Delay decision on supported certs
diff --git a/lib/picotls.c b/lib/picotls.c
index 94944a8..ba4d74c 100644
--- a/lib/picotls.c
+++ b/lib/picotls.c
@@ -2434,6 +2434,7 @@
static const ptls_raw_extension_t no_unknown_extensions = {UINT16_MAX};
ptls_raw_extension_t *unknown_extensions = (ptls_raw_extension_t *)&no_unknown_extensions;
int ret, skip_early_data = 1;
+ const uint8_t *server_offered_cert_type = NULL;
decode_extensions(src, end, PTLS_HANDSHAKE_TYPE_ENCRYPTED_EXTENSIONS, &type, {
if (tls->ctx->on_extension != NULL &&
@@ -2493,11 +2494,7 @@
ret = PTLS_ALERT_DECODE_ERROR;
goto Exit;
}
- if ((tls->ctx->use_raw_public_keys && *src != PTLS_CERTIFICATE_TYPE_RAW_PUBLIC_KEY) &&
- *src != PTLS_CERTIFICATE_TYPE_X509) {
- ret = PTLS_ALERT_UNSUPPORTED_CERTIFICATE;
- goto Exit;
- }
+ server_offered_cert_type = src;
src = end;
break;
default:
@@ -2517,6 +2514,18 @@
src = end;
});
+ if (tls->ctx->use_raw_public_keys) {
+ if (server_offered_cert_type == NULL || *server_offered_cert_type != PTLS_CERTIFICATE_TYPE_RAW_PUBLIC_KEY) {
+ ret = PTLS_ALERT_UNSUPPORTED_CERTIFICATE;
+ goto Exit;
+ }
+ } else {
+ if (server_offered_cert_type != NULL && *server_offered_cert_type != PTLS_CERTIFICATE_TYPE_X509) {
+ ret = PTLS_ALERT_UNSUPPORTED_CERTIFICATE;
+ goto Exit;
+ }
+ }
+
if (tls->esni != NULL) {
if (esni_nonce == NULL || !ptls_mem_equal(esni_nonce, tls->esni->nonce, PTLS_ESNI_NONCE_SIZE)) {
ret = PTLS_ALERT_ILLEGAL_PARAMETER;
