follow verifyNone variable when checking key size

2016-04-19 10:23:01 -06:00
parent 0eb57ccab0
commit 789f346c5f
2 changed files with 32 additions and 27 deletions
--- a/src/internal.c
+++ b/src/internal.c
@@ -5138,6 +5138,7 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,

        /* Check key sizes for certs. Is redundent check since ProcessBuffer
           also performs this check. */
+        if (!ssl->options.verifyNone) {
            switch (dCert->keyOID) {
                #ifndef NO_RSA
                case RSAk:
@@ -5150,7 +5151,8 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,

                default:
                    WOLFSSL_MSG("Key size not checked");
-                break; /* key is not being checked for size if not in switch */
+                    break; /* key not being checked for size if not in switch */
+            }
        }

        if (ret == 0 && dCert->isCA == 0) {
@@ -5467,6 +5469,7 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,

                    /* check size of peer RSA key */
                    if (ret == 0 && ssl->peerRsaKeyPresent &&
+                                              !ssl->options.verifyNone &&
                                              wc_RsaEncryptSize(ssl->peerRsaKey)
                                              < ssl->options.minRsaKeySz) {
                        ret = RSA_KEY_SIZE_E;
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -2587,6 +2587,7 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
 #endif

    /* check CA key size */
+    if (verify) {
        switch (cert->keyOID) {
            #ifndef NO_RSA
            case RSAk:
@@ -2601,6 +2602,7 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
                WOLFSSL_MSG("    No key size check done on CA");
                break; /* no size check if key type is not in switch */
        }
+    }

    if (ret == 0 && cert->isCA == 0 && type != WOLFSSL_USER_CA) {
        WOLFSSL_MSG("    Can't add as CA if not actually one");
@@ -3588,17 +3590,17 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
        }
    #endif

-        /* check key size of cert */
+        /* check key size of cert unless specified not to */
        switch (cert->keyOID) {
        #ifndef NO_RSA
            case RSAk:
-                if (ssl) {
+                if (ssl && !ssl->options.verifyNone) {
                    if (cert->pubKeySize < ssl->options.minRsaKeySz) {
                        ret = RSA_KEY_SIZE_E;
                        WOLFSSL_MSG("Certificate RSA key size too small");
                    }
                }
-                else if (ctx) {
+                else if (ctx && !ctx->verifyNone) {
                    if (cert->pubKeySize < ctx->minRsaKeySz) {
                        ret = RSA_KEY_SIZE_E;
                        WOLFSSL_MSG("Certificate RSA key size too small");