From: Dr. Stephen Henson <steve@openssl.org>
Date: Sat, 5 Apr 2014 12:39:35 +0000 (+0100)
Subject: For more than 160 bits of security disable SHA1 HMAC
X-Git-Tag: master-pre-reformat~824
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f8dd55bb5b1ed9fe7e1a3974329fdb4adbd786de;p=thirdparty%2Fopenssl.git

For more than 160 bits of security disable SHA1 HMAC
---

diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index d56b2c5dd58..385d25f3f11 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -1411,6 +1411,9 @@ static int ssl_security_default_callback(SSL *s, SSL_CTX *ctx, int op, int bits,
 		/* No MD5 mac ciphersuites */
 		if (c->algorithm_mac & SSL_MD5)
 			return 0;
+		/* SHA1 HMAC is 160 bits of security */
+		if (minbits > 160 && c->algorithm_mac & SSL_SHA1)
+			return 0;
 		/* Level 2: no RC4 */
 		if (level >= 2 && c->algorithm_enc == SSL_RC4)
 			return 0;