From 5ffe695c3cc624bde2fc88ecb72483ada2b4aa06 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Mon, 26 Nov 2018 15:27:53 +0100
Subject: [PATCH] pki: Sanity-check signature matches base key type
Signed-off-by: Jakub Jelen
Reviewed-by: Andreas Schneider
(cherry picked from commit c79c33e22431065e2ec2f8e5dfcbada9d849cfe8)
---
 src/pki.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/pki.c b/src/pki.c
index 05e99399..19c77339 100644
--- a/src/pki.c
+++ b/src/pki.c
@@ -1928,6 +1928,12 @@ int ssh_pki_signature_verify(ssh_session session,
 "Going to verify a %s type signature",
 sig->type_c);
+ if (key->type != sig->type) {
+ SSH_LOG(SSH_LOG_WARN,
+ "Can not verify %s signature with %s key",
+ sig->type_c, key->type_c);
+ return SSH_ERROR;
+ }
 if (key->type == SSH_KEYTYPE_ECDSA) {
 #if HAVE_ECC