diff --git a/src/ssl.c b/src/ssl.c index 08f78e32b..39c7f1caf 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -6812,14 +6812,16 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, if (ssl && !ssl->options.verifyNone) { if (ssl->options.minRsaKeySz < 0 || - keySz < (int)ssl->options.minRsaKeySz) { + keySz < (int)ssl->options.minRsaKeySz || + keySz > (RSA_MAX_SIZE / 8)) { ret = RSA_KEY_SIZE_E; WOLFSSL_MSG("Certificate RSA key size too small"); } } else if (ctx && !ctx->verifyNone) { if (ctx->minRsaKeySz < 0 || - keySz < (int)ctx->minRsaKeySz) { + keySz < (int)ctx->minRsaKeySz || + keySz > (RSA_MAX_SIZE / 8)) { ret = RSA_KEY_SIZE_E; WOLFSSL_MSG("Certificate RSA key size too small"); } diff --git a/tests/api.c b/tests/api.c index 20d7a059f..51b9ffb15 100644 --- a/tests/api.c +++ b/tests/api.c @@ -2402,7 +2402,7 @@ static int test_wolfSSL_CertRsaPss(void) XFILE f; const char* rsaPssSha256Cert = "./certs/rsapss/ca-rsapss.der"; const char* rsaPssRootSha256Cert = "./certs/rsapss/root-rsapss.pem"; -#ifdef WOLFSSL_SHA384 +#if defined(WOLFSSL_SHA384) && RSA_MAX_SIZE >= 3072 const char* rsaPssSha384Cert = "./certs/rsapss/ca-3072-rsapss.der"; const char* rsaPssRootSha384Cert = "./certs/rsapss/root-3072-rsapss.pem"; #endif @@ -2417,7 +2417,7 @@ static int test_wolfSSL_CertRsaPss(void) AssertNotNull(cm); AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_CertManagerLoadCA(cm, rsaPssRootSha256Cert, NULL)); -#ifdef WOLFSSL_SHA384 +#if defined(WOLFSSL_SHA384) && RSA_MAX_SIZE >= 3072 AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_CertManagerLoadCA(cm, rsaPssRootSha384Cert, NULL)); #endif @@ -2430,7 +2430,8 @@ static int test_wolfSSL_CertRsaPss(void) AssertIntEQ(wc_ParseCert(&cert, CERT_TYPE, VERIFY, cm), 0); wc_FreeDecodedCert(&cert); -#if defined(WOLFSSL_SHA384) && defined(WOLFSSL_PSS_LONG_SALT) +#if defined(WOLFSSL_SHA384) && defined(WOLFSSL_PSS_LONG_SALT) && \ + RSA_MAX_SIZE >= 3072 f = XFOPEN(rsaPssSha384Cert, "rb"); AssertTrue((f != XBADFILE)); bytes = (int)XFREAD(buf, 1, sizeof(buf), f);