diff --git a/src/internal.c b/src/internal.c
index 74a06f506..06fa29237 100755
--- a/src/internal.c
+++ b/src/internal.c
@@ -5138,19 +5138,21 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                 /* Check key sizes for certs. Is redundent check since ProcessBuffer also performs this check. */
-                switch (dCert->keyOID) {
-                #ifndef NO_RSA
-                    case RSAk:
-                        if (dCert->pubKeySize < ssl->options.minRsaKeySz) {
-                            WOLFSSL_MSG("RSA key in cert chain was too small");
-                            ret = RSA_KEY_SIZE_E;
-                        }
-                        break;
-                #endif /* !NO_RSA */
+                if (!ssl->options.verifyNone) {
+                    switch (dCert->keyOID) {
+                    #ifndef NO_RSA
+                        case RSAk:
+                            if (dCert->pubKeySize < ssl->options.minRsaKeySz) {
+                                WOLFSSL_MSG("RSA key in cert chain was too small");
+                                ret = RSA_KEY_SIZE_E;
+                            }
+                            break;
+                    #endif /* !NO_RSA */
-                    default:
-                        WOLFSSL_MSG("Key size not checked");
-                        break; /* key is not being checked for size if not in switch */
+                        default:
+                            WOLFSSL_MSG("Key size not checked");
+                            break; /* key not being checked for size if not in switch */
+                    }
                 }
                 if (ret == 0 && dCert->isCA == 0) {
@@ -5467,6 +5469,7 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
         /* check size of peer RSA key */
         if (ret == 0 && ssl->peerRsaKeyPresent &&
+                !ssl->options.verifyNone &&
                 wc_RsaEncryptSize(ssl->peerRsaKey) < ssl->options.minRsaKeySz) {
             ret = RSA_KEY_SIZE_E;
diff --git a/src/ssl.c b/src/ssl.c
index 14e993c41..510326aa3 100644
--- a/src/ssl.c
+++ b/src/ssl.c
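Review bot: The `!ssl->options.verifyNone &&` term added to the peer-key check in the second hunk (5469) conflates chain verification with key strength: `ssl->peerRsaKey` is presumably the key the handshake goes on to use for its RSA operations, so a verify-none endpoint now accepts a peer key smaller than `minRsaKeySz` that it previously refused, and the same applies to the `if (!ssl->options.verifyNone)` wrapper added around the chain-cert switch in this hunk. If that relaxation is intended, say so where the check lives, e.g. `/* minRsaKeySz is not enforced when verifyNone is set */` above the new `if`, and in the documentation of the minimum-key-size setting; otherwise keep the peer-key condition as it was and relax only the chain check. With the switch skipped entirely, the `default:` trace `WOLFSSL_MSG("Key size not checked")` no longer fires in the verify-none path, so a debug log gives no hint that the floor was bypassed. DoCertificate begins and ends outside both hunks.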
@@ -2587,19 +2587,21 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
     #endif
     /* check CA key size */
-    switch (cert->keyOID) {
-    #ifndef NO_RSA
-        case RSAk:
-            if (cert->pubKeySize < cm->minRsaKeySz) {
-                ret = RSA_KEY_SIZE_E;
-                WOLFSSL_MSG(" CA RSA key is too small");
-            }
-            break;
-    #endif /* !NO_RSA */
+    if (verify) {
+        switch (cert->keyOID) {
+        #ifndef NO_RSA
+            case RSAk:
+                if (cert->pubKeySize < cm->minRsaKeySz) {
+                    ret = RSA_KEY_SIZE_E;
+                    WOLFSSL_MSG(" CA RSA key is too small");
+                }
+                break;
+        #endif /* !NO_RSA */
-        default:
-            WOLFSSL_MSG(" No key size check done on CA");
-            break; /* no size check if key type is not in switch */
+            default:
+                WOLFSSL_MSG(" No key size check done on CA");
+                break; /* no size check if key type is not in switch */
+        }
     }
     if (ret == 0 && cert->isCA == 0 && type != WOLFSSL_USER_CA) {
@@ -3588,17 +3590,17 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
         }
     #endif
-        /* check key size of cert */
+        /* check key size of cert unless specified not to */
         switch (cert->keyOID) {
         #ifndef NO_RSA
             case RSAk:
-                if (ssl) {
+                if (ssl && !ssl->options.verifyNone) {
                     if (cert->pubKeySize < ssl->options.minRsaKeySz) {
                         ret = RSA_KEY_SIZE_E;
                         WOLFSSL_MSG("Certificate RSA key size too small");
                     }
                 }
-                else if (ctx) {
+                else if (ctx && !ctx->verifyNone) {
                     if (cert->pubKeySize < ctx->minRsaKeySz) {
                         ret = RSA_KEY_SIZE_E;
                         WOLFSSL_MSG("Certificate RSA key size too small");
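Review bot: Wrapping the CA key-size switch in `if (verify) {` means a CA loaded with verify == 0 goes into the trusted store without `cert->pubKeySize` ever being compared to `cm->minRsaKeySz`, and nothing in this hunk re-checks it later; `verify` appears to govern whether the CA's own signature is checked, which is a separate policy from key strength, so the two are being tied together without comment. If skipping the floor on the no-verify load path is deliberate, a one-line comment on the new `if`, such as `/* key size floor is skipped when the CA is added without verification */`, would make that visible to the next reader. The `default:` trace `WOLFSSL_MSG(" No key size check done on CA")` is also skipped in that path, so a debug log shows nothing about the missing check. AddCA begins and ends outside the hunk, and the ProcessBuffer hunk that follows is cut off before its end.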