For TLS 1.3 retrieve previously set certificate index

Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2339)
author: Dr. Stephen Henson <steve@openssl.org> 2017-01-31 18:32:41 +0000
committer: Dr. Stephen Henson <steve@openssl.org> 2017-02-02 14:45:10 +0000
commit: c19b863e8194df2bbaea7b6e1b57b817297d10be (patch)
tree: 3fd27b5b3b19814950047f3ea6bea1fb7d439219 /ssl
parent: e10dbdbfea000765f336dac3c5e7e41cf7b78c14 (diff)
download: openssl-c19b863e8194df2bbaea7b6e1b57b817297d10be.tar.gz
1 files changed, 8 insertions, 5 deletions
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 42d49d0ca8..e4eec4a949 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2838,11 +2838,14 @@ static int ssl_get_server_cert_index(const SSL *s)
 {
     int idx;
 
-    /*
-     * TODO(TLS1.3): In TLS1.3 the selected certificate is not based on the
-     * ciphersuite. For now though it still is. Our only TLS1.3 ciphersuite
-     * forces the use of an RSA cert. This will need to change.
-     */
+    if (SSL_IS_TLS13(s)) {
+        if (s->s3->tmp.sigalg == NULL) {
+            SSLerr(SSL_F_SSL_GET_SERVER_CERT_INDEX, ERR_R_INTERNAL_ERROR);
+            return -1;
+        }
+        return s->s3->tmp.cert_idx;
+    }
+
     idx = ssl_cipher_get_cert_index(s->s3->tmp.new_cipher);
     if (idx == SSL_PKEY_RSA_ENC && !s->cert->pkeys[SSL_PKEY_RSA_ENC].x509)
         idx = SSL_PKEY_RSA_SIGN;
author	Dr. Stephen Henson <steve@openssl.org>	2017-01-31 18:32:41 +0000
committer	Dr. Stephen Henson <steve@openssl.org>	2017-02-02 14:45:10 +0000
commit	c19b863e8194df2bbaea7b6e1b57b817297d10be (patch)
tree	3fd27b5b3b19814950047f3ea6bea1fb7d439219 /ssl
parent	e10dbdbfea000765f336dac3c5e7e41cf7b78c14 (diff)
download	openssl-c19b863e8194df2bbaea7b6e1b57b817297d10be.tar.gz