From 53ea500c49d41f516755aab0f03d8f5066c8623b Mon Sep 17 00:00:00 2001
From: pohsingwu
Date: Fri, 9 May 2025 15:26:35 +0800
Subject: [PATCH] Raise an error if PBKDF2 iteration count set to zero on check disabled in default provider

Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/27589)
---
 providers/implementations/kdfs/pbkdf2.c | 3 +++
 test/recipes/30-test_evp_data/evpkdf_pbkdf2.txt | 9 +++++++++
 2 files changed, 12 insertions(+)

diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c
index 8b12647d8d8..6ec8e2f7656 100644
--- a/providers/implementations/kdfs/pbkdf2.c
+++ b/providers/implementations/kdfs/pbkdf2.c
@@ -242,6 +242,9 @@ static int lower_bound_check_passed(KDF_PBKDF2 *ctx, int saltlen, uint64_t iter,
 ERR_raise(ERR_LIB_PROV, error);
 return 0;
 }
+ } else if (iter < 1) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_ITERATION_COUNT);
+ return 0;
 }
 #endif

diff --git a/test/recipes/30-test_evp_data/evpkdf_pbkdf2.txt b/test/recipes/30-test_evp_data/evpkdf_pbkdf2.txt
index b64091114b8..3ec66977466 100644
--- a/test/recipes/30-test_evp_data/evpkdf_pbkdf2.txt
+++ b/test/recipes/30-test_evp_data/evpkdf_pbkdf2.txt
@@ -275,3 +275,12 @@ Ctrl.iter = iter:10
 Ctrl.digest = digest:sha1
 Result = KDF_CTRL_ERROR
 Reason = invalid iteration count
+
+Availablein = default
+KDF = PBKDF2
+Ctrl.pass = pass:password
+Ctrl.salt = salt:salt
+Ctrl.iter = iter:0
+Ctrl.digest = digest:sha1
+Result = KDF_CTRL_ERROR
+Reason = invalid iteration count
--
2.47.3
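Review bot: The new `else if (iter < 1)` branch sits directly above the `#endif`, so it is compiled only in one arm of a preprocessor conditional whose opening is outside the hunk. Going by the commit title this is the default-provider arm, and it is worth confirming that the other arm also rejects a zero count when its checks are relaxed. Since `iter` is a `uint64_t`, `iter == 0` states the condition more directly than `iter < 1`. A short comment such as `/* PBKDF2 needs a positive iteration count even when the lower-bound checks are off */` would record why this branch exists. lower_bound_check_passed starts and ends outside the hunk.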
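Review bot: The added `iter:0` case does not set any control that switches the lower-bound checks off, so it appears to depend on the default provider's default setting to reach the new branch. If that default ever changes, the case would still pass with the same reason string but through the enabled-checks path, and the new branch would go untested. Setting the mode explicitly in the case, for example `Ctrl.pkcs5 = pkcs5:1` if that is the control this file uses to disable the checks, would pin the test to the disabled-checks path. A companion case with `iter:1` expecting success would also pin the boundary.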