feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Merge pull request #393 from JacobBarthelmeh/RSA-min

Browse Source 
use short for RSA min key size and check casts
This commit is contained in:
toddouska
2016-04-22 13:56:59 -07:00
parent 1e821dbd59 77a9343973
commit cc56e1da48
5 changed files with 55 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
examples/server/server.c
View File

@ -277,7 +277,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
int echoData = 0;
int throughput = 0;
int minDhKeyBits = DEFAULT_MIN_DHKEY_BITS;
int minRsaKeyBits = DEFAULT_MIN_RSAKEY_BITS;
short minRsaKeyBits = DEFAULT_MIN_RSAKEY_BITS;
short minEccKeyBits = DEFAULT_MIN_ECCKEY_BITS;
int doListen = 1;
int crlFlags = 0;
@ -647,7 +647,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
}
#endif
#ifndef NO_RSA
if (wolfSSL_CTX_SetMinRsaKey_Sz(ctx, (word16)minRsaKeyBits) != SSL_SUCCESS){
if (wolfSSL_CTX_SetMinRsaKey_Sz(ctx, minRsaKeyBits) != SSL_SUCCESS){
err_sys("Error setting minimum RSA key size");
}
#endif

53
src/internal.c
View File

@ -5145,8 +5145,9 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
switch (dCert->keyOID) {
#ifndef NO_RSA
case RSAk:
if (dCert->pubKeySize < ssl->options.minRsaKeySz) {
WOLFSSL_MSG("RSA key in cert chain was too small");
if (ssl->options.minRsaKeySz < 0 ||
dCert->pubKeySize < (word16)ssl->options.minRsaKeySz) {
WOLFSSL_MSG("RSA key size in cert chain error");
ret = RSA_KEY_SIZE_E;
}
break;
@ -13983,8 +13984,13 @@ static word32 QSH_KeyExchangeWrite(WOLFSSL* ssl, byte isServer)
ret = wc_RsaPrivateKeyDecode(ssl->buffers.key->buffer, &idx, &key,
ssl->buffers.key->length);
if (ret == 0) {
sigOutSz = wc_RsaEncryptSize(&key);
if (sigOutSz < ssl->options.minRsaKeySz) {
int keySz = wc_RsaEncryptSize(&key);
if (keySz < 0) { /* check if keySz has error case */
return keySz;
}
sigOutSz = (word32)keySz;
if (keySz < ssl->options.minRsaKeySz) {
WOLFSSL_MSG("RSA key size too small");
return RSA_KEY_SIZE_E;
}
@ -14925,6 +14931,8 @@ int DoSessionTicket(WOLFSSL* ssl,
case rsa_sa_algo:
{
word32 i = 0;
int keySz;
ssl->sigKey = XMALLOC(sizeof(RsaKey), NULL, DYNAMIC_TYPE_RSA);
if (ssl->sigKey == NULL) {
ERROR_OUT(MEMORY_E, exit_sske);
@ -14941,12 +14949,15 @@ int DoSessionTicket(WOLFSSL* ssl,
if (ret != 0) {
goto exit_sske;
}
sigSz = wc_RsaEncryptSize((RsaKey*)ssl->sigKey);
keySz = wc_RsaEncryptSize((RsaKey*)ssl->sigKey);
if (keySz < 0) { /* test if keySz has error */
ERROR_OUT(keySz, exit_sske);
}
if (sigSz < ssl->options.minRsaKeySz) {
sigSz = (word32)keySz;
if (keySz < ssl->options.minRsaKeySz) {
WOLFSSL_MSG("RSA signature key size too small");
ret = RSA_KEY_SIZE_E;
goto exit_sske;
ERROR_OUT(RSA_KEY_SIZE_E, exit_sske);
}
break;
}
@ -15212,6 +15223,7 @@ int DoSessionTicket(WOLFSSL* ssl,
if (!ssl->options.usingAnon_cipher) {
word32 i = 0;
int keySz;
ssl->sigKey = XMALLOC(sizeof(RsaKey), NULL, DYNAMIC_TYPE_RSA);
if (ssl->sigKey == NULL) {
@ -15236,13 +15248,16 @@ int DoSessionTicket(WOLFSSL* ssl,
if (ret != 0) {
goto exit_sske;
}
sigSz = wc_RsaEncryptSize((RsaKey*)ssl->sigKey);
keySz = wc_RsaEncryptSize((RsaKey*)ssl->sigKey);
if (keySz < 0) { /* test if keySz has error */
ERROR_OUT(keySz, exit_sske);
}
sigSz = (word32)keySz;
length += sigSz;
if (sigSz < ssl->options.minRsaKeySz) {
if (keySz < ssl->options.minRsaKeySz) {
WOLFSSL_MSG("RSA key size too small");
ret = RSA_KEY_SIZE_E;
goto exit_sske;
ERROR_OUT(RSA_KEY_SIZE_E, exit_sske);
}
if (IsAtLeastTLSv1_2(ssl)) {
@ -17048,6 +17063,8 @@ int DoSessionTicket(WOLFSSL* ssl,
case rsa_kea:
{
word32 i = 0;
int keySz;
ssl->sigKey = XMALLOC(sizeof(RsaKey), NULL, DYNAMIC_TYPE_RSA);
if (ssl->sigKey == NULL) {
ERROR_OUT(MEMORY_E, exit_dcke);
@ -17064,11 +17081,15 @@ int DoSessionTicket(WOLFSSL* ssl,
if (ret != 0) {
goto exit_dcke;
}
length = wc_RsaEncryptSize((RsaKey*)ssl->sigKey);
if (length < ssl->options.minRsaKeySz) {
keySz = wc_RsaEncryptSize((RsaKey*)ssl->sigKey);
if (keySz < 0) { /* test if keySz has error */
ERROR_OUT(keySz, exit_dcke);
}
length = (word32)keySz;
if (keySz < ssl->options.minRsaKeySz) {
WOLFSSL_MSG("Peer RSA key is too small");
ret = RSA_KEY_SIZE_E;
goto exit_dcke;
ERROR_OUT(RSA_KEY_SIZE_E, exit_dcke);
}
ssl->arrays->preMasterSz = SECRET_LEN;

