diff options
Diffstat (limited to 'lib/tls13/certificate_verify.c')
-rw-r--r-- | lib/tls13/certificate_verify.c | 27 |
1 files changed, 16 insertions, 11 deletions
diff --git a/lib/tls13/certificate_verify.c b/lib/tls13/certificate_verify.c index 72b4488115..7300f88f5d 100644 --- a/lib/tls13/certificate_verify.c +++ b/lib/tls13/certificate_verify.c @@ -179,22 +179,27 @@ int _gnutls13_send_certificate_verify(gnutls_session_t session, unsigned again) if (server) { return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_CREDENTIALS); } else { - /* if we didn't get a cert request there will not be any */ - if (!(session->internals.hsk_flags & HSK_CRT_SENT)) - return 0; - else - return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); + /* for client, this means either we + * didn't get a cert request or we are + * declining authentication; in either + * case we don't send a cert verify */ + return 0; } } - algo = _gnutls_session_get_sign_algo(session, &apr_cert_list[0], apr_pkey, 0); - if (algo == GNUTLS_SIGN_UNKNOWN) - return gnutls_assert_val(GNUTLS_E_INCOMPATIBLE_SIG_WITH_KEY); + if (server) { + algo = _gnutls_session_get_sign_algo(session, &apr_cert_list[0], apr_pkey, 0); + if (algo == GNUTLS_SIGN_UNKNOWN) + return gnutls_assert_val(GNUTLS_E_INCOMPATIBLE_SIG_WITH_KEY); - if (server) gnutls_sign_algorithm_set_server(session, algo); - else - gnutls_sign_algorithm_set_client(session, algo); + } else { + /* for client, signature algorithm is already + * determined from Certificate Request */ + algo = gnutls_sign_algorithm_get_client(session); + if (unlikely(algo == GNUTLS_SIGN_UNKNOWN)) + return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); + } se = _gnutls_sign_to_entry(algo); |