forked from wolfSSL/wolfssl
follow verifyNone variable when checking key size
This commit is contained in:
Jacob Barthelmeh
@@ -5138,19 +5138,21 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
||||
|
||||
/* Check key sizes for certs. Is redundent check since ProcessBuffer
|
||||
also performs this check. */
|
||||
switch (dCert->keyOID) {
|
||||
#ifndef NO_RSA
|
||||
case RSAk:
|
||||
if (dCert->pubKeySize < ssl->options.minRsaKeySz) {
|
||||
WOLFSSL_MSG("RSA key in cert chain was too small");
|
||||
ret = RSA_KEY_SIZE_E;
|
||||
}
|
||||
break;
|
||||
#endif /* !NO_RSA */
|
||||
if (!ssl->options.verifyNone) {
|
||||
switch (dCert->keyOID) {
|
||||
#ifndef NO_RSA
|
||||
case RSAk:
|
||||
if (dCert->pubKeySize < ssl->options.minRsaKeySz) {
|
||||
WOLFSSL_MSG("RSA key in cert chain was too small");
|
||||
ret = RSA_KEY_SIZE_E;
|
||||
}
|
||||
break;
|
||||
#endif /* !NO_RSA */
|
||||
|
||||
default:
|
||||
WOLFSSL_MSG("Key size not checked");
|
||||
break; /* key is not being checked for size if not in switch */
|
||||
default:
|
||||
WOLFSSL_MSG("Key size not checked");
|
||||
break; /* key not being checked for size if not in switch */
|
||||
}
|
||||
}
|
||||
|
||||
if (ret == 0 && dCert->isCA == 0) {
|
||||
@@ -5467,6 +5469,7 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
||||
|
||||
/* check size of peer RSA key */
|
||||
if (ret == 0 && ssl->peerRsaKeyPresent &&
|
||||
!ssl->options.verifyNone &&
|
||||
wc_RsaEncryptSize(ssl->peerRsaKey)
|
||||
< ssl->options.minRsaKeySz) {
|
||||
ret = RSA_KEY_SIZE_E;
|
||||
|
||||
32
src/ssl.c
32
src/ssl.c
@@ -2587,19 +2587,21 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
|
||||
#endif
|
||||
|
||||
/* check CA key size */
|
||||
switch (cert->keyOID) {
|
||||
#ifndef NO_RSA
|
||||
case RSAk:
|
||||
if (cert->pubKeySize < cm->minRsaKeySz) {
|
||||
ret = RSA_KEY_SIZE_E;
|
||||
WOLFSSL_MSG(" CA RSA key is too small");
|
||||
}
|
||||
break;
|
||||
#endif /* !NO_RSA */
|
||||
if (verify) {
|
||||
switch (cert->keyOID) {
|
||||
#ifndef NO_RSA
|
||||
case RSAk:
|
||||
if (cert->pubKeySize < cm->minRsaKeySz) {
|
||||
ret = RSA_KEY_SIZE_E;
|
||||
WOLFSSL_MSG(" CA RSA key is too small");
|
||||
}
|
||||
break;
|
||||
#endif /* !NO_RSA */
|
||||
|
||||
default:
|
||||
WOLFSSL_MSG(" No key size check done on CA");
|
||||
break; /* no size check if key type is not in switch */
|
||||
default:
|
||||
WOLFSSL_MSG(" No key size check done on CA");
|
||||
break; /* no size check if key type is not in switch */
|
||||
}
|
||||
}
|
||||
|
||||
if (ret == 0 && cert->isCA == 0 && type != WOLFSSL_USER_CA) {
|
||||
@@ -3588,17 +3590,17 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
|
||||
}
|
||||
#endif
|
||||
|
||||
/* check key size of cert */
|
||||
/* check key size of cert unless specified not to */
|
||||
switch (cert->keyOID) {
|
||||
#ifndef NO_RSA
|
||||
case RSAk:
|
||||
if (ssl) {
|
||||
if (ssl && !ssl->options.verifyNone) {
|
||||
if (cert->pubKeySize < ssl->options.minRsaKeySz) {
|
||||
ret = RSA_KEY_SIZE_E;
|
||||
WOLFSSL_MSG("Certificate RSA key size too small");
|
||||
}
|
||||
}
|
||||
else if (ctx) {
|
||||
else if (ctx && !ctx->verifyNone) {
|
||||
if (cert->pubKeySize < ctx->minRsaKeySz) {
|
||||
ret = RSA_KEY_SIZE_E;
|
||||
WOLFSSL_MSG("Certificate RSA key size too small");
|
||||
|
||||
Reference in New Issue
Block a user