Increase limit for CRL download
authorDmitry Belyavskiy <beldmit@gmail.com>
Fri, 4 Oct 2024 15:07:38 +0000 (17:07 +0200)
committerTomas Mraz <tomas@openssl.org>
Tue, 8 Oct 2024 13:59:38 +0000 (15:59 +0200)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25608)

crypto/x509/x_all.c
include/openssl/http.h

index 2a5063a0bf6f9795cd5964e58883595b7f09450f..d3f79591d74d10ef1dbbf337bd31f1bf64ba6a7e 100644 (file)
@@ -116,11 +116,13 @@ static ASN1_VALUE *simple_get_asn1(const char *url, BIO *bio, BIO *rbio,
                                    int timeout, const ASN1_ITEM *it)
 {
 #ifndef OPENSSL_NO_HTTP
+    size_t max_resp_len = (it == ASN1_ITEM_rptr(X509_CRL)) ?
+        OSSL_HTTP_DEFAULT_MAX_CRL_LEN : OSSL_HTTP_DEFAULT_MAX_RESP_LEN;
     BIO *mem = OSSL_HTTP_get(url, NULL /* proxy */, NULL /* no_proxy */,
                              bio, rbio, NULL /* cb */, NULL /* arg */,
                              1024 /* buf_size */, NULL /* headers */,
                              NULL /* expected_ct */, 1 /* expect_asn1 */,
-                             OSSL_HTTP_DEFAULT_MAX_RESP_LEN, timeout);
+                             max_resp_len, timeout);
     ASN1_VALUE *res = ASN1_item_d2i_bio(it, mem, NULL);
 
     BIO_free(mem);
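Review bot: The new `max_resp_len` selection in `simple_get_asn1` has no comment explaining why a CRL gets a different bound, or what the larger bound costs. The response is still returned as a whole by `OSSL_HTTP_get` into `mem` before `ASN1_item_d2i_bio` parses it, so a CRL fetch may now hold up to 32 MiB rather than 100 KiB. If the URL can originate from a certificate's CRL distribution point (not visible in this hunk), that amount is controlled by the remote server, and callers fetching many CRLs concurrently should know it. I would add above the declaration something like `/* CRLs can exceed the generic response cap; still bounded, but the whole body is buffered in memory */`. The function body continues past the end of the hunk.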
index 8f4e9da30b36ac8ee1a0c2b90629d48564bef476..339b567dcd33a3de7e77c5509e53923c2d73d794 100644 (file)
@@ -35,9 +35,10 @@ extern "C" {
 
 # ifndef OPENSSL_NO_HTTP
 
-#define OSSL_HTTP_DEFAULT_MAX_LINE_LEN (4 * 1024)
-#define OSSL_HTTP_DEFAULT_MAX_RESP_LEN (100 * 1024)
-#define OSSL_HTTP_DEFAULT_MAX_RESP_HDR_LINES 256
+#  define OSSL_HTTP_DEFAULT_MAX_LINE_LEN (4 * 1024)
+#  define OSSL_HTTP_DEFAULT_MAX_RESP_LEN (100 * 1024)
+#  define OSSL_HTTP_DEFAULT_MAX_CRL_LEN (32 * 1024 * 1024)
+#  define OSSL_HTTP_DEFAULT_MAX_RESP_HDR_LINES 256
 
 
 /* Low-level HTTP API */
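Review bot: `OSSL_HTTP_DEFAULT_MAX_CRL_LEN` is added to a public header with no comment stating its unit or purpose. It sits among the generic HTTP defaults, although the only use visible in this commit is the CRL branch in `crypto/x509/x_all.c`. Because the header is installed, applications may start relying on the name and the value, so the intent should be recorded next to it, for example `/* upper bound in bytes (32 MiB) for a CRL fetched over HTTP */`. The same line could say that this is a ceiling on untrusted response size, so a later change to the value is treated as a resource-limit decision rather than a cosmetic one.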