From 7047991cda8ff202703491143e771cefe9fdcd86 Mon Sep 17 00:00:00 2001
From: kaleb-himes <kaleb@wolfssl.com>
Date: Wed, 8 May 2024 17:43:08 -0400
Subject: [PATCH] Log when iterations LT 1000 but take no action

---
 wolfcrypt/src/pwdbased.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/wolfcrypt/src/pwdbased.c b/wolfcrypt/src/pwdbased.c
index 685939128..471b1b0a8 100644
--- a/wolfcrypt/src/pwdbased.c
+++ b/wolfcrypt/src/pwdbased.c
@@ -219,6 +219,15 @@ int wc_PBKDF2_ex(byte* output, const byte* passwd, int pLen, const byte* salt,
         return BAD_LENGTH_E;
 #endif
 
+#if FIPS_VERSION3_GE(6,0,0) && defined(DEBUG_WOLFSSL)
+    /* SP800-132 §5.2 recommends an iteration count of 1000 but this is not
+     * strictly enforceable and is listed in Appendix B Table 1 as a
+     * non-testable requirement. wolfCrypt will log it when appropriate but
+     * take no action */
+    if (iterations < 1000) {
+        WOLFSSL_MSG("WARNING: Iteration < 1,000, see SP800-132 §5.2");
+    }
+#endif
     if (iterations <= 0)
         iterations = 1;