From: Arran Cudbard-Bell <a.cudbardb@freeradius.org>
Date: Sat, 2 Oct 2021 00:37:51 +0000 (-0500)
Subject: OpenSSL 3.0 PBKDF2 functions don't like zero iterations
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=556c39656b65f4948bd8583ffdb4171ac6a5b3c2;p=thirdparty%2Ffreeradius-server.git

OpenSSL 3.0 PBKDF2 functions don't like zero iterations
---

diff --git a/src/modules/rlm_pap/rlm_pap.c b/src/modules/rlm_pap/rlm_pap.c
index 3b2c5e97adc..7cea7d727a4 100644
--- a/src/modules/rlm_pap/rlm_pap.c
+++ b/src/modules/rlm_pap/rlm_pap.c
@@ -30,6 +30,7 @@ USES_APPLE_DEPRECATED_API
 #include <freeradius-devel/server/module.h>
 #include <freeradius-devel/server/password.h>
 #include <freeradius-devel/tls/base.h>
+#include <freeradius-devel/tls/log.h>
 
 #include <freeradius-devel/util/base64.h>
 #include <freeradius-devel/util/debug.h>
@@ -462,7 +463,7 @@ static inline CC_HINT(nonnull) unlang_action_t pap_auth_pbkdf2_parse(rlm_rcode_t
 	int			digest_type;
 	size_t			digest_len;
 
-	uint32_t		iterations = 0;
+	uint32_t		iterations = 1;
 
 	uint8_t			*salt = NULL;
 	size_t			salt_len;
@@ -588,6 +589,11 @@ static inline CC_HINT(nonnull) unlang_action_t pap_auth_pbkdf2_parse(rlm_rcode_t
 
 		iterations = ntohl(iterations);
 
+		/*
+		 *	0 iterations is invalid (we need at least one)
+		 */
+		if (iterations == 0) iterations = 1;
+
 		p = q + 1;
 	}
 
@@ -645,7 +651,7 @@ static inline CC_HINT(nonnull) unlang_action_t pap_auth_pbkdf2_parse(rlm_rcode_t
 			      (int)iterations,
 			      evp_md,
 			      (int)digest_len, (unsigned char *)digest) == 0) {
-		REDEBUG("PBKDF2 digest failure");
+		fr_tls_log_error(request, "PBKDF2 digest failure");
 		goto finish;
 	}