]> git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
Restrict the signature algorithms we advertize to SHA1 and SHA256.
authorNikos Mavrogiannopoulos <nmav@gnutls.org>
Mon, 28 Feb 2011 16:29:56 +0000 (17:29 +0100)
committerNikos Mavrogiannopoulos <nmav@gnutls.org>
Mon, 28 Feb 2011 16:30:43 +0000 (17:30 +0100)
lib/ext_signature.c

index 35178292e1455bee67ce61f26a8878d91458fe10..a6a456d9de6e892dd2eb4151e0401ede775c9e81 100644 (file)
@@ -73,7 +73,7 @@ _gnutls_sign_algorithm_write_params (gnutls_session_t session, opaque * data,
                                      size_t max_data_size)
 {
   opaque *p = data, *len_p;
-  int len, i, j;
+  int len, i, j, hash;
   const sign_algorithm_st *aid;
 
   if (max_data_size < (session->internals.priorities.sign_algo.algorithms*2) + 2)
@@ -89,6 +89,13 @@ _gnutls_sign_algorithm_write_params (gnutls_session_t session, opaque * data,
 
   for (i = j = 0; j < session->internals.priorities.sign_algo.algorithms; i += 2, j++)
     {
+      /* In gnutls we keep a state of SHA1 and SHA256 and thus cannot
+       * use anything else.
+       */
+      hash = _gnutls_sign_get_hash_algorithm(session->internals.priorities.sign_algo.priority[j]);
+      if (hash != GNUTLS_DIG_SHA1 && hash != GNUTLS_DIG_SHA256)
+        continue;
+      
       aid =
         _gnutls_sign_to_tls_aid (session->internals.priorities.
                                  sign_algo.priority[j]);