[openssl-commits] [openssl] master update

Matt Caswell matt at openssl.org
Fri May 22 23:04:15 UTC 2015 

The branch master has been updated
       via  fdfe8b06ae97da3bc3a77aa3db00f8e0445f3c70 (commit)
       via  13f8eb4730b9fc039e743870f81e5ff54b3d05b8 (commit)
      from  efee575ad464bfb60bf72dcb73f9b51768f4b1a1 (commit)


- Log -----------------------------------------------------------------
commit fdfe8b06ae97da3bc3a77aa3db00f8e0445f3c70
Author: Matt Caswell <matt at openssl.org>
Date:   Fri May 22 13:48:49 2015 +0100

    Fix typo setting up certificate masks
    
    The certificate masks are used to select which ciphersuite we are going to
    use. The variables |emask_k| and |emask_a| relate to export grade key
    exchange and authentication respecitively. The variables |mask_k| and
    |mask_a| are the equivalent versions for non-export grade. This fixes an
    instance where the two usages of export/non-export were mixed up. In
    practice it makes little difference since it still works!
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit 13f8eb4730b9fc039e743870f81e5ff54b3d05b8
Author: Matt Caswell <matt at openssl.org>
Date:   Fri May 22 13:33:19 2015 +0100

    Remove export static DH ciphersuites
    
    Remove support for the two export grade static DH ciphersuites. These two
    ciphersuites were newly added (along with a number of other static DH
    ciphersuites) to 1.0.2. However the two export ones have *never* worked
    since they were introduced. It seems strange in any case to be adding new
    export ciphersuites, and given "logjam" it also does not seem correct to
    fix them.
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 CHANGES              | 8 ++++++++
 doc/apps/ciphers.pod | 2 --
 ssl/s3_lib.c         | 4 ++--
 ssl/ssl_lib.c        | 2 +-
 4 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/CHANGES b/CHANGES
index e1e0721..6016151 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,14 @@
      not well tested). Therefore the OPENSSL_NO_TLSEXT option has been removed.
      [Matt Caswell]
 
+  *) Removed support for the two export grade static DH ciphersuites
+     EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. These two ciphersuites
+     were newly added (along with a number of other static DH ciphersuites) to
+     1.0.2. However the two export ones have *never* worked since they were
+     introduced. It seems strange in any case to be adding new export
+     ciphersuites, and given "logjam" it also does not seem correct to fix them.
+     [Matt Caswell]
+
   *) Version negotiation has been rewritten. In particular SSLv23_method(),
      SSLv23_client_method() and SSLv23_server_method() have been deprecated,
      and turned into macros which simply call the new preferred function names
diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod
index 84d8260..c2d40ac 100644
--- a/doc/apps/ciphers.pod
+++ b/doc/apps/ciphers.pod
@@ -365,10 +365,8 @@ e.g. DES-CBC3-SHA. In these cases, RSA authentication is used.
  SSL_RSA_WITH_DES_CBC_SHA                DES-CBC-SHA
  SSL_RSA_WITH_3DES_EDE_CBC_SHA           DES-CBC3-SHA
 
- SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA    EXP-DH-DSS-DES-CBC-SHA
  SSL_DH_DSS_WITH_DES_CBC_SHA             DH-DSS-DES-CBC-SHA
  SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA        DH-DSS-DES-CBC3-SHA
- SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA    EXP-DH-RSA-DES-CBC-SHA
  SSL_DH_RSA_WITH_DES_CBC_SHA             DH-RSA-DES-CBC-SHA
  SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA        DH-RSA-DES-CBC3-SHA
  SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA   EXP-DHE-DSS-DES-CBC-SHA
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 3aa9863..efd9683 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -330,7 +330,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
 /* The DH ciphers */
 /* Cipher 0B */
     {
-     1,
+     0,
      SSL3_TXT_DH_DSS_DES_40_CBC_SHA,
      SSL3_CK_DH_DSS_DES_40_CBC_SHA,
      SSL_kDHd,
@@ -378,7 +378,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
 
 /* Cipher 0E */
     {
-     1,
+     0,
      SSL3_TXT_DH_RSA_DES_40_CBC_SHA,
      SSL3_CK_DH_RSA_DES_40_CBC_SHA,
      SSL_kDHr,
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 3952b6b..5ca9171 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2024,7 +2024,7 @@ void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher)
     if (dh_dsa_export)
         emask_k |= SSL_kDHd;
 
-    if (emask_k & (SSL_kDHr | SSL_kDHd))
+    if (mask_k & (SSL_kDHr | SSL_kDHd))
         mask_a |= SSL_aDH;
 
     if (rsa_enc || rsa_sign) {

More information about the openssl-commits mailing list