author | Dr. Stephen Henson <steve@openssl.org> | 2013-10-15 14:15:54 +0100 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2013-10-20 12:23:27 +0100 |
commit | 5e1ff664f95ab4c9176b3e86b5111e5777bad61a (patch) | |
tree | 93b97c06403ab4d335092b92a5839ae83b37f9ec /ssl/t1_lib.c | |
parent | 833a896681b3287e5ab9c01f4f0234691f4076a8 (diff) | |
Don't use RSA+MD5 with TLS 1.2
Since the TLS 1.2 supported signature algorithms extension is less
sophisticated in OpenSSL 1.0.1, this has to be done in two stages.
RSA+MD5 is removed from the supported signature algorithms extension:
any compliant implementation should never use RSA+MD5 as a result.
To cover the case of a broken implementation using RSA+MD5 anyway,
disable lookup of the MD5 algorithm in TLS 1.2.
Diffstat (limited to 'ssl/t1_lib.c')
-rw-r--r-- | ssl/t1_lib.c | 16 |
1 files changed, 0 insertions, 16 deletions
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index f93216d454..33afdeba33 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -342,19 +342,11 @@ static unsigned char tls12_sigalgs[] = {
 #ifndef OPENSSL_NO_SHA
 tlsext_sigalg(TLSEXT_hash_sha1)
 #endif
-#ifndef OPENSSL_NO_MD5
- tlsext_sigalg_rsa(TLSEXT_hash_md5)
-#endif
 };

 int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
 {
 size_t slen = sizeof(tls12_sigalgs);
-#ifdef OPENSSL_FIPS
- /* If FIPS mode don't include MD5 which is last */
- if (FIPS_mode())
- slen -= 2;
-#endif
 if (p)
 memcpy(p, tls12_sigalgs, slen);
 return (int)slen;
@@ -2452,14 +2444,6 @@ const EVP_MD *tls12_get_hash(unsigned char hash_alg)
 {
 switch(hash_alg)
 {
-#ifndef OPENSSL_NO_MD5
- case TLSEXT_hash_md5:
-#ifdef OPENSSL_FIPS
- if (FIPS_mode())
- return NULL;
-#endif
- return EVP_md5();
-#endif
 #ifndef OPENSSL_NO_SHA
 case TLSEXT_hash_sha1:
 return EVP_sha1(); |