Call Certificate writing generic handler only if necessary
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 22e8aa4..dbaa70c 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -1928,10 +1928,15 @@
mbedtls_ssl_set_outbound_transform( ssl, ssl->handshake->transform_handshake );
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
- return( mbedtls_ssl_tls13_write_certificate( ssl ) );
-#else
- return( 0 );
+ if( ssl->handshake->client_auth )
+ return( mbedtls_ssl_tls13_write_certificate( ssl ) );
+
+ mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
+
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "No certificate message to send." ) );
#endif
+
+ return( 0 );
}
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
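Review bot: The new `if( ssl->handshake->client_auth )` branch drops the PSK check that the removed ssl_tls13_write_certificate_coordinate() performed (`mbedtls_ssl_tls13_some_psk_enabled( ssl )`), so a client now writes its Certificate whenever client_auth is set, regardless of the negotiated key exchange. That is only safe if client_auth can never be set on a PSK handshake; RFC 8446 forbids a server authenticating with a PSK from sending CertificateRequest, so the CertificateRequest parser should reject it in that mode, and if it does not, a misbehaving server can elicit the client certificate on a PSK connection, which `if( ssl->handshake->client_auth && !mbedtls_ssl_tls13_some_psk_enabled( ssl ) )` would preserve the previous behaviour against. Separately, the `mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED )` call and the "No certificate message to send." debug message sit inside the `#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)` block, so a build without certificate-based key exchanges returns 0 without advancing the state; unless the enclosing function handles that earlier, moving those two lines after the `#endif` makes the no-certificate path uniform across configurations. The enclosing function begins outside the hunk.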
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 330d1cc..d054d4d 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -847,54 +847,6 @@
return( ret );
}
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
-
-/*
- * STATE HANDLING: Output Certificate
- */
-/* Check if a certificate should be written, and if yes,
- * if it is available.
- * Returns a negative error code on failure ( such as no certificate
- * being available on the server ), and otherwise
- * SSL_WRITE_CERTIFICATE_SEND or
- * SSL_WRITE_CERTIFICATE_SKIP
- * indicating that a Certificate message should be written based
- * on the configured certificate, or whether it should be silently skipped.
- */
-#define SSL_WRITE_CERTIFICATE_SEND 0
-#define SSL_WRITE_CERTIFICATE_SKIP 1
-
-static int ssl_tls13_write_certificate_coordinate( mbedtls_ssl_context *ssl )
-{
-
- /* For PSK and ECDHE-PSK ciphersuites there is no certificate to exchange. */
- if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) )
- {
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
- return( SSL_WRITE_CERTIFICATE_SKIP );
- }
-
-#if defined(MBEDTLS_SSL_CLI_C)
- if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
- {
- /* The client MUST send a Certificate message if and only
- * if the server has requested client authentication via a
- * CertificateRequest message.
- *
- * client_auth indicates whether the server had requested
- * client authentication.
- */
- if( ssl->handshake->client_auth == 0 )
- {
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
- return( SSL_WRITE_CERTIFICATE_SKIP );
- }
- }
-#endif /* MBEDTLS_SSL_CLI_C */
-
- return( SSL_WRITE_CERTIFICATE_SEND );
-
-}
-
/*
* enum {
* X509(0),
@@ -1006,39 +958,27 @@
int mbedtls_ssl_tls13_write_certificate( mbedtls_ssl_context *ssl )
{
int ret;
+ unsigned char *buf;
+ size_t buf_len, msg_len;
+
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
- /* Coordination: Check if we need to send a certificate. */
- MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_write_certificate_coordinate( ssl ) );
+ MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_start_handshake_msg( ssl,
+ MBEDTLS_SSL_HS_CERTIFICATE, &buf, &buf_len ) );
- if( ret == SSL_WRITE_CERTIFICATE_SEND )
- {
- unsigned char *buf;
- size_t buf_len, msg_len;
+ MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_certificate_body( ssl,
+ buf,
+ buf + buf_len,
+ &msg_len ) );
- MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_start_handshake_msg( ssl,
- MBEDTLS_SSL_HS_CERTIFICATE, &buf, &buf_len ) );
+ mbedtls_ssl_tls13_add_hs_msg_to_checksum( ssl,
+ MBEDTLS_SSL_HS_CERTIFICATE,
+ buf,
+ msg_len );
- MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_certificate_body( ssl,
- buf,
- buf + buf_len,
- &msg_len ) );
-
- mbedtls_ssl_tls13_add_hs_msg_to_checksum( ssl,
- MBEDTLS_SSL_HS_CERTIFICATE,
- buf,
- msg_len );
-
- MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_write_certificate( ssl ) );
- MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_finish_handshake_msg(
- ssl, buf_len, msg_len ) );
- }
- else
- {
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
- MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_write_certificate( ssl ) );
- }
-
+ MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_write_certificate( ssl ) );
+ MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_finish_handshake_msg(
+ ssl, buf_len, msg_len ) );
cleanup:
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );