From: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date: Tue, 17 Oct 2017 06:32:09 +0000 (+0200)
Subject: select_sign_algorithm: check KX type only on pre-TLS1.3
X-Git-Tag: gnutls_3_6_3~264
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e4e81da862e90920f70cfb4a5cd49883a6848452;p=thirdparty%2Fgnutls.git

select_sign_algorithm: check KX type only on pre-TLS1.3

That, when selecting a certificate under TLS1.3, considers
the negotiated signature algorithms for compatibility with the
certificate to be selected.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
---

diff --git a/lib/auth/cert.c b/lib/auth/cert.c
index a82a43d3b4..9b9cd39c3c 100644
--- a/lib/auth/cert.c
+++ b/lib/auth/cert.c
@@ -1254,7 +1254,7 @@ int select_sign_algorithm(gnutls_session_t session,
 	gnutls_sign_algorithm_t algo;
 	const version_entry_st *ver = get_version(session);
 
-	if (_gnutls_kx_encipher_type(cs->kx_algorithm) != CIPHER_SIGN)
+	if (!ver->tls13_sem && _gnutls_kx_encipher_type(cs->kx_algorithm) != CIPHER_SIGN)
 		return 0;
 
 	if (!_gnutls_version_has_selectable_sighash(ver)) {