Add upper limit to PBKDF iteration count

.wolfssl_known_macro_extras

@@ -30,8 +30,8 @@ ARDUINO_UNOR4_WIFI
 ASN_DUMP_OID
 ASN_TEMPLATE_SKIP_ISCA_CHECK
 ATCAPRINTF
-ATCA_HAL_I2C
 ATCA_ENABLE_DEPRECATED
+ATCA_HAL_I2C
 ATCA_TFLEX_SUPPORT
 ATECC_DEV_TYPE
 AVR
@@ -471,7 +471,6 @@ NO_WOLFSSL_RENESAS_FSPSM_AES
 NO_WOLFSSL_RENESAS_FSPSM_HASH
 NO_WOLFSSL_RENESAS_TSIP_CRYPT_AES
 NO_WOLFSSL_SHA256
-NO_WOLFSSL_SHA256_INTERLEAVE
 NO_WOLFSSL_SHA512_INTERLEAVE
 NO_WOLFSSL_SKIP_TRAILING_PAD
 NO_WOLFSSL_SMALL_STACK_STATIC
@@ -628,7 +627,6 @@ USS_API
 WC_AESXTS_STREAM_NO_REQUEST_ACCOUNTING
 WC_AES_BS_WORD_SIZE
 WC_AES_GCM_DEC_AUTH_EARLY
-WC_ALLOW_ECC_ZERO_HASH
 WC_ASN_HASH_SHA256
 WC_ASN_RUNTIME_DATE_CHECK_CONTROL
 WC_ASYNC_ENABLE_ECC_KEYGEN
@@ -653,8 +651,6 @@ WC_ASYNC_NO_SHA512
 WC_ASYNC_NO_X25519
 WC_ASYNC_THREAD_BIND
 WC_CACHE_RESISTANT_BASE64_TABLE
-WC_DILITHIUM_CACHE_PRIV_VECTORS
-WC_DILITHIUM_CACHE_PUB_VECTORS
 WC_DILITHIUM_FIXED_ARRAY
 WC_DISABLE_RADIX_ZERO_PAD
 WC_FLAG_DONT_USE_AESNI
@@ -719,11 +715,9 @@ WOLFSSL_ASN_EXTRA
 WOLFSSL_ASN_TEMPLATE_NEED_SET_INT32
 WOLFSSL_ASN_TEMPLATE_TYPE_CHECK
 WOLFSSL_ATECC508
-WOLFSSL_ATECC508A_NOIDLE
 WOLFSSL_ATECC508A_NOSOFTECC
 WOLFSSL_ATECC508A_TLS
 WOLFSSL_ATECC_ECDH_IOENC
-WOLFSSL_ATECC_NO_ECDH_ENC
 WOLFSSL_ATECC_RNG
 WOLFSSL_ATECC_TFLXTLS
 WOLFSSL_ATECC_TNGTLS
@@ -744,15 +738,11 @@ WOLFSSL_CLIENT_EXAMPLE
 WOLFSSL_CONTIKI
 WOLFSSL_CRL_ALLOW_MISSING_CDP
 WOLFSSL_DILITHIUM_ASSIGN_KEY
-WOLFSSL_DILITHIUM_NO_ASN1
 WOLFSSL_DILITHIUM_NO_CHECK_KEY
 WOLFSSL_DILITHIUM_NO_MAKE
 WOLFSSL_DILITHIUM_REVERSE_HASH_OID
 WOLFSSL_DILITHIUM_SIGN_CHECK_W0
 WOLFSSL_DILITHIUM_SIGN_CHECK_Y
-WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC
-WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC_A
-WOLFSSL_DILITHIUM_SMALL_MEM_POLY64
 WOLFSSL_DISABLE_EARLY_SANITY_CHECKS
 WOLFSSL_DRBG_SHA256
 WOLFSSL_DTLS_DISALLOW_FUTURE
@@ -809,10 +799,8 @@ WOLFSSL_LINUXKM_USE_GET_RANDOM_USER_KRETPROBE
 WOLFSSL_LINUXKM_USE_MUTEXES
 WOLFSSL_LMS_CACHE_BITS
 WOLFSSL_LMS_FULL_HASH
-WOLFSSL_LMS_LARGE_CACHES
 WOLFSSL_LMS_MAX_HEIGHT
 WOLFSSL_LMS_MAX_LEVELS
-WOLFSSL_LMS_NO_SIG_CACHE
 WOLFSSL_LMS_ROOT_LEVELS
 WOLFSSL_LPC43xx
 WOLFSSL_MAKE_SYSTEM_NAME_LINUX
@@ -869,16 +857,10 @@ WOLFSSL_NO_TICKET_EXPIRE
 WOLFSSL_NO_TRUSTED_CERTS_VERIFY
 WOLFSSL_NO_WORD64_OPS
 WOLFSSL_NO_XOR_OPS
-WOLFSSL_NXP_LPC55S6X
-WOLFSSL_NXP_CASPER
-WOLFSSL_NXP_CASPER_ECC_MULMOD
-WOLFSSL_NXP_CASPER_ECC_MUL2ADD
-WOLFSSL_NXP_CASPER_RSA_PUB_EXPTMOD
-WOLFSSL_NXP_HASHCRYPT
-WOLFSSL_NXP_HASHCRYPT_AES
-WOLFSSL_NXP_HASHCRYPT_SHA
-WOLFSSL_NXP_RNG_1
 WOLFSSL_NRF51_AES
+WOLFSSL_NXP_CASPER_ECC_MUL2ADD
+WOLFSSL_NXP_CASPER_ECC_MULMOD
+WOLFSSL_NXP_LPC55S6X
 WOLFSSL_OLDTLS_AEAD_CIPHERSUITES
 WOLFSSL_OLD_SET_CURVES_LIST
 WOLFSSL_OLD_TIMINGPADVERIFY
@@ -971,10 +953,8 @@ WOLFSSL_USE_FLASHMEM
 WOLFSSL_USE_FORCE_ZERO
 WOLFSSL_USE_OPTIONS_H
 WOLFSSL_VALIDATE_DH_KEYGEN
-WOLFSSL_WC_LMS_SERIALIZE_STATE
 WOLFSSL_WC_SLHDSA_RECURSIVE
 WOLFSSL_WC_XMSS_NO_SHA256
-WOLFSSL_WC_XMSS_NO_SHAKE256
 WOLFSSL_WICED_PSEUDO_UNIX_EPOCH_TIME
 WOLFSSL_X509_STORE_ALLOW_NON_CA_INTERMEDIATE
 WOLFSSL_X509_STORE_CERTS
@@ -983,7 +963,6 @@ WOLFSSL_XFREE_NO_NULLNESS_CHECK
 WOLFSSL_XILINX_CRYPTO_OLD
 WOLFSSL_XILINX_PATCH
 WOLFSSL_XIL_MSG_NO_SLEEP
-WOLFSSL_XMSS_LARGE_SECRET_KEY
 WOLFSSL_ZEPHYR
 WOLF_ALLOW_BUILTIN
 WOLF_CRYPTO_CB_CMD

