feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Merge pull request #393 from JacobBarthelmeh/RSA-min

Browse Source 
use short for RSA min key size and check casts
This commit is contained in:
toddouska
2016-04-22 13:56:59 -07:00
parent 1e821dbd59 77a9343973
commit cc56e1da48
5 changed files with 55 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
examples/server/server.c
View File

@@ -277,7 +277,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
int echoData = 0; int echoData = 0;
int throughput = 0; int throughput = 0;
int minDhKeyBits = DEFAULT_MIN_DHKEY_BITS; int minDhKeyBits = DEFAULT_MIN_DHKEY_BITS;
int minRsaKeyBits = DEFAULT_MIN_RSAKEY_BITS; short minRsaKeyBits = DEFAULT_MIN_RSAKEY_BITS;
short minEccKeyBits = DEFAULT_MIN_ECCKEY_BITS; short minEccKeyBits = DEFAULT_MIN_ECCKEY_BITS;
int doListen = 1; int doListen = 1;
int crlFlags = 0; int crlFlags = 0;
@@ -647,7 +647,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
} }
#endif #endif
#ifndef NO_RSA #ifndef NO_RSA
if (wolfSSL_CTX_SetMinRsaKey_Sz(ctx, (word16)minRsaKeyBits) != SSL_SUCCESS){ if (wolfSSL_CTX_SetMinRsaKey_Sz(ctx, minRsaKeyBits) != SSL_SUCCESS){
err_sys("Error setting minimum RSA key size"); err_sys("Error setting minimum RSA key size");
} }
#endif #endif

