Add upper limit to PBKDF iteration count

.wolfssl_known_macro_extras

@@ -646,6 +646,7 @@ WC_NO_ASYNC_SLEEP
 WC_NO_RNG_SIMPLE
 WC_NO_STATIC_ASSERT
 WC_NO_VERBOSE_RNG
+WC_PBKDF_MAX_ITERATIONS
 WC_PKCS11_FIND_WITH_ID_ONLY
 WC_PKCS12_PBKDF_USING_MP_API
 WC_PROTECT_ENCRYPTED_MEM

doc/dox_comments/header_files/pwdbased.h

@@ -174,7 +174,8 @@ int wc_PKCS12_PBKDF(byte* output, const byte* passwd, int passLen,
     \brief Extended version of PBKDF1 with heap hint.
 
     \return 0 on success
-    \return BAD_FUNC_ARG on invalid arguments
+    \return BAD_FUNC_ARG on invalid arguments or iterations is greater than
+    WC_PBKDF_MAX_ITERATIONS
     \return MEMORY_E on memory allocation error
 
     \param key Output key buffer
@@ -209,7 +210,8 @@ int wc_PBKDF1_ex(byte* key, int keyLen, byte* iv, int ivLen,
     \brief Extended version of PBKDF2 with heap hint and device ID.
 
     \return 0 on success
-    \return BAD_FUNC_ARG on invalid arguments
+    \return BAD_FUNC_ARG on invalid arguments or iterations is greater than
+    WC_PBKDF_MAX_ITERATIONS
     \return MEMORY_E on memory allocation error
 
     \param output Output key buffer
@@ -244,7 +246,8 @@ int wc_PBKDF2_ex(byte* output, const byte* passwd, int pLen,
     \brief Extended version of PKCS12_PBKDF with heap hint.
 
     \return 0 on success
-    \return BAD_FUNC_ARG on invalid arguments
+    \return BAD_FUNC_ARG on invalid arguments or iterations is greater than
+    WC_PBKDF_MAX_ITERATIONS
     \return MEMORY_E on memory allocation error
 
     \param output Output key buffer

wolfcrypt/src/pwdbased.c

@@ -79,6 +79,11 @@ int wc_PBKDF1_ex(byte* key, int keyLen, byte* iv, int ivLen,
     if (iterations <= 0)
         iterations = 1;
 
+    if (iterations > WC_PBKDF_MAX_ITERATIONS) {
+        WOLFSSL_MSG("PBKDF1 iteration count exceeds WC_PBKDF_MAX_ITERATIONS");
+        return BAD_FUNC_ARG;
+    }
+
     hashT = wc_HashTypeConvert(hashType);
     err = wc_HashGetDigestSize(hashT);
     if (err < 0)
@@ -215,6 +220,11 @@ int wc_PBKDF2_ex(byte* output, const byte* passwd, int pLen, const byte* salt,
     if (iterations <= 0)
         iterations = 1;
 
+    if (iterations > WC_PBKDF_MAX_ITERATIONS) {
+        WOLFSSL_MSG("PBKDF2 iteration count exceeds WC_PBKDF_MAX_ITERATIONS");
+        return BAD_FUNC_ARG;
+    }
+
     hashT = wc_HashTypeConvert(hashType);
     hLen = wc_HashGetDigestSize(hashT);
     if (hLen < 0)
@@ -403,6 +413,12 @@ int wc_PKCS12_PBKDF_ex(byte* output, const byte* passwd, int passLen,
     if (iterations <= 0)
         iterations = 1;
 
+    if (iterations > WC_PBKDF_MAX_ITERATIONS) {
+        WOLFSSL_MSG("PKCS12 PBKDF iteration count exceeds "
+                    "WC_PBKDF_MAX_ITERATIONS");
+        return BAD_FUNC_ARG;
+    }
+
     hashT = wc_HashTypeConvert(hashType);
     ret = wc_HashGetDigestSize(hashT);
     if (ret < 0)
@@ -611,6 +627,12 @@ int wc_PKCS12_PBKDF_ex(byte* output, const byte* passwd, int passLen,
         iterations = 1;
     }
 
+    if (iterations > WC_PBKDF_MAX_ITERATIONS) {
+        WOLFSSL_MSG("PKCS12 PBKDF iteration count exceeds "
+                    "WC_PBKDF_MAX_ITERATIONS");
+        return BAD_FUNC_ARG;
+    }
+
     /* u = hash output size. */
     hashT = wc_HashTypeConvert(hashType);
     ret = wc_HashGetDigestSize(hashT);

wolfssl/wolfcrypt/pwdbased.h

@@ -35,6 +35,15 @@
     extern "C" {
 #endif
 
+/* Maximum allowed PBKDF iteration count to prevent CPU exhaustion DoS.
+ * Attacker-controlled PKCS#12 files can specify iterations up to INT_MAX
+ * (2,147,483,647) in the MAC data, causing hours of CPU time.
+ * Override by defining WC_PBKDF_MAX_ITERATIONS before including this header.
+ * Normal p12 files use 1k to 10k iterations. */
+#ifndef WC_PBKDF_MAX_ITERATIONS
+    #define WC_PBKDF_MAX_ITERATIONS 2000000
+#endif
+
 #if FIPS_VERSION3_GE(6,0,0)
     extern const unsigned int wolfCrypt_FIPS_pbkdf_ro_sanity[2];
     WOLFSSL_LOCAL int wolfCrypt_FIPS_PBKDF_sanity(void);