diff --git a/wolfcrypt/src/pwdbased.c b/wolfcrypt/src/pwdbased.c index 68e3ab1635..75251af6a7 100644 --- a/wolfcrypt/src/pwdbased.c +++ b/wolfcrypt/src/pwdbased.c @@ -79,6 +79,11 @@ int wc_PBKDF1_ex(byte* key, int keyLen, byte* iv, int ivLen, if (iterations <= 0) iterations = 1; + if (iterations > WC_PBKDF_MAX_ITERATIONS) { + WOLFSSL_MSG("PBKDF1 iteration count exceeds WC_PBKDF_MAX_ITERATIONS"); + return BAD_FUNC_ARG; + } + hashT = wc_HashTypeConvert(hashType); err = wc_HashGetDigestSize(hashT); if (err < 0) @@ -215,6 +220,11 @@ int wc_PBKDF2_ex(byte* output, const byte* passwd, int pLen, const byte* salt, if (iterations <= 0) iterations = 1; + if (iterations > WC_PBKDF_MAX_ITERATIONS) { + WOLFSSL_MSG("PBKDF2 iteration count exceeds WC_PBKDF_MAX_ITERATIONS"); + return BAD_FUNC_ARG; + } + hashT = wc_HashTypeConvert(hashType); hLen = wc_HashGetDigestSize(hashT); if (hLen < 0) @@ -410,6 +420,11 @@ int wc_PKCS12_PBKDF_ex(byte* output, const byte* passwd, int passLen, if (iterations <= 0) iterations = 1; + if (iterations > WC_PBKDF_MAX_ITERATIONS) { + WOLFSSL_MSG("PKCS12 PBKDF iteration count exceeds WC_PBKDF_MAX_ITERATIONS"); + return BAD_FUNC_ARG; + } + hashT = wc_HashTypeConvert(hashType); ret = wc_HashGetDigestSize(hashT); if (ret < 0) diff --git a/wolfssl/wolfcrypt/pwdbased.h b/wolfssl/wolfcrypt/pwdbased.h index fc2eddfd8d..fb56df627f 100644 --- a/wolfssl/wolfcrypt/pwdbased.h +++ b/wolfssl/wolfcrypt/pwdbased.h @@ -35,6 +35,15 @@ extern "C" { #endif +/* Maximum allowed PBKDF iteration count to prevent CPU exhaustion DoS. + * Attacker-controlled PKCS#12 files can specify iterations up to INT_MAX + * (2,147,483,647) in the MAC data, causing hours of CPU time. + * Override by defining WC_PBKDF_MAX_ITERATIONS before including this header. + * Normal PKCS#12 files use 1,000–10,000 iterations. */ +#ifndef WC_PBKDF_MAX_ITERATIONS + #define WC_PBKDF_MAX_ITERATIONS 100000 +#endif + #if FIPS_VERSION3_GE(6,0,0) extern const unsigned int wolfCrypt_FIPS_pbkdf_ro_sanity[2]; WOLFSSL_LOCAL int wolfCrypt_FIPS_PBKDF_sanity(void);