Diffstat (limited to 'src/pki_crypto.c')
-rw-r--r--src/pki_crypto.c26
1 files changed, 24 insertions, 2 deletions
diff --git a/src/pki_crypto.c b/src/pki_crypto.c
index 25507f83..0949bd96 100644
--- a/src/pki_crypto.c
+++ b/src/pki_crypto.c
@@ -583,9 +583,13 @@ int pki_key_generate_ecdsa(ssh_key key, int parameter) {
key->type = SSH_KEYTYPE_ECDSA_P521;
break;
case 256:
- default:
key->ecdsa_nid = NID_X9_62_prime256v1;
key->type = SSH_KEYTYPE_ECDSA_P256;
+ break;
+ default:
+ SSH_LOG(SSH_LOG_WARN, "Invalid parameter %d for ECDSA key "
+ "generation", parameter);
+ return SSH_ERROR;
}
key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid);
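Review bot: The new `default:` branch returns `SSH_ERROR` for every size without its own case, where the old code silently produced a P-256 key, so a caller that passed an unspecified value to get a default curve will now fail. Whether such callers exist cannot be seen from this hunk. The function's header comment should record the contract, for example `/* parameter: curve size in bits; unsupported values are rejected with SSH_ERROR */`. The body of `pki_key_generate_ecdsa` starts and ends outside the hunk.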
@@ -1922,6 +1926,12 @@ int pki_signature_verify(ssh_session session,
return SSH_ERROR;
}
+ /* Check if public key and hash type are compatible */
+ rc = pki_key_check_hash_compatible(key, sig->hash_type);
+ if (rc != SSH_OK) {
+ return SSH_ERROR;
+ }
+
/* For ed25519 keys, verify using the input directly */
if (key->type == SSH_KEYTYPE_ED25519 ||
key->type == SSH_KEYTYPE_ED25519_CERT01)
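Review bot: When the added compatibility check fails, this call site returns a bare `SSH_ERROR` that a log reader cannot tell apart from any other verification failure. The hash type is read from `sig`, which on the verify path presumably reflects what the peer sent, so a mismatch is worth recording for detection. Unless `pki_key_check_hash_compatible` already logs (its body is not shown), add `SSH_LOG(SSH_LOG_WARN, "Hash type %d not allowed for key type %d", sig->hash_type, key->type);` before the return. The same applies to the identical check added in `pki_verify_data_signature`. Both functions extend beyond their hunks.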
@@ -1957,9 +1967,9 @@ static const EVP_MD *pki_digest_to_md(enum ssh_digest_e hash_type)
md = EVP_sha512();
break;
case SSH_DIGEST_SHA1:
- case SSH_DIGEST_AUTO:
md = EVP_sha1();
break;
+ case SSH_DIGEST_AUTO:
default:
SSH_LOG(SSH_LOG_TRACE, "Unknown hash algorithm for type: %d",
hash_type);
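Review bot: `SSH_DIGEST_AUTO` now shares the `default:` branch, so it is reported as "Unknown hash algorithm" at trace level, which misdescribes a known value that is simply not resolvable in this function. A short comment above the label would record the intent, e.g. `/* AUTO must be resolved by the caller; never map it to SHA-1 implicitly */`. It is also worth confirming that every caller resolves AUTO before calling `pki_digest_to_md`, since the rest of the branch and the callers are outside the hunk.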
@@ -2063,6 +2073,12 @@ ssh_signature pki_sign_data(const ssh_key privkey,
return NULL;
}
+ /* Check if public key and hash type are compatible */
+ rc = pki_key_check_hash_compatible(privkey, hash_type);
+ if (rc != SSH_OK) {
+ return NULL;
+ }
+
/* Set hash algorithm to be used */
md = pki_digest_to_md(hash_type);
if (md == NULL) {
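Review bot: The added comment says "public key", but the value passed to `pki_key_check_hash_compatible` in this function is `privkey`; the comment appears to be copied from the verify paths. Suggest `/* Check if private key and hash type are compatible */`. `rc` is assumed to be declared earlier in `pki_sign_data`, whose body starts and ends outside the hunk.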
@@ -2187,6 +2203,12 @@ int pki_verify_data_signature(ssh_signature signature,
return SSH_ERROR;
}
+ /* Check if public key and hash type are compatible */
+ rc = pki_key_check_hash_compatible(pubkey, signature->hash_type);
+ if (rc != SSH_OK) {
+ return SSH_ERROR;
+ }
+
/* Get the signature to be verified */
raw_sig_data = ssh_string_data(signature->raw_sig);
raw_sig_len = ssh_string_len(signature->raw_sig);