From 008c1cf31bca12db9b33827b93d14b1b87da7c67 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date: Tue, 30 May 2017 19:54:48 +0200
Subject: Only accept known public key algorithms in the GNUTLS_PRIVKEY_EXT
 private keys

The reason is that this API, assumes very low level primitives which
are not available for the newer RSA-PSS private keys.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
---
 lib/privkey.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/lib/privkey.c b/lib/privkey.c
index 1010cdff7a..c5d466dde6 100644
--- a/lib/privkey.c
+++ b/lib/privkey.c
@@ -689,6 +689,10 @@ gnutls_privkey_import_ext(gnutls_privkey_t pkey,
 					  decrypt_func, NULL, flags);
 }
 
+#define CHECK_EXT_PK(pk) \
+	if (pk != GNUTLS_PK_RSA && pk != GNUTLS_PK_ECDSA && pk != GNUTLS_PK_DSA) \
+		return gnutls_assert_val(GNUTLS_E_CERTIFICATE_ERROR)
+
 /**
  * gnutls_privkey_import_ext2:
  * @pkey: The private key
@@ -733,6 +737,8 @@ gnutls_privkey_import_ext2(gnutls_privkey_t pkey,
 		return ret;
 	}
 
+	CHECK_EXT_PK(pk);
+
 	if (sign_fn == NULL && decrypt_fn == NULL)
 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
 
@@ -813,6 +819,8 @@ gnutls_privkey_import_ext3(gnutls_privkey_t pkey,
 
 	pkey->pk_algorithm = pkey->key.ext.info_func(pkey, GNUTLS_PRIVKEY_INFO_PK_ALGO, pkey->key.ext.userdata);
 
+	CHECK_EXT_PK(pkey->pk_algorithm);
+
 	/* Ensure gnutls_privkey_deinit() calls the deinit_func */
 	if (deinit_fn)
 		pkey->flags |= GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE;
-- 
cgit v1.2.1