mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-08 01:50:48 +02:00
Merge pull request #10504 from miyazakh/f-2180_pbkdf
f-2180: fix clamp iterations <= 0 to 1 instead of returning an error
This commit is contained in:
@@ -2951,6 +2951,7 @@ if(WOLFSSL_EXAMPLES)
|
||||
tests/api/test_asn.c
|
||||
tests/api/test_pkcs7.c
|
||||
tests/api/test_pkcs12.c
|
||||
tests/api/test_pwdbased.c
|
||||
tests/api/test_ossl_asn1.c
|
||||
tests/api/test_ossl_bio.c
|
||||
tests/api/test_ossl_bn.c
|
||||
|
||||
@@ -242,6 +242,7 @@
|
||||
#include <tests/api/test_asn.h>
|
||||
#include <tests/api/test_pkcs7.h>
|
||||
#include <tests/api/test_pkcs12.h>
|
||||
#include <tests/api/test_pwdbased.h>
|
||||
#include <tests/api/test_ossl_asn1.h>
|
||||
#include <tests/api/test_ossl_bn.h>
|
||||
#include <tests/api/test_ossl_bio.h>
|
||||
@@ -40260,6 +40261,9 @@ TEST_CASE testCases[] = {
|
||||
/* wolfCrypt PKCS#12 */
|
||||
TEST_PKCS12_DECLS,
|
||||
|
||||
/* wolfCrypt pwdbased (PBKDF1/PBKDF2) */
|
||||
TEST_PWDBASED_DECLS,
|
||||
|
||||
/*
|
||||
* test_wolfCrypt_Cleanup needs to come after the above wolfCrypt tests to
|
||||
* avoid memory leaks.
|
||||
|
||||
@@ -66,6 +66,8 @@ tests_unit_test_SOURCES += tests/api/test_asn.c
|
||||
tests_unit_test_SOURCES += tests/api/test_pkcs7.c
|
||||
# PKCS#12
|
||||
tests_unit_test_SOURCES += tests/api/test_pkcs12.c
|
||||
# pwdbased (PBKDF1/PBKDF2)
|
||||
tests_unit_test_SOURCES += tests/api/test_pwdbased.c
|
||||
# OpenSSL ASN.1
|
||||
tests_unit_test_SOURCES += tests/api/test_ossl_asn1.c
|
||||
# OpenSSL BN
|
||||
@@ -166,6 +168,7 @@ EXTRA_DIST += tests/api/test_x509.h
|
||||
EXTRA_DIST += tests/api/test_asn.h
|
||||
EXTRA_DIST += tests/api/test_pkcs7.h
|
||||
EXTRA_DIST += tests/api/test_pkcs12.h
|
||||
EXTRA_DIST += tests/api/test_pwdbased.h
|
||||
EXTRA_DIST += tests/api/test_ossl_asn1.h
|
||||
EXTRA_DIST += tests/api/test_ossl_bn.h
|
||||
EXTRA_DIST += tests/api/test_ossl_bio.h
|
||||
|
||||
+12
-3
@@ -647,10 +647,11 @@ int test_wc_PKCS12_PBKDF(void)
|
||||
salt2, (int)sizeof(salt2), 1000, 24, WC_SHA256, 1), 0);
|
||||
ExpectIntEQ(XMEMCMP(derived, verify2, 24), 0);
|
||||
|
||||
/* iterations <= 0 treated as 1 */
|
||||
/* iterations <= 0 must be rejected */
|
||||
ExpectIntEQ(wc_PKCS12_PBKDF(derived, passwd, (int)sizeof(passwd),
|
||||
salt, (int)sizeof(salt), 0, 24, WC_SHA256, 1), 0);
|
||||
ExpectIntEQ(XMEMCMP(derived, verify, 24), 0);
|
||||
salt, (int)sizeof(salt), 0, 24, WC_SHA256, 1), BAD_FUNC_ARG);
|
||||
ExpectIntEQ(wc_PKCS12_PBKDF(derived, passwd, (int)sizeof(passwd),
|
||||
salt, (int)sizeof(salt), -1, 24, WC_SHA256, 1), BAD_FUNC_ARG);
|
||||
#endif
|
||||
return EXPECT_RESULT();
|
||||
}
|
||||
@@ -714,6 +715,14 @@ int test_wc_PKCS12_PBKDF_ex(void)
|
||||
salt, (int)sizeof(salt), 1, 24, WC_SHA256, 2, NULL), 0);
|
||||
ExpectIntEQ(wc_PKCS12_PBKDF_ex(derived, passwd, (int)sizeof(passwd),
|
||||
salt, (int)sizeof(salt), 1, 24, WC_SHA256, 3, NULL), 0);
|
||||
|
||||
/* iterations <= 0 must be rejected */
