Added CERTIFICATE_VERIFY_MAX_LENGTH constant

- Set `CERTIFICATE_VERIFY_MAX_LENGTH` to 65539 (2 bytes for the algorithm identifier + 2 bytes of signature length + 65535 bytes of signature) - Changed `SSL3_RT_MAX_PLAIN_LENGTH` to `CERTIFICATE_VERIFY_MAX_LENGTH` in `statem_srvr.c` and `statem_clnt.c` Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20486)
2024-12-09 05:51:54 +08:00 · 2023-03-10 23:13:46 +01:00 · 2023-03-10 23:13:46 +01:00 · c6d14bfd5f
commit c6d14bfd5f
parent c77fb9af55
3 changed files with 5 additions and 2 deletions
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@ -1020,7 +1020,7 @@ size_t ossl_statem_client_max_message_size(SSL_CONNECTION *s)
        return s->max_cert_list;

    case TLS_ST_CR_CERT_VRFY:
-        return SSL3_RT_MAX_PLAIN_LENGTH;
+        return CERTIFICATE_VERIFY_MAX_LENGTH;

    case TLS_ST_CR_CERT_STATUS:
        return SSL3_RT_MAX_PLAIN_LENGTH;
--- a/ssl/statem/statem_local.h
+++ b/ssl/statem/statem_local.h
@ -31,6 +31,9 @@
 /* Max ServerHello size permitted by RFC 8446 */
 #define SERVER_HELLO_MAX_LENGTH         65607

+/* Max CertificateVerify size permitted by RFC 8446 */
+#define CERTIFICATE_VERIFY_MAX_LENGTH   65539
+
 /* Max should actually be 36 but we are generous */
 #define FINISHED_MAX_LENGTH             64

--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@ -1223,7 +1223,7 @@ size_t ossl_statem_server_max_message_size(SSL_CONNECTION *s)
        return CLIENT_KEY_EXCH_MAX_LENGTH;

    case TLS_ST_SR_CERT_VRFY:
-        return SSL3_RT_MAX_PLAIN_LENGTH;
+        return CERTIFICATE_VERIFY_MAX_LENGTH;

 #ifndef OPENSSL_NO_NEXTPROTONEG
    case TLS_ST_SR_NEXT_PROTO: