Correctly check for export size limit (3b509e8c) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

crypto/evp/evp.h

+0 −1

Original line number	Diff line number	Diff line
		@@ -103,7 +103,6 @@
		# define EVP_PKS_RSA 0x0100
		# define EVP_PKS_DSA 0x0200
		# define EVP_PKS_EC 0x0400
		# define EVP_PKT_EXP 0x1000 /* <= 512 bit key */

		# define EVP_PKEY_NONE NID_undef
		# define EVP_PKEY_RSA NID_rsaEncryption

+0 −3

Original line number	Diff line number	Diff line
		@@ -121,9 +121,6 @@ int X509_certificate_type(X509 x, EVP_PKEY pkey)
		}
		}

		/* /8 because it's 1024 bits we look for, not bytes */
		if (EVP_PKEY_size(pk) <= 1024 / 8)
		ret \|= EVP_PKT_EXP;
		if (pkey == NULL)
		EVP_PKEY_free(pk);
		return (ret);

+4 −1

Original line number	Diff line number	Diff line
		@@ -3228,6 +3228,7 @@ int ssl3_check_cert_and_algorithm(SSL *s)
		int i, idx;
		long alg_k, alg_a;
		EVP_PKEY *pkey = NULL;
		int pkey_bits;
		SESS_CERT *sc;
		#ifndef OPENSSL_NO_RSA
		RSA *rsa;
		@@ -3270,6 +3271,7 @@ int ssl3_check_cert_and_algorithm(SSL *s)
		}
		#endif
		pkey = X509_get_pubkey(sc->peer_pkeys[idx].x509);
		pkey_bits = EVP_PKEY_bits(pkey);
		i = X509_certificate_type(sc->peer_pkeys[idx].x509, pkey);
		EVP_PKEY_free(pkey);

		@@ -3323,7 +3325,8 @@ int ssl3_check_cert_and_algorithm(SSL *s)
		}
		#endif /* !OPENSSL_NO_DH */

		if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i, EVP_PKT_EXP)) {
		if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
		pkey_bits > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) {
		#ifndef OPENSSL_NO_RSA
		if (alg_k & SSL_kRSA) {
		if (rsa == NULL