Fix TLS 1.3 handshake 2095/head
authorRomain Tartière <romain@blogreen.org>
Fri, 17 Apr 2026 00:08:31 +0000 (14:08 -1000)
committerRomain Tartière <romain@blogreen.org>
Fri, 17 Apr 2026 18:55:43 +0000 (08:55 -1000)
Add the signature_algorithms_cert to the list of allowed algorithms if
present, and fallback to the signature_algorithms otherwise.

This better fit [RFC8446 section 4.2.3][1]:

> If no "signature_algorithms_cert" extension is present, then the
> "signature_algorithms" extension also applies to signatures appearing
> in certificates.

This fixes the TLS 1.3 handshake with Java after [JDK-8349583][2].

[1]: https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.3
[2]: https://bugs.openjdk.org/browse/JDK-8349583

Signed-off-by: Romain Tartière <romain@blogreen.org>
lib/tls13/certificate_request.c

index 8a8a1499af0c8c08bbe4619006d2753d307f6ae8..3c298cca72df42c05465bbdd2a20438d487069e1 100644 (file)
@@ -108,15 +108,21 @@ static int parse_cert_extension(void *_ctx, unsigned tls_id,
                        if (se == NULL)
                                continue;
 
+                       gnutls_pk_algorithm_t algo;
+                       if (se->cert_pk != GNUTLS_PK_UNKNOWN)
+                               algo = se->cert_pk;
+                       else
+                               algo = se->pk;
+
                        if (ctx->pk_algos_length >=
                            sizeof(ctx->pk_algos) / sizeof(ctx->pk_algos[0]))
                                break;
 
-                       if (is_algo_in_list(se->pk, ctx->pk_algos,
+                       if (is_algo_in_list(algo, ctx->pk_algos,
                                            ctx->pk_algos_length))
                                continue;
 
-                       ctx->pk_algos[ctx->pk_algos_length++] = se->pk;
+                       ctx->pk_algos[ctx->pk_algos_length++] = algo;
                }
 #ifdef ENABLE_OCSP
        } else if (tls_id == ext_mod_status_request.tls_id) {
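Review bot: The new `cert_pk`-over-`pk` selection at the top of the loop body carries no comment saying why the certificate's key type, rather than the signature's PK, is what belongs in `pk_algos`, and a reader of this loop cannot tell that from the code alone. Presumably `cert_pk` is set only for entries whose signature PK differs from the key type the matching certificate carries, so with this change such an entry now admits certificates keyed with `cert_pk` and the `is_algo_in_list` dedupe below collapses entries that map to the same key type; a comment such as `/* pk_algos drives certificate selection, so record the key type a matching certificate must carry (cert_pk) and fall back to the signature PK only for entries where the two coincide. */` above the declaration would capture that. The enclosing for loop and parse_cert_extension itself begin before the hunk, so which extension's list `se` is drawn from is not visible here; the commit message speaks of a signature_algorithms_cert-to-signature_algorithms fallback, which this per-entry selection does not obviously implement, so the comment should also name the list being walked. The selection could be a single initialisation, `gnutls_pk_algorithm_t algo = se->cert_pk != GNUTLS_PK_UNKNOWN ? se->cert_pk : se->pk;`, keeping the variable initialised where it is declared.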