From: Matt Caswell
Date: Thu, 6 Sep 2018 14:53:25 +0000 (+0100)
Subject: Ensure certificate callbacks work correctly in TLSv1.3
X-Git-Tag: OpenSSL_1_1_1~22
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=cd3b53b8f85ad66336936073d822b3315e0ddd4f;p=openssl

Ensure certificate callbacks work correctly in TLSv1.3

The is_tls13_capable() function should not return 0 if no certificates are configured directly because a certificate callback is present.

Fixes #7140

Reviewed-by: Tim Hudson
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/7141)
---

diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index adc8b98144..508bb88767 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -1489,7 +1489,8 @@ static int ssl_method_error(const SSL *s, const SSL_METHOD *method)
 /*
 * Only called by servers. Returns 1 if the server has a TLSv1.3 capable
- * certificate type, or has PSK configured. Otherwise returns 0.
+ * certificate type, or has PSK or a certificate callback configured. Otherwise
+ * returns 0.
 */
 static int is_tls13_capable(const SSL *s)
 {
@@ -1500,7 +1501,7 @@ static int is_tls13_capable(const SSL *s)
 return 1;
 #endif
- if (s->psk_find_session_cb != NULL)
+ if (s->psk_find_session_cb != NULL || s->cert->cert_cb != NULL)
 return 1;
 for (i = 0; i < SSL_PKEY_NUM; i++) {
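Review bot: The new `|| s->cert->cert_cb != NULL` in the second hunk makes the server advertise TLSv1.3 before any certificate exists, so if the callback later installs a key type the per-`SSL_PKEY_NUM` loop below would have rejected, the handshake fails outright instead of negotiating TLSv1.2 as it would have without the callback. That trade-off should be recorded in the function comment in the first hunk, e.g. `* A certificate callback is assumed to supply a TLSv1.3-usable certificate; if it does not, the handshake fails rather than falling back.` The unconditional `s->cert->` dereference presumably relies on `s->cert` always being allocated for a server SSL, as the loop over `s->cert` key slots that follows appears to do already; worth confirming rather than assuming. is_tls13_capable continues past the end of the hunk, so the remaining certificate-type checks are not visible here.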