git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
When setting up TLS with cert-type OpenPGP from a client,
author Nikos Mavrogiannopoulos <nmav@gnutls.org>
Sat, 10 Jan 2015 11:12:25 +0000 (12:12 +0100)
committer Nikos Mavrogiannopoulos <nmav@gnutls.org>
Sat, 10 Jan 2015 11:12:25 +0000 (12:12 +0100)
the server verifies if it supports the extension’s contents
in _gnutls_session_cert_type_supported().  This function
checks for cred->get_cert_callback but not cred->get_cert_callback2.
As a result, servers set up for OpenPGP certificate credential
callback with gnutls_certificate_set_retrieve_function2() are
unable to use the OpenPGP certificate type.

The solution is to consider cred->get_cert_callback2 alongside
cred->get_cert_callback in _gnutls_session_cert_type_supported().

Patch by Rick van Rein.

lib/gnutls_state.c

index 623e9cfd5e2aa6dbbad1bde21b8226e38cfb03aa..849a36a0651e84f94153f6ca95e18992d00707f9 100644 (file)
@@ -189,7 +189,7 @@ _gnutls_session_cert_type_supported(gnutls_session_t session,
                if (cred == NULL)
                        return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE;
 
-               if (cred->get_cert_callback == NULL) {
+               if (cred->get_cert_callback == NULL && cred->get_cert_callback2 == NULL) {
                        for (i = 0; i < cred->ncerts; i++) {
                                if (cred->certs[i].cert_list[0].type ==
                                    cert_type) {
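
Review bot: The new condition on the `+` line means the per-certificate type scan in the `for` loop is skipped whenever either callback is registered, so in the visible lines nothing compares `cert_type` against what a `get_cert_callback2` credential can actually supply. That mirrors the existing `get_cert_callback` behaviour, but it deserves a short comment above the `if` stating that callback-based credentials are assumed capable of providing the requested certificate type, so the next reader does not mistake the skipped scan for an oversight. The line also runs past 80 columns; wrapping after `&&` would keep it in line with the surrounding code. A regression test with a server configured through gnutls_certificate_set_retrieve_function2() and a client requesting the OpenPGP certificate type would stop this case from silently breaking again.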