doc/dox_comments/header_files/pwdbased.h

@@ -174,7 +174,8 @@ int wc_PKCS12_PBKDF(byte* output, const byte* passwd, int passLen,
     \brief Extended version of PBKDF1 with heap hint.
 
     \return 0 on success
-    \return BAD_FUNC_ARG on invalid arguments
+    \return BAD_FUNC_ARG on invalid arguments or iterations is greater than
+    current_wc_pbkdf_max_iterations
     \return MEMORY_E on memory allocation error
 
     \param key Output key buffer
@@ -199,6 +200,8 @@ int wc_PKCS12_PBKDF(byte* output, const byte* passwd, int passLen,
     \endcode
 
     \sa wc_PBKDF1
+    \sa wc_PBKDF_max_iterations_set
+    \sa wc_PBKDF_max_iterations_get
 */
 int wc_PBKDF1_ex(byte* key, int keyLen, byte* iv, int ivLen,
     const byte* passwd, int passwdLen, const byte* salt, int saltLen,
@@ -209,7 +212,8 @@ int wc_PBKDF1_ex(byte* key, int keyLen, byte* iv, int ivLen,
     \brief Extended version of PBKDF2 with heap hint and device ID.
 
     \return 0 on success
-    \return BAD_FUNC_ARG on invalid arguments
+    \return BAD_FUNC_ARG on invalid arguments or iterations is greater than
+    current_wc_pbkdf_max_iterations
     \return MEMORY_E on memory allocation error
 
     \param output Output key buffer
@@ -234,6 +238,8 @@ int wc_PBKDF1_ex(byte* key, int keyLen, byte* iv, int ivLen,
     \endcode
 
     \sa wc_PBKDF2
+    \sa wc_PBKDF_max_iterations_set
+    \sa wc_PBKDF_max_iterations_get
 */
 int wc_PBKDF2_ex(byte* output, const byte* passwd, int pLen,
     const byte* salt, int sLen, int iterations, int kLen,
@@ -244,7 +250,8 @@ int wc_PBKDF2_ex(byte* output, const byte* passwd, int pLen,
     \brief Extended version of PKCS12_PBKDF with heap hint.
 
