select_sign_algorithm: check KX type only on pre-TLS1.3

That, when selecting a certificate under TLS1.3, considers
the negotiated signature algorithms for compatibility with the
certificate to be selected.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

diff --git a/lib/auth/cert.c b/lib/auth/cert.c
index a82a43d3b42498b9c5f53d32173697528395c684..9b9cd39c3ca0babf8eeb435a379252812447d810 100644 (file)
--- a/lib/auth/cert.c
+++ b/lib/auth/cert.c
@@ -1254,7 +1254,7 @@ int select_sign_algorithm(gnutls_session_t session,
        gnutls_sign_algorithm_t algo;
        const version_entry_st *ver = get_version(session);
 
-       if (_gnutls_kx_encipher_type(cs->kx_algorithm) != CIPHER_SIGN)
+       if (!ver->tls13_sem && _gnutls_kx_encipher_type(cs->kx_algorithm) != CIPHER_SIGN)
                return 0;
 
        if (!_gnutls_version_has_selectable_sighash(ver)) {