From cd3053a3cc2e1dd751efc17a0e23b4d5a2b62341 Mon Sep 17 00:00:00 2001 From: cinap_lenrek Date: Wed, 28 Oct 2015 17:09:22 +0100 Subject: [PATCH] devtls: reject SHA2_256 mac for SSL, but TLS is fine sha256 is only defined for TLS1.2, however, technically, theres no reason not to use it in TLS1.0/TLS1.1. the choice is up to tlshand and pushtls, not the kernel. --- sys/src/9/port/devtls.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/sys/src/9/port/devtls.c b/sys/src/9/port/devtls.c index 57835d339..e2a806164 100644 --- a/sys/src/9/port/devtls.c +++ b/sys/src/9/port/devtls.c @@ -1421,12 +1421,9 @@ initsha1key(Hashalg *ha, int version, Secret *s, uchar *p) static void initsha2_256key(Hashalg *ha, int version, Secret *s, uchar *p) { + if(version == SSL3Version) + error("sha256 cannot be used with SSL"); s->maclen = ha->maclen; - - /* only TLS 1.2 has SHA256. */ - if(version != TLS12Version) - error("sha256 is TLS 1.2 only"); - s->mac = hmac_sha2_256; memmove(s->mackey, p, ha->maclen); }