[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

Matt Caswell matt at openssl.org
Fri May 22 23:04:34 UTC 2015 

The branch OpenSSL_1_0_2-stable has been updated
       via  e4731f76e2dc2a36e62522a4ec115880ba7dfc1f (commit)
       via  595487ea1978d65ca8db7b1c4990fc8c4f781399 (commit)
      from  c6eb1cbd1e2afbf0e0e9170cb9b5df1ff25bfd14 (commit)


- Log -----------------------------------------------------------------
commit e4731f76e2dc2a36e62522a4ec115880ba7dfc1f
Author: Matt Caswell <matt at openssl.org>
Date:   Fri May 22 13:48:49 2015 +0100

    Fix typo setting up certificate masks
    
    The certificate masks are used to select which ciphersuite we are going to
    use. The variables |emask_k| and |emask_a| relate to export grade key
    exchange and authentication respecitively. The variables |mask_k| and
    |mask_a| are the equivalent versions for non-export grade. This fixes an
    instance where the two usages of export/non-export were mixed up. In
    practice it makes little difference since it still works!
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (cherry picked from commit fdfe8b06ae97da3bc3a77aa3db00f8e0445f3c70)

commit 595487ea1978d65ca8db7b1c4990fc8c4f781399
Author: Matt Caswell <matt at openssl.org>
Date:   Fri May 22 13:33:19 2015 +0100

    Remove export static DH ciphersuites
    
    Remove support for the two export grade static DH ciphersuites. These two
    ciphersuites were newly added (along with a number of other static DH
    ciphersuites) to 1.0.2. However the two export ones have *never* worked
    since they were introduced. It seems strange in any case to be adding new
    export ciphersuites, and given "logjam" it also does not seem correct to
    fix them.
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (cherry picked from commit 13f8eb4730b9fc039e743870f81e5ff54b3d05b8)
    
    Conflicts:
    	CHANGES

-----------------------------------------------------------------------

Summary of changes:
 CHANGES              | 8 ++++++++
 doc/apps/ciphers.pod | 2 --
 ssl/s3_lib.c         | 4 ++--
 ssl/ssl_lib.c        | 2 +-
 4 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/CHANGES b/CHANGES
index 0fedee6..c65ce82 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,14 @@
 
  Changes between 1.0.2a and 1.0.2b [xx XXX xxxx]
 
+  *) Removed support for the two export grade static DH ciphersuites
+     EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. These two ciphersuites
+     were newly added (along with a number of other static DH ciphersuites) to
+     1.0.2. However the two export ones have *never* worked since they were
+     introduced. It seems strange in any case to be adding new export
+     ciphersuites, and given "logjam" it also does not seem correct to fix them.
+     [Matt Caswell]
+
   *) Only support 256-bit or stronger elliptic curves with the
      'ecdh_auto' setting (server) or by default (client). Of supported
      curves, prefer P-256 (both).
diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod
index e9280bc..1c26e3b 100644
--- a/doc/apps/ciphers.pod
+++ b/doc/apps/ciphers.pod
@@ -365,10 +365,8 @@ e.g. DES-CBC3-SHA. In these cases, RSA authentication is used.
  SSL_RSA_WITH_DES_CBC_SHA                DES-CBC-SHA
  SSL_RSA_WITH_3DES_EDE_CBC_SHA           DES-CBC3-SHA
 
- SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA    EXP-DH-DSS-DES-CBC-SHA
  SSL_DH_DSS_WITH_DES_CBC_SHA             DH-DSS-DES-CBC-SHA
  SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA        DH-DSS-DES-CBC3-SHA
- SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA    EXP-DH-RSA-DES-CBC-SHA
  SSL_DH_RSA_WITH_DES_CBC_SHA             DH-RSA-DES-CBC-SHA
  SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA        DH-RSA-DES-CBC3-SHA
  SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA   EXP-EDH-DSS-DES-CBC-SHA
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 28129f6..5db349a 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -330,7 +330,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
 /* The DH ciphers */
 /* Cipher 0B */
     {
-     1,
+     0,
      SSL3_TXT_DH_DSS_DES_40_CBC_SHA,
      SSL3_CK_DH_DSS_DES_40_CBC_SHA,
      SSL_kDHd,
@@ -378,7 +378,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
 
 /* Cipher 0E */
     {
-     1,
+     0,
      SSL3_TXT_DH_RSA_DES_40_CBC_SHA,
      SSL3_CK_DH_RSA_DES_40_CBC_SHA,
      SSL_kDHr,
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index b60fe1a..c0931e7 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2330,7 +2330,7 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
     if (dh_dsa_export)
         emask_k |= SSL_kDHd;
 
-    if (emask_k & (SSL_kDHr | SSL_kDHd))
+    if (mask_k & (SSL_kDHr | SSL_kDHd))
         mask_a |= SSL_aDH;
 
     if (rsa_enc || rsa_sign) {

More information about the openssl-commits mailing list