[openssl-commits] [openssl] OpenSSL_1_0_1-stable update
Kurt Roeckx
kurt at openssl.org
Wed May 20 20:26:39 UTC 2015
The branch OpenSSL_1_0_1-stable has been updated
via 3b509e8cdc5ca6f42fd66a1325c9d0d23a4103c6 (commit)
from 63830384e90d9b36d2793d4891501ec024827433 (commit)
- Log -----------------------------------------------------------------
commit 3b509e8cdc5ca6f42fd66a1325c9d0d23a4103c6
Author: Kurt Roeckx <kurt at roeckx.be>
Date: Sat Apr 18 12:50:25 2015 +0200
Correctly check for export size limit
40 bit ciphers are limited to 512 bit RSA, 56 bit ciphers to 1024 bit.
Reviewed-by: Rich Salz <rsalz at openssl.org>
(cherry picked from commit ac38115c1a4fb61c66c2a8cd2a9800751828d328)
-----------------------------------------------------------------------
Summary of changes:
crypto/evp/evp.h | 1 -
crypto/x509/x509type.c | 3 ---
ssl/s3_clnt.c | 5 ++++-
3 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/crypto/evp/evp.h b/crypto/evp/evp.h
index 01bdeeb..6cf98ac 100644
--- a/crypto/evp/evp.h
+++ b/crypto/evp/evp.h
@@ -103,7 +103,6 @@
# define EVP_PKS_RSA 0x0100
# define EVP_PKS_DSA 0x0200
# define EVP_PKS_EC 0x0400
-# define EVP_PKT_EXP 0x1000 /* <= 512 bit key */
# define EVP_PKEY_NONE NID_undef
# define EVP_PKEY_RSA NID_rsaEncryption
diff --git a/crypto/x509/x509type.c b/crypto/x509/x509type.c
index 0331752..9219f75 100644
--- a/crypto/x509/x509type.c
+++ b/crypto/x509/x509type.c
@@ -121,9 +121,6 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey)
}
}
- /* /8 because it's 1024 bits we look for, not bytes */
- if (EVP_PKEY_size(pk) <= 1024 / 8)
- ret |= EVP_PKT_EXP;
if (pkey == NULL)
EVP_PKEY_free(pk);
return (ret);
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 780a03f..012905b 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -3228,6 +3228,7 @@ int ssl3_check_cert_and_algorithm(SSL *s)
int i, idx;
long alg_k, alg_a;
EVP_PKEY *pkey = NULL;
+ int pkey_bits;
SESS_CERT *sc;
#ifndef OPENSSL_NO_RSA
RSA *rsa;
@@ -3270,6 +3271,7 @@ int ssl3_check_cert_and_algorithm(SSL *s)
}
#endif
pkey = X509_get_pubkey(sc->peer_pkeys[idx].x509);
+ pkey_bits = EVP_PKEY_bits(pkey);
i = X509_certificate_type(sc->peer_pkeys[idx].x509, pkey);
EVP_PKEY_free(pkey);
@@ -3323,7 +3325,8 @@ int ssl3_check_cert_and_algorithm(SSL *s)
}
#endif /* !OPENSSL_NO_DH */
- if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i, EVP_PKT_EXP)) {
+ if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
+ pkey_bits > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) {
#ifndef OPENSSL_NO_RSA
if (alg_k & SSL_kRSA) {
if (rsa == NULL
More information about the openssl-commits
mailing list