For more than 160 bits of security disable SHA1 HMAC

commit: f8dd55bb5b1ed9fe7e1a3974329fdb4adbd786de [log] [tgz]
author: Dr. Stephen Henson <steve@openssl.org> Sat Apr 05 13:39:35 2014 +0100
committer: Dr. Stephen Henson <steve@openssl.org> Sat Apr 05 13:39:35 2014 +0100
tree: d30839ff88a1d653f22570007c8918411fd89fc8
parent: b7e46a9bce052d2d5b134bdfe0b5e34c90e000d6 [diff] [blame]
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index d56b2c5..385d25f 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c

@@ -1411,6 +1411,9 @@
 		/* No MD5 mac ciphersuites */
 		if (c->algorithm_mac & SSL_MD5)
 			return 0;
+		/* SHA1 HMAC is 160 bits of security */
+		if (minbits > 160 && c->algorithm_mac & SSL_SHA1)
+			return 0;
 		/* Level 2: no RC4 */
 		if (level >= 2 && c->algorithm_enc == SSL_RC4)
 			return 0;
commit	f8dd55bb5b1ed9fe7e1a3974329fdb4adbd786de	[log] [tgz]
author	Dr. Stephen Henson <steve@openssl.org>	Sat Apr 05 13:39:35 2014 +0100
committer	Dr. Stephen Henson <steve@openssl.org>	Sat Apr 05 13:39:35 2014 +0100
tree	d30839ff88a1d653f22570007c8918411fd89fc8
parent	b7e46a9bce052d2d5b134bdfe0b5e34c90e000d6 [diff] [blame]