Move more side-specific code out of tls13_process_certificate. tls13_process_certificate can take a boolean for whether anonymous is allowed. This does change the error on the client slightly, but I think this is correct anyway. It is not a syntax error for the server to send no certificates in so far as the Certificate message allows it. It's just illegal. Change-Id: I1af80dacf23f50aad0b1fbd884bc068a40714399 Reviewed-on: https://boringssl-review.googlesource.com/9072 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>

commit: 4087df92f489e3f8bb09439d85aa8edad92ad7fa [log] [tgz]
author: David Benjamin <davidben@google.com> Mon Aug 01 20:16:31 2016 -0400
committer: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Thu Aug 04 16:58:46 2016 +0000
tree: f1aad0dff11da83d4d68eabb5a877e1c086c9ce1
parent: bb9e36e0051e15b633616067d71e95010e841dfa [diff] [blame]
diff --git a/ssl/tls13_server.c b/ssl/tls13_server.c
index 1b99ff6..71c716d 100644
--- a/ssl/tls13_server.c
+++ b/ssl/tls13_server.c

@@ -458,8 +458,11 @@
     return ssl_hs_ok;
   }
 
+  const int allow_anonymous =
+      (ssl->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) == 0;
+
   if (!tls13_check_message_type(ssl, SSL3_MT_CERTIFICATE) ||
-      !tls13_process_certificate(ssl) ||
+      !tls13_process_certificate(ssl, allow_anonymous) ||
       !ssl->method->hash_current_message(ssl)) {
     return ssl_hs_error;
   }
commit	4087df92f489e3f8bb09439d85aa8edad92ad7fa	[log] [tgz]
author	David Benjamin <davidben@google.com>	Mon Aug 01 20:16:31 2016 -0400
committer	CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>	Thu Aug 04 16:58:46 2016 +0000
tree	f1aad0dff11da83d4d68eabb5a877e1c086c9ce1
parent	bb9e36e0051e15b633616067d71e95010e841dfa [diff] [blame]