     \return 0 on success
-    \return BAD_FUNC_ARG on invalid arguments
+    \return BAD_FUNC_ARG on invalid arguments or iterations is greater than
+    current_wc_pbkdf_max_iterations
     \return MEMORY_E on memory allocation error
 
     \param output Output key buffer
@@ -268,6 +275,8 @@ int wc_PBKDF2_ex(byte* output, const byte* passwd, int pLen,
     \endcode
 
     \sa wc_PKCS12_PBKDF
+    \sa wc_PBKDF_max_iterations_set
+    \sa wc_PBKDF_max_iterations_get
 */
 int wc_PKCS12_PBKDF_ex(byte* output, const byte* passwd,int passLen,
     const byte* salt, int saltLen, int iterations, int kLen,
@@ -338,3 +347,44 @@ int wc_scrypt(byte* output, const byte* passwd, int passLen,
 int wc_scrypt_ex(byte* output, const byte* passwd, int passLen,
     const byte* salt, int saltLen, word32 iterations, int blockSize,
     int parallel, int dkLen);
+
+/*!
+    \ingroup Password
+    \brief Set the current iteration limit for PBKDF.
+
+    By default, the iteration limit is set to WC_PBKDF_DEFAULT_MAX_ITERATIONS,
+    which can be overridden at build time.  This function allows runtime
+    override of the limit.
+
+    Note that `wc_PBKDF_max_iterations_set()` has no provisions for thread
+    synchronization.  Users should arrange to call it at startup or idle times,
+    when there are no other PBKDF calls in progress.
+
+    \return Previous iteration limit on success
+    \return BAD_FUNC_ARG on invalid arguments
+
+    \param iters The new iteration limit.
+
+    _Example_
+    \code
+    int prev_iter_limit = wc_PBKDF_max_iterations_set(100000000);
+    \endcode
+
+    \sa wc_scrypt
+*/
+int wc_PBKDF_max_iterations_set(int iters);
+
+/*!
+    \ingroup Password
+    \brief Get the current iteration limit for PBKDF.
+
+    \return Current iteration limit
+
+    _Example_
+    \code
+    int cur_iter_limit = wc_PBKDF_max_iterations_get();
+    \endcode
+
+    \sa wc_scrypt
+*/
+int wc_PBKDF_max_iterations_get(void);

wolfcrypt/src/pwdbased.c

@@ -54,6 +54,24 @@
     }
 #endif
 
+static int current_wc_pbkdf_max_iterations = WC_PBKDF_DEFAULT_MAX_ITERATIONS;
+
+int wc_PBKDF_max_iterations_set(int iters)
+{
+    if (iters <= 0)
+        return BAD_FUNC_ARG;
+    else {
+        int prev = current_wc_pbkdf_max_iterations;
+        current_wc_pbkdf_max_iterations = iters;
+        return prev;
+    }
+}
+
+int wc_PBKDF_max_iterations_get(void)
+{
+    return current_wc_pbkdf_max_iterations;
+}
+
 #ifdef HAVE_PBKDF1
 
 /* PKCS#5 v1.5 with non standard extension to optionally derive the extra data (IV) */
@@ -82,6 +100,11 @@ int wc_PBKDF1_ex(byte* key, int keyLen, byte* iv, int ivLen,
     if (iterations <= 0)
         iterations = 1;
 
+    if (iterations > current_wc_pbkdf_max_iterations) {
+        WOLFSSL_MSG("PBKDF1 iteration count exceeds current_wc_pbkdf_max_iterations");
+        return BAD_FUNC_ARG;
+    }
+
     hashT = wc_HashTypeConvert(hashType);
     err = wc_HashGetDigestSize(hashT);
     if (err < 0)
@@ -218,6 +241,11 @@ int wc_PBKDF2_ex(byte* output, const byte* passwd, int pLen, const byte* salt,
     if (iterations <= 0)
         iterations = 1;
 
