authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-08-15 15:37:04 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2017-09-25 07:46:59 +0200
commitb73421319e51d177ac64c3a767115357ac73ea41 (patch)
tree9f0a16eddfecad0150c12c61ec151771287d612f
parent53b3af52a8d4480f67df6d7cbdb2505d7ba72918 (diff)
downloadgnutls-b73421319e51d177ac64c3a767115357ac73ea41.tar.gz
_gnutls_server_select_suite: don't set auth callbacks for TLS 1.3
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--lib/handshake.c79
1 files changed, 41 insertions, 38 deletions
diff --git a/lib/handshake.c b/lib/handshake.c
index 1a868ab198..d4d20afa6c 100644
--- a/lib/handshake.c
+++ b/lib/handshake.c
@@ -861,6 +861,7 @@ _gnutls_server_select_suite(gnutls_session_t session, uint8_t * data,
ciphersuite_list_st peer_clist;
const gnutls_cipher_suite_entry_st *selected;
int retval;
+ const version_entry_st *vers = get_version(session);
peer_clist.size = 0;
@@ -885,7 +886,6 @@ _gnutls_server_select_suite(gnutls_session_t session, uint8_t * data,
/* TLS_FALLBACK_SCSV */
if (data[i] == GNUTLS_FALLBACK_SCSV_MAJOR &&
data[i + 1] == GNUTLS_FALLBACK_SCSV_MINOR) {
- const version_entry_st *vers = get_version(session);
const version_entry_st *max = _gnutls_version_max(session);
_gnutls_handshake_log
@@ -920,25 +920,26 @@ _gnutls_server_select_suite(gnutls_session_t session, uint8_t * data,
return ret;
}
- /* check if the credentials (username, public key etc.) are ok
- */
- if (_gnutls_get_kx_cred(session, selected->kx_algorithm) == NULL) {
- gnutls_assert();
- return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
- }
-
+ if (!vers->tls13_sem) {
+ /* check if the credentials (username, public key etc.) are ok
+ */
+ if (_gnutls_get_kx_cred(session, selected->kx_algorithm) == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
+ }
- /* set the mod_auth_st to the appropriate struct
- * according to the KX algorithm. This is needed since all the
- * handshake functions are read from there;
- */
- session->internals.auth_struct = _gnutls_kx_auth_struct(selected->kx_algorithm);
- if (session->internals.auth_struct == NULL) {
- _gnutls_handshake_log
- ("HSK[%p]: Cannot find the appropriate handler for the KX algorithm\n",
- session);
- gnutls_assert();
- return GNUTLS_E_INTERNAL_ERROR;
+ /* set the mod_auth_st to the appropriate struct
+ * according to the KX algorithm. This is needed since all the
+ * handshake functions are read from there;
+ */
+ session->internals.auth_struct = _gnutls_kx_auth_struct(selected->kx_algorithm);
+ if (session->internals.auth_struct == NULL) {
+ _gnutls_handshake_log
+ ("HSK[%p]: Cannot find the appropriate handler for the KX algorithm\n",
+ session);
+ gnutls_assert();
+ return GNUTLS_E_INTERNAL_ERROR;
+ }
}
return 0;
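Review bot: `vers` is now dereferenced unconditionally at `if (!vers->tls13_sem)`, whereas the old code only dereferenced it inside the TLS_FALLBACK_SCSV branch; `get_version(session)` is not checked for NULL at the new declaration, so if it can return NULL when no version has been negotiated yet this is a new NULL-dereference path reachable from a ClientHello. A guard right after the declaration, `if (vers == NULL) { gnutls_assert(); return GNUTLS_E_INTERNAL_ERROR; }`, or a comment stating that the caller guarantees the version is set by this point, would make the precondition explicit; the same applies to the `set_client_ciphersuite` hunk at `@@ -1409,28 +1411,29 @@`. For TLS 1.3 both the `_gnutls_get_kx_cred` check and the `auth_struct` assignment are skipped, so `session->internals.auth_struct` keeps whatever value it held before and no credential check happens here; a one-line comment on the `if (!vers->tls13_sem)` branch naming where the TLS 1.3 path performs the equivalent check would help the next reader. `_gnutls_server_select_suite` begins and ends outside this hunk.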
@@ -1380,6 +1381,7 @@ set_client_ciphersuite(gnutls_session_t session, uint8_t suite[2])
unsigned j;
int ret;
const gnutls_cipher_suite_entry_st *selected = NULL;
+ const version_entry_st *vers = get_version(session);
for (j = 0; j < session->internals.priorities->cs.size; j++) {
if (suite[0] == session->internals.priorities->cs.entry[j]->id[0] &&
@@ -1409,28 +1411,29 @@ set_client_ciphersuite(gnutls_session_t session, uint8_t suite[2])
/* check if the credentials (username, public key etc.) are ok.
* Actually checks if they exist.
*/
- if (!session->internals.premaster_set &&
- _gnutls_get_kx_cred
- (session, selected->kx_algorithm) == NULL) {
- gnutls_assert();
- return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
- }
-
+ if (!vers->tls13_sem) {
+ if (!session->internals.premaster_set &&
+ _gnutls_get_kx_cred
+ (session, selected->kx_algorithm) == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
+ }
- /* set the mod_auth_st to the appropriate struct
- * according to the KX algorithm. This is needed since all the
- * handshake functions are read from there;
- */
- session->internals.auth_struct =
- _gnutls_kx_auth_struct(selected->kx_algorithm);
- if (session->internals.auth_struct == NULL) {
+ /* set the mod_auth_st to the appropriate struct
+ * according to the KX algorithm. This is needed since all the
+ * handshake functions are read from there;
+ */
+ session->internals.auth_struct =
+ _gnutls_kx_auth_struct(selected->kx_algorithm);
- _gnutls_handshake_log
- ("HSK[%p]: Cannot find the appropriate handler for the KX algorithm\n",
- session);
- gnutls_assert();
- return GNUTLS_E_INTERNAL_ERROR;
+ if (session->internals.auth_struct == NULL) {
+ _gnutls_handshake_log
+ ("HSK[%p]: Cannot find the appropriate handler for the KX algorithm\n",
+ session);
+ gnutls_assert();
+ return GNUTLS_E_INTERNAL_ERROR;
+ }
}
return 0;