diff --git a/examples/server/server.c b/examples/server/server.c
index d15217166..be5de5c68 100644
--- a/examples/server/server.c
+++ b/examples/server/server.c
@@ -277,7 +277,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
 int echoData = 0;
 int throughput = 0;
 int minDhKeyBits = DEFAULT_MIN_DHKEY_BITS;
- int minRsaKeyBits = DEFAULT_MIN_RSAKEY_BITS;
+ short minRsaKeyBits = DEFAULT_MIN_RSAKEY_BITS;
 short minEccKeyBits = DEFAULT_MIN_ECCKEY_BITS;
 int doListen = 1;
 int crlFlags = 0;
@@ -647,7 +647,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
 }
 #endif
 #ifndef NO_RSA
- if (wolfSSL_CTX_SetMinRsaKey_Sz(ctx, (word16)minRsaKeyBits) != SSL_SUCCESS){
+ if (wolfSSL_CTX_SetMinRsaKey_Sz(ctx, minRsaKeyBits) != SSL_SUCCESS){
 err_sys("Error setting minimum RSA key size");
 }
 #endif
diff --git a/src/internal.c b/src/internal.c
index 1e81e3b6e..b0d0b7f66 100755
--- a/src/internal.c
+++ b/src/internal.c
@@ -5145,8 +5145,9 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 switch (dCert->keyOID) {
 #ifndef NO_RSA
 case RSAk:
- if (dCert->pubKeySize < ssl->options.minRsaKeySz) {
- WOLFSSL_MSG("RSA key in cert chain was too small");
+ if (ssl->options.minRsaKeySz < 0 ||
+ dCert->pubKeySize < (word16)ssl->options.minRsaKeySz) {
+ WOLFSSL_MSG("RSA key size in cert chain error");
 ret = RSA_KEY_SIZE_E;
 }
 break;
@@ -13983,8 +13984,13 @@ static word32 QSH_KeyExchangeWrite(WOLFSSL* ssl, byte isServer)
 ret = wc_RsaPrivateKeyDecode(ssl->buffers.key->buffer, &idx, &key, ssl->buffers.key->length);
 if (ret == 0) {
- sigOutSz = wc_RsaEncryptSize(&key);
- if (sigOutSz < ssl->options.minRsaKeySz) {
+ int keySz = wc_RsaEncryptSize(&key);
+ if (keySz < 0) { /* check if keySz has error case */
+ return keySz;
+ }
+
+ sigOutSz = (word32)keySz;
+ if (keySz < ssl->options.minRsaKeySz) {
 WOLFSSL_MSG("RSA key size too small");
 return RSA_KEY_SIZE_E;
 }
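Review bot: In the server_test hunk at -277, narrowing `minRsaKeyBits` from `int` to `short` moves any out-of-range value into an implicit conversion before `wolfSSL_CTX_SetMinRsaKey_Sz` runs, so the setter's new `keySz < 0` check only sees what is left after truncation. The assignment from the command line is outside this hunk, but if it stores a wider integer, a value such as 66560 would on common platforms wrap to 1024 and be accepted as a much weaker minimum than the operator asked for. Keeping the local as `int` and range-checking before the call avoids that, e.g. `if (minRsaKeyBits < 0 || minRsaKeyBits > SHRT_MAX) err_sys("Minimum RSA key size out of range");`.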
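Review bot: The size check added at -13983, `if (keySz < ssl->options.minRsaKeySz)`, has no guard for a negative minimum, unlike the DoCertificate hunk at -5145, which rejects `minRsaKeySz < 0` first. Both operands are signed here, so a negative `minRsaKeySz` makes the comparison false for every key and the check passes instead of failing closed. The setters in src/ssl.c reject negative input, so this is defence in depth, but the two styles should agree: `if (ssl->options.minRsaKeySz < 0 || keySz < ssl->options.minRsaKeySz) {`. The same applies to the hunks at -14941, -15236 and -17064; the enclosing functions start and end outside these hunks.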
@@ -14925,6 +14931,8 @@ int DoSessionTicket(WOLFSSL* ssl,
 case rsa_sa_algo: {
 word32 i = 0;
+ int keySz;
+
 ssl->sigKey = XMALLOC(sizeof(RsaKey), NULL, DYNAMIC_TYPE_RSA);
 if (ssl->sigKey == NULL) {
 ERROR_OUT(MEMORY_E, exit_sske);
@@ -14941,12 +14949,15 @@ int DoSessionTicket(WOLFSSL* ssl,
 if (ret != 0) {
 goto exit_sske;
 }
- sigSz = wc_RsaEncryptSize((RsaKey*)ssl->sigKey);
+ keySz = wc_RsaEncryptSize((RsaKey*)ssl->sigKey);
+ if (keySz < 0) { /* test if keySz has error */
+ ERROR_OUT(keySz, exit_sske);
+ }
- if (sigSz < ssl->options.minRsaKeySz) {
+ sigSz = (word32)keySz;
+ if (keySz < ssl->options.minRsaKeySz) {
 WOLFSSL_MSG("RSA signature key size too small");
- ret = RSA_KEY_SIZE_E;
- goto exit_sske;
+ ERROR_OUT(RSA_KEY_SIZE_E, exit_sske);
 }
 break;
 }
@@ -15212,6 +15223,7 @@ int DoSessionTicket(WOLFSSL* ssl,
 if (!ssl->options.usingAnon_cipher) {
 word32 i = 0;
+ int keySz;
 ssl->sigKey = XMALLOC(sizeof(RsaKey), NULL, DYNAMIC_TYPE_RSA);
 if (ssl->sigKey == NULL) {
@@ -15236,13 +15248,16 @@ int DoSessionTicket(WOLFSSL* ssl,
 if (ret != 0) {
 goto exit_sske;
 }
- sigSz = wc_RsaEncryptSize((RsaKey*)ssl->sigKey);
+ keySz = wc_RsaEncryptSize((RsaKey*)ssl->sigKey);
+ if (keySz < 0) { /* test if keySz has error */
+ ERROR_OUT(keySz, exit_sske);
+ }
+ sigSz = (word32)keySz;
 length += sigSz;
- if (sigSz < ssl->options.minRsaKeySz) {
+ if (keySz < ssl->options.minRsaKeySz) {
 WOLFSSL_MSG("RSA key size too small");
- ret = RSA_KEY_SIZE_E;
- goto exit_sske;
+ ERROR_OUT(RSA_KEY_SIZE_E, exit_sske);
 }
 if (IsAtLeastTLSv1_2(ssl)) {
@@ -17048,6 +17063,8 @@ int DoSessionTicket(WOLFSSL* ssl,
 case rsa_kea: {
 word32 i = 0;
+ int keySz;
+
 ssl->sigKey = XMALLOC(sizeof(RsaKey), NULL, DYNAMIC_TYPE_RSA);
 if (ssl->sigKey == NULL) {
 ERROR_OUT(MEMORY_E, exit_dcke);
@@ -17064,11 +17081,15 @@ int DoSessionTicket(WOLFSSL* ssl,
 if (ret != 0) {
 goto exit_dcke;
 }
- length = wc_RsaEncryptSize((RsaKey*)ssl->sigKey);
- if (length < ssl->options.minRsaKeySz) {
+ keySz = wc_RsaEncryptSize((RsaKey*)ssl->sigKey);
+ if (keySz < 0) { /* test if keySz has error */
+ ERROR_OUT(keySz, exit_dcke);
+ }
+ length = (word32)keySz;
+
+ if (keySz < ssl->options.minRsaKeySz) {
 WOLFSSL_MSG("Peer RSA key is too small");
- ret = RSA_KEY_SIZE_E;
- goto exit_dcke;
+ ERROR_OUT(RSA_KEY_SIZE_E, exit_dcke);
 }
 ssl->arrays->preMasterSz = SECRET_LEN;
diff --git a/src/ssl.c b/src/ssl.c
index 1eaca0782..bf4925bb8 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -510,9 +510,9 @@ int wolfSSL_SetMinEccKey_Sz(WOLFSSL* ssl, short keySz)
 #endif /* !NO_RSA */
 #ifndef NO_RSA
-int wolfSSL_CTX_SetMinRsaKey_Sz(WOLFSSL_CTX* ctx, word16 keySz)
+int wolfSSL_CTX_SetMinRsaKey_Sz(WOLFSSL_CTX* ctx, short keySz)
 {
- if (ctx == NULL || keySz % 8 != 0) {
+ if (ctx == NULL || keySz < 0 || keySz % 8 != 0) {
 WOLFSSL_MSG("Key size must be divisable by 8 or ctx was null");
 return BAD_FUNC_ARG;
 }
@@ -523,9 +523,9 @@ int wolfSSL_CTX_SetMinRsaKey_Sz(WOLFSSL_CTX* ctx, word16 keySz)
 }
-int wolfSSL_SetMinRsaKey_Sz(WOLFSSL* ssl, word16 keySz)
+int wolfSSL_SetMinRsaKey_Sz(WOLFSSL* ssl, short keySz)
 {
- if (ssl == NULL || keySz % 8 != 0) {
+ if (ssl == NULL || keySz < 0 || keySz % 8 != 0) {
 WOLFSSL_MSG("Key size must be divisable by 8 or ssl was null");
 return BAD_FUNC_ARG;
 }
@@ -2625,9 +2625,10 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
 switch (cert->keyOID) {
 #ifndef NO_RSA
 case RSAk:
- if (cert->pubKeySize < cm->minRsaKeySz) {
+ if (cm->minRsaKeySz < 0 ||
+ cert->pubKeySize < (word16)cm->minRsaKeySz) {
 ret = RSA_KEY_SIZE_E;
- WOLFSSL_MSG(" CA RSA key is too small");
+ WOLFSSL_MSG(" CA RSA key size error");
 }
 break;
 #endif /* !NO_RSA */
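Review bot: In the src/ssl.c hunk at -510, `wolfSSL_CTX_SetMinRsaKey_Sz` gains a third rejection reason, `keySz < 0`, but the log line still reads "Key size must be divisable by 8 or ctx was null", so a caller whose value went negative through conversion gets a misleading diagnostic. Suggest `WOLFSSL_MSG("Key size must be non-negative and divisible by 8, or ctx was null");`, and the same wording with `ssl` for `wolfSSL_SetMinRsaKey_Sz` in the hunk at -523. Both function bodies continue past their hunks, so how the accepted value is stored is not visible here.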
@@ -3655,13 +3656,15 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
 #ifndef NO_RSA
 case RSAk:
 if (ssl && !ssl->options.verifyNone) {
- if (cert->pubKeySize < ssl->options.minRsaKeySz) {
+ if (ssl->options.minRsaKeySz < 0 ||
+ cert->pubKeySize < (word16)ssl->options.minRsaKeySz) {
 ret = RSA_KEY_SIZE_E;
 WOLFSSL_MSG("Certificate RSA key size too small");
 }
 } else if (ctx && !ctx->verifyNone) {
- if (cert->pubKeySize < ctx->minRsaKeySz) {
+ if (ctx->minRsaKeySz < 0 ||
+ cert->pubKeySize < (word16)ctx->minRsaKeySz) {
 ret = RSA_KEY_SIZE_E;
 WOLFSSL_MSG("Certificate RSA key size too small");
 }
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index e20d28433..cf101366a 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -1516,7 +1516,7 @@ struct WOLFSSL_CERT_MANAGER {
 byte ocspStaplingEnabled; /* is OCSP Stapling on ? */
 #ifndef NO_RSA
- word16 minRsaKeySz; /* minimum allowed RSA key size */
+ short minRsaKeySz; /* minimum allowed RSA key size */
 #endif
 #ifdef HAVE_ECC
 short minEccKeySz; /* minimum allowed ECC key size */
@@ -1918,7 +1918,7 @@ struct WOLFSSL_CTX {
 word16 minDhKeySz; /* minimum DH key size */
 #endif
 #ifndef NO_RSA
- word16 minRsaKeySz; /* minimum RSA key size */
+ short minRsaKeySz; /* minimum RSA key size */
 #endif
 #ifdef HAVE_ECC
 short minEccKeySz; /* minimum ECC key size */
@@ -2388,7 +2388,7 @@ typedef struct Options {
 word16 dhKeySz; /* actual DH key size */
 #endif
 #ifndef NO_RSA
- word16 minRsaKeySz; /* minimum RSA key size */
+ short minRsaKeySz; /* minimum RSA key size */
 #endif
 #ifdef HAVE_ECC
 short minEccKeySz; /* minimum ECC key size */
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index 755cde40e..34fd8536a 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@@ -939,8 +939,8 @@ WOLFSSL_API int wolfSSL_GetDhKey_Sz(WOLFSSL*);
 #endif /* NO_DH */
 #ifndef NO_RSA
-WOLFSSL_API int wolfSSL_CTX_SetMinRsaKey_Sz(WOLFSSL_CTX*, unsigned short);
-WOLFSSL_API int wolfSSL_SetMinRsaKey_Sz(WOLFSSL*, unsigned short);
+WOLFSSL_API int wolfSSL_CTX_SetMinRsaKey_Sz(WOLFSSL_CTX*, short);
+WOLFSSL_API int wolfSSL_SetMinRsaKey_Sz(WOLFSSL*, short);
 #endif /* NO_RSA */
 #ifdef HAVE_ECC
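Review bot: These two public prototypes change the argument from `unsigned short` to `short` with no parameter name or comment, so the header gives no hint of the contract the setters now enforce. An existing caller passing a value above 32767 will typically have it converted to a negative number and get `BAD_FUNC_ARG` from the checks in src/ssl.c, where a multiple of 8 was previously accepted. Suggest naming the parameter `keySz` and adding a comment above the declarations such as `/* keySz: minimum RSA key size (the example server passes bits); must be >= 0 and a multiple of 8, else BAD_FUNC_ARG */`.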