53
src/internal.c
View File

@@ -5145,8 +5145,9 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
switch (dCert->keyOID) { switch (dCert->keyOID) {
#ifndef NO_RSA #ifndef NO_RSA
case RSAk: case RSAk:
if (dCert->pubKeySize < ssl->options.minRsaKeySz) { if (ssl->options.minRsaKeySz < 0 ||
WOLFSSL_MSG("RSA key in cert chain was too small"); dCert->pubKeySize < (word16)ssl->options.minRsaKeySz) {
WOLFSSL_MSG("RSA key size in cert chain error");
ret = RSA_KEY_SIZE_E; ret = RSA_KEY_SIZE_E;
} }
break; break;
@@ -13983,8 +13984,13 @@ static word32 QSH_KeyExchangeWrite(WOLFSSL* ssl, byte isServer)
ret = wc_RsaPrivateKeyDecode(ssl->buffers.key->buffer, &idx, &key, ret = wc_RsaPrivateKeyDecode(ssl->buffers.key->buffer, &idx, &key,
ssl->buffers.key->length); ssl->buffers.key->length);
if (ret == 0) { if (ret == 0) {
sigOutSz = wc_RsaEncryptSize(&key); int keySz = wc_RsaEncryptSize(&key);
if (sigOutSz < ssl->options.minRsaKeySz) { if (keySz < 0) { /* check if keySz has error case */
return keySz;
}
sigOutSz = (word32)keySz;
if (keySz < ssl->options.minRsaKeySz) {
WOLFSSL_MSG("RSA key size too small"); WOLFSSL_MSG("RSA key size too small");
return RSA_KEY_SIZE_E; return RSA_KEY_SIZE_E;
} }
@@ -14925,6 +14931,8 @@ int DoSessionTicket(WOLFSSL* ssl,
case rsa_sa_algo: case rsa_sa_algo:
{ {
word32 i = 0; word32 i = 0;
int keySz;
ssl->sigKey = XMALLOC(sizeof(RsaKey), NULL, DYNAMIC_TYPE_RSA); ssl->sigKey = XMALLOC(sizeof(RsaKey), NULL, DYNAMIC_TYPE_RSA);
if (ssl->sigKey == NULL) { if (ssl->sigKey == NULL) {
ERROR_OUT(MEMORY_E, exit_sske); ERROR_OUT(MEMORY_E, exit_sske);
@@ -14941,12 +14949,15 @@ int DoSessionTicket(WOLFSSL* ssl,
if (ret != 0) { if (ret != 0) {
goto exit_sske; goto exit_sske;
} }
sigSz = wc_RsaEncryptSize((RsaKey*)ssl->sigKey); keySz = wc_RsaEncryptSize((RsaKey*)ssl->sigKey);
if (keySz < 0) { /* test if keySz has error */
ERROR_OUT(keySz, exit_sske);
}
if (sigSz < ssl->options.minRsaKeySz) { sigSz = (word32)keySz;
if (keySz < ssl->options.minRsaKeySz) {
WOLFSSL_MSG("RSA signature key size too small"); WOLFSSL_MSG("RSA signature key size too small");
ret = RSA_KEY_SIZE_E; ERROR_OUT(RSA_KEY_SIZE_E, exit_sske);
goto exit_sske;
} }
break; break;
} }
@@ -15212,6 +15223,7 @@ int DoSessionTicket(WOLFSSL* ssl,
if (!ssl->options.usingAnon_cipher) { if (!ssl->options.usingAnon_cipher) {
word32 i = 0; word32 i = 0;
int keySz;
ssl->sigKey = XMALLOC(sizeof(RsaKey), NULL, DYNAMIC_TYPE_RSA); ssl->sigKey = XMALLOC(sizeof(RsaKey), NULL, DYNAMIC_TYPE_RSA);
if (ssl->sigKey == NULL) { if (ssl->sigKey == NULL) {
@@ -15236,13 +15248,16 @@ int DoSessionTicket(WOLFSSL* ssl,
if (ret != 0) { if (ret != 0) {
goto exit_sske; goto exit_sske;
} }
sigSz = wc_RsaEncryptSize((RsaKey*)ssl->sigKey); keySz = wc_RsaEncryptSize((RsaKey*)ssl->sigKey);
if (keySz < 0) { /* test if keySz has error */
ERROR_OUT(keySz, exit_sske);
}
sigSz = (word32)keySz;
length += sigSz; length += sigSz;
if (sigSz < ssl->options.minRsaKeySz) { if (keySz < ssl->options.minRsaKeySz) {
WOLFSSL_MSG("RSA key size too small"); WOLFSSL_MSG("RSA key size too small");
ret = RSA_KEY_SIZE_E; ERROR_OUT(RSA_KEY_SIZE_E, exit_sske);
goto exit_sske;
} }
if (IsAtLeastTLSv1_2(ssl)) { if (IsAtLeastTLSv1_2(ssl)) {
@@ -17048,6 +17063,8 @@ int DoSessionTicket(WOLFSSL* ssl,
case rsa_kea: case rsa_kea:
{ {
word32 i = 0; word32 i = 0;
int keySz;
ssl->sigKey = XMALLOC(sizeof(RsaKey), NULL, DYNAMIC_TYPE_RSA); ssl->sigKey = XMALLOC(sizeof(RsaKey), NULL, DYNAMIC_TYPE_RSA);
if (ssl->sigKey == NULL) { if (ssl->sigKey == NULL) {
ERROR_OUT(MEMORY_E, exit_dcke); ERROR_OUT(MEMORY_E, exit_dcke);
@@ -17064,11 +17081,15 @@ int DoSessionTicket(WOLFSSL* ssl,
if (ret != 0) { if (ret != 0) {
goto exit_dcke; goto exit_dcke;
} }
length = wc_RsaEncryptSize((RsaKey*)ssl->sigKey); keySz = wc_RsaEncryptSize((RsaKey*)ssl->sigKey);
if (length < ssl->options.minRsaKeySz) { if (keySz < 0) { /* test if keySz has error */
ERROR_OUT(keySz, exit_dcke);
}
length = (word32)keySz;
if (keySz < ssl->options.minRsaKeySz) {
WOLFSSL_MSG("Peer RSA key is too small"); WOLFSSL_MSG("Peer RSA key is too small");
ret = RSA_KEY_SIZE_E; ERROR_OUT(RSA_KEY_SIZE_E, exit_dcke);
goto exit_dcke;
} }
ssl->arrays->preMasterSz = SECRET_LEN; ssl->arrays->preMasterSz = SECRET_LEN;

