devtls: reject SHA2_256 mac for SSL, but TLS is fine

sha256 is only defined for TLS1.2, however, technically, theres no reason not to use it in TLS1.0/TLS1.1. the choice is up to tlshand and pushtls, not the kernel.
author: cinap_lenrek <cinap_lenrek@felloff.net> 2015-10-28 17:09:22 +0100
committer: cinap_lenrek <cinap_lenrek@felloff.net> 2015-10-28 17:09:22 +0100
commit: cd3053a3cc2e1dd751efc17a0e23b4d5a2b62341 (patch)
tree: 21640c05953b17e2233401d1b8c4cf465b72c175 /sys/src/9
parent: 93d63dc1f3fc6d70b338c3d60ca00b21faa85eff (diff)
1 files changed, 2 insertions, 5 deletions
diff --git a/sys/src/9/port/devtls.c b/sys/src/9/port/devtls.c
index 57835d339..e2a806164 100644
--- a/sys/src/9/port/devtls.c
+++ b/sys/src/9/port/devtls.c
@@ -1421,12 +1421,9 @@ initsha1key(Hashalg *ha, int version, Secret *s, uchar *p)
 static void
 initsha2_256key(Hashalg *ha, int version, Secret *s, uchar *p)
 {
+	if(version == SSL3Version)
+		error("sha256 cannot be used with SSL");
 	s->maclen = ha->maclen;
-
-	/* only TLS 1.2 has SHA256. */
-	if(version != TLS12Version)
-		error("sha256 is TLS 1.2 only");
-
 	s->mac = hmac_sha2_256;
 	memmove(s->mackey, p, ha->maclen);
 }
author	cinap_lenrek <cinap_lenrek@felloff.net>	2015-10-28 17:09:22 +0100
committer	cinap_lenrek <cinap_lenrek@felloff.net>	2015-10-28 17:09:22 +0100
commit	cd3053a3cc2e1dd751efc17a0e23b4d5a2b62341 (patch)
tree	21640c05953b17e2233401d1b8c4cf465b72c175 /sys/src/9
parent	93d63dc1f3fc6d70b338c3d60ca00b21faa85eff (diff)