Only accept known public key algorithms in the GNUTLS_PRIVKEY_EXT private keys

The reason is that this API, assumes very low level primitives which
are not available for the newer RSA-PSS private keys.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

1 files changed, 8 insertions, 0 deletions

diff --git a/lib/privkey.c b/lib/privkey.c
index 1010cdff7a..c5d466dde6 100644
--- a/lib/privkey.c
+++ b/lib/privkey.c
@@ -689,6 +689,10 @@ gnutls_privkey_import_ext(gnutls_privkey_t pkey,
 					  decrypt_func, NULL, flags);
 }
 
+#define CHECK_EXT_PK(pk) \
+	if (pk != GNUTLS_PK_RSA && pk != GNUTLS_PK_ECDSA && pk != GNUTLS_PK_DSA) \
+		return gnutls_assert_val(GNUTLS_E_CERTIFICATE_ERROR)
+
 /**
  * gnutls_privkey_import_ext2:
  * @pkey: The private key
@@ -733,6 +737,8 @@ gnutls_privkey_import_ext2(gnutls_privkey_t pkey,
 		return ret;
 	}
 
+	CHECK_EXT_PK(pk);
+
 	if (sign_fn == NULL && decrypt_fn == NULL)
 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
 
@@ -813,6 +819,8 @@ gnutls_privkey_import_ext3(gnutls_privkey_t pkey,
 
 	pkey->pk_algorithm = pkey->key.ext.info_func(pkey, GNUTLS_PRIVKEY_INFO_PK_ALGO, pkey->key.ext.userdata);
 
+	CHECK_EXT_PK(pkey->pk_algorithm);
+
 	/* Ensure gnutls_privkey_deinit() calls the deinit_func */
 	if (deinit_fn)
 		pkey->flags |= GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE;