1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
|
diff --git a/lib/cert-cred.c b/lib/cert-cred.c
index d3777e51f..2150e903f 100644
--- a/lib/cert-cred.c
+++ b/lib/cert-cred.c
@@ -387,6 +387,13 @@ static int call_legacy_cert_cb1(gnutls_session_t session,
if (ret < 0)
return gnutls_assert_val(ret);
+ if (st2.ncerts == 0) {
+ *pcert_length = 0;
+ *ocsp_length = 0;
+ *privkey = NULL;
+ return 0;
+ }
+
if (st2.cert_type != GNUTLS_CRT_X509) {
gnutls_assert();
ret = GNUTLS_E_INVALID_REQUEST;
@@ -503,7 +510,10 @@ void gnutls_certificate_set_retrieve_function
gnutls_certificate_retrieve_function * func)
{
cred->legacy_cert_cb1 = func;
- cred->get_cert_callback3 = call_legacy_cert_cb1;
+ if (!func)
+ cred->get_cert_callback3 = NULL;
+ else
+ cred->get_cert_callback3 = call_legacy_cert_cb1;
}
static int call_legacy_cert_cb2(gnutls_session_t session,
@@ -578,7 +588,10 @@ void gnutls_certificate_set_retrieve_function2
gnutls_certificate_retrieve_function2 * func)
{
cred->legacy_cert_cb2 = func;
- cred->get_cert_callback3 = call_legacy_cert_cb2;
+ if (!func)
+ cred->get_cert_callback3 = NULL;
+ else
+ cred->get_cert_callback3 = call_legacy_cert_cb2;
}
/**
diff --git a/lib/hello_ext.c b/lib/hello_ext.c
index a3027130a..f72afe77f 100644
--- a/lib/hello_ext.c
+++ b/lib/hello_ext.c
@@ -208,7 +208,7 @@ int hello_ext_parse(void *_ctx, unsigned tls_id, const uint8_t *data, unsigned d
if (tls_id == PRE_SHARED_KEY_TLS_ID) {
ctx->seen_pre_shared_key = 1;
- } else if (ctx->seen_pre_shared_key) {
+ } else if (ctx->seen_pre_shared_key && session->security_parameters.entity == GNUTLS_SERVER) {
/* the pre-shared key extension must always be the last one,
* draft-ietf-tls-tls13-28: 4.2.11 */
return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
|
