Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@
author: jsing <jsing@openbsd.org> 2018-11-19 15:07:29 +0000
committer: jsing <jsing@openbsd.org> 2018-11-19 15:07:29 +0000
commit: 056778451372a8af7059de9c54f4e245000e5171 (patch)
tree: e48d7ebf90389aa21918530f61341b6c79972424 /lib/libssl/ssl_lib.c
parent: Revert previous - the default sigalg for RSA key exchange is {sha1,rsa}. (diff)
download: wireguard-openbsd-056778451372a8af7059de9c54f4e245000e5171.tar.xz
wireguard-openbsd-056778451372a8af7059de9c54f4e245000e5171.zip
1 files changed, 2 insertions, 5 deletions
diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c
index 4ed6a954143..37db478b057 100644
--- a/lib/libssl/ssl_lib.c
+++ b/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.195 2018/11/17 11:22:43 beck Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.196 2018/11/19 15:07:29 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2209,10 +2209,7 @@ ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher, const EVP_MD **pmd,
 	sigalg = c->pkeys[idx].sigalg;
 	if (!SSL_USE_SIGALGS(s)) {
 		if (pkey->type == EVP_PKEY_RSA) {
-			if (SSL_IS_DTLS(s))
-			    sigalg = ssl_sigalg_lookup(SIGALG_RSA_PKCS1_SHA1);
-			else
-			    sigalg = ssl_sigalg_lookup(SIGALG_RSA_PKCS1_MD5_SHA1);
+			sigalg = ssl_sigalg_lookup(SIGALG_RSA_PKCS1_MD5_SHA1);
 		} else if (pkey->type == EVP_PKEY_EC) {
 			sigalg = ssl_sigalg_lookup(SIGALG_ECDSA_SHA1);
 		} else {
author	jsing <jsing@openbsd.org>	2018-11-19 15:07:29 +0000
committer	jsing <jsing@openbsd.org>	2018-11-19 15:07:29 +0000
commit	056778451372a8af7059de9c54f4e245000e5171 (patch)
tree	e48d7ebf90389aa21918530f61341b6c79972424 /lib/libssl/ssl_lib.c
parent	Revert previous - the default sigalg for RSA key exchange is {sha1,rsa}. (diff)
download	wireguard-openbsd-056778451372a8af7059de9c54f4e245000e5171.tar.xz wireguard-openbsd-056778451372a8af7059de9c54f4e245000e5171.zip