Reject iterationCount == 0 when parsing PBKDF2-params. Previously a value of 0 would be accepted and intepreted as equivalent to 1. This contradicts RFC 2898 which defines: iterationCount INTEGER (1..MAX), BUG=https://crbug.com/534961 Change-Id: I89623980f99fde3ca3780880d311955d3f6fe0b5 Reviewed-on: https://boringssl-review.googlesource.com/5971 Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <agl@google.com>

commit: 1aec2cbad22084333a3b42ebf6993d8d8eaca86e [log] [tgz]
author: Eric Roman <eroman@chromium.org> Tue Sep 22 16:40:43 2015 -0700
committer: Adam Langley <agl@google.com> Fri Oct 02 16:19:04 2015 +0000
tree: 1df177cb0c15981a11c045b3e60ed1906204f067
parent: 20c0e90d116dace7884b7feacb81bee07aff7665 [diff]
diff --git a/crypto/pkcs8/p5_pbev2.c b/crypto/pkcs8/p5_pbev2.c
index f58aae7..506e0ab 100644
--- a/crypto/pkcs8/p5_pbev2.c
+++ b/crypto/pkcs8/p5_pbev2.c

@@ -356,7 +356,7 @@
     goto err;
   }
   long iterations = ASN1_INTEGER_get(pbkdf2param->iter);
-  if (iterations < 0 || iterations > UINT_MAX) {
+  if (iterations <= 0 || iterations > UINT_MAX) {
     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_ITERATION_COUNT);
     goto err;
   }
commit	1aec2cbad22084333a3b42ebf6993d8d8eaca86e	[log] [tgz]
author	Eric Roman <eroman@chromium.org>	Tue Sep 22 16:40:43 2015 -0700
committer	Adam Langley <agl@google.com>	Fri Oct 02 16:19:04 2015 +0000
tree	1df177cb0c15981a11c045b3e60ed1906204f067
parent	20c0e90d116dace7884b7feacb81bee07aff7665 [diff]