Remove the hard-coded SHA-1 exception for sigalgs.

This is completely a no-op as currently tls12_get_psigalgs always returns a
hardcoded list which always includes SHA-1. But if this were to be made
configurable in the future, we should reject SHA-1 when configured to do so.

Change-Id: I7ab188eeff850d1e5f70b9522304812bab2d941a
Reviewed-on: https://boringssl-review.googlesource.com/6411
Reviewed-by: Adam Langley <agl@google.com>
David Benjamin 2015-10-30 17:50:57 -04:00 committed by Adam Langley
parent 5d5e39f5d2
commit 788be4a3f4

@ -697,8 +697,7 @@ int tls12_check_peer_sigalg(const EVP_MD **out_md, int *out_alert, SSL *s,
} }
} }
/* Allow fallback to SHA-1. */ if (i == sent_sigslen) {
if (i == sent_sigslen && hash != TLSEXT_hash_sha1) {
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE); OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);
*out_alert = SSL_AD_ILLEGAL_PARAMETER; *out_alert = SSL_AD_ILLEGAL_PARAMETER;
return 0; return 0;
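
Review bot: the new `if (i == sent_sigslen) {` check is left without any comment once `/* Allow fallback to SHA-1. */` is deleted, and nothing visible in this change exercises the path it alters. A one-line comment stating that the peer's signature algorithm was not found in the list we sent, so it is rejected with `SSL_R_WRONG_SIGNATURE_TYPE`, would make the intent clear. The commit message says the change is a no-op today because `tls12_get_psigalgs` always returns a list containing SHA-1, so the SHA-1 rejection cannot be reached yet. If that list becomes configurable, add a test in which SHA-1 is left out and the peer signs with it, expecting `SSL_AD_ILLEGAL_PARAMETER`.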