author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2018-10-04 08:27:10 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2018-10-16 09:04:53 +0200 |
commit | ba87e9391002aa7c2bad9adb9e005f817f6f613e (patch) | |
tree | 450a8936716281baa5918a62b34f2d96a76bccc2 | |
parent | 8dd5b32b5a1a709d90bced2959b80a16af66389f (diff) | |
download | gnutls-ba87e9391002aa7c2bad9adb9e005f817f6f613e.tar.gz |
_gnutls_server_select_cert: return error when no server cert is selected [tmp-auto-reauth]
When a certificate callback is used and no certificate is provided
by it, return an error rather than trying to use it (and crashing)
later. Note that this affects only an "illegal" code path when
a server would have provided no certificate, something which must
not happen on a real-world server.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r-- | lib/auth/cert.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/lib/auth/cert.c b/lib/auth/cert.c index 069968c5d3..61a55f0745 100644 --- a/lib/auth/cert.c +++ b/lib/auth/cert.c @@ -1338,12 +1338,14 @@ _gnutls_server_select_cert(gnutls_session_t session, const gnutls_cipher_suite_e * use it and leave. We make sure that this is called once. */ if (cred->get_cert_callback3) { - if (session->internals.selected_cert_list_length == 0) { ret = call_get_cert_callback(session, NULL, 0, NULL, 0); if (ret < 0) return gnutls_assert_val(ret); + if (session->internals.selected_cert_list_length == 0) + return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_CREDENTIALS); + _gnutls_debug_log("Selected (%s) cert\n", gnutls_pk_get_name(session->internals.selected_cert_list[0].pubkey->params.algo)); } @@ -1352,9 +1354,8 @@ _gnutls_server_select_cert(gnutls_session_t session, const gnutls_cipher_suite_e &session->internals.selected_cert_list[0], session->internals.selected_key, cs); - if (ret < 0) { + if (ret < 0) return gnutls_assert_val(ret); - } return 0; } |
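Review bot: In the first hunk (`@@ -1338,12 +1338,14 @@`), the removed line `if (session->internals.selected_cert_list_length == 0) {` was the guard around `call_get_cert_callback()`, yet the comment directly above still reads "We make sure that this is called once" and the closing `}` after `_gnutls_debug_log` remains as context. Please confirm that the braces still balance and that the callback is not invoked again when a certificate has already been selected; if the guard is meant to go, update that comment to match. The new length check is in the right place, since it runs before `selected_cert_list[0]` is dereferenced in the debug log. The diffstat shows only lib/auth/cert.c changed, so a regression test with a callback that returns success but provides no certificate, expecting `GNUTLS_E_INSUFFICIENT_CREDENTIALS`, would pin the behaviour the commit message describes.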
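Review bot: In the second hunk (`@@ -1352,9 +1354,8 @@`), dropping the braces around `return gnutls_assert_val(ret);` is a style-only change mixed into a crash fix. Consider leaving it out or moving it to a separate cleanup commit, so the fix stays minimal and is easier to backport and audit.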