Call Certificate writing generic handler only if necessary

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2025-04-01 04:20:45 +00:00 · 2022-03-09 07:00:13 +01:00 · 2022-03-09 07:00:13 +01:00 · 5bb8fc830a
commit 5bb8fc830a
parent 3f20b77517
2 changed files with 24 additions and 79 deletions
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@ -1928,10 +1928,15 @@ static int ssl_tls13_write_client_certificate( mbedtls_ssl_context *ssl )
    mbedtls_ssl_set_outbound_transform( ssl, ssl->handshake->transform_handshake );
 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
-    return( mbedtls_ssl_tls13_write_certificate( ssl ) );
+    if( ssl->handshake->client_auth )
-#else
+        return( mbedtls_ssl_tls13_write_certificate( ssl ) );
-    return( 0 );
+
    mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
    MBEDTLS_SSL_DEBUG_MSG( 2, ( "No certificate message to send." ) );
 #endif
    return( 0 );
 }
 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@ -847,54 +847,6 @@ cleanup:
    return( ret );
 }
 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
 /*
 * STATE HANDLING: Output Certificate
 */
 /* Check if a certificate should be written, and if yes,
 * if it is available.
 * Returns a negative error code on failure ( such as no certificate
 * being available on the server ), and otherwise
 * SSL_WRITE_CERTIFICATE_SEND or
 * SSL_WRITE_CERTIFICATE_SKIP
 * indicating that a Certificate message should be written based
 * on the configured certificate, or whether it should be silently skipped.
 */
 #define SSL_WRITE_CERTIFICATE_SEND  0
 #define SSL_WRITE_CERTIFICATE_SKIP  1
 static int ssl_tls13_write_certificate_coordinate( mbedtls_ssl_context *ssl )
 {
    /* For PSK and ECDHE-PSK ciphersuites there is no certificate to exchange. */
    if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) )
    {
        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
        return( SSL_WRITE_CERTIFICATE_SKIP );
    }
 #if defined(MBEDTLS_SSL_CLI_C)
    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
    {
        /* The client MUST send a Certificate message if and only
         * if the server has requested client authentication via a
         * CertificateRequest message.
         *
         * client_auth indicates whether the server had requested
         * client authentication.
         */
        if( ssl->handshake->client_auth == 0 )
        {
            MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
            return( SSL_WRITE_CERTIFICATE_SKIP );
        }
    }
 #endif /* MBEDTLS_SSL_CLI_C */
    return( SSL_WRITE_CERTIFICATE_SEND );
 }
 /*
 *  enum {
 *        X509(0),
@ -1006,39 +958,27 @@ static int ssl_tls13_finalize_write_certificate( mbedtls_ssl_context *ssl )
 int mbedtls_ssl_tls13_write_certificate( mbedtls_ssl_context *ssl )
 {
    int ret;
    unsigned char *buf;
    size_t buf_len, msg_len;
    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
-    /* Coordination: Check if we need to send a certificate. */
+    MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_start_handshake_msg( ssl,
-    MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_write_certificate_coordinate( ssl ) );
+                          MBEDTLS_SSL_HS_CERTIFICATE, &buf, &buf_len ) );
-    if( ret == SSL_WRITE_CERTIFICATE_SEND )
+    MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_certificate_body( ssl,
-    {
+                                                            buf,
-        unsigned char *buf;
+                                                            buf + buf_len,
-        size_t buf_len, msg_len;
+                                                            &msg_len ) );
-        MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_start_handshake_msg( ssl,
+    mbedtls_ssl_tls13_add_hs_msg_to_checksum( ssl,
-                   MBEDTLS_SSL_HS_CERTIFICATE, &buf, &buf_len ) );
+                                              MBEDTLS_SSL_HS_CERTIFICATE,
-
+                                              buf,
-        MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_certificate_body( ssl,
+                                              msg_len );
                                                                buf,
                                                                buf + buf_len,
                                                                &msg_len ) );
        mbedtls_ssl_tls13_add_hs_msg_to_checksum( ssl,
                                                  MBEDTLS_SSL_HS_CERTIFICATE,
                                                  buf,
                                                  msg_len );
        MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_write_certificate( ssl ) );
        MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_finish_handshake_msg(
                                  ssl, buf_len, msg_len ) );
    }
    else
    {
        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
        MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_write_certificate( ssl ) );
    }
    MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_write_certificate( ssl ) );
    MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_finish_handshake_msg(
                              ssl, buf_len, msg_len ) );
 cleanup:
    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );