From: VeronikaNguyen
Date: Fri, 10 Mar 2023 22:13:46 +0000 (+0100)
Subject: Added `CERTIFICATE_VERIFY_MAX_LENGTH` constant
X-Git-Tag: openssl-3.2.0-alpha1~1120
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c6d14bfd5f16a103181c04614492be03e137d1a4;p=thirdparty%2Fopenssl.git

Added `CERTIFICATE_VERIFY_MAX_LENGTH` constant

- Set `CERTIFICATE_VERIFY_MAX_LENGTH` to 65539 (2 bytes for the algorithm identifier + 2 bytes of signature length + 65535 bytes of signature)
- Changed `SSL3_RT_MAX_PLAIN_LENGTH` to `CERTIFICATE_VERIFY_MAX_LENGTH` in `statem_srvr.c` and `statem_clnt.c`

Reviewed-by: Matt Caswell
Reviewed-by: Paul Dale
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/20486)
---
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index e5b036390a9..8d90520d14a 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1020,7 +1020,7 @@ size_t ossl_statem_client_max_message_size(SSL_CONNECTION *s)
 return s->max_cert_list;
 
 case TLS_ST_CR_CERT_VRFY:
- return SSL3_RT_MAX_PLAIN_LENGTH;
+ return CERTIFICATE_VERIFY_MAX_LENGTH;
 
 case TLS_ST_CR_CERT_STATUS:
 return SSL3_RT_MAX_PLAIN_LENGTH;
diff --git a/ssl/statem/statem_local.h b/ssl/statem/statem_local.h
index 75b7274c2ed..30b7d5b0a56 100644
--- a/ssl/statem/statem_local.h
+++ b/ssl/statem/statem_local.h
@@ -31,6 +31,9 @@
 /* Max ServerHello size permitted by RFC 8446 */
 #define SERVER_HELLO_MAX_LENGTH 65607
 
+/* Max CertificateVerify size permitted by RFC 8446 */
+#define CERTIFICATE_VERIFY_MAX_LENGTH 65539
+
 /* Max should actually be 36 but we are generous */
 #define FINISHED_MAX_LENGTH 64
 
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 6d4be61118b..3137f548efe 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
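Review bot: The new cap returned for TLS_ST_CR_CERT_VRFY is applied whatever protocol version was negotiated, yet the constant's name and comment point only at RFC 8446; a reader checking the TLS 1.2 or DTLS paths has to re-derive that 2 + 2 + 65535 also bounds the RFC 5246 CertificateVerify (SignatureAndHashAlgorithm plus a signature of at most 2^16-1 bytes) and the pre-1.2 form that has no algorithm field at all. A one-line comment on the case, `/* 65539 also bounds the TLS <= 1.2 CertificateVerify; see statem_local.h */`, would make that version-independence explicit. Since this is the size bound enforced on the peer's message before its signature is checked, the increase over SSL3_RT_MAX_PLAIN_LENGTH is worth a sentence in the commit message, though it presumably stays in the same order as the max_cert_list cap returned on the line above. The same comment applies to the TLS_ST_SR_CERT_VRFY case in statem_srvr.c; the enclosing switch in ossl_statem_client_max_message_size continues outside the hunk.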
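Review bot: The comment on the new CERTIFICATE_VERIFY_MAX_LENGTH define does not say how 65539 is derived, while the neighbouring `Max should actually be 36 but we are generous` line shows this header's habit of justifying its numbers; the breakdown lives only in the commit message, which a maintainer reading the header will not see. Suggest `/* Max CertificateVerify size permitted by RFC 8446: 2 (SignatureScheme) + 2 (length) + 65535 (signature) */` so the value can be checked against the spec in place.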
@@ -1223,7 +1223,7 @@ size_t ossl_statem_server_max_message_size(SSL_CONNECTION *s)
 return CLIENT_KEY_EXCH_MAX_LENGTH;
 
 case TLS_ST_SR_CERT_VRFY:
- return SSL3_RT_MAX_PLAIN_LENGTH;
+ return CERTIFICATE_VERIFY_MAX_LENGTH;
 
 #ifndef OPENSSL_NO_NEXTPROTONEG
 case TLS_ST_SR_NEXT_PROTO: