Prepare the client certificate earlier

Move the preparation of the client certificate to be post processing work after reading the CertificateRequest message rather than pre processing work prior to writing the Certificate message. As part of preparing the client certificate we may discover that we do not have one available. If we are also talking SSLv3 then we won't send the Certificate message at all. However, if we don't discover this until we are about to send the Certificate message it is too late and we send an empty one anyway. This is wrong for SSLv3. Reviewed-by: Emilia Käsper <emilia@openssl.org>
2025-01-12 04:53:33 +08:00 · 2016-06-22 14:31:32 +01:00 · 2016-06-22 14:31:32 +01:00 · 05c4f1d563
commit 05c4f1d563
parent 3c49b2e0cd
1 changed files with 4 additions and 4 deletions
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@ -398,9 +398,6 @@ WORK_STATE ossl_statem_client_pre_work(SSL *s, WORK_STATE wst)
        }
        break;

-    case TLS_ST_CW_CERT:
-        return tls_prepare_client_certificate(s, wst);
-
    case TLS_ST_CW_CHANGE:
        if (SSL_IS_DTLS(s)) {
            if (s->hit) {
@ -665,6 +662,9 @@ WORK_STATE ossl_statem_client_post_process_message(SSL *s, WORK_STATE wst)
    OSSL_STATEM *st = &s->statem;

    switch(st->hand_state) {
+    case TLS_ST_CR_CERT_REQ:
+        return tls_prepare_client_certificate(s, wst);
+
 #ifndef OPENSSL_NO_SCTP
    case TLS_ST_CR_SRVR_DONE:
        /* We only get here if we are using SCTP and we are renegotiating */
@ -1799,7 +1799,7 @@ MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt)
    s->s3->tmp.ca_names = ca_sk;
    ca_sk = NULL;

-    ret = MSG_PROCESS_CONTINUE_READING;
+    ret = MSG_PROCESS_CONTINUE_PROCESSING;
    goto done;
 err:
    ossl_statem_set_error(s);