- if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
- pkey_bits > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) {
-#ifndef OPENSSL_NO_RSA
- if (alg_k & SSL_kRSA) {
- if (rsa == NULL) {
- SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
- SSL_R_MISSING_EXPORT_TMP_RSA_KEY);
- goto f_err;
- } else if (RSA_bits(rsa) >
- SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) {
- /* We have a temporary RSA key but it's too large. */
- al = SSL_AD_EXPORT_RESTRICTION;
- SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
- SSL_R_MISSING_EXPORT_TMP_RSA_KEY);
- goto f_err;
- }
- } else
-#endif
-#ifndef OPENSSL_NO_DH
- if (alg_k & SSL_kDHE) {
- if (DH_bits(dh) >
- SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) {
- /* We have a temporary DH key but it's too large. */
- al = SSL_AD_EXPORT_RESTRICTION;
- SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
- SSL_R_MISSING_EXPORT_TMP_DH_KEY);
- goto f_err;
- }
- } else if (alg_k & (SSL_kDHr | SSL_kDHd)) {
- /* The cert should have had an export DH key. */
- al = SSL_AD_EXPORT_RESTRICTION;
- SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
- SSL_R_MISSING_EXPORT_TMP_DH_KEY);
- goto f_err;
- } else
-#endif
- {
- SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
- SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
- goto f_err;
- }
- }