Ensure certificate callbacks work correctly in TLSv1.3

The is_tls13_capable() function should not return 0 if no certificates
are configured directly because a certificate callback is present.

Fixes #7140

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7141)

diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index adc8b98144b6e14406a440b719a658de64798520..508bb88767a73092901f46b5d28886eb632f09b8 100644 (file)
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -1489,7 +1489,8 @@ static int ssl_method_error(const SSL *s, const SSL_METHOD *method)
 
 /*
  * Only called by servers. Returns 1 if the server has a TLSv1.3 capable
 
 /*
  * Only called by servers. Returns 1 if the server has a TLSv1.3 capable

- * certificate type, or has PSK configured. Otherwise returns 0.
+ * certificate type, or has PSK or a certificate callback configured. Otherwise
+ * returns 0.

  */
 static int is_tls13_capable(const SSL *s)
 {
  */
 static int is_tls13_capable(const SSL *s)
 {


@@ -1500,7 +1501,7 @@ static int is_tls13_capable(const SSL *s)
         return 1;
 #endif
 
         return 1;
 #endif
 

-    if (s->psk_find_session_cb != NULL)
+    if (s->psk_find_session_cb != NULL || s->cert->cert_cb != NULL)

         return 1;
 
     for (i = 0; i < SSL_PKEY_NUM; i++) {
         return 1;
 
     for (i = 0; i < SSL_PKEY_NUM; i++) {