From 2f28a301dcda092626833b58ba95ebc2187bebb6 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date: Thu, 21 Mar 2013 16:46:30 +0100
Subject: correct issue with the (deprecated) external key signing and TLS 1.2

---
 NEWS             | 3 +++
 lib/gnutls_sig.c | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index 9cd4ab5de2..d3a8dcd713 100644
--- a/NEWS
+++ b/NEWS
@@ -15,6 +15,9 @@ modules, and not only the ones loaded via p11-kit.
 
 ** libgnutls: Load CA certificates in android 4.x systems.
 
+** libgnutls: Corrected issue in the (deprecated) external key
+signing interface, when used with TLS 1.2. Reported by Bjorn H. Christensen.
+
 ** libgnutls: PKCS #11 slots are scanned only when needed, not
 on initialization. This speeds up gnutls initialization when smart
 cards are present.
diff --git a/lib/gnutls_sig.c b/lib/gnutls_sig.c
index c6a0f166c3..b9a26bfc0f 100644
--- a/lib/gnutls_sig.c
+++ b/lib/gnutls_sig.c
@@ -244,7 +244,7 @@ sign_tls_hash (gnutls_session_t session, gnutls_digest_algorithm_t hash_algo,
               if (ret < 0)
                 return gnutls_assert_val(ret);
               
-              ret = pk_prepare_hash (gnutls_privkey_get_pk_algorithm(pkey, NULL), hash_algo, &digest);
+              ret = pk_prepare_hash (gnutls_pubkey_get_pk_algorithm(cert->pubkey, NULL), hash_algo, &digest);
               if (ret < 0)
                 {
                   gnutls_assert ();
-- 
cgit v1.2.1