Stop allowing SHA-224 in TLS 1.2.
Take the mappings for MD5 and SHA-224 values out of the code altogether. This aligns with the current TLS 1.3 draft. For MD5, this is a no-op. It is not currently possible to configure accepted signature algorithms, MD5 wasn't in the hardcoded list, and we already had a test ensuring we enforced our preferences correctly. MD5 also wasn't in the default list of hashes our keys could sign and no one overrides it with a different hash. For SHA-224, this is not quite a no-op. The hardcoded accepted signature algorithms list included SHA-224, so this will break servers relying on that. However, Chrome's metrics have zero data points of servers picking SHA-224 and no other major browser includes it. Thus that should be safe. SHA-224 was also in the default list of hashes we are willing to sign. For client certificates, Chromium's abstractions already did not allow signing SHA-224, so this is a no-op there. For servers, this will break any clients which only accept SHA-224. But no major browsers do this and I am not aware of any client implementation which does such ridiculous thing. (SHA-1's still in there. Getting rid of that one is going to take more effort.) Change-Id: I6a765fdeea9e19348e409d58a0eac770b318e599 Reviewed-on: https://boringssl-review.googlesource.com/7020 Reviewed-by: Adam Langley <agl@google.com>
This commit is contained in:
parent
5fa8f5bc9a
commit
72f7e21087
15
ssl/t1_lib.c
15
ssl/t1_lib.c
@ -510,7 +510,6 @@ static const uint8_t tls12_sigalgs[] = {
|
|||||||
tlsext_sigalg(TLSEXT_hash_sha512)
|
tlsext_sigalg(TLSEXT_hash_sha512)
|
||||||
tlsext_sigalg(TLSEXT_hash_sha384)
|
tlsext_sigalg(TLSEXT_hash_sha384)
|
||||||
tlsext_sigalg(TLSEXT_hash_sha256)
|
tlsext_sigalg(TLSEXT_hash_sha256)
|
||||||
tlsext_sigalg(TLSEXT_hash_sha224)
|
|
||||||
tlsext_sigalg(TLSEXT_hash_sha1)
|
tlsext_sigalg(TLSEXT_hash_sha1)
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -2564,12 +2563,12 @@ typedef struct {
|
|||||||
int id;
|
int id;
|
||||||
} tls12_lookup;
|
} tls12_lookup;
|
||||||
|
|
||||||
static const tls12_lookup tls12_md[] = {{NID_md5, TLSEXT_hash_md5},
|
static const tls12_lookup tls12_md[] = {
|
||||||
{NID_sha1, TLSEXT_hash_sha1},
|
{NID_sha1, TLSEXT_hash_sha1},
|
||||||
{NID_sha224, TLSEXT_hash_sha224},
|
|
||||||
{NID_sha256, TLSEXT_hash_sha256},
|
{NID_sha256, TLSEXT_hash_sha256},
|
||||||
{NID_sha384, TLSEXT_hash_sha384},
|
{NID_sha384, TLSEXT_hash_sha384},
|
||||||
{NID_sha512, TLSEXT_hash_sha512}};
|
{NID_sha512, TLSEXT_hash_sha512},
|
||||||
|
};
|
||||||
|
|
||||||
static const tls12_lookup tls12_sig[] = {{EVP_PKEY_RSA, TLSEXT_signature_rsa},
|
static const tls12_lookup tls12_sig[] = {{EVP_PKEY_RSA, TLSEXT_signature_rsa},
|
||||||
{EVP_PKEY_EC, TLSEXT_signature_ecdsa}};
|
{EVP_PKEY_EC, TLSEXT_signature_ecdsa}};
|
||||||
@ -2603,15 +2602,9 @@ int tls12_add_sigandhash(SSL *ssl, CBB *out, const EVP_MD *md) {
|
|||||||
|
|
||||||
const EVP_MD *tls12_get_hash(uint8_t hash_alg) {
|
const EVP_MD *tls12_get_hash(uint8_t hash_alg) {
|
||||||
switch (hash_alg) {
|
switch (hash_alg) {
|
||||||
case TLSEXT_hash_md5:
|
|
||||||
return EVP_md5();
|
|
||||||
|
|
||||||
case TLSEXT_hash_sha1:
|
case TLSEXT_hash_sha1:
|
||||||
return EVP_sha1();
|
return EVP_sha1();
|
||||||
|
|
||||||
case TLSEXT_hash_sha224:
|
|
||||||
return EVP_sha224();
|
|
||||||
|
|
||||||
case TLSEXT_hash_sha256:
|
case TLSEXT_hash_sha256:
|
||||||
return EVP_sha256();
|
return EVP_sha256();
|
||||||
|
|
||||||
@ -2697,7 +2690,7 @@ const EVP_MD *tls1_choose_signing_digest(SSL *ssl) {
|
|||||||
size_t i, j;
|
size_t i, j;
|
||||||
|
|
||||||
static const int kDefaultDigestList[] = {NID_sha256, NID_sha384, NID_sha512,
|
static const int kDefaultDigestList[] = {NID_sha256, NID_sha384, NID_sha512,
|
||||||
NID_sha224, NID_sha1};
|
NID_sha1};
|
||||||
|
|
||||||
const int *digest_nids = kDefaultDigestList;
|
const int *digest_nids = kDefaultDigestList;
|
||||||
size_t num_digest_nids =
|
size_t num_digest_nids =
|
||||||
|
@ -4109,7 +4109,6 @@ var testHashes = []struct {
|
|||||||
id uint8
|
id uint8
|
||||||
}{
|
}{
|
||||||
{"SHA1", hashSHA1},
|
{"SHA1", hashSHA1},
|
||||||
{"SHA224", hashSHA224},
|
|
||||||
{"SHA256", hashSHA256},
|
{"SHA256", hashSHA256},
|
||||||
{"SHA384", hashSHA384},
|
{"SHA384", hashSHA384},
|
||||||
{"SHA512", hashSHA512},
|
{"SHA512", hashSHA512},
|
||||||
|
Loading…
Reference in New Issue
Block a user