follow verifyNone variable when checking key size

This commit is contained in:
Jacob Barthelmeh
2016-04-19 10:23:01 -06:00
parent 0eb57ccab0
commit 789f346c5f
2 changed files with 32 additions and 27 deletions


@@ -5138,19 +5138,21 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
/* Check key sizes for certs. Is redundent check since ProcessBuffer /* Check key sizes for certs. Is redundent check since ProcessBuffer
also performs this check. */ also performs this check. */
switch (dCert->keyOID) { if (!ssl->options.verifyNone) {
#ifndef NO_RSA switch (dCert->keyOID) {
case RSAk: #ifndef NO_RSA
if (dCert->pubKeySize < ssl->options.minRsaKeySz) { case RSAk:
WOLFSSL_MSG("RSA key in cert chain was too small"); if (dCert->pubKeySize < ssl->options.minRsaKeySz) {
ret = RSA_KEY_SIZE_E; WOLFSSL_MSG("RSA key in cert chain was too small");
} ret = RSA_KEY_SIZE_E;
break; }
#endif /* !NO_RSA */ break;
#endif /* !NO_RSA */
default: default:
WOLFSSL_MSG("Key size not checked"); WOLFSSL_MSG("Key size not checked");
break; /* key is not being checked for size if not in switch */ break; /* key not being checked for size if not in switch */
}
} }
if (ret == 0 && dCert->isCA == 0) { if (ret == 0 && dCert->isCA == 0) {
@@ -5467,6 +5469,7 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
/* check size of peer RSA key */ /* check size of peer RSA key */
if (ret == 0 && ssl->peerRsaKeyPresent && if (ret == 0 && ssl->peerRsaKeyPresent &&
!ssl->options.verifyNone &&
wc_RsaEncryptSize(ssl->peerRsaKey) wc_RsaEncryptSize(ssl->peerRsaKey)
< ssl->options.minRsaKeySz) { < ssl->options.minRsaKeySz) {
ret = RSA_KEY_SIZE_E; ret = RSA_KEY_SIZE_E;
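Review bot: When verifyNone is set, the new `if (!ssl->options.verifyNone)` guard in the first hunk skips the whole switch, so neither the RSA size comparison nor the `"Key size not checked"` message runs and a debug log gives no indication that size enforcement was bypassed; consider an `else` branch after the switch with `WOLFSSL_MSG("Key size check skipped, verifyNone set");` and a one-line comment on the guard such as `/* verifyNone: chain is not validated, so the minRsaKeySz policy is not enforced either */`. The same silent skip applies to the peer RSA key check in the second hunk of this file (`!ssl->options.verifyNone &&`), where a short comment stating that minRsaKeySz is deliberately not enforced without verification would help the next reader. While touching these lines, the pre-existing comment's "redundent" could be corrected to "redundant". The enclosing DoCertificate body begins and ends outside both hunks.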


@@ -2587,19 +2587,21 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
#endif #endif
/* check CA key size */ /* check CA key size */
switch (cert->keyOID) { if (verify) {
#ifndef NO_RSA switch (cert->keyOID) {
case RSAk: #ifndef NO_RSA
if (cert->pubKeySize < cm->minRsaKeySz) { case RSAk:
ret = RSA_KEY_SIZE_E; if (cert->pubKeySize < cm->minRsaKeySz) {
WOLFSSL_MSG(" CA RSA key is too small"); ret = RSA_KEY_SIZE_E;
} WOLFSSL_MSG(" CA RSA key is too small");
break; }
#endif /* !NO_RSA */ break;
#endif /* !NO_RSA */
default: default:
WOLFSSL_MSG(" No key size check done on CA"); WOLFSSL_MSG(" No key size check done on CA");
break; /* no size check if key type is not in switch */ break; /* no size check if key type is not in switch */
}
} }
if (ret == 0 && cert->isCA == 0 && type != WOLFSSL_USER_CA) { if (ret == 0 && cert->isCA == 0 && type != WOLFSSL_USER_CA) {
@@ -3588,17 +3590,17 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
} }
#endif #endif
/* check key size of cert */ /* check key size of cert unless specified not to */
switch (cert->keyOID) { switch (cert->keyOID) {
#ifndef NO_RSA #ifndef NO_RSA
case RSAk: case RSAk:
if (ssl) { if (ssl && !ssl->options.verifyNone) {
if (cert->pubKeySize < ssl->options.minRsaKeySz) { if (cert->pubKeySize < ssl->options.minRsaKeySz) {
ret = RSA_KEY_SIZE_E; ret = RSA_KEY_SIZE_E;
WOLFSSL_MSG("Certificate RSA key size too small"); WOLFSSL_MSG("Certificate RSA key size too small");
} }
} }
else if (ctx) { else if (ctx && !ctx->verifyNone) {
if (cert->pubKeySize < ctx->minRsaKeySz) { if (cert->pubKeySize < ctx->minRsaKeySz) {
ret = RSA_KEY_SIZE_E; ret = RSA_KEY_SIZE_E;
WOLFSSL_MSG("Certificate RSA key size too small"); WOLFSSL_MSG("Certificate RSA key size too small");