19
src/ssl.c
View File

@@ -510,9 +510,9 @@ int wolfSSL_SetMinEccKey_Sz(WOLFSSL* ssl, short keySz)
#endif /* !NO_RSA */ #endif /* !NO_RSA */
#ifndef NO_RSA #ifndef NO_RSA
int wolfSSL_CTX_SetMinRsaKey_Sz(WOLFSSL_CTX* ctx, word16 keySz) int wolfSSL_CTX_SetMinRsaKey_Sz(WOLFSSL_CTX* ctx, short keySz)
{ {
if (ctx == NULL || keySz % 8 != 0) { if (ctx == NULL || keySz < 0 || keySz % 8 != 0) {
WOLFSSL_MSG("Key size must be divisable by 8 or ctx was null"); WOLFSSL_MSG("Key size must be divisable by 8 or ctx was null");
return BAD_FUNC_ARG; return BAD_FUNC_ARG;
} }
@@ -523,9 +523,9 @@ int wolfSSL_CTX_SetMinRsaKey_Sz(WOLFSSL_CTX* ctx, word16 keySz)
} }
int wolfSSL_SetMinRsaKey_Sz(WOLFSSL* ssl, word16 keySz) int wolfSSL_SetMinRsaKey_Sz(WOLFSSL* ssl, short keySz)
{ {
if (ssl == NULL || keySz % 8 != 0) { if (ssl == NULL || keySz < 0 || keySz % 8 != 0) {
WOLFSSL_MSG("Key size must be divisable by 8 or ssl was null"); WOLFSSL_MSG("Key size must be divisable by 8 or ssl was null");
return BAD_FUNC_ARG; return BAD_FUNC_ARG;
} }
@@ -2625,9 +2625,10 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
switch (cert->keyOID) { switch (cert->keyOID) {
#ifndef NO_RSA #ifndef NO_RSA
case RSAk: case RSAk:
if (cert->pubKeySize < cm->minRsaKeySz) { if (cm->minRsaKeySz < 0 ||
cert->pubKeySize < (word16)cm->minRsaKeySz) {
ret = RSA_KEY_SIZE_E; ret = RSA_KEY_SIZE_E;
WOLFSSL_MSG(" CA RSA key is too small"); WOLFSSL_MSG(" CA RSA key size error");
} }
break; break;
#endif /* !NO_RSA */ #endif /* !NO_RSA */
@@ -3655,13 +3656,15 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
#ifndef NO_RSA #ifndef NO_RSA
case RSAk: case RSAk:
if (ssl && !ssl->options.verifyNone) { if (ssl && !ssl->options.verifyNone) {
if (cert->pubKeySize < ssl->options.minRsaKeySz) { if (ssl->options.minRsaKeySz < 0 ||
cert->pubKeySize < (word16)ssl->options.minRsaKeySz) {
ret = RSA_KEY_SIZE_E; ret = RSA_KEY_SIZE_E;
WOLFSSL_MSG("Certificate RSA key size too small"); WOLFSSL_MSG("Certificate RSA key size too small");
} }
} }
else if (ctx && !ctx->verifyNone) { else if (ctx && !ctx->verifyNone) {
if (cert->pubKeySize < ctx->minRsaKeySz) { if (ctx->minRsaKeySz < 0 ||
cert->pubKeySize < (word16)ctx->minRsaKeySz) {
ret = RSA_KEY_SIZE_E; ret = RSA_KEY_SIZE_E;
WOLFSSL_MSG("Certificate RSA key size too small"); WOLFSSL_MSG("Certificate RSA key size too small");
} }

6
wolfssl/internal.h
View File

@@ -1516,7 +1516,7 @@ struct WOLFSSL_CERT_MANAGER {
byte ocspStaplingEnabled; /* is OCSP Stapling on ? */ byte ocspStaplingEnabled; /* is OCSP Stapling on ? */
#ifndef NO_RSA #ifndef NO_RSA
word16 minRsaKeySz; /* minimum allowed RSA key size */ short minRsaKeySz; /* minimum allowed RSA key size */
#endif #endif
#ifdef HAVE_ECC #ifdef HAVE_ECC
short minEccKeySz; /* minimum allowed ECC key size */ short minEccKeySz; /* minimum allowed ECC key size */
@@ -1918,7 +1918,7 @@ struct WOLFSSL_CTX {
word16 minDhKeySz; /* minimum DH key size */ word16 minDhKeySz; /* minimum DH key size */
#endif #endif
#ifndef NO_RSA #ifndef NO_RSA
word16 minRsaKeySz; /* minimum RSA key size */ short minRsaKeySz; /* minimum RSA key size */
#endif #endif
#ifdef HAVE_ECC #ifdef HAVE_ECC
short minEccKeySz; /* minimum ECC key size */ short minEccKeySz; /* minimum ECC key size */
@@ -2388,7 +2388,7 @@ typedef struct Options {
word16 dhKeySz; /* actual DH key size */ word16 dhKeySz; /* actual DH key size */
#endif #endif
#ifndef NO_RSA #ifndef NO_RSA
word16 minRsaKeySz; /* minimum RSA key size */ short minRsaKeySz; /* minimum RSA key size */
#endif #endif
#ifdef HAVE_ECC #ifdef HAVE_ECC
short minEccKeySz; /* minimum ECC key size */ short minEccKeySz; /* minimum ECC key size */

4
wolfssl/ssl.h
View File

@@ -939,8 +939,8 @@ WOLFSSL_API int wolfSSL_GetDhKey_Sz(WOLFSSL*);
#endif /* NO_DH */ #endif /* NO_DH */
#ifndef NO_RSA #ifndef NO_RSA
WOLFSSL_API int wolfSSL_CTX_SetMinRsaKey_Sz(WOLFSSL_CTX*, unsigned short); WOLFSSL_API int wolfSSL_CTX_SetMinRsaKey_Sz(WOLFSSL_CTX*, short);
WOLFSSL_API int wolfSSL_SetMinRsaKey_Sz(WOLFSSL*, unsigned short); WOLFSSL_API int wolfSSL_SetMinRsaKey_Sz(WOLFSSL*, short);
#endif /* NO_RSA */ #endif /* NO_RSA */
#ifdef HAVE_ECC #ifdef HAVE_ECC