cs: select certificate under TLS1.3
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Thu, 21 Sep 2017 08:21:26 +0000 (10:21 +0200)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Mon, 19 Feb 2018 14:29:34 +0000 (15:29 +0100)
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
lib/algorithms/ciphersuites.c
lib/auth/cert.c

index 2050150582447ecce7cec9b68c480789f4045b74..d417da3b25399fe3d4f5b7a8f6f458c52bc727bb 100644 (file)
@@ -1446,7 +1446,7 @@ _gnutls_figure_common_ciphersuite(gnutls_session_t session,
        const version_entry_st *version = get_version(session);
        unsigned int is_dtls = IS_DTLS(session);
        gnutls_kx_algorithm_t kx;
-       gnutls_credentials_type_t cred_type;
+       gnutls_credentials_type_t cred_type = GNUTLS_CRD_CERTIFICATE; /* default for TLS1.3 */
        unsigned int no_cert_found = 0;
        const gnutls_group_entry_st *sgroup = NULL;
 
@@ -1472,7 +1472,9 @@ _gnutls_figure_common_ciphersuite(gnutls_session_t session,
                        VERSION_CHECK(peer_clist->entry[i]);
 
                        kx = peer_clist->entry[i]->kx_algorithm;
-                       cred_type = _gnutls_map_kx_get_cred(kx, 1);
+
+                       if (!version->tls13_sem)
+                               cred_type = _gnutls_map_kx_get_cred(kx, 1);
 
                        for (j = 0; j < session->internals.priorities->cs.size; j++) {
                                if (session->internals.priorities->cs.entry[j] == peer_clist->entry[i]) {
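Review bot: With the kx-to-credential mapping skipped when `version->tls13_sem` is set, cred_type silently keeps the `GNUTLS_CRD_CERTIFICATE` value from its initializer at the top of the function, and nothing at the point of use says so. The next hunk adds the same two lines to the second loop and then passes that value to `kx_is_ok()`, so under TLS 1.3 only certificate credentials appear to be considered there. Whether a PSK-only server is meant to negotiate TLS 1.3 through this path cannot be confirmed from the hunk. I would add a comment above the test, `/* TLS1.3: kx does not select the credential type; cred_type stays GNUTLS_CRD_CERTIFICATE */`, and since the pair is duplicated in both loops a small static helper would keep them in step. The function body starts and ends outside the hunk.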
@@ -1511,7 +1513,9 @@ _gnutls_figure_common_ciphersuite(gnutls_session_t session,
                                if (session->internals.priorities->cs.entry[j] == peer_clist->entry[i]) {
                                        sgroup = NULL;
                                        kx = peer_clist->entry[i]->kx_algorithm;
-                                       cred_type = _gnutls_map_kx_get_cred(kx, 1);
+
+                                       if (!version->tls13_sem)
+                                               cred_type = _gnutls_map_kx_get_cred(kx, 1);
 
                                        if (!kx_is_ok(session, kx, cred_type, &sgroup))
                                                break;
index 1025ac2f520b855b31b0ebc4fc2419ca7b9e75a4..820d66cbb3463e12cb274e2e386beceb7965265b 100644 (file)
@@ -1418,6 +1418,7 @@ unsigned pubkey_is_compat_with_cs(gnutls_session_t session,
 {
        unsigned pk = pubkey->params.algo;
        unsigned key_usage;
+       const version_entry_st *ver = get_version(session);
 
        if (session->security_parameters.cert_type != cert_type) {
                return 0;
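Review bot: The new `ver` pointer is dereferenced in the changed condition further down (`ver->tls13_sem`) without a NULL test. If get_version() can return NULL before a protocol version has been fixed for the session, which is not visible here, a guard right after the declarations such as `if (ver == NULL) return 0;` would make the check fail closed instead of crashing. The function continues outside the hunk.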
@@ -1429,7 +1430,7 @@ unsigned pubkey_is_compat_with_cs(gnutls_session_t session,
                key_usage = pubkey->key_usage;
        }
 
-       if (!_gnutls_kx_supports_pk_usage(cs->kx_algorithm, pk, key_usage)) {
+       if (!ver->tls13_sem && !_gnutls_kx_supports_pk_usage(cs->kx_algorithm, pk, key_usage)) {
                return 0;
        }
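Review bot: Under TLS 1.3 this condition no longer consults key_usage at all, so a certificate whose keyUsage does not permit signing still passes this compatibility check. In TLS 1.3 the certificate key is used only to sign the handshake, so the digital-signature bit is the one that matters. Unless the remainder of the function (outside the hunk) already enforces it, consider adding `if (ver->tls13_sem && key_usage != 0 && !(key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE)) return 0;`. That assumes a key_usage of 0 means unrestricted, which should be confirmed against the branch above the hunk.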