authorNikos Mavrogiannopoulos <nmav@gnutls.org>2011-02-28 17:29:56 +0100
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2011-02-28 17:29:56 +0100
commitcd50caff722fe17454770446bd5aaef59f3d50d7 (patch)
tree7318962692f3ad8aad40fef5e58106fecac0bc54
parent3b717f9be88799d139dce2c7800f8d49cdf086d9 (diff)
Restrict the signature algorithms we advertize to SHA1 and SHA256.
-rw-r--r--lib/ext_signature.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/lib/ext_signature.c b/lib/ext_signature.c
index 4b5f4e27bd..5e62f5c599 100644
--- a/lib/ext_signature.c
+++ b/lib/ext_signature.c
@@ -73,7 +73,7 @@ _gnutls_sign_algorithm_write_params (gnutls_session_t session, opaque * data,
size_t max_data_size)
{
opaque *p = data, *len_p;
- int len, i, j;
+ int len, i, j, hash;
const sign_algorithm_st *aid;
if (max_data_size < (session->internals.priorities.sign_algo.algorithms*2) + 2)
@@ -89,6 +89,13 @@ _gnutls_sign_algorithm_write_params (gnutls_session_t session, opaque * data,
for (i = j = 0; j < session->internals.priorities.sign_algo.algorithms; i += 2, j++)
{
+ /* In gnutls we keep a state of SHA1 and SHA256 and thus cannot
+ * use anything else.
+ */
+ hash = _gnutls_sign_get_hash_algorithm(session->internals.priorities.sign_algo.priority[j]);
+ if (hash != GNUTLS_DIG_SHA1 && hash != GNUTLS_DIG_SHA256)
+ continue;
+
aid =
_gnutls_sign_to_tls_aid (session->internals.priorities.
sign_algo.priority[j]);
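Review bot: The added `continue` drops every configured signature algorithm whose hash is not SHA1 or SHA256 without any trace, and if the priority list holds only such algorithms nothing is left to advertise. What gets written in that case depends on the remainder of the loop and the length write-out, which are outside this hunk; it is worth checking there, since TLS 1.2 defines supported_signature_algorithms with at least one entry. A debug line before the `continue`, for example `_gnutls_debug_log ("EXT[SIGA]: not advertising signature algo %d\n", (int) session->internals.priorities.sign_algo.priority[j]);`, would show an administrator why part of the configured priorities is ignored (the `if` then needs braces). Since this hunk only narrows what is advertised, it should also be confirmed that the code accepting the peer's signature rejects hashes outside the same set.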