]> git.ipfire.org Git - thirdparty/strongswan.git/blobdiff - src/libtls/tls_crypto.c
projects / thirdparty / strongswan.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
tls-crypto: Filter signature schemes when signing and selecting private keys
[thirdparty/strongswan.git] / src / libtls / tls_crypto.c
diff --git a/src/libtls/tls_crypto.c b/src/libtls/tls_crypto.c
index 04fc8201ac0fa95bb0ead7ded04f8e199cf813cc..91a6f446d9c36174ad895b0dc2d317f91c6d7abe 100644 (file)
--- a/src/libtls/tls_crypto.c
+++ b/src/libtls/tls_crypto.c
@@ -1869,7 +1869,8 @@ METHOD(tls_crypto_t, sign, bool,
                                 */
                                if (params && (scheme == hashsig_scheme ||
                                   (!scheme &&
-                                   type == key_type_from_signature_scheme(params->scheme))))
+                                   type == key_type_from_signature_scheme(params->scheme) &&
+                                   filter_signature_scheme_config(hashsig_scheme))))
                                {
                                    if (key->sign(key, params->scheme, params->params, data, &sig))
                                        {
@@ -2711,7 +2712,8 @@ static enumerator_t *get_supported_key_types(tls_version_t min_version,
        for (i = 0; i < countof(schemes); i++)
        {
                if (schemes[i].min_version <= max_version &&
-                       schemes[i].max_version >= min_version)
+                       schemes[i].max_version >= min_version &&
+                       filter_signature_scheme_config(schemes[i].sig))
                {
                        lookup = key_type_from_signature_scheme(schemes[i].params.scheme);
                        if (!ht->get(ht, &lookup))
Unnamed repository; edit this file 'description' to name the repository.