From af511c871e54181417990a19f6e8ba054a9557ab Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Wed, 31 May 2017 10:12:31 +0200
Subject: gnutls_pubkey_verify_hash2: do not allow GNUTLS_VERIFY_USE_TLS1_RSA with non-RSA keys

Signed-off-by: Nikos Mavrogiannopoulos
---
 lib/pubkey.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lib/pubkey.c b/lib/pubkey.c
index 67263e831c..feb99a14b7 100644
--- a/lib/pubkey.c
+++ b/lib/pubkey.c
@@ -1709,6 +1709,8 @@ gnutls_pubkey_verify_hash2(gnutls_pubkey_t key,
 	memcpy(¶ms, &key->params.sign, sizeof(gnutls_x509_spki_st));
 
 	if (flags & OLD_PUBKEY_VERIFY_FLAG_TLS1_RSA || flags & GNUTLS_VERIFY_USE_TLS1_RSA) {
+		if (!GNUTLS_PK_IS_RSA(key->pk_algorithm))
+			return gnutls_assert_val(GNUTLS_E_INCOMPATIBLE_SIG_WITH_KEY);
 		params.pk = GNUTLS_PK_RSA;
 		/* we do not check for insecure algorithms with this flag */
 		return _gnutls_pk_verify(params.pk, hash, signature,
-- 
cgit v1.2.1
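Review bot: The new guard in front of `params.pk = GNUTLS_PK_RSA;` should carry a comment saying why it is there, because the line right after it overrides whatever algorithm was copied from `key->params.sign` and the bare two-line check reads as an arbitrary rejection; something like `/* the flag forces the plain RSA verifier below, so refuse it unless the key material is actually RSA */` would make the intent clear to the next reader. If GNUTLS_PK_IS_RSA also matches RSA-PSS keys (its definition is not visible in this hunk), a PSS-restricted key would still be pushed through the forced GNUTLS_PK_RSA path despite its own SPKI restriction, so it is worth confirming whether `key->pk_algorithm == GNUTLS_PK_RSA` is the condition actually wanted here. The body of gnutls_pubkey_verify_hash2 begins and continues outside the hunk, so whether the non-flag path already rejects this key/flag combination cannot be judged from what is shown.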