authorNikos Mavrogiannopoulos <nmav@redhat.com>2018-11-14 15:20:08 +0100
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2018-11-18 19:54:14 +0100
commitb44430523cca648364386e758c1b7df161c2a29d (patch)
treea5347aad3142a3200528066eb7af95f6a2ce848e
parent5ad1afa2c65c1ce9d0946dbb835edf93ec6d0ead (diff)
gnutls_certificate_type_get*: ensure that the default type is returned
That is, ensure that unless we negotiate something other than X509, the default certificate type is returned to applications. Previously we wouldn't do that for TLS1.3 resumed sessions, and we would return zero (invalid type) instead. That addresses issues with applications checking explicitly for the X509 certificate type being present. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--lib/session_pack.c20
-rw-r--r--tests/mini-x509-2.c4
-rw-r--r--tests/mini-x509.c3
-rw-r--r--tests/resume.c3
4 files changed, 20 insertions, 10 deletions
diff --git a/lib/session_pack.c b/lib/session_pack.c
index 1869f7740b..eec594e38e 100644
--- a/lib/session_pack.c
+++ b/lib/session_pack.c
@@ -905,14 +905,14 @@ pack_security_parameters(gnutls_session_t session, gnutls_buffer_st * ps)
BUFFER_APPEND_NUM(ps, session->security_parameters.pversion->id);
+ BUFFER_APPEND_NUM(ps, session->security_parameters.client_ctype);
+ BUFFER_APPEND_NUM(ps, session->security_parameters.server_ctype);
+
/* if we are under TLS 1.3 do not pack keys or params negotiated using an extension
* they are not necessary */
if (!session->security_parameters.pversion->tls13_sem) {
BUFFER_APPEND(ps, session->security_parameters.cs->id, 2);
- BUFFER_APPEND_NUM(ps, session->security_parameters.client_ctype);
- BUFFER_APPEND_NUM(ps, session->security_parameters.server_ctype);
-
BUFFER_APPEND_PFX1(ps, session->security_parameters.master_secret,
GNUTLS_MASTER_SIZE);
BUFFER_APPEND_PFX1(ps, session->security_parameters.client_random,
@@ -1005,19 +1005,19 @@ unpack_security_parameters(gnutls_session_t session, gnutls_buffer_st * ps)
NULL)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ BUFFER_POP_NUM(ps,
+ session->internals.resumed_security_parameters.
+ client_ctype);
+ BUFFER_POP_NUM(ps,
+ session->internals.resumed_security_parameters.
+ server_ctype);
+
if (!session->internals.resumed_security_parameters.pversion->tls13_sem) {
BUFFER_POP(ps, cs, 2);
session->internals.resumed_security_parameters.cs = ciphersuite_to_entry(cs);
if (session->internals.resumed_security_parameters.cs == NULL)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
- BUFFER_POP_NUM(ps,
- session->internals.resumed_security_parameters.
- client_ctype);
- BUFFER_POP_NUM(ps,
- session->internals.resumed_security_parameters.
- server_ctype);
-
/* master secret */
ret = _gnutls_buffer_pop_datum_prefix8(ps, &t);
if (ret < 0) {
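Review bot: The two values popped at the top of the unpack hunk are stored into client_ctype and server_ctype without any range check, whereas the ciphersuite popped a few lines later is rejected with GNUTLS_E_INVALID_REQUEST when ciphersuite_to_entry() returns NULL; since the packed blob may come back from an external session cache, I would mirror that check right after the second BUFFER_POP_NUM: `if (session->internals.resumed_security_parameters.client_ctype > GNUTLS_CRT_MAX || session->internals.resumed_security_parameters.server_ctype > GNUTLS_CRT_MAX) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);`. Moving the two fields ahead of the ciphersuite in both pack_security_parameters and unpack_security_parameters also changes the packed-session layout, so data written by an earlier build would now be misparsed rather than rejected unless the packed-session magic already encodes the library version (not visible in this hunk); if it does not, it should be bumped in the same commit. unpack_security_parameters continues outside the hunk.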
diff --git a/tests/mini-x509-2.c b/tests/mini-x509-2.c
index 8badfc1ecb..e20d45b7ff 100644
--- a/tests/mini-x509-2.c
+++ b/tests/mini-x509-2.c
@@ -303,6 +303,8 @@ void start(const char *prio)
exit(1);
}
gnutls_free(scert.data);
+
+ assert(gnutls_certificate_type_get(server)==GNUTLS_CRT_X509);
}
/* check gnutls_certificate_get_ours() - client side */
@@ -336,6 +338,8 @@ void start(const char *prio)
exit(1);
}
gnutls_free(ccert.data);
+
+ assert(gnutls_certificate_type_get(client)==GNUTLS_CRT_X509);
}
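Review bot: The two new checks (after `gnutls_free(scert.data)` and `gnutls_free(ccert.data)`) use assert(), so they disappear in any build compiled with NDEBUG, while the surrounding failure paths in the same function call exit(1) and the check this commit adds to tests/resume.c reports through fail(); the same applies to the two asserts added in tests/mini-x509.c. For consistency, and so the regression test cannot be silently compiled out, I would write `if (gnutls_certificate_type_get(server) != GNUTLS_CRT_X509) fail("unexpected certificate type on server (%d)\n", gnutls_certificate_type_get(server));` with the matching client counterpart, assuming utils.h's fail() is in scope here as it is in resume.c. start() extends beyond both hunks.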
/* check the number of certificates received */
diff --git a/tests/mini-x509.c b/tests/mini-x509.c
index 52c650aa7f..c26b13f716 100644
--- a/tests/mini-x509.c
+++ b/tests/mini-x509.c
@@ -124,6 +124,9 @@ void start(const char *prio, unsigned expect_max)
}
}
+ assert(gnutls_certificate_type_get(server)==GNUTLS_CRT_X509);
+ assert(gnutls_certificate_type_get(client)==GNUTLS_CRT_X509);
+
/* check the number of certificates received and verify */
{
unsigned cert_list_size = 0;
diff --git a/tests/resume.c b/tests/resume.c
index 5e545cc658..3ce3e293c1 100644
--- a/tests/resume.c
+++ b/tests/resume.c
@@ -391,6 +391,9 @@ static void verify_server_params(gnutls_session_t session, unsigned counter, str
#if defined(USE_X509)
unsigned int l;
+ if (gnutls_certificate_type_get(session) != GNUTLS_CRT_X509)
+ fail("did not find the expected X509 certificate type! (%d)\n", gnutls_certificate_type_get(session));
+
if (counter == 0 && gnutls_certificate_get_ours(session) == NULL)
fail("no certificate returned on server side (%s)\n", counter?"resumed session":"first session");
else if (counter != 0 && gnutls_certificate_get_ours(session) != NULL)