-rw-r--r-- | lib/pubkey.c | 6 | ||||
-rw-r--r-- | tests/sign-verify-data-newapi.c | 13 | ||||
-rw-r--r-- | tests/sign-verify-newapi.c | 17 |
3 files changed, 23 insertions, 13 deletions
diff --git a/lib/pubkey.c b/lib/pubkey.c index f1a0302fca..2dfe5d56ec 100644 --- a/lib/pubkey.c +++ b/lib/pubkey.c @@ -1678,8 +1678,6 @@ gnutls_pubkey_import_dsa_raw(gnutls_pubkey_t key, } -#define OLD_PUBKEY_VERIFY_FLAG_TLS1_RSA 1 - /* Updates the gnutls_x509_spki_st parameters based on the signature * information, and reports any incompatibilities between the existing * parameters (if any) with the signature algorithm */ @@ -1758,7 +1756,7 @@ gnutls_pubkey_verify_data2(gnutls_pubkey_t pubkey, return GNUTLS_E_INVALID_REQUEST; } - if (flags & OLD_PUBKEY_VERIFY_FLAG_TLS1_RSA || flags & GNUTLS_VERIFY_USE_TLS1_RSA) + if (flags & GNUTLS_VERIFY_USE_TLS1_RSA) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); memcpy(¶ms, &pubkey->params.spki, sizeof(gnutls_x509_spki_st)); @@ -1830,7 +1828,7 @@ gnutls_pubkey_verify_hash2(gnutls_pubkey_t key, memcpy(¶ms, &key->params.spki, sizeof(gnutls_x509_spki_st)); - if (flags & OLD_PUBKEY_VERIFY_FLAG_TLS1_RSA || flags & GNUTLS_VERIFY_USE_TLS1_RSA) { + if (flags & GNUTLS_VERIFY_USE_TLS1_RSA) { if (!GNUTLS_PK_IS_RSA(key->params.algo)) return gnutls_assert_val(GNUTLS_E_INCOMPATIBLE_SIG_WITH_KEY); params.pk = GNUTLS_PK_RSA; diff --git a/tests/sign-verify-data-newapi.c b/tests/sign-verify-data-newapi.c index 5bc3f3088b..eca18974ee 100644 --- a/tests/sign-verify-data-newapi.c +++ b/tests/sign-verify-data-newapi.c @@ -15,9 +15,9 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * General Public License for more details. * - * You should have received a copy of the GNU General Public License - * along with GnuTLS; if not, write to the Free Software Foundation, - * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <https://www.gnu.org/licenses/> + * */ #ifdef HAVE_CONFIG_H 
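Review bot: With the `OLD_PUBKEY_VERIFY_FLAG_TLS1_RSA` alias gone, a caller that still passes the literal value 1 to gnutls_pubkey_verify_hash2 no longer reaches the `params.pk = GNUTLS_PK_RSA` branch and gets ordinary verification with no diagnostic; gnutls_pubkey_verify_data2 likewise now accepts that bit instead of returning GNUTLS_E_INVALID_REQUEST. This presumably fails closed (a raw TLS 1.x RSA signature would simply not verify), but neither flag check explains why bit 0 is deliberately excluded, so the alias could be reintroduced later. I would add a comment above both checks, e.g. `/* only GNUTLS_VERIFY_USE_TLS1_RSA selects TLS 1.x RSA; the value 1 appears to be GNUTLS_VERIFY_DISABLE_CA_SIGN and must not be treated as that flag (issue #754) */`, and mention the behaviour change in the function documentation. Both function bodies start and end outside their hunks.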
@@ -126,6 +126,13 @@ void doit(void) if (ret < 0) testfail("gnutls_x509_pubkey_verify_data2\n"); + /* Test functionality of GNUTLS_VERIFY_DISABLE_CA_SIGN flag (see issue #754) */ + ret = + gnutls_pubkey_verify_data2(pubkey, tests[i].sigalgo, GNUTLS_VERIFY_DISABLE_CA_SIGN, &raw_data, + &signature); + if (ret < 0) + testfail("gnutls_x509_pubkey_verify_data2\n"); + /* should fail */ ret = gnutls_pubkey_verify_data2(pubkey, tests[i].sigalgo, 0, diff --git a/tests/sign-verify-newapi.c b/tests/sign-verify-newapi.c index 47ac3d983d..aa284006aa 100644 --- a/tests/sign-verify-newapi.c +++ b/tests/sign-verify-newapi.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2004-2012 Free Software Foundation, Inc. - * Copyright (C) 2017 Red Hat, Inc. + * Copyright (C) 2017-2019 Red Hat, Inc. * * Author: Nikos Mavrogiannopoulos, Simon Josefsson * @@ -16,13 +16,11 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * General Public License for more details. * - * You should have received a copy of the GNU General Public License - * along with GnuTLS; if not, write to the Free Software Foundation, - * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <https://www.gnu.org/licenses/> + * */ -/* Parts copied from GnuTLS example programs. */ - #ifdef HAVE_CONFIG_H #include <config.h> #endif @@ -172,6 +170,13 @@ void doit(void) if (ret < 0) testfail("gnutls_x509_pubkey_verify_hash2\n"); + /* Test functionality of GNUTLS_VERIFY_DISABLE_CA_SIGN (see issue #754) */ + ret = + gnutls_pubkey_verify_hash2(pubkey, tests[i].sigalgo, GNUTLS_VERIFY_DISABLE_CA_SIGN, hash_data, + &signature); + if (ret < 0) + testfail("gnutls_x509_pubkey_verify_hash2 with GNUTLS_VERIFY_DISABLE_CA_SIGN\n"); + ret = gnutls_pubkey_verify_hash2(pubkey, tests[i].sigalgo, GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1, hash_data, &signature2); |
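Review bot: The added GNUTLS_VERIFY_DISABLE_CA_SIGN checks cover only the accepting path, so nothing here shows that a bad signature is still rejected when the flag is set; the same gap exists in the gnutls_pubkey_verify_hash2 test added to tests/sign-verify-newapi.c. For a verification API the rejecting path is the one that matters, so I would repeat the existing "should fail" call in each test with `GNUTLS_VERIFY_DISABLE_CA_SIGN` in place of `0` and expect a negative return. In tests/sign-verify-data-newapi.c the new failure message is also identical to that of the preceding check, which makes a regression hard to attribute; `testfail("gnutls_x509_pubkey_verify_data2 with GNUTLS_VERIFY_DISABLE_CA_SIGN\n");` would match the wording used in the other file. The body of doit() continues outside both hunks.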