From 891bce01c61c33d7e68d8109932b71d8c43fab68 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <beldmit@gmail.com>
Date: Fri, 4 Oct 2024 17:06:38 +0200
Subject: [PATCH] Documenting CRL download usage and restrictions
Fixes #25603
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25608)
(cherry picked from commit e647220c00bb1da0518f8a31ed07b2a0977a3c9e)
---
doc/man1/openssl-s_client.pod.in | 4 +++-
doc/man3/X509_load_http.pod | 3 +++
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/doc/man1/openssl-s_client.pod.in b/doc/man1/openssl-s_client.pod.in
index 31729d6bdd252..d722bea9e3563 100644
--- a/doc/man1/openssl-s_client.pod.in
+++ b/doc/man1/openssl-s_client.pod.in
@@ -263,7 +263,9 @@ See L<openssl-format-options(1)> for details.
=item B<-crl_download>
-Download CRL from distribution points in the certificate.
+Download CRL from distribution points in the certificate. Note that this option
+is ignored if B<-crl_check> option is not provided. Note that the maximum size
+of CRL is limited by L<X509_CRL_load_http(3)> function.
=item B<-key> I<filename>|I<uri>
diff --git a/doc/man3/X509_load_http.pod b/doc/man3/X509_load_http.pod
index a147c43caa3fd..e17330b05587f 100644
--- a/doc/man3/X509_load_http.pod
+++ b/doc/man3/X509_load_http.pod
@@ -27,6 +27,9 @@ see L<openssl_user_macros(7)>:
X509_load_http() and X509_CRL_load_http() loads a certificate or a CRL,
respectively, in ASN.1 format using HTTP from the given B<url>.
+Maximum size of the HTTP response is 100 kB for certificates and 32 MB for CRLs
+and hard coded in the functions.
+
If B<bio> is given and B<rbio> is NULL then this BIO is used instead of an
internal one for connecting, writing the request, and reading the response.
If both B<bio> and B<rbio> are given (which may be memory BIOs, for instance)
From 3004712d4bc4b6bf039c9017c6fd3039b7b4300c Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <beldmit@gmail.com>
Date: Fri, 4 Oct 2024 17:07:38 +0200
Subject: [PATCH] Increase limit for CRL download
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25608)
(cherry picked from commit cdbe47bf3c02979183d1f66b42c511a18a63c61d)
---
crypto/x509/x_all.c | 4 +++-
include/openssl/http.h | 5 +++--
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c
index e58c9ab1c117b..158e11a8649c5 100644
--- a/crypto/x509/x_all.c
+++ b/crypto/x509/x_all.c
@@ -92,11 +92,13 @@ int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx)
static ASN1_VALUE *simple_get_asn1(const char *url, BIO *bio, BIO *rbio,
int timeout, const ASN1_ITEM *it)
{
+ size_t max_resp_len = (it == ASN1_ITEM_rptr(X509_CRL)) ?
+ OSSL_HTTP_DEFAULT_MAX_CRL_LEN : OSSL_HTTP_DEFAULT_MAX_RESP_LEN;
BIO *mem = OSSL_HTTP_get(url, NULL /* proxy */, NULL /* no_proxy */,
bio, rbio, NULL /* cb */, NULL /* arg */,
1024 /* buf_size */, NULL /* headers */,
NULL /* expected_ct */, 1 /* expect_asn1 */,
- OSSL_HTTP_DEFAULT_MAX_RESP_LEN, timeout);
+ max_resp_len, timeout);
ASN1_VALUE *res = ASN1_item_d2i_bio(it, mem, NULL);
BIO_free(mem);
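Review bot: The new max_resp_len selection on the first two added lines raises the amount of untrusted HTTP response that simple_get_asn1 will buffer in the memory BIO before ASN1_item_d2i_bio sees it from 100 kB to 32 MB, but the line carries no comment saying why the CRL case is special or that the value is still the per-fetch memory bound; add `/* CRLs are routinely far larger than certificates; keep a hard cap so a misbehaving distribution point cannot force unbounded buffering */` above the declaration. The choice keys off pointer identity with `ASN1_ITEM_rptr(X509_CRL)`, so any future caller passing another item (the two wrappers that call this helper are outside the hunk) silently gets the smaller cap — worth stating in that comment as well. simple_get_asn1's body continues past the hunk.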
diff --git a/include/openssl/http.h b/include/openssl/http.h
index f7ab214265e47..c63762b70deb5 100644
--- a/include/openssl/http.h
+++ b/include/openssl/http.h
@@ -33,8 +33,9 @@ extern "C" {
# define OPENSSL_HTTP_PROXY "HTTP_PROXY"
# define OPENSSL_HTTPS_PROXY "HTTPS_PROXY"
-#define OSSL_HTTP_DEFAULT_MAX_LINE_LEN (4 * 1024)
-#define OSSL_HTTP_DEFAULT_MAX_RESP_LEN (100 * 1024)
+# define OSSL_HTTP_DEFAULT_MAX_LINE_LEN (4 * 1024)
+# define OSSL_HTTP_DEFAULT_MAX_RESP_LEN (100 * 1024)
+# define OSSL_HTTP_DEFAULT_MAX_CRL_LEN (32 * 1024 * 1024)
/* Low-level HTTP API */
OSSL_HTTP_REQ_CTX *OSSL_HTTP_REQ_CTX_new(BIO *wbio, BIO *rbio, int buf_size);
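Review bot: OSSL_HTTP_DEFAULT_MAX_CRL_LEN becomes part of the public header alongside the two existing limits, yet none of the three say what they bound or in which unit, and the companion documentation in the first commit spells the values out as "100 kB" and "32 MB" literals that will drift if these macros change. Add one comment above the group, `/* Default upper bounds, in bytes, on an HTTP response line / body; see OSSL_HTTP_get() and X509_CRL_load_http() */`, and consider naming the macros in X509_load_http.pod instead of the numbers. The extra space after `#` on the two re-indented lines appears to be purely formatting and matches the neighbouring defines.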