From: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date: Thu, 21 Sep 2017 08:21:26 +0000 (+0200)
Subject: cs: select certificate under TLS1.3
X-Git-Tag: gnutls_3_6_3~377
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=cf912582bba30fa9e8563cf7a7e1d19819615a49;p=thirdparty%2Fgnutls.git

cs: select certificate under TLS1.3

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
---

diff --git a/lib/algorithms/ciphersuites.c b/lib/algorithms/ciphersuites.c
index 2050150582..d417da3b25 100644
--- a/lib/algorithms/ciphersuites.c
+++ b/lib/algorithms/ciphersuites.c
@@ -1446,7 +1446,7 @@ _gnutls_figure_common_ciphersuite(gnutls_session_t session,
 	const version_entry_st *version = get_version(session);
 	unsigned int is_dtls = IS_DTLS(session);
 	gnutls_kx_algorithm_t kx;
-	gnutls_credentials_type_t cred_type;
+	gnutls_credentials_type_t cred_type = GNUTLS_CRD_CERTIFICATE; /* default for TLS1.3 */
 	unsigned int no_cert_found = 0;
 	const gnutls_group_entry_st *sgroup = NULL;
 
@@ -1472,7 +1472,9 @@ _gnutls_figure_common_ciphersuite(gnutls_session_t session,
 			VERSION_CHECK(peer_clist->entry[i]);
 
 			kx = peer_clist->entry[i]->kx_algorithm;
-			cred_type = _gnutls_map_kx_get_cred(kx, 1);
+
+			if (!version->tls13_sem)
+				cred_type = _gnutls_map_kx_get_cred(kx, 1);
 
 			for (j = 0; j < session->internals.priorities->cs.size; j++) {
 				if (session->internals.priorities->cs.entry[j] == peer_clist->entry[i]) {
@@ -1511,7 +1513,9 @@ _gnutls_figure_common_ciphersuite(gnutls_session_t session,
 				if (session->internals.priorities->cs.entry[j] == peer_clist->entry[i]) {
 					sgroup = NULL;
 					kx = peer_clist->entry[i]->kx_algorithm;
-					cred_type = _gnutls_map_kx_get_cred(kx, 1);
+
+					if (!version->tls13_sem)
+						cred_type = _gnutls_map_kx_get_cred(kx, 1);
 
 					if (!kx_is_ok(session, kx, cred_type, &sgroup))
 						break;
diff --git a/lib/auth/cert.c b/lib/auth/cert.c
index 1025ac2f52..820d66cbb3 100644
--- a/lib/auth/cert.c
+++ b/lib/auth/cert.c
@@ -1418,6 +1418,7 @@ unsigned pubkey_is_compat_with_cs(gnutls_session_t session,
 {
 	unsigned pk = pubkey->params.algo;
 	unsigned key_usage;
+	const version_entry_st *ver = get_version(session);
 
 	if (session->security_parameters.cert_type != cert_type) {
 		return 0;
@@ -1429,7 +1430,7 @@ unsigned pubkey_is_compat_with_cs(gnutls_session_t session,
 		key_usage = pubkey->key_usage;
 	}
 
-	if (!_gnutls_kx_supports_pk_usage(cs->kx_algorithm, pk, key_usage)) {
+	if (!ver->tls13_sem && !_gnutls_kx_supports_pk_usage(cs->kx_algorithm, pk, key_usage)) {
 		return 0;
 	}