From: Dr. Stephen Henson Date: Tue, 31 Jan 2017 18:32:41 +0000 (+0000) Subject: For TLS 1.3 retrieve previously set certificate index X-Git-Tag: OpenSSL_1_1_1-pre1~2491 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=c19b863e8194df2bbaea7b6e1b57b817297d10be;p=oweals%2Fopenssl.git For TLS 1.3 retrieve previously set certificate index Reviewed-by: Rich Salz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/2339) --- diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 42d49d0ca8..e4eec4a949 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -2838,11 +2838,14 @@ static int ssl_get_server_cert_index(const SSL *s) { int idx; - /* - * TODO(TLS1.3): In TLS1.3 the selected certificate is not based on the - * ciphersuite. For now though it still is. Our only TLS1.3 ciphersuite - * forces the use of an RSA cert. This will need to change. - */ + if (SSL_IS_TLS13(s)) { + if (s->s3->tmp.sigalg == NULL) { + SSLerr(SSL_F_SSL_GET_SERVER_CERT_INDEX, ERR_R_INTERNAL_ERROR); + return -1; + } + return s->s3->tmp.cert_idx; + } + idx = ssl_cipher_get_cert_index(s->s3->tmp.new_cipher); if (idx == SSL_PKEY_RSA_ENC && !s->cert->pkeys[SSL_PKEY_RSA_ENC].x509) idx = SSL_PKEY_RSA_SIGN;