wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-08-03 12:44:45 +02:00
Code Issues Packages Projects Releases Wiki Activity

follow verifyNone variable when checking key size

Browse Source
This commit is contained in:
Jacob Barthelmeh
2016-04-19 10:23:01 -06:00
parent 0eb57ccab0
commit 789f346c5f
2 changed files with 32 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
src/internal.c
View File

@@ -5138,6 +5138,7 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
/* Check key sizes for certs. Is redundent check since ProcessBuffer /* Check key sizes for certs. Is redundent check since ProcessBuffer
also performs this check. */ also performs this check. */
if (!ssl->options.verifyNone) {
switch (dCert->keyOID) { switch (dCert->keyOID) {
#ifndef NO_RSA #ifndef NO_RSA
case RSAk: case RSAk:
@@ -5150,7 +5151,8 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
default: default:
WOLFSSL_MSG("Key size not checked"); WOLFSSL_MSG("Key size not checked");
break; /* key is not being checked for size if not in switch */ break; /* key not being checked for size if not in switch */
}
} }
if (ret == 0 && dCert->isCA == 0) { if (ret == 0 && dCert->isCA == 0) {
@@ -5467,6 +5469,7 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
/* check size of peer RSA key */ /* check size of peer RSA key */
if (ret == 0 && ssl->peerRsaKeyPresent && if (ret == 0 && ssl->peerRsaKeyPresent &&
!ssl->options.verifyNone &&
wc_RsaEncryptSize(ssl->peerRsaKey) wc_RsaEncryptSize(ssl->peerRsaKey)
< ssl->options.minRsaKeySz) { < ssl->options.minRsaKeySz) {
ret = RSA_KEY_SIZE_E; ret = RSA_KEY_SIZE_E;

8
src/ssl.c
View File

@@ -2587,6 +2587,7 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
#endif #endif
/* check CA key size */ /* check CA key size */
if (verify) {
switch (cert->keyOID) { switch (cert->keyOID) {
#ifndef NO_RSA #ifndef NO_RSA
case RSAk: case RSAk:
@@ -2601,6 +2602,7 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
WOLFSSL_MSG(" No key size check done on CA"); WOLFSSL_MSG(" No key size check done on CA");
break; /* no size check if key type is not in switch */ break; /* no size check if key type is not in switch */
} }
}
if (ret == 0 && cert->isCA == 0 && type != WOLFSSL_USER_CA) { if (ret == 0 && cert->isCA == 0 && type != WOLFSSL_USER_CA) {
WOLFSSL_MSG(" Can't add as CA if not actually one"); WOLFSSL_MSG(" Can't add as CA if not actually one");
@@ -3588,17 +3590,17 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
} }
#endif #endif
/* check key size of cert */ /* check key size of cert unless specified not to */
switch (cert->keyOID) { switch (cert->keyOID) {
#ifndef NO_RSA #ifndef NO_RSA
case RSAk: case RSAk:
if (ssl) { if (ssl && !ssl->options.verifyNone) {
if (cert->pubKeySize < ssl->options.minRsaKeySz) { if (cert->pubKeySize < ssl->options.minRsaKeySz) {
ret = RSA_KEY_SIZE_E; ret = RSA_KEY_SIZE_E;
WOLFSSL_MSG("Certificate RSA key size too small"); WOLFSSL_MSG("Certificate RSA key size too small");
} }
} }
else if (ctx) { else if (ctx && !ctx->verifyNone) {
if (cert->pubKeySize < ctx->minRsaKeySz) { if (cert->pubKeySize < ctx->minRsaKeySz) {
ret = RSA_KEY_SIZE_E; ret = RSA_KEY_SIZE_E;
WOLFSSL_MSG("Certificate RSA key size too small"); WOLFSSL_MSG("Certificate RSA key size too small");