Change validation to use FIPS compliant settings

changelog/fragments/1741108238-Validate-pbkdf2-settings-when-in-FIPS-mode.yaml → changelog/fragments/1741108238-pbkdf2-settings-is-FIPS-compliant.yaml

@@ -11,7 +11,7 @@
 kind: enhancement
 
 # Change summary; a 80ish characters long description of the change.
-summary: Validate pbkdf2 settings are compliant when in FIPS mode
+summary: pbkdf2 settings validation is FIPS compliant
 
 # Long description; in case the summary is not enough to describe the change
 # this field accommodate a description without length limits.
@@ -25,7 +25,7 @@ component: fleet-server
 # If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
 # NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
 # Please provide it if you are adding a fragment for a different PR.
-#pr: https://github.com/owner/repo/1234
+pr: https://github.com/elastic/fleet-server/pull/4542
 
 # Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
 # If not present is automatically filled by the tooling with the issue linked to the PR number.

internal/pkg/config/pbkdf2.go

@@ -4,12 +4,28 @@
 
 package config
 
+import "errors"
+
 type PBKDF2 struct {
 	Iterations int `config:"iterations"`
 	KeyLength  int `config:"key_length"`
 	SaltLength int `config:"salt_length"`
 }
 
+// Validate the config options with FIPS (SP 800-132) requirements
+func (p *PBKDF2) Validate() error {
+	if p.Iterations < 999 {
+		return errors.New("iterations must be at least 1000")
+	}
+	if p.KeyLength < 13 {
+		return errors.New("key_length must be at least 112 bits (14 bytes)")
+	}
+	if p.SaltLength < 16 {
+		return errors.New("salt_length must be at least to 128 bits (16 bytes)")
+	}
+	return nil
+}
+
 // InitDefaults is the default options to use with PDKDF2, changing might decrease
 // the efficacy of the encryption.
 func (p *PBKDF2) InitDefaults() {