f-2180: fix clamp iterations <= 0 to 1 instead of returning an error

[miyazakh]

Why

All four PBKDF functions (wc_PBKDF1_ex, wc_PBKDF2_ex, and both
implementations of wc_PKCS12_PBKDF_ex) previously accepted
iterations <= 0 and silently clamped the value to 1. This is a
fail-open behavior: a caller that accidentally passes 0 — for example
due to an uninitialized variable, a parsing error, or a misconfigured
parameter — receives a successfully derived key that provides
essentially no password-based key stretching, rather than an error.

The silent clamp was introduced by a 2018 refactoring commit
(1f00ea2, "Added some additional argument checks on pwdbased") that
unified parameter validation across the four functions. Before that
commit, wc_PBKDF1_ex correctly returned BAD_FUNC_ARG when
iterations < 1; the refactoring inadvertently replaced this with the
clamp. This change restores the original fail-safe behavior across all
four functions.

The fix is also consistent with existing upper-bound enforcement: all
four functions already return BAD_FUNC_ARG when iterations exceeds
current_wc_pbkdf_max_iterations. Making the lower-bound check
symmetric removes an asymmetry that was itself a code smell.

What changed

wolfcrypt/src/pwdbased.c

In all four locations where iterations <= 0 was silently clamped to 1:

/* before */
if (iterations <= 0)
    iterations = 1;

/* after */
if (iterations <= 0)
    return BAD_FUNC_ARG;

Affected functions:

Function	Location
wc_PBKDF1_ex	line 100
wc_PBKDF2_ex	line 241
wc_PKCS12_PBKDF_ex (MP-integer impl)	line 434
wc_PKCS12_PBKDF_ex (native-integer impl)	line 662

No callers in the wolfSSL tree pass iterations <= 0; all production
call sites use hardcoded positive values (1, 2048, etc.) or values
parsed from well-formed structures.

Tests

tests/api/test_pkcs12.c — updated existing unit tests

test_wc_PKCS12_PBKDF previously included a case asserting that
iterations = 0 succeeded and produced the same output as
iterations = 1. That assertion is replaced with checks that both
iterations = 0 and iterations = -1 return BAD_FUNC_ARG.

test_wc_PKCS12_PBKDF_ex receives the same two negative cases.

Active when: HAVE_PKCS12 && !NO_PWDBASED && !NO_SHA256

tests/api/test_pwdbased.c — new file

wc_PBKDF1_ex and wc_PBKDF2_ex previously had no API-level unit
tests. Two new test functions are added:

• test_wc_PBKDF1_ex_iterations: verifies that iterations = 0 and
  iterations = -1 both return BAD_FUNC_ARG.
  Active when: HAVE_PBKDF1 && !NO_SHA && !HAVE_SELFTEST

• test_wc_PBKDF2_ex_iterations: same for wc_PBKDF2_ex.
  Active when: HAVE_PBKDF2 && !NO_HMAC && !NO_SHA256 && !HAVE_SELFTEST
&& (!HAVE_FIPS || FIPS_VERSION3_GE(7,0,0))

All four tests pass under a standard ./configure && make check build.

Checklist

• added tests
• updated/added doxygen
• updated appropriate READMEs
• Updated manual and documentation

[Copilot]

Pull request overview

This PR hardens wolfCrypt PBKDF APIs by changing the handling of invalid iteration counts so that iterations <= 0 is rejected with BAD_FUNC_ARG instead of being silently clamped to 1, and updates/extends unit tests to cover the new behavior.

Changes:

• Updated wc_PBKDF1_ex, wc_PBKDF2_ex, and both wc_PKCS12_PBKDF_ex implementations to return BAD_FUNC_ARG when iterations <= 0.
• Updated PKCS#12 API tests to assert rejection of iterations 0 and -1.
• Added new API-level tests for PBKDF1/PBKDF2 iteration lower-bound validation and registered them in the test runner/build (Automake).

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
wolfcrypt/src/pwdbased.c	Rejects iterations <= 0 across PBKDF1/PBKDF2/PKCS12 PBKDF APIs.
tests/api/test_pwdbased.h	Declares and registers new PBKDF API tests.
tests/api/test_pwdbased.c	Adds new unit tests verifying iterations <= 0 returns BAD_FUNC_ARG.
tests/api/test_pkcs12.c	Updates PKCS#12 PBKDF tests to expect failure for iterations <= 0.
tests/api/include.am	Adds the new test source/header to Automake test build and dist.
tests/api.c	Registers the new PBKDF test group in the API test runner.

Comments suppressed due to low confidence (2)

wolfcrypt/src/pwdbased.c:105

• This changes the public API contract: iterations <= 0 now returns BAD_FUNC_ARG instead of being clamped to 1. The doxygen docs for wc_PBKDF1_ex/wc_PBKDF2_ex/wc_PKCS12_PBKDF_ex currently only mention failing when iterations exceeds current_wc_pbkdf_max_iterations, so they will be inaccurate after this change. Please update the corresponding doxygen documentation to mention the new lower-bound validation (iterations must be >= 1).

This issue also appears on line 98 of the same file.

        return BAD_FUNC_ARG;

    if (iterations <= 0)
        return BAD_FUNC_ARG;

    if (iterations > current_wc_pbkdf_max_iterations) {
        WOLFSSL_MSG("PBKDF1 iteration count exceeds current_wc_pbkdf_max_iterations");
        return BAD_FUNC_ARG;

wolfcrypt/src/pwdbased.c:102

• PR title appears to describe the opposite behavior (clamp iterations<=0 to 1 instead of returning an error), but this change makes iterations<=0 return BAD_FUNC_ARG. Please update the PR title to match the actual behavior change to avoid confusion in release notes/history.

        return BAD_FUNC_ARG;

    if (iterations <= 0)
        return BAD_FUNC_ARG;

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

MemBrowse Memory Report

No memory changes detected for:

• gcc-arm-cortex-m4
• gcc-arm-cortex-m4-baremetal
• gcc-arm-cortex-m4-min-ecc
• gcc-arm-cortex-m4-tls12

[wolfSSL-Fenrir-bot]

Fenrir Automated Review — PR #10504

Scan targets checked: wolfcrypt-bugs, wolfcrypt-rs-bugs, wolfcrypt-src

No new issues found in the changed files. ✅