authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-07-11 11:55:52 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2017-08-04 13:54:42 +0200
commitc63d58f962b0e2c3b522e49279516d713b3b5925 (patch)
tree453e9013f90b2155559f338b767d02c60883cbcc /lib/tls-sig.c
parentb9f8a51fca7552be88efa8789ed504ae415106d1 (diff)
handshake: select a signature algorithm early
That is, select the signature algorithm at the point where the certificate and ciphersuites are decided. Also ensure that the selected signature algorithm is compatible with the ciphersuite and the key. That prevents situations where a ciphersuite and a certificate are negotiated, but later in the handshake we find that there are no common signature algorithms. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'lib/tls-sig.c')
-rw-r--r--lib/tls-sig.c4
1 files changed, 1 insertions, 3 deletions
diff --git a/lib/tls-sig.c b/lib/tls-sig.c
index 4ebab54f88..95a7b3ea64 100644
--- a/lib/tls-sig.c
+++ b/lib/tls-sig.c
@@ -175,14 +175,12 @@ _gnutls_handshake_sign_data(gnutls_session_t session,
unsigned key_usage = 0;
int ret;
- *sign_algo = _gnutls_session_get_sign_algo(session, cert, 0);
+ *sign_algo = session->security_parameters.server_sign_algo;
if (*sign_algo == GNUTLS_SIGN_UNKNOWN) {
gnutls_assert();
return GNUTLS_E_UNWANTED_ALGORITHM;
}
- gnutls_sign_algorithm_set_server(session, *sign_algo);
-
gnutls_pubkey_get_key_usage(cert->pubkey, &key_usage);
ret = check_key_usage_for_sig(session, key_usage, 1);
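Review bot: The algorithm read from `session->security_parameters.server_sign_algo` is no longer tied to the `cert` argument here. The removed call derived it from `cert`, while the new line trusts whatever an earlier handshake step stored. The selection code is not part of this file-limited diff, so the precondition should be stated at the assignment, for example `/* chosen during certificate/ciphersuite selection; must correspond to cert's key */`. It is also worth confirming that the field is set for every protocol version that reaches this function and is reset on rehandshake, since a stale or unset value would otherwise only surface as `GNUTLS_E_UNWANTED_ALGORITHM` or as a signature made with a mismatched algorithm. The body of `_gnutls_handshake_sign_data` starts and ends outside this hunk, so a later compatibility check against the key may already exist.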