diff options
| author | Matt Caswell <matt@openssl.org> | 2018-09-06 16:53:25 +0200 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2018-09-07 12:20:37 +0200 |
| commit | cd3b53b8f85ad66336936073d822b3315e0ddd4f (patch) | |
| tree | ae66ead21b98b4c7d16d12cafdff469704d7d9dd /ssl | |
| parent | Remove a reference to SSL_force_post_handshake_auth() (diff) | |
| download | openssl-cd3b53b8f85ad66336936073d822b3315e0ddd4f.tar.xz openssl-cd3b53b8f85ad66336936073d822b3315e0ddd4f.zip | |
Ensure certificate callbacks work correctly in TLSv1.3
The is_tls13_capable() function should not return 0 if no certificates
are configured directly because a certificate callback is present.
Fixes #7140
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7141)
Diffstat (limited to 'ssl')
| -rw-r--r-- | ssl/statem/statem_lib.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index adc8b98144..508bb88767 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c @@ -1489,7 +1489,8 @@ static int ssl_method_error(const SSL *s, const SSL_METHOD *method) /* * Only called by servers. Returns 1 if the server has a TLSv1.3 capable - * certificate type, or has PSK configured. Otherwise returns 0. + * certificate type, or has PSK or a certificate callback configured. Otherwise + * returns 0. */ static int is_tls13_capable(const SSL *s) { @@ -1500,7 +1501,7 @@ static int is_tls13_capable(const SSL *s) return 1; #endif - if (s->psk_find_session_cb != NULL) + if (s->psk_find_session_cb != NULL || s->cert->cert_cb != NULL) return 1; for (i = 0; i < SSL_PKEY_NUM; i++) { |