|
||||
ExpectIntEQ(wc_PKCS12_PBKDF_ex(derived, passwd, (int)sizeof(passwd),
|
||||
salt, (int)sizeof(salt), 0, 24, WC_SHA256, 1, NULL),
|
||||
BAD_FUNC_ARG);
|
||||
ExpectIntEQ(wc_PKCS12_PBKDF_ex(derived, passwd, (int)sizeof(passwd),
|
||||
salt, (int)sizeof(salt), -1, 24, WC_SHA256, 1, NULL),
|
||||
BAD_FUNC_ARG);
|
||||
#endif
|
||||
return EXPECT_RESULT();
|
||||
}
|
||||
|
||||
@@ -0,0 +1,72 @@
|
||||
/* test_pwdbased.c
|
||||
*
|
||||
* Copyright (C) 2006-2026 wolfSSL Inc.
|
||||
*
|
||||
* This file is part of wolfSSL.
|
||||
*
|
||||
* wolfSSL is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation; either version 3 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* wolfSSL is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program; if not, write to the Free Software
|
||||
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
|
||||
*/
|
||||
|
||||
#include <tests/unit.h>
|
||||
#include <wolfssl/wolfcrypt/pwdbased.h>
|
||||
#include <tests/api/api.h>
|
||||
#include <tests/api/test_pwdbased.h>
|
||||
|
||||
/* test that wc_PBKDF1_ex rejects iterations <= 0 */
|
||||
int test_wc_PBKDF1_ex_iterations(void)
|
||||
{
|
||||
EXPECT_DECLS;
|
||||
#if defined(HAVE_PBKDF1) && !defined(NO_PWDBASED) && !defined(NO_SHA) && \
|
||||
!defined(HAVE_SELFTEST)
|
||||
static const byte passwd[] = { 'p', 'a', 's', 's' };
|
||||
static const byte salt[] = { 0x78, 0x57, 0x8E, 0x5a,
|
||||
0x5d, 0x63, 0xcb, 0x06 };
|
||||
byte derived[16];
|
||||
|
||||
ExpectIntEQ(wc_PBKDF1_ex(derived, (int)sizeof(derived), NULL, 0,
|
||||
passwd, (int)sizeof(passwd),
|
||||
salt, (int)sizeof(salt), 0, WC_SHA, HEAP_HINT),
|
||||
BAD_FUNC_ARG);
|
||||
ExpectIntEQ(wc_PBKDF1_ex(derived, (int)sizeof(derived), NULL, 0,
|
||||
passwd, (int)sizeof(passwd),
|
||||
salt, (int)sizeof(salt), -1, WC_SHA, HEAP_HINT),
|
||||
BAD_FUNC_ARG);
|
||||
#endif
|
||||
return EXPECT_RESULT();
|
||||
}
|
||||
|
||||
/* test that wc_PBKDF2_ex rejects iterations <= 0 */
|
||||
int test_wc_PBKDF2_ex_iterations(void)
|
||||
{
|
||||
EXPECT_DECLS;
|
||||
#if defined(HAVE_PBKDF2) && !defined(NO_PWDBASED) && !defined(NO_HMAC) && \
|
||||
!defined(NO_SHA256) && !defined(HAVE_SELFTEST) && \
|
||||
(!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))
|
||||
static const byte passwd[] = { 'p', 'a', 's', 's' };
|
||||
static const byte salt[] = { 0x78, 0x57, 0x8E, 0x5a,
|
||||
0x5d, 0x63, 0xcb, 0x06 };
|
||||
byte derived[24];
|
||||
|
||||
ExpectIntEQ(wc_PBKDF2_ex(derived, passwd, (int)sizeof(passwd),
|
||||
salt, (int)sizeof(salt), 0,
|
||||
(int)sizeof(derived), WC_SHA256, HEAP_HINT, INVALID_DEVID),
|
||||
BAD_FUNC_ARG);
|
||||
ExpectIntEQ(wc_PBKDF2_ex(derived, passwd, (int)sizeof(passwd),
|
||||
salt, (int)sizeof(salt), -1,
|
||||
(int)sizeof(derived), WC_SHA256, HEAP_HINT, INVALID_DEVID),
|
||||
BAD_FUNC_ARG);
|
||||
#endif
|
||||
return EXPECT_RESULT();
|
||||
}
|
||||
@@ -0,0 +1,34 @@
|
||||
/* test_pwdbased.h
|
||||
*
|
||||
* Copyright (C) 2006-2026 wolfSSL Inc.
