authorNikos Mavrogiannopoulos <nmav@redhat.com>2018-04-20 13:47:57 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2018-05-04 11:31:27 +0200
commit79f02a288d1dd6c2c4cdb4a7b2307fe643fe9a33 (patch)
treec14b4ee18b0d15d45f0a01e57f88086f0dc90d5a
parent9f90ea9b61ee0e27d25d43e9b34680f8099538b2 (diff)
_gnutls_figure_common_ciphersuite: ignore certificate check if PSK is negotiated
That is, if we are performing PSK under TLS1.3, don't bother checking whether the certificate is compatible with the ciphersuite; there isn't any. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--lib/algorithms/ciphersuites.c8
1 files changed, 2 insertions, 6 deletions
diff --git a/lib/algorithms/ciphersuites.c b/lib/algorithms/ciphersuites.c
index ef31a05afd..dbfcbb0c90 100644
--- a/lib/algorithms/ciphersuites.c
+++ b/lib/algorithms/ciphersuites.c
@@ -1487,9 +1487,7 @@ _gnutls_figure_common_ciphersuite(gnutls_session_t session,
if (session->internals.hsk_flags & HSK_PSK_SELECTED) {
if (session->key.proto.tls13.binder_prf->id != session->internals.priorities->cs.entry[j]->prf)
continue;
- }
-
- if (cred_type == GNUTLS_CRD_CERTIFICATE) {
+ } else if (cred_type == GNUTLS_CRD_CERTIFICATE) {
ret = _gnutls_server_select_cert(session, peer_clist->entry[i]);
if (ret < 0) {
/* couldn't select cert with this ciphersuite */
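Review bot: The new `else if` on the `HSK_PSK_SELECTED` branch skips `_gnutls_server_select_cert()` on the flag alone, and nothing in the code records why that is safe; the second hunk (at -1532) has the same gap. A short comment on the branch would state the invariant, e.g. `/* TLS1.3 PSK accepted: no certificate is sent, so skip the certificate/ciphersuite compatibility check */`. The skip is only sound if `HSK_PSK_SELECTED` is set solely once a PSK has been accepted for this handshake and cannot stay set if the server later falls back to certificate authentication; the flag is set outside the visible lines, so this is worth confirming and covering with a test that negotiates PSK against a server whose certificate does not fit the chosen ciphersuite. The body of `_gnutls_figure_common_ciphersuite` starts and ends outside both hunks.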
@@ -1532,9 +1530,7 @@ _gnutls_figure_common_ciphersuite(gnutls_session_t session,
if (session->internals.hsk_flags & HSK_PSK_SELECTED) {
if (session->key.proto.tls13.binder_prf->id != session->internals.priorities->cs.entry[j]->prf)
break;
- }
-
- if (cred_type == GNUTLS_CRD_CERTIFICATE) {
+ } else if (cred_type == GNUTLS_CRD_CERTIFICATE) {
ret = _gnutls_server_select_cert(session, peer_clist->entry[i]);
if (ret < 0) {
/* couldn't select cert with this ciphersuite */