From: pohsingwu <pohsingwu@synology.com>
Date: Fri, 9 May 2025 07:26:35 +0000 (+0800)
Subject: Raise an error if PBKDF2 iteration count set to zero on check disabled in default... 
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=53ea500c49d41f516755aab0f03d8f5066c8623b;p=thirdparty%2Fopenssl.git

Raise an error if PBKDF2 iteration count set to zero on check disabled in default provider

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27589)
---

diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c
index 8b12647d8d8..6ec8e2f7656 100644
--- a/providers/implementations/kdfs/pbkdf2.c
+++ b/providers/implementations/kdfs/pbkdf2.c
@@ -242,6 +242,9 @@ static int lower_bound_check_passed(KDF_PBKDF2 *ctx, int saltlen, uint64_t iter,
             ERR_raise(ERR_LIB_PROV, error);
             return 0;
         }
+    } else if (iter < 1) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_ITERATION_COUNT);
+        return 0;
     }
 #endif
 
diff --git a/test/recipes/30-test_evp_data/evpkdf_pbkdf2.txt b/test/recipes/30-test_evp_data/evpkdf_pbkdf2.txt
index b64091114b8..3ec66977466 100644
--- a/test/recipes/30-test_evp_data/evpkdf_pbkdf2.txt
+++ b/test/recipes/30-test_evp_data/evpkdf_pbkdf2.txt
@@ -275,3 +275,12 @@ Ctrl.iter = iter:10
 Ctrl.digest = digest:sha1
 Result = KDF_CTRL_ERROR
 Reason = invalid iteration count
+
+Availablein = default
+KDF = PBKDF2
+Ctrl.pass = pass:password
+Ctrl.salt = salt:salt
+Ctrl.iter = iter:0
+Ctrl.digest = digest:sha1
+Result = KDF_CTRL_ERROR
+Reason = invalid iteration count