Correctly check for export size limit

author Kurt Roeckx <kurt@roeckx.be>

Sat, 18 Apr 2015 10:50:25 +0000 (12:50 +0200)

committer Kurt Roeckx <kurt@roeckx.be>

Wed, 20 May 2015 20:18:44 +0000 (22:18 +0200)
author Kurt Roeckx <kurt@roeckx.be>
Sat, 18 Apr 2015 10:50:25 +0000 (12:50 +0200)
committer Kurt Roeckx <kurt@roeckx.be>
Wed, 20 May 2015 20:18:44 +0000 (22:18 +0200)
diff --git a/crypto/x509/x509type.c b/crypto/x509/x509type.c

index bc93697a2d4783abafe155b049d81b7f663b53b4..97e5babab1d1c8666f2734b9b4ba356adf21a0ea 100644 (file)
--- a/crypto/x509/x509type.c
+++ b/crypto/x509/x509type.c
@@ -121,9 +121,6 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey)
          }
      }
  
          }
      }
  
-    /* /8 because it's 1024 bits we look for, not bytes */
-    if (EVP_PKEY_size(pk) <= 1024 / 8)
-        ret |= EVP_PKT_EXP;
      if (pkey == NULL)
          EVP_PKEY_free(pk);
      return (ret);
      if (pkey == NULL)
          EVP_PKEY_free(pk);
      return (ret);
diff --git a/include/openssl/evp.h b/include/openssl/evp.h

index 2af823f236873d3a1b07d74cc0a01b43568c8e93..d5af5ed1929c1687c5180745aad8d8a5d4ba920e 100644 (file)
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -94,7 +94,6 @@
  # define EVP_PKS_RSA     0x0100
  # define EVP_PKS_DSA     0x0200
  # define EVP_PKS_EC      0x0400
  # define EVP_PKS_RSA     0x0100
  # define EVP_PKS_DSA     0x0200
  # define EVP_PKS_EC      0x0400
-# define EVP_PKT_EXP     0x1000 /* <= 512 bit key */
  
  # define EVP_PKEY_NONE   NID_undef
  # define EVP_PKEY_RSA    NID_rsaEncryption
  
  # define EVP_PKEY_NONE   NID_undef
  # define EVP_PKEY_RSA    NID_rsaEncryption
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c

index 46f9909830ca3a0c3d583fe3ccd7792d5ccebdbc..4977e9c5a1cc2ea1ef5ba6b720d9170bb309cf21 100644 (file)
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -3324,6 +3324,7 @@ int ssl3_check_cert_and_algorithm(SSL *s)
      int i, idx;
      long alg_k, alg_a;
      EVP_PKEY *pkey = NULL;
      int i, idx;
      long alg_k, alg_a;
      EVP_PKEY *pkey = NULL;
+    int pkey_bits;
      SESS_CERT *sc;
  #ifndef OPENSSL_NO_RSA
      RSA *rsa;
      SESS_CERT *sc;
  #ifndef OPENSSL_NO_RSA
      RSA *rsa;
@@ -3373,6 +3374,7 @@ int ssl3_check_cert_and_algorithm(SSL *s)
      }
  #endif
      pkey = X509_get_pubkey(sc->peer_pkeys[idx].x509);
      }
  #endif
      pkey = X509_get_pubkey(sc->peer_pkeys[idx].x509);
+    pkey_bits = EVP_PKEY_bits(pkey);
      i = X509_certificate_type(sc->peer_pkeys[idx].x509, pkey);
      EVP_PKEY_free(pkey);
  
      i = X509_certificate_type(sc->peer_pkeys[idx].x509, pkey);
      EVP_PKEY_free(pkey);
  
@@ -3418,7 +3420,8 @@ int ssl3_check_cert_and_algorithm(SSL *s)
  # endif
  #endif
  
  # endif
  #endif
  
-    if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i, EVP_PKT_EXP)) {
+    if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
+        pkey_bits > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) {
  #ifndef OPENSSL_NO_RSA
          if (alg_k & SSL_kRSA) {
              if (rsa == NULL
  #ifndef OPENSSL_NO_RSA
          if (alg_k & SSL_kRSA) {
              if (rsa == NULL
author	Kurt Roeckx <kurt@roeckx.be>
	Sat, 18 Apr 2015 10:50:25 +0000 (12:50 +0200)
committer	Kurt Roeckx <kurt@roeckx.be>
	Wed, 20 May 2015 20:18:44 +0000 (22:18 +0200)
crypto/x509/x509type.c		patch \| blob \| history
include/openssl/evp.h		patch \| blob \| history
ssl/s3_clnt.c		patch \| blob \| history