author | Philip Guenther <guenther@cvs.openbsd.org> | 2014-07-28 04:23:13 +0000 |
---|---|---|
committer | Philip Guenther <guenther@cvs.openbsd.org> | 2014-07-28 04:23:13 +0000 |
commit | 908f1b0be0b918b0bcee8f79fb20082ddf0f101d (patch) | |
tree | 9d50de2845b1ff2f687ecebf616f920e38031d8d /lib/libssl/s3_srvr.c | |
parent | 3b4a36e739050f0743e25b9457ac7c2064c00743 (diff) |
The RSA, DH, and ECDH temporary key callbacks expect the number of keybits
for the key (expressed in RSA key bits, which makes *no sense* for ECDH) as
their second argument, not zero.
(jsing@ notes that the RSA callback is only invoked for 'export' ciphers,
which have been removed from LibreSSL, and for the SSL_OP_EPHEMERAL_RSA
option, which makes the application non-compliant. More fuel for the
tedu fire...)
jasper@ noted the breakage and bisected it down to the diff that broke this
ok jsing@ miod@
Diffstat (limited to 'lib/libssl/s3_srvr.c')
-rw-r--r-- | lib/libssl/s3_srvr.c | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/lib/libssl/s3_srvr.c b/lib/libssl/s3_srvr.c
index 8d47a16b559..ed2aaf19b52 100644
--- a/lib/libssl/s3_srvr.c
+++ b/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.78 2014/07/12 22:33:39 jsing Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.79 2014/07/28 04:23:12 guenther Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1395,7 +1395,8 @@ ssl3_send_server_key_exchange(SSL *s)
 if (type & SSL_kRSA) {
 rsa = cert->rsa_tmp;
 if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) {
- rsa = s->cert->rsa_tmp_cb(s, 0, 0);
+ rsa = s->cert->rsa_tmp_cb(s, 0,
+ SSL_C_PKEYLENGTH(s->s3->tmp.new_cipher));
 if (rsa == NULL) {
 al = SSL_AD_HANDSHAKE_FAILURE;
 SSLerr(
@@ -1419,7 +1420,8 @@ ssl3_send_server_key_exchange(SSL *s)
 if (type & SSL_kDHE) {
 dhp = cert->dh_tmp;
 if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL))
- dhp = s->cert->dh_tmp_cb(s, 0, 0);
+ dhp = s->cert->dh_tmp_cb(s, 0,
+ SSL_C_PKEYLENGTH(s->s3->tmp.new_cipher));
 if (dhp == NULL) {
 al = SSL_AD_HANDSHAKE_FAILURE;
 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
@@ -1468,7 +1470,8 @@ ssl3_send_server_key_exchange(SSL *s)
 ecdhp = cert->ecdh_tmp;
 if (ecdhp == NULL && s->cert->ecdh_tmp_cb != NULL)
- ecdhp = s->cert->ecdh_tmp_cb(s, 0, 0);
+ ecdhp = s->cert->ecdh_tmp_cb(s, 0,
+ SSL_C_PKEYLENGTH(s->s3->tmp.new_cipher));
 if (ecdhp == NULL) {
 al = SSL_AD_HANDSHAKE_FAILURE;
 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, |
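Review bot: The third argument now passed to `rsa_tmp_cb`, `dh_tmp_cb` and `ecdh_tmp_cb` is a key size expressed in RSA bits, and nothing at the three call sites says so or says how a callback should treat it. For the ECDH call in particular the number does not map to a curve size, as the commit message itself concedes, so a callback that sizes its key from it may pick something unintended. I would add a comment above the first call and refer to it from the other two, for example `/* keylength is a hint in RSA-equivalent bits; callbacks should enforce their own minimum strength */`. The definition of `SSL_C_PKEYLENGTH` is not visible in these hunks; if it yields a fixed or legacy-sized value, a DH callback that honours it would hand back weak ephemeral parameters, so that is worth confirming. The body of `ssl3_send_server_key_exchange` starts and ends outside the hunks.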