don't allow other NSEC3 hash algorithms other than SHA1 (for now)
authorMatthijs Mekking <matje@NLnetLabs.nl>
Thu, 10 Feb 2011 10:36:24 +0000 (10:36 +0000)
committerMatthijs Mekking <matje@NLnetLabs.nl>
Thu, 10 Feb 2011 10:36:24 +0000 (10:36 +0000)
dnssec.c

index fdd1a5089c67d21d32934284623473f7b39319d9..04d83b620b8211d06de464b430dbc996dc3239bb 100644 (file)
--- a/dnssec.c
+++ b/dnssec.c
@@ -968,6 +968,11 @@ ldns_nsec3_hash_name(ldns_rdf *name,
        unsigned char hash[LDNS_SHA1_DIGEST_LENGTH];
        ldns_status status;
 
+       /* TODO: mnemonic list for hash algs SHA-1, default to 1 now (sha1) */
+       if (algorithm != LDNS_SHA1) {
+               return NULL;
+        }
+
        /* prepare the owner name according to the draft section bla */
        cann = ldns_rdf_clone(name);
        if(!cann) {
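Review bot: The TODO comment moved above `if (algorithm != LDNS_SHA1)` still says "default to 1 now", but the new code no longer defaults: any other algorithm value returns NULL. I would reword it to say what the check enforces, for example `/* only NSEC3 hash algorithm 1 (SHA-1) is implemented; refuse others instead of hashing them as SHA-1 */`, and state in the function's doc comment that NULL can also mean "unsupported hash algorithm". The `!cann` branch just below appears to return NULL as well, so a caller cannot tell an unknown algorithm from an allocation failure; validation code that calls this should check for NULL and treat the NSEC3 record as unusable rather than dereference the result. The body of ldns_nsec3_hash_name starts and ends outside this hunk, so the callers and the remaining return paths are not visible here.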
@@ -976,9 +981,6 @@ ldns_nsec3_hash_name(ldns_rdf *name,
        }
        ldns_dname2canonical(cann);
 
-       /* TODO: mnemonic list for hash algs SHA-1, default to 1 now (sha1) */
-       algorithm = algorithm;
-
        hashed_owner_str_len = salt_length + ldns_rdf_size(cann);
        hashed_owner_str = LDNS_XMALLOC(unsigned char, hashed_owner_str_len);
         if(!hashed_owner_str) {