gnutls_certificate_type_get*: ensure that the default type is returned
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Wed, 14 Nov 2018 14:20:08 +0000 (15:20 +0100)
committerNikos Mavrogiannopoulos <nmav@gnutls.org>
Sun, 18 Nov 2018 18:54:14 +0000 (19:54 +0100)
That is, ensure that unless we negotiate something other than
X509, the default certificate type is returned to applications.
Previously we wouldn't do that for TLS1.3 resumed sessions, and
we would return zero (invalid type) instead.

That addresses issues with applications checking explicitly
for X509 certificate type being present.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
lib/session_pack.c
tests/mini-x509-2.c
tests/mini-x509.c
tests/resume.c

index 1869f7740b7c2f87c0d29c412dbde978662a992f..eec594e38e8e10e6f641d32aadc7645887fe9c6f 100644 (file)
@@ -905,14 +905,14 @@ pack_security_parameters(gnutls_session_t session, gnutls_buffer_st * ps)
 
        BUFFER_APPEND_NUM(ps, session->security_parameters.pversion->id);
 
+       BUFFER_APPEND_NUM(ps, session->security_parameters.client_ctype);
+       BUFFER_APPEND_NUM(ps, session->security_parameters.server_ctype);
+
        /* if we are under TLS 1.3 do not pack keys or params negotiated using an extension
         * they are not necessary */
        if (!session->security_parameters.pversion->tls13_sem) {
                BUFFER_APPEND(ps, session->security_parameters.cs->id, 2);
 
-               BUFFER_APPEND_NUM(ps, session->security_parameters.client_ctype);
-               BUFFER_APPEND_NUM(ps, session->security_parameters.server_ctype);
-
                BUFFER_APPEND_PFX1(ps, session->security_parameters.master_secret,
                              GNUTLS_MASTER_SIZE);
                BUFFER_APPEND_PFX1(ps, session->security_parameters.client_random,
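Review bot: Moving the two BUFFER_APPEND_NUM calls ahead of the tls13_sem branch changes the byte layout of every packed session, TLS 1.2 ones included, so a blob written by a previous release would be misparsed by unpack_security_parameters (the ciphersuite bytes would be consumed as client_ctype). If PACKED_SESSION_MAGIC still folds the library version into the blob header, as I recall it does, older blobs are rejected before this point and the reorder is safe, but that dependency deserves a comment at the new lines, e.g. `/* layout change: ctypes now precede the TLS1.2-only block; blobs from older releases are rejected by the magic check */`. The same layout dependency applies to the unpack hunk below. pack_security_parameters starts before this hunk.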
@@ -1005,19 +1005,19 @@ unpack_security_parameters(gnutls_session_t session, gnutls_buffer_st * ps)
            NULL)
                return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
 
+       BUFFER_POP_NUM(ps,
+                      session->internals.resumed_security_parameters.
+                      client_ctype);
+       BUFFER_POP_NUM(ps,
+                      session->internals.resumed_security_parameters.
+                      server_ctype);
+
        if (!session->internals.resumed_security_parameters.pversion->tls13_sem) {
                BUFFER_POP(ps, cs, 2);
                session->internals.resumed_security_parameters.cs = ciphersuite_to_entry(cs);
                if (session->internals.resumed_security_parameters.cs == NULL)
                        return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
 
-               BUFFER_POP_NUM(ps,
-                               session->internals.resumed_security_parameters.
-                               client_ctype);
-               BUFFER_POP_NUM(ps,
-                               session->internals.resumed_security_parameters.
-                               server_ctype);
-
                /* master secret */
                ret = _gnutls_buffer_pop_datum_prefix8(ps, &t);
                if (ret < 0) {
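Review bot: The two popped certificate-type values are stored into resumed_security_parameters without any range check, whereas the ciphersuite popped just below is validated through ciphersuite_to_entry() and rejected with GNUTLS_E_INVALID_REQUEST when unknown. The blob is supplied by the application (gnutls_session_set_data) or an external session cache, and per the commit message the value is later returned to applications by gnutls_certificate_type_get(), so an out-of-range ctype should be rejected the same way: a check after the two BUFFER_POP_NUM calls that returns `gnutls_assert_val(GNUTLS_E_INVALID_REQUEST)` when either value is not a known gnutls_certificate_type_t (the test hunks only exercise GNUTLS_CRT_X509). The body of unpack_security_parameters continues outside this hunk.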
index 8badfc1ecb79658524d022488b08d7f151f11f56..e20d45b7ff41f4a683b4d70181669ec21a3c1927 100644 (file)
@@ -303,6 +303,8 @@ void start(const char *prio)
                        exit(1);
                }
                gnutls_free(scert.data);
+
+               assert(gnutls_certificate_type_get(server)==GNUTLS_CRT_X509);
        }
 
        /* check gnutls_certificate_get_ours() - client side */
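Review bot: The new check uses assert(), which compiles to nothing when the test is built with NDEBUG, while the surrounding failure path in this block uses exit(1) and the resume.c hunk uses fail(). Since this check is the point of the commit, a fail()-style report would be more robust and consistent, e.g. `if (gnutls_certificate_type_get(server) != GNUTLS_CRT_X509) fail("unexpected certificate type on server (%d)\n", gnutls_certificate_type_get(server));`, provided the fail() helper used in tests/resume.c is in scope here. The same applies to the client-side assert in the next hunk of this file and to both asserts added in tests/mini-x509.c. start() begins before this hunk and continues after it.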
@@ -336,6 +338,8 @@ void start(const char *prio)
                        exit(1);
                }
                gnutls_free(ccert.data);
+
+               assert(gnutls_certificate_type_get(client)==GNUTLS_CRT_X509);
        }
 
        /* check the number of certificates received */
index 52c650aa7f5bbdbb2ac4f907db82409774315b09..c26b13f71638b7e5dbe2f0d009bb92c4007d1355 100644 (file)
@@ -124,6 +124,9 @@ void start(const char *prio, unsigned expect_max)
                }
        }
 
+       assert(gnutls_certificate_type_get(server)==GNUTLS_CRT_X509);
+       assert(gnutls_certificate_type_get(client)==GNUTLS_CRT_X509);
+
        /* check the number of certificates received and verify */
        {
                unsigned cert_list_size = 0;
index 5e545cc658e7c35d1d538fdd4c7fbc07853686f9..3ce3e293c11abb7b045e7ab63b32575f81774e9d 100644 (file)
@@ -391,6 +391,9 @@ static void verify_server_params(gnutls_session_t session, unsigned counter, str
 #if defined(USE_X509)
        unsigned int l;
 
+       if (gnutls_certificate_type_get(session) != GNUTLS_CRT_X509)
+               fail("did not find the expected X509 certificate type! (%d)\n", gnutls_certificate_type_get(session));
+
        if (counter == 0 && gnutls_certificate_get_ours(session) == NULL)
                fail("no certificate returned on server side (%s)\n", counter?"resumed session":"first session");
        else if (counter != 0 && gnutls_certificate_get_ours(session) != NULL)