From: Theo Buehler <tb@theobuehler.org>
Subject: Re: [PATCH] Increase default PKCS12_SALT_LEN from 8 to 16 bytes
To: Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk>
Cc: tech@openbsd.org
Date: Sat, 10 May 2025 21:17:38 +0200

On Sat, May 10, 2025 at 06:49:18PM +0100, Dimitri John Ledkov wrote:
> Currently PKCS12_setup_mac() function uses salt length of 8 bytes / 64
> bits when no salt length is specified. Increase this fallback default
> to 16 bytes / 128 bits, as recommended by NIST SP 800-132.
> 
> Note this is for interoperability purposes. Some FIPS implementations
> enforce minimum salt length of 16 bytes. Examples of such FIPS
> implementations are Bouncycastle FIPS Java API and Chainguard FIPS
> Provider for OpenSSL. Also future v3.6 release of OpenSSL will also
> increase the default salt length to 16 bytes.

Applied, thank you. Most users of PKCS12_set_mac() that I could find
indeed use the fallback default, so will generate .pfx that soon won't
be usable anymore.

Since the macSalt is serialized as an octet string as part of the
macData, I can't see a use case for adding a knob to the openssl pkcs12
command line utility. The default should be fine and it is intelligible
to older implementations.

We should also look into using better default ciphers...
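
Added example, not part of the original message and not LibreSSL or OpenSSL code: a minimal DER walk that reads the macSalt length out of a PFX, which is how a verifier learns the salt size from the file itself and how existing .pfx files can be audited for 8-byte salts. The function names and the sample PFX skeleton (empty authSafe, all-zero digest) are constructed for illustration.

```python
# PFX     ::= SEQUENCE { version, authSafe ContentInfo, macData MacData OPTIONAL }
# MacData ::= SEQUENCE { mac DigestInfo, macSalt OCTET STRING, iterations INTEGER DEFAULT 1 }

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def mac_salt_len(pfx_der):
    """Length of macSalt in bytes, or None when the PFX has no macData."""
    tag, body, _ = read_tlv(pfx_der, 0)
    if tag != 0x30:
        raise ValueError("PFX is not a SEQUENCE")
    fields = children(body)
    if len(fields) < 3:
        return None
    mac = children(fields[2][1])
    if len(mac) < 2 or mac[1][0] != 0x04:
        raise ValueError("macData has no macSalt OCTET STRING")
    return len(mac[1][1])

def tlv(tag, value):  # sample builder only: short-form lengths (< 128 bytes)
    return bytes([tag, len(value)]) + value

def sample_pfx(salt):
    """Constructed PFX skeleton: empty authSafe, all-zero digest, given salt."""
    auth = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010701")) + tlv(0xA0, tlv(0x04, b"")))
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("608648016503040201")) + tlv(0x05, b""))
    mac = tlv(0x30, tlv(0x30, alg + tlv(0x04, bytes(32))) + tlv(0x04, salt) + tlv(0x02, b"\x08\x00"))
    return tlv(0x30, tlv(0x02, b"\x03") + auth + mac)
```

Running `mac_salt_len()` over the DER bytes of stored .pfx files shows which ones still carry an 8-byte salt and would need to be regenerated for implementations that enforce a 16-byte minimum.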