|
||||
*
|
||||
* This file is part of wolfSSL.
|
||||
*
|
||||
* wolfSSL is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation; either version 3 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* wolfSSL is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program; if not, write to the Free Software
|
||||
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
|
||||
*/
|
||||
|
||||
#ifndef WOLFCRYPT_TEST_PWDBASED_H
|
||||
#define WOLFCRYPT_TEST_PWDBASED_H
|
||||
|
||||
#include <tests/api/api_decl.h>
|
||||
|
||||
int test_wc_PBKDF1_ex_iterations(void);
|
||||
int test_wc_PBKDF2_ex_iterations(void);
|
||||
|
||||
#define TEST_PWDBASED_DECLS \
|
||||
TEST_DECL_GROUP("pwdbased", test_wc_PBKDF1_ex_iterations), \
|
||||
TEST_DECL_GROUP("pwdbased", test_wc_PBKDF2_ex_iterations)
|
||||
|
||||
#endif /* WOLFCRYPT_TEST_PWDBASED_H */
|
||||
@@ -6791,6 +6791,10 @@ void wolfSSL_EVP_init(void)
|
||||
if (ret == WC_NO_ERR_TRACE(WOLFSSL_FAILURE))
|
||||
goto end;
|
||||
|
||||
/* OpenSSL treats count <= 0 as 1 iteration */
|
||||
if (count <= 0)
|
||||
count = 1;
|
||||
|
||||
ret = wc_PBKDF1_ex(key, (int)info->keySz, iv, (int)info->ivSz, data, sz,
|
||||
salt, EVP_SALT_SIZE, count, hashType, NULL);
|
||||
if (ret == 0)
|
||||
|
||||
@@ -98,7 +98,7 @@ int wc_PBKDF1_ex(byte* key, int keyLen, byte* iv, int ivLen,
|
||||
return BAD_FUNC_ARG;
|
||||
|
||||
if (iterations <= 0)
|
||||
iterations = 1;
|
||||
return BAD_FUNC_ARG;
|
||||
|
||||
if (iterations > current_wc_pbkdf_max_iterations) {
|
||||
WOLFSSL_MSG("PBKDF1 iteration count exceeds current_wc_pbkdf_max_iterations");
|
||||
@@ -239,7 +239,7 @@ int wc_PBKDF2_ex(byte* output, const byte* passwd, int pLen, const byte* salt,
|
||||
}
|
||||
#endif
|
||||
if (iterations <= 0)
|
||||
iterations = 1;
|
||||
return BAD_FUNC_ARG;
|
||||
|
||||
if (iterations > current_wc_pbkdf_max_iterations) {
|
||||
WOLFSSL_MSG("PBKDF2 iteration count exceeds current_wc_pbkdf_max_iterations");
|
||||
@@ -432,7 +432,7 @@ int wc_PKCS12_PBKDF_ex(byte* output, const byte* passwd, int passLen,
|
||||
}
|
||||
|
||||
if (iterations <= 0)
|
||||
iterations = 1;
|
||||
return BAD_FUNC_ARG;
|
||||
|
||||
if (iterations > current_wc_pbkdf_max_iterations) {
|
||||
WOLFSSL_MSG("PKCS12 PBKDF iteration count exceeds "
|
||||
@@ -660,7 +660,7 @@ int wc_PKCS12_PBKDF_ex(byte* output, const byte* passwd, int passLen,
|
||||
}
|
||||
|
||||
if (iterations <= 0) {
|
||||
iterations = 1;
|
||||
return BAD_FUNC_ARG;
|
||||
}
|
||||
|
||||
if (iterations > current_wc_pbkdf_max_iterations) {
|
||||
|
||||
Reference in New Issue
Block a user