diff options
| author | Kurt Roeckx <kurt@roeckx.be> | 2015-04-18 12:50:25 +0200 |
|---|---|---|
| committer | Kurt Roeckx <kurt@roeckx.be> | 2015-05-20 22:19:34 +0200 |
| commit | 2d8e705b2a68a6dfe620f781c55e8230a0cb2dfb (patch) | |
| tree | a49fa90026109a5f734d4200c51acda596c11970 | |
| parent | f4d1fb776955187a35c3ee36d4413871917c3138 (diff) | |
Correctly check for export size limit
40 bit ciphers are limited to 512 bit RSA, 56 bit ciphers to 1024 bit.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit ac38115c1a4fb61c66c2a8cd2a9800751828d328)
| -rw-r--r-- | crypto/evp/evp.h | 1 | ||||
| -rw-r--r-- | crypto/x509/x509type.c | 3 | ||||
| -rw-r--r-- | ssl/s3_clnt.c | 5 |
3 files changed, 4 insertions, 5 deletions
diff --git a/crypto/evp/evp.h b/crypto/evp/evp.h index 4891133dae..1d705cd5de 100644 --- a/crypto/evp/evp.h +++ b/crypto/evp/evp.h @@ -103,7 +103,6 @@ # define EVP_PKS_RSA 0x0100 # define EVP_PKS_DSA 0x0200 # define EVP_PKS_EC 0x0400 -# define EVP_PKT_EXP 0x1000 /* <= 512 bit key */ # define EVP_PKEY_NONE NID_undef # define EVP_PKEY_RSA NID_rsaEncryption diff --git a/crypto/x509/x509type.c b/crypto/x509/x509type.c index 033175257a..9219f753bf 100644 --- a/crypto/x509/x509type.c +++ b/crypto/x509/x509type.c @@ -121,9 +121,6 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey) } } - /* /8 because it's 1024 bits we look for, not bytes */ - if (EVP_PKEY_size(pk) <= 1024 / 8) - ret |= EVP_PKT_EXP; if (pkey == NULL) EVP_PKEY_free(pk); return (ret); diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index c25e077288..98c7b9e3f0 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -3398,6 +3398,7 @@ int ssl3_check_cert_and_algorithm(SSL *s) int i, idx; long alg_k, alg_a; EVP_PKEY *pkey = NULL; + int pkey_bits; SESS_CERT *sc; #ifndef OPENSSL_NO_RSA RSA *rsa; @@ -3447,6 +3448,7 @@ int ssl3_check_cert_and_algorithm(SSL *s) } #endif pkey = X509_get_pubkey(sc->peer_pkeys[idx].x509); + pkey_bits = EVP_PKEY_bits(pkey); i = X509_certificate_type(sc->peer_pkeys[idx].x509, pkey); EVP_PKEY_free(pkey); @@ -3511,7 +3513,8 @@ int ssl3_check_cert_and_algorithm(SSL *s) } #endif /* !OPENSSL_NO_DH */ - if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i, EVP_PKT_EXP)) { + if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && + pkey_bits > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) { #ifndef OPENSSL_NO_RSA if (alg_k & SSL_kRSA) { if (rsa == NULL |