authorKurt Roeckx <kurt@roeckx.be>2015-04-18 12:50:25 +0200
committerKurt Roeckx <kurt@roeckx.be>2015-05-20 22:23:28 +0200
commit3b509e8cdc5ca6f42fd66a1325c9d0d23a4103c6 (patch)
tree69a1741715487a321166c8bde1f0fa7abe04dfc2
parent63830384e90d9b36d2793d4891501ec024827433 (diff)
Correctly check for export size limit
40 bit ciphers are limited to 512 bit RSA, 56 bit ciphers to 1024 bit. Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit ac38115c1a4fb61c66c2a8cd2a9800751828d328)
-rw-r--r--crypto/evp/evp.h1
-rw-r--r--crypto/x509/x509type.c3
-rw-r--r--ssl/s3_clnt.c5
3 files changed, 4 insertions, 5 deletions
diff --git a/crypto/evp/evp.h b/crypto/evp/evp.h
index 01bdeebfbc..6cf98acc0b 100644
--- a/crypto/evp/evp.h
+++ b/crypto/evp/evp.h
@@ -103,7 +103,6 @@
# define EVP_PKS_RSA 0x0100
# define EVP_PKS_DSA 0x0200
# define EVP_PKS_EC 0x0400
-# define EVP_PKT_EXP 0x1000 /* <= 512 bit key */
# define EVP_PKEY_NONE NID_undef
# define EVP_PKEY_RSA NID_rsaEncryption
diff --git a/crypto/x509/x509type.c b/crypto/x509/x509type.c
index 033175257a..9219f753bf 100644
--- a/crypto/x509/x509type.c
+++ b/crypto/x509/x509type.c
@@ -121,9 +121,6 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey)
}
}
- /* /8 because it's 1024 bits we look for, not bytes */
- if (EVP_PKEY_size(pk) <= 1024 / 8)
- ret |= EVP_PKT_EXP;
if (pkey == NULL)
EVP_PKEY_free(pk);
return (ret);
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 780a03f1e6..012905b046 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -3228,6 +3228,7 @@ int ssl3_check_cert_and_algorithm(SSL *s)
int i, idx;
long alg_k, alg_a;
EVP_PKEY *pkey = NULL;
+ int pkey_bits;
SESS_CERT *sc;
#ifndef OPENSSL_NO_RSA
RSA *rsa;
@@ -3270,6 +3271,7 @@ int ssl3_check_cert_and_algorithm(SSL *s)
}
#endif
pkey = X509_get_pubkey(sc->peer_pkeys[idx].x509);
+ pkey_bits = EVP_PKEY_bits(pkey);
i = X509_certificate_type(sc->peer_pkeys[idx].x509, pkey);
EVP_PKEY_free(pkey);
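Review bot: The added `pkey_bits = EVP_PKEY_bits(pkey);` reads the size from the result of `X509_get_pubkey()` with no NULL check visible in this hunk. If the peer key cannot be decoded, `pkey_bits` would presumably be 0, and the export-limit comparison added in the later hunk (`pkey_bits > SSL_C_EXPORT_PKEYLENGTH(...)`) would then treat the certificate as within the limit, so the size check fails open. I would send a NULL key to the function's existing failure path before the size is read, for example `if (pkey == NULL) goto err;`, with the label matched to whatever error path the function already uses. The function body starts and ends outside the hunk, so an earlier check may exist that is not visible here.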
@@ -3323,7 +3325,8 @@ int ssl3_check_cert_and_algorithm(SSL *s)
}
#endif /* !OPENSSL_NO_DH */
- if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i, EVP_PKT_EXP)) {
+ if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
+ pkey_bits > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) {
#ifndef OPENSSL_NO_RSA
if (alg_k & SSL_kRSA) {
if (rsa == NULL
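Review bot: The rewritten condition `pkey_bits > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)` has no comment saying which limits apply, and the removed `EVP_PKT_EXP` define carried the only in-code hint (`<= 512 bit key`). The reasoning now exists only in the commit message. I would add a comment above the `if`, such as `/* Export ciphers: 40 bit ciphers limit the key to 512 bits, 56 bit ciphers to 1024 bits */`, so the next reader does not have to look up the macro to see why the comparison is per-cipher. The body of this `if` continues outside the hunk.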