nts: don't include compliant-128gcm record for other AEADs
authorMiroslav Lichvar <mlichvar@redhat.com>
Tue, 8 Oct 2024 09:49:55 +0000 (11:49 +0200)
committerMiroslav Lichvar <mlichvar@redhat.com>
Tue, 8 Oct 2024 10:11:05 +0000 (12:11 +0200)
If the client included the NTS-KE record requesting compliant key
exporter context for AES-128-GCM-SIV, but the server doesn't select this
AEAD algorithm (it's not supported by the crypto library or it is
disabled by the ntsaeads directive), don't include the NTS-KE record in
the response. It's not relevant to the other AEAD algorithms.

nts_ke_server.c

index 5f10bc17d8176abbe51b13ee6dd8b8a9504c8836..dfdebb8660dbfcf2f3b0470bc46fc95569856eda 100644 (file)
@@ -373,7 +373,7 @@ prepare_response(NKSN_Instance session, int error, int next_protocol, int aead_a
     if (!NKSN_AddRecord(session, 1, NKE_RECORD_AEAD_ALGORITHM, &datum, sizeof (datum)))
       return 0;
 
-    if (compliant_128gcm) {
+    if (aead_algorithm == AEAD_AES_128_GCM_SIV && compliant_128gcm) {
       if (!NKSN_AddRecord(session, 0, NKE_RECORD_COMPLIANT_128GCM_EXPORT, NULL, 0))
         return 0;
     }
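Review bot: The new guard `if (aead_algorithm == AEAD_AES_128_GCM_SIV && compliant_128gcm)` carries no comment saying why the record is tied to a single AEAD, so a later reader could simplify it back to the old form. I would add above it `/* The compliant exporter context is defined only for AES-128-GCM-SIV; do not acknowledge it when another AEAD was selected */`. The code that derives the C2S/S2C keys is outside this hunk, as is the rest of prepare_response; it is worth confirming that it picks the exporter context with the same predicate. If the response and the key export disagree, client and server would presumably derive different keys and NTS authentication would fail. A test with a request that carries the compliant-128gcm record while AES-128-GCM-SIV is disabled would pin the new behaviour.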