From 624ea825e453bae891607ed6d19badab152d4831 Mon Sep 17 00:00:00 2001
From: Sumitra Sharma <sumitraartsy@gmail.com>
Date: Tue, 3 Oct 2023 09:28:44 +0530
Subject: Correct documentation for PKCS5_PBKDF2_HMAC

In OpenSSL 3.x, the documentation for PKCS5_PBKDF2_HMAC incorrectly states
that an iter value less than 1 is treated as a single iteration. Upon further
investigation in providers/implementations/kdfs/pbkdf2.c, it appears that
invalid iter values will result in failure and raise the
PROV_R_INVALID_ITERATION_COUNT error. This commit corrects the documentation
to accurately reflect the behavior in OpenSSL 3.x.

Closes openssl#22168

Signed-off-by: Sumitra Sharma <sumitraartsy@gmail.com>

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22252)

(cherry picked from commit 82496b8663f20ff12f02adbe46a060a94b0cbfc5)
---
 doc/man3/PKCS5_PBKDF2_HMAC.pod | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'doc')

diff --git a/doc/man3/PKCS5_PBKDF2_HMAC.pod b/doc/man3/PKCS5_PBKDF2_HMAC.pod
index 0984e993da..3da271bdbf 100644
--- a/doc/man3/PKCS5_PBKDF2_HMAC.pod
+++ b/doc/man3/PKCS5_PBKDF2_HMAC.pod
@@ -33,7 +33,8 @@ be NULL terminated.
 
 B<iter> is the iteration count and its value should be greater than or
 equal to 1. RFC 2898 suggests an iteration count of at least 1000. Any
-B<iter> less than 1 is treated as a single iteration.
+B<iter> value less than 1 is invalid; such values will result in failure
+and raise the PROV_R_INVALID_ITERATION_COUNT error.
 
 B<digest> is the message digest function used in the derivation.
 PKCS5_PBKDF2_HMAC_SHA1() calls PKCS5_PBKDF2_HMAC() with EVP_sha1().
-- 
cgit v1.2.3