Merge branch 'sign-spurious-message' into 'master'

pubkey: avoid spurious audit messages from _gnutls_pubkey_compatible_with_sig()

See merge request gnutls/gnutls!1301

1 files changed, 7 insertions, 4 deletions

diff --git a/lib/pubkey.c b/lib/pubkey.c
index de95a04c37..6f9d54f119 100644
--- a/lib/pubkey.c
+++ b/lib/pubkey.c
@@ -2092,10 +2092,16 @@ int _gnutls_pubkey_compatible_with_sig(gnutls_session_t session,
 	unsigned int sig_hash_size;
 	const mac_entry_st *me;
 	const gnutls_sign_entry_st *se;
+	int ret;
 
 	se = _gnutls_sign_to_entry(sign);
-	if (se == NULL && _gnutls_version_has_selectable_sighash(ver))
+	if (se != NULL) {
+		ret = pubkey_supports_sig(pubkey, se);
+		if (ret < 0)
+			return gnutls_assert_val(ret);
+	} else if (_gnutls_version_has_selectable_sighash(ver)) {
 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+	}
 
 	if (pubkey->params.algo == GNUTLS_PK_DSA) {
 		me = _gnutls_dsa_q_to_hash(&pubkey->params, &hash_size);
@@ -2158,9 +2164,6 @@ int _gnutls_pubkey_compatible_with_sig(gnutls_session_t session,
 		}
 	}
 
-	if (se != NULL)
-		return pubkey_supports_sig(pubkey, se);
-
 	return 0;
 }