Increase limit for CRL download

Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25608)
2024-11-27 05:21:51 +08:00 · 2024-10-04 17:07:38 +02:00 · 2024-10-04 17:07:38 +02:00 · cdbe47bf3c
commit cdbe47bf3c
parent e647220c00
2 changed files with 7 additions and 4 deletions
--- a/crypto/x509/x_all.c
+++ b/crypto/x509/x_all.c
@ -116,11 +116,13 @@ static ASN1_VALUE *simple_get_asn1(const char *url, BIO *bio, BIO *rbio,
                                   int timeout, const ASN1_ITEM *it)
 {
 #ifndef OPENSSL_NO_HTTP
+    size_t max_resp_len = (it == ASN1_ITEM_rptr(X509_CRL)) ?
+        OSSL_HTTP_DEFAULT_MAX_CRL_LEN : OSSL_HTTP_DEFAULT_MAX_RESP_LEN;
    BIO *mem = OSSL_HTTP_get(url, NULL /* proxy */, NULL /* no_proxy */,
                             bio, rbio, NULL /* cb */, NULL /* arg */,
                             1024 /* buf_size */, NULL /* headers */,
                             NULL /* expected_ct */, 1 /* expect_asn1 */,
-                             OSSL_HTTP_DEFAULT_MAX_RESP_LEN, timeout);
+                             max_resp_len, timeout);
    ASN1_VALUE *res = ASN1_item_d2i_bio(it, mem, NULL);

    BIO_free(mem);
--- a/include/openssl/http.h
+++ b/include/openssl/http.h
@ -35,9 +35,10 @@ extern "C" {

 # ifndef OPENSSL_NO_HTTP

-#define OSSL_HTTP_DEFAULT_MAX_LINE_LEN (4 * 1024)
-#define OSSL_HTTP_DEFAULT_MAX_RESP_LEN (100 * 1024)
-#define OSSL_HTTP_DEFAULT_MAX_RESP_HDR_LINES 256
+#  define OSSL_HTTP_DEFAULT_MAX_LINE_LEN (4 * 1024)
+#  define OSSL_HTTP_DEFAULT_MAX_RESP_LEN (100 * 1024)
+#  define OSSL_HTTP_DEFAULT_MAX_CRL_LEN (32 * 1024 * 1024)
+#  define OSSL_HTTP_DEFAULT_MAX_RESP_HDR_LINES 256


 /* Low-level HTTP API */