength:      1,
+			IterationsCount: 1,
+			KeyLength:       0,
+		},
+	}}
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			err := tc.option.Validate()
+			assert.Error(t, err, "expected validation to fail with error")
+		})
+	}
+}
