From: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date: Thu, 25 May 2017 09:13:23 +0000 (+0200)
Subject: ext/signature: accept compatible algorithms with PK
X-Git-Tag: gnutls_3_6_0~531
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0569802b35fc97fbd02a76e8e2ce1ac663a3f2cd;p=thirdparty%2Fgnutls.git

ext/signature: accept compatible algorithms with PK

That is instead of using a 1-1 mapping of signature algorithms
to public key algorithms, use gnutls_sign_supports_pk_algorithm()
to determine whether algorithms match. That way we can allow
GNUTLS_SIGN_RSA_PSS_SHA256 under GNUTLS_PK_RSA and GNUTLS_PK_RSA_PSS
keys.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
---

diff --git a/lib/ext/signature.c b/lib/ext/signature.c
index e5f1874fd0..e546dccb67 100644
--- a/lib/ext/signature.c
+++ b/lib/ext/signature.c
@@ -299,8 +299,7 @@ _gnutls_session_get_sign_algo(gnutls_session_t session,
 	}
 
 	for (i = 0; i < priv->sign_algorithms_size; i++) {
-		if (gnutls_sign_get_pk_algorithm(priv->sign_algorithms[i])
-		    == cert_algo) {
+		if (gnutls_sign_supports_pk_algorithm(priv->sign_algorithms[i], cert_algo) != 0) {
 			if (_gnutls_pubkey_compatible_with_sig
 			    (session, cert->pubkey, ver,
 			     priv->sign_algorithms[i]) < 0)