generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Correctly check for export size limit

Browse Source 
40 bit ciphers are limited to 512 bit RSA, 56 bit ciphers to 1024 bit.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit ac38115c1a)
This commit is contained in:
Kurt Roeckx
2015-04-18 12:50:25 +02:00
parent 63830384e9
commit 3b509e8cdc
3 changed files with 4 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
ssl/s3_clnt.c
View File

@@ -3228,6 +3228,7 @@ int ssl3_check_cert_and_algorithm(SSL *s)
int i, idx;
long alg_k, alg_a;
EVP_PKEY *pkey = NULL;
int pkey_bits;
SESS_CERT *sc;
#ifndef OPENSSL_NO_RSA
RSA *rsa;
@@ -3270,6 +3271,7 @@ int ssl3_check_cert_and_algorithm(SSL *s)
}
#endif
pkey = X509_get_pubkey(sc->peer_pkeys[idx].x509);
pkey_bits = EVP_PKEY_bits(pkey);
i = X509_certificate_type(sc->peer_pkeys[idx].x509, pkey);
EVP_PKEY_free(pkey);
@@ -3323,7 +3325,8 @@ int ssl3_check_cert_and_algorithm(SSL *s)
}
#endif /* !OPENSSL_NO_DH */
if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i, EVP_PKT_EXP)) {
if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
pkey_bits > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) {
#ifndef OPENSSL_NO_RSA
if (alg_k & SSL_kRSA) {
if (rsa == NULL