From: Nikos Mavrogiannopoulos Date: Mon, 28 Feb 2011 16:29:56 +0000 (+0100) Subject: Restrict the signature algorithms we advertize to SHA1 and SHA256. X-Git-Tag: gnutls_2_99_0~164 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d4e5ced875ea07d7542bbceba1ea3636849f9b83;p=thirdparty%2Fgnutls.git Restrict the signature algorithms we advertize to SHA1 and SHA256. --- diff --git a/lib/ext_signature.c b/lib/ext_signature.c index 35178292e1..a6a456d9de 100644 --- a/lib/ext_signature.c +++ b/lib/ext_signature.c @@ -73,7 +73,7 @@ _gnutls_sign_algorithm_write_params (gnutls_session_t session, opaque * data, size_t max_data_size) { opaque *p = data, *len_p; - int len, i, j; + int len, i, j, hash; const sign_algorithm_st *aid; if (max_data_size < (session->internals.priorities.sign_algo.algorithms*2) + 2) @@ -89,6 +89,13 @@ _gnutls_sign_algorithm_write_params (gnutls_session_t session, opaque * data, for (i = j = 0; j < session->internals.priorities.sign_algo.algorithms; i += 2, j++) { + /* In gnutls we keep a state of SHA1 and SHA256 and thus cannot + * use anything else. + */ + hash = _gnutls_sign_get_hash_algorithm(session->internals.priorities.sign_algo.priority[j]); + if (hash != GNUTLS_DIG_SHA1 && hash != GNUTLS_DIG_SHA256) + continue; + aid = _gnutls_sign_to_tls_aid (session->internals.priorities. sign_algo.priority[j]);