RSA max key size checks

Detect when certificate's RSA public key size is too big and fail on
loading of certificate.
Fix unit test to only attempt to use 3072 bit RSA-PSS keys when
RSA_MAX_SIZE supports it.
Sean Parkinson
2022-09-02 10:37:12 +10:00
parent db6d69143e
commit 3bf6baf596
2 changed files with 8 additions and 5 deletions


@@ -6812,14 +6812,16 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
if (ssl && !ssl->options.verifyNone) { if (ssl && !ssl->options.verifyNone) {
if (ssl->options.minRsaKeySz < 0 || if (ssl->options.minRsaKeySz < 0 ||
keySz < (int)ssl->options.minRsaKeySz) { keySz < (int)ssl->options.minRsaKeySz ||
keySz > (RSA_MAX_SIZE / 8)) {
ret = RSA_KEY_SIZE_E; ret = RSA_KEY_SIZE_E;
WOLFSSL_MSG("Certificate RSA key size too small"); WOLFSSL_MSG("Certificate RSA key size too small");
} }
} }
else if (ctx && !ctx->verifyNone) { else if (ctx && !ctx->verifyNone) {
if (ctx->minRsaKeySz < 0 || if (ctx->minRsaKeySz < 0 ||
keySz < (int)ctx->minRsaKeySz) { keySz < (int)ctx->minRsaKeySz ||
keySz > (RSA_MAX_SIZE / 8)) {
ret = RSA_KEY_SIZE_E; ret = RSA_KEY_SIZE_E;
WOLFSSL_MSG("Certificate RSA key size too small"); WOLFSSL_MSG("Certificate RSA key size too small");
} }
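Review bot: Both branches still log `Certificate RSA key size too small` when the added `keySz > (RSA_MAX_SIZE / 8)` condition is the one that fired, so anyone triaging a rejected certificate from the debug log is pointed at the wrong bound. Give the upper bound its own arm in both the ssl and ctx branches, e.g. `else if (keySz > (RSA_MAX_SIZE / 8)) { ret = RSA_KEY_SIZE_E; WOLFSSL_MSG("Certificate RSA key size too large"); }`. The new limit is also only evaluated under `!verifyNone`; if RSA_MAX_SIZE bounds buffers or math used later on the key (not visible here), the maximum should probably be enforced regardless of the verify setting. ProcessBuffer's body starts and ends outside the hunk.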


@@ -2402,7 +2402,7 @@ static int test_wolfSSL_CertRsaPss(void)
XFILE f; XFILE f;
const char* rsaPssSha256Cert = "./certs/rsapss/ca-rsapss.der"; const char* rsaPssSha256Cert = "./certs/rsapss/ca-rsapss.der";
const char* rsaPssRootSha256Cert = "./certs/rsapss/root-rsapss.pem"; const char* rsaPssRootSha256Cert = "./certs/rsapss/root-rsapss.pem";
#ifdef WOLFSSL_SHA384 #if defined(WOLFSSL_SHA384) && RSA_MAX_SIZE >= 3072
const char* rsaPssSha384Cert = "./certs/rsapss/ca-3072-rsapss.der"; const char* rsaPssSha384Cert = "./certs/rsapss/ca-3072-rsapss.der";
const char* rsaPssRootSha384Cert = "./certs/rsapss/root-3072-rsapss.pem"; const char* rsaPssRootSha384Cert = "./certs/rsapss/root-3072-rsapss.pem";
#endif #endif
@@ -2417,7 +2417,7 @@ static int test_wolfSSL_CertRsaPss(void)
AssertNotNull(cm); AssertNotNull(cm);
AssertIntEQ(WOLFSSL_SUCCESS, AssertIntEQ(WOLFSSL_SUCCESS,
wolfSSL_CertManagerLoadCA(cm, rsaPssRootSha256Cert, NULL)); wolfSSL_CertManagerLoadCA(cm, rsaPssRootSha256Cert, NULL));
#ifdef WOLFSSL_SHA384 #if defined(WOLFSSL_SHA384) && RSA_MAX_SIZE >= 3072
AssertIntEQ(WOLFSSL_SUCCESS, AssertIntEQ(WOLFSSL_SUCCESS,
wolfSSL_CertManagerLoadCA(cm, rsaPssRootSha384Cert, NULL)); wolfSSL_CertManagerLoadCA(cm, rsaPssRootSha384Cert, NULL));
#endif #endif
@@ -2430,7 +2430,8 @@ static int test_wolfSSL_CertRsaPss(void)
AssertIntEQ(wc_ParseCert(&cert, CERT_TYPE, VERIFY, cm), 0); AssertIntEQ(wc_ParseCert(&cert, CERT_TYPE, VERIFY, cm), 0);
wc_FreeDecodedCert(&cert); wc_FreeDecodedCert(&cert);
#if defined(WOLFSSL_SHA384) && defined(WOLFSSL_PSS_LONG_SALT) #if defined(WOLFSSL_SHA384) && defined(WOLFSSL_PSS_LONG_SALT) && \
RSA_MAX_SIZE >= 3072
f = XFOPEN(rsaPssSha384Cert, "rb"); f = XFOPEN(rsaPssSha384Cert, "rb");
AssertTrue((f != XBADFILE)); AssertTrue((f != XBADFILE));
bytes = (int)XFREAD(buf, 1, sizeof(buf), f); bytes = (int)XFREAD(buf, 1, sizeof(buf), f);
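Review bot: The test changes only skip the 3072-bit RSA-PSS material when `RSA_MAX_SIZE` is below 3072, so nothing visible here exercises the new rejection path. A case that loads a certificate whose RSA key exceeds `RSA_MAX_SIZE` and asserts the load fails with `RSA_KEY_SIZE_E` would pin the behaviour the commit message describes. Separately, `RSA_MAX_SIZE >= 3072` evaluates to false without any diagnostic if the macro is not defined in this translation unit, which would silently drop the SHA-384 cases. Whether it is always defined at this point is not visible in the hunks, so a short comment such as `/* RSA_MAX_SIZE comes from <header>; 3072-bit certs need it >= 3072 */` beside the first guard would help. test_wolfSSL_CertRsaPss starts and ends outside the hunks shown.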