+    if (iterations > current_wc_pbkdf_max_iterations) {
+        WOLFSSL_MSG("PBKDF2 iteration count exceeds current_wc_pbkdf_max_iterations");
+        return BAD_FUNC_ARG;
+    }
+
     hashT = wc_HashTypeConvert(hashType);
     hLen = wc_HashGetDigestSize(hashT);
     if (hLen < 0)
@@ -406,6 +434,12 @@ int wc_PKCS12_PBKDF_ex(byte* output, const byte* passwd, int passLen,
     if (iterations <= 0)
         iterations = 1;
 
+    if (iterations > current_wc_pbkdf_max_iterations) {
+        WOLFSSL_MSG("PKCS12 PBKDF iteration count exceeds "
+                    "current_wc_pbkdf_max_iterations");
+        return BAD_FUNC_ARG;
+    }
+
     hashT = wc_HashTypeConvert(hashType);
     ret = wc_HashGetDigestSize(hashT);
     if (ret < 0)
@@ -443,22 +477,17 @@ int wc_PKCS12_PBKDF_ex(byte* output, const byte* passwd, int passLen,
      * must be 1 or greater here and is always 'true' */
     pLen = v * (((word32)passLen + v - 1) / v);
 
-    /* Guard against overflow in iLen = sLen + pLen and totalLen = dLen + iLen.
-     * Individual sLen/pLen values fit in word32 (max 0x80000000 for INT_MAX
-     * inputs), but their sum can overflow. */
-    if (sLen > 0xFFFFFFFFU - pLen) {
+    if (! WC_SAFE_SUM_UNSIGNED(word32, sLen, pLen, iLen)) {
         WC_FREE_VAR_EX(Ai, heap, DYNAMIC_TYPE_TMP_BUFFER);
         WC_FREE_VAR_EX(B, heap, DYNAMIC_TYPE_TMP_BUFFER);
         return BAD_FUNC_ARG;
     }
-    iLen = sLen + pLen;
 
-    if (iLen > 0xFFFFFFFFU - dLen) {
+    if (! WC_SAFE_SUM_UNSIGNED(word32, dLen, sLen, totalLen)) {
         WC_FREE_VAR_EX(Ai, heap, DYNAMIC_TYPE_TMP_BUFFER);
         WC_FREE_VAR_EX(B, heap, DYNAMIC_TYPE_TMP_BUFFER);
         return BAD_FUNC_ARG;
     }
-    totalLen = dLen + sLen + pLen;
 
     if (totalLen > sizeof(staticBuffer)) {
         buffer = (byte*)XMALLOC(totalLen, heap, DYNAMIC_TYPE_KEY);
@@ -634,6 +663,12 @@ int wc_PKCS12_PBKDF_ex(byte* output, const byte* passwd, int passLen,
         iterations = 1;
     }
 
+    if (iterations > current_wc_pbkdf_max_iterations) {
+        WOLFSSL_MSG("PKCS12 PBKDF iteration count exceeds "
+                    "current_wc_pbkdf_max_iterations");
+        return BAD_FUNC_ARG;
+    }
+
     /* u = hash output size. */
     hashT = wc_HashTypeConvert(hashType);
     ret = wc_HashGetDigestSize(hashT);
@@ -656,19 +691,14 @@ int wc_PKCS12_PBKDF_ex(byte* output, const byte* passwd, int passLen,
     /* RFC 7292 B.2 step 3: P = password repeated to ceil(passLen/v)*v bytes */
     pLen = v * (((word32)passLen + v - 1) / v);
 
-    /* Guard against overflow in iLen = sLen + pLen and totalLen = v + iLen.
-     * Individual sLen/pLen values fit in word32 (max 0x80000000 for INT_MAX
-     * inputs), but their sum can overflow. */
-    if (sLen > 0xFFFFFFFFU - pLen) {
+    /* RFC 7292 B.2 step 4: I = S || P */
+    if (! WC_SAFE_SUM_UNSIGNED(word32, sLen, pLen, iLen)) {
         return BAD_FUNC_ARG;
     }
-    /* RFC 7292 B.2 step 4: I = S || P */
-    iLen = sLen + pLen;
 
-    if (iLen > 0xFFFFFFFFU - v) {
+    if (! WC_SAFE_SUM_UNSIGNED(word32, v, iLen, totalLen)) {
         return BAD_FUNC_ARG;
     }
-    totalLen = v + iLen;
 
     nwc     = v / (word32)sizeof(PKCS12_WORD);
     nBlocks = iLen / v;