diff options
author | David Benjamin <davidben@chromium.org> | 2015-10-31 00:50:57 +0300 |
---|---|---|
committer | Adam Langley <agl@google.com> | 2015-11-07 01:31:48 +0300 |
commit | 788be4a3f47cea5fcb86abf59321c729057830ed (patch) | |
tree | 5e2d1f3071cf2cae5bb9f8307dd9bb0ed7ce6085 | |
parent | 5d5e39f5d28f89d74a91cc2b1d6ef3b38c23fdc6 (diff) |
Remove the hard-coded SHA-1 exception for sigalgs.
This is completely a no-op as currently tls12_get_psigalgs always returns a
hardcoded list which always includes SHA-1. But if this were to be made
configurable in the future, we should reject SHA-1 when configured to do so.
Change-Id: I7ab188eeff850d1e5f70b9522304812bab2d941a
Reviewed-on: https://boringssl-review.googlesource.com/6411
Reviewed-by: Adam Langley <agl@google.com>
-rw-r--r-- | ssl/t1_lib.c | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 881a15a7..301d49a1 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -697,8 +697,7 @@ int tls12_check_peer_sigalg(const EVP_MD **out_md, int *out_alert, SSL *s, } } - /* Allow fallback to SHA-1. */ - if (i == sent_sigslen && hash != TLSEXT_hash_sha1) { + if (i == sent_sigslen) { OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE); *out_alert = SSL_AD_ILLEGAL_PARAMETER; return 0; |