github.com/mono/boringssl.git
author David Benjamin <davidben@chromium.org> 2015-10-31 00:50:57 +0300
committer Adam Langley <agl@google.com> 2015-11-07 01:31:48 +0300
commit 788be4a3f47cea5fcb86abf59321c729057830ed (patch)
tree 5e2d1f3071cf2cae5bb9f8307dd9bb0ed7ce6085
parent 5d5e39f5d28f89d74a91cc2b1d6ef3b38c23fdc6 (diff)
Remove the hard-coded SHA-1 exception for sigalgs.

This is completely a no-op as currently tls12_get_psigalgs always returns a hardcoded list which always includes SHA-1. But if this were to be made configurable in the future, we should reject SHA-1 when configured to do so.

Change-Id: I7ab188eeff850d1e5f70b9522304812bab2d941a
Reviewed-on: https://boringssl-review.googlesource.com/6411
Reviewed-by: Adam Langley <agl@google.com>
-rw-r--r-- ssl/t1_lib.c 3
1 files changed, 1 insertions, 2 deletions
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 881a15a7..301d49a1 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -697,8 +697,7 @@ int tls12_check_peer_sigalg(const EVP_MD **out_md, int *out_alert, SSL *s,
}
}
- /* Allow fallback to SHA-1. */
- if (i == sent_sigslen && hash != TLSEXT_hash_sha1) {
+ if (i == sent_sigslen) {
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);
*out_alert = SSL_AD_ILLEGAL_PARAMETER;
return 0;
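
Review bot: The check at `if (i == sent_sigslen)` loses its only comment, and nothing in the code now records why SHA-1 needs no special case: per the commit message, that holds only while tls12_get_psigalgs returns a hardcoded list that includes SHA-1. Consider a one-line comment above the check stating that a peer signature algorithm absent from the sent list is rejected with SSL_R_WRONG_SIGNATURE_TYPE, and, if the list is later made configurable, a test confirming that a SHA-1 signature is refused with the illegal_parameter alert when SHA-1 is left out of the list.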