authorDaiki Ueno <ueno@gnu.org>2021-06-11 06:58:43 +0200
committerDaiki Ueno <ueno@gnu.org>2021-06-11 16:25:21 +0200
commit4af2969d5015ce15437fd9d604337fc9529d7c8c (patch)
tree9f3f5d6e748fccf1552a34a3f7a07782d1833490 /lib
parent1b83d881938b4e37d2bb6475ade716b22364b6cb (diff)
priority: reflect system wide config when constructing sigalgs
Otherwise the client would advertise signature algorithms which it cannot use and cause handshake to fail. Reported by Philip Schaten in: https://lists.gnupg.org/pipermail/gnutls-help/2021-June/004711.html Signed-off-by: Daiki Ueno <ueno@gnu.org>
Diffstat (limited to 'lib')
-rw-r--r--lib/priority.c9
1 files changed, 6 insertions, 3 deletions
diff --git a/lib/priority.c b/lib/priority.c
index 8cd8a1b260..f043e9dd6f 100644
--- a/lib/priority.c
+++ b/lib/priority.c
@@ -1737,10 +1737,13 @@ static int set_ciphersuite_list(gnutls_priority_t priority_cache)
for (i = 0; i < priority_cache->_sign_algo.num_priorities; i++) {
se = _gnutls_sign_to_entry(priority_cache->_sign_algo.priorities[i]);
if (se != NULL && priority_cache->sigalg.size < sizeof(priority_cache->sigalg.entry)/sizeof(priority_cache->sigalg.entry[0])) {
- /* if the signature algorithm semantics are not compatible with
- * the protocol's, then skip. */
- if ((se->aid.tls_sem & tls_sig_sem) == 0)
+ /* if the signature algorithm semantics is not
+ * compatible with the protocol's, or the algorithm is
+ * marked as insecure, then skip. */
+ if ((se->aid.tls_sem & tls_sig_sem) == 0 ||
+ !_gnutls_sign_is_secure2(se, 0)) {
continue;
+ }
priority_cache->sigalg.entry[priority_cache->sigalg.size++] = se;
}
}
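Review bot: The literal `0` passed as the flags argument in `_gnutls_sign_is_secure2(se, 0)` is unexplained, and the new comment does not say which notion of "insecure" applies. If I read the helper correctly, a zero flags value requests the general-use verdict rather than the stricter certificate one (`GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS`), so an algorithm disabled only for certificate signatures would still be advertised; that may be intended, but it should be stated. I would extend the comment with something like `/* flags == 0: general-use check only; algorithms marked insecure for certificates alone are still offered */`. The rest of set_ciphersuite_list is outside the hunk, so I cannot tell whether an empty `sigalg` list after filtering is handled; a debug log for each skipped algorithm would make that case diagnosable.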