19
src/ssl.c
View File

@ -510,9 +510,9 @@ int wolfSSL_SetMinEccKey_Sz(WOLFSSL* ssl, short keySz)
#endif /* !NO_RSA */
#ifndef NO_RSA
int wolfSSL_CTX_SetMinRsaKey_Sz(WOLFSSL_CTX* ctx, word16 keySz)
int wolfSSL_CTX_SetMinRsaKey_Sz(WOLFSSL_CTX* ctx, short keySz)
{
if (ctx == NULL || keySz % 8 != 0) {
if (ctx == NULL || keySz < 0 || keySz % 8 != 0) {
WOLFSSL_MSG("Key size must be divisable by 8 or ctx was null");
return BAD_FUNC_ARG;
}
@ -523,9 +523,9 @@ int wolfSSL_CTX_SetMinRsaKey_Sz(WOLFSSL_CTX* ctx, word16 keySz)
}
int wolfSSL_SetMinRsaKey_Sz(WOLFSSL* ssl, word16 keySz)
int wolfSSL_SetMinRsaKey_Sz(WOLFSSL* ssl, short keySz)
{
if (ssl == NULL || keySz % 8 != 0) {
if (ssl == NULL || keySz < 0 || keySz % 8 != 0) {
WOLFSSL_MSG("Key size must be divisable by 8 or ssl was null");
return BAD_FUNC_ARG;
}
@ -2625,9 +2625,10 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
switch (cert->keyOID) {
#ifndef NO_RSA
case RSAk:
if (cert->pubKeySize < cm->minRsaKeySz) {
if (cm->minRsaKeySz < 0 ||
cert->pubKeySize < (word16)cm->minRsaKeySz) {
ret = RSA_KEY_SIZE_E;
WOLFSSL_MSG(" CA RSA key is too small");
WOLFSSL_MSG(" CA RSA key size error");
}
break;
#endif /* !NO_RSA */
@ -3655,13 +3656,15 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
#ifndef NO_RSA
case RSAk:
if (ssl && !ssl->options.verifyNone) {
if (cert->pubKeySize < ssl->options.minRsaKeySz) {
if (ssl->options.minRsaKeySz < 0 ||
cert->pubKeySize < (word16)ssl->options.minRsaKeySz) {
ret = RSA_KEY_SIZE_E;
WOLFSSL_MSG("Certificate RSA key size too small");
}
}
else if (ctx && !ctx->verifyNone) {
if (cert->pubKeySize < ctx->minRsaKeySz) {
if (ctx->minRsaKeySz < 0 ||
cert->pubKeySize < (word16)ctx->minRsaKeySz) {
ret = RSA_KEY_SIZE_E;
WOLFSSL_MSG("Certificate RSA key size too small");
}

6
wolfssl/internal.h
View File

@ -1516,7 +1516,7 @@ struct WOLFSSL_CERT_MANAGER {
byte ocspStaplingEnabled; /* is OCSP Stapling on ? */
#ifndef NO_RSA
word16 minRsaKeySz; /* minimum allowed RSA key size */
short minRsaKeySz; /* minimum allowed RSA key size */
#endif
#ifdef HAVE_ECC
short minEccKeySz; /* minimum allowed ECC key size */
@ -1918,7 +1918,7 @@ struct WOLFSSL_CTX {
word16 minDhKeySz; /* minimum DH key size */
#endif
#ifndef NO_RSA
word16 minRsaKeySz; /* minimum RSA key size */
short minRsaKeySz; /* minimum RSA key size */
#endif
#ifdef HAVE_ECC
short minEccKeySz; /* minimum ECC key size */
@ -2388,7 +2388,7 @@ typedef struct Options {
word16 dhKeySz; /* actual DH key size */
#endif
#ifndef NO_RSA
word16 minRsaKeySz; /* minimum RSA key size */
short minRsaKeySz; /* minimum RSA key size */
#endif
#ifdef HAVE_ECC
short minEccKeySz; /* minimum ECC key size */

4
wolfssl/ssl.h
View File

@ -939,8 +939,8 @@ WOLFSSL_API int wolfSSL_GetDhKey_Sz(WOLFSSL*);
#endif /* NO_DH */
#ifndef NO_RSA
WOLFSSL_API int wolfSSL_CTX_SetMinRsaKey_Sz(WOLFSSL_CTX*, unsigned short);
WOLFSSL_API int wolfSSL_SetMinRsaKey_Sz(WOLFSSL*, unsigned short);
WOLFSSL_API int wolfSSL_CTX_SetMinRsaKey_Sz(WOLFSSL_CTX*, short);
WOLFSSL_API int wolfSSL_SetMinRsaKey_Sz(WOLFSSL*, short);
#endif /* NO_RSA */
#ifdef HAVE_ECC