Stop allowing SHA-224 in TLS 1.2.

Take the mappings for MD5 and SHA-224 values out of the code altogether. This
aligns with the current TLS 1.3 draft.

For MD5, this is a no-op. It is not currently possible to configure accepted
signature algorithms, MD5 wasn't in the hardcoded list, and we already had a
test ensuring we enforced our preferences correctly. MD5 also wasn't in the
default list of hashes our keys could sign and no one overrides it with a
different hash.

For SHA-224, this is not quite a no-op. The hardcoded accepted signature
algorithms list included SHA-224, so this will break servers relying on that.
However, Chrome's metrics have zero data points of servers picking SHA-224 and
no other major browser includes it. Thus that should be safe.

SHA-224 was also in the default list of hashes we are willing to sign. For
client certificates, Chromium's abstractions already did not allow signing
SHA-224, so this is a no-op there. For servers, this will break any clients
which only accept SHA-224. But no major browsers do this and I am not aware of
any client implementation which does such a ridiculous thing.

(SHA-1's still in there. Getting rid of that one is going to take more effort.)

Change-Id: I6a765fdeea9e19348e409d58a0eac770b318e599
Reviewed-on: https://boringssl-review.googlesource.com/7020
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 7a336f1..decf5fc 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -510,7 +510,6 @@
     tlsext_sigalg(TLSEXT_hash_sha512)
     tlsext_sigalg(TLSEXT_hash_sha384)
     tlsext_sigalg(TLSEXT_hash_sha256)
-    tlsext_sigalg(TLSEXT_hash_sha224)
     tlsext_sigalg(TLSEXT_hash_sha1)
 };
 
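Review bot: tlsext_sigalg(TLSEXT_hash_sha1) stays in this hardcoded list without a comment. Since the commit message says removing SHA-1 needs separate work, a short TODO next to that entry would record that it is kept deliberately and is the next candidate for removal.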
@@ -2564,12 +2563,12 @@
   int id;
 } tls12_lookup;
 
-static const tls12_lookup tls12_md[] = {{NID_md5, TLSEXT_hash_md5},
-                                        {NID_sha1, TLSEXT_hash_sha1},
-                                        {NID_sha224, TLSEXT_hash_sha224},
-                                        {NID_sha256, TLSEXT_hash_sha256},
-                                        {NID_sha384, TLSEXT_hash_sha384},
-                                        {NID_sha512, TLSEXT_hash_sha512}};
+static const tls12_lookup tls12_md[] = {
+    {NID_sha1, TLSEXT_hash_sha1},
+    {NID_sha256, TLSEXT_hash_sha256},
+    {NID_sha384, TLSEXT_hash_sha384},
+    {NID_sha512, TLSEXT_hash_sha512},
+};
 
 static const tls12_lookup tls12_sig[] = {{EVP_PKEY_RSA, TLSEXT_signature_rsa},
                                          {EVP_PKEY_EC, TLSEXT_signature_ecdsa}};
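Review bot: the reformatted tls12_md table now uses one entry per line with a trailing comma, while tls12_sig directly below keeps the old packed layout. Consider reformatting tls12_sig the same way here so the two adjacent lookup tables read consistently. Also confirm that the lookup over tls12_md has a defined result for NID_md5 and NID_sha224, which no longer have entries.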
@@ -2603,15 +2602,9 @@
 
 const EVP_MD *tls12_get_hash(uint8_t hash_alg) {
   switch (hash_alg) {
-    case TLSEXT_hash_md5:
-      return EVP_md5();
-
     case TLSEXT_hash_sha1:
       return EVP_sha1();
 
-    case TLSEXT_hash_sha224:
-      return EVP_sha224();
-
     case TLSEXT_hash_sha256:
       return EVP_sha256();
 
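Review bot: with the TLSEXT_hash_md5 and TLSEXT_hash_sha224 cases removed from the switch in tls12_get_hash, those values now take whatever path the switch uses for unrecognised hashes, which is outside this hunk. Please confirm that every caller handles that result for a peer-supplied hash_alg instead of assuming a usable EVP_MD, and consider a comment on the function stating which hash values it accepts.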
@@ -2697,7 +2690,7 @@
   size_t i, j;
 
   static const int kDefaultDigestList[] = {NID_sha256, NID_sha384, NID_sha512,
-                                           NID_sha224, NID_sha1};
+                                           NID_sha1};
 
   const int *digest_nids = kDefaultDigestList;
   size_t num_digest_nids =
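Review bot: kDefaultDigestList has no comment saying that NID_sha224 is deliberately absent, and it now has to stay in step with tls12_md, which no longer maps that NID. A one-line comment above the list stating that every entry needs a tls12_md mapping would keep a later change from re-adding a digest here that the lookup cannot translate.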
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 75f56ce..b74f66b 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -4109,7 +4109,6 @@
 	id   uint8
 }{
 	{"SHA1", hashSHA1},
-	{"SHA224", hashSHA224},
 	{"SHA256", hashSHA256},
 	{"SHA384", hashSHA384},
 	{"SHA512", hashSHA512},
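Review bot: dropping the {"SHA224", hashSHA224} entry removes the positive coverage, but nothing in this hunk adds a negative test. Consider a runner case where the peer offers or picks only SHA-224 and the handshake is expected to fail, so the rejection is enforced by a test and not only by the absence of the table entry.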