Use SHA256 for ticket HMAC if possible.

3 files changed, 8 insertions, 3 deletions

diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 1246cd227f..17ee4da35e 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -2792,7 +2792,7 @@ int ssl3_send_newsession_ticket(SSL *s)
 
 		HMAC_CTX_init(&hctx);
 		HMAC_Init_ex(&hctx, s->ctx->tlsext_tick_hmac_key, 16,
-				EVP_sha1(), NULL);
+				tlsext_tick_md(), NULL);
 		HMAC_Update(&hctx, macstart, p - macstart);
 		HMAC_Final(&hctx, p, &hlen);
 		HMAC_CTX_cleanup(&hctx);
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index e6990dc2a1..5bed3974ce 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -987,6 +987,11 @@ int ssl_prepare_clienthello_tlsext(SSL *s);
 int ssl_prepare_serverhello_tlsext(SSL *s);
 int ssl_check_clienthello_tlsext(SSL *s);
 int ssl_check_serverhello_tlsext(SSL *s);
+#ifdef OPENSSL_NO_SHA256
+#define tlsext_tick_md	EVP_sha1
+#else
+#define tlsext_tick_md	EVP_sha256
+#endif
 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
 				const unsigned char *limit, SSL_SESSION **ret);
 #endif
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 232ab4ea57..b5eab2cb68 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -985,7 +985,7 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
 	/* Attempt to process session ticket, first conduct sanity and
  	 * integrity checks on ticket.
  	 */
-	mlen = EVP_MD_size(EVP_sha1());
+	mlen = EVP_MD_size(tlsext_tick_md());
 	eticklen -= mlen;
 	/* Need at least keyname + iv + some encrypted data */
 	if (eticklen < 48)
@@ -996,7 +996,7 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
 	/* Check HMAC of encrypted ticket */
 	HMAC_CTX_init(&hctx);
 	HMAC_Init_ex(&hctx, s->ctx->tlsext_tick_hmac_key, 16,
-				EVP_sha1(), NULL);
+				tlsext_tick_md(), NULL);
 	HMAC_Update(&hctx, etick, eticklen);
 	HMAC_Final(&hctx, tick_hmac, NULL);
 	HMAC_CTX_cleanup(&hctx);