Log when iterations LT 1000 but take no action

2024-05-08 17:43:08 -04:00
parent a9511e118a
commit 7047991cda
1 changed files with 9 additions and 0 deletions
--- a/wolfcrypt/src/pwdbased.c
+++ b/wolfcrypt/src/pwdbased.c
@@ -219,6 +219,15 @@ int wc_PBKDF2_ex(byte* output, const byte* passwd, int pLen, const byte* salt,
        return BAD_LENGTH_E;
 #endif

+#if FIPS_VERSION3_GE(6,0,0) && defined(DEBUG_WOLFSSL)
+    /* SP800-132 §5.2 recommends an iteration count of 1000 but this is not
+     * strictly enforceable and is listed in Appendix B Table 1 as a
+     * non-testable requirement. wolfCrypt will log it when appropriate but
+     * take no action */
+    if (iterations < 1000) {
+        WOLFSSL_MSG("WARNING: Iteration < 1,000, see SP800-132 §5.2");
+    }
+#endif
    if (iterations <= 0)
        iterations = 1;