Emulate the client_cert_cb with cert_cb.
This avoids needing an extra state around client certificates to avoid
calling the callbacks twice. This does, however, come with a behavior
change: configuring both callbacks won't work. No consumer does this.
(Except bssl_shim which needed slight tweaks.)
Change-Id: Ia5426ed2620e40eecdcf352216c4a46764e31a9a
Reviewed-on: https://boringssl-review.googlesource.com/12690
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/tls13_client.c b/ssl/tls13_client.c
index ba1589f..b9c3c68 100644
--- a/ssl/tls13_client.c
+++ b/ssl/tls13_client.c
@@ -38,7 +38,6 @@
state_process_server_certificate,
state_process_server_certificate_verify,
state_process_server_finished,
- state_certificate_callback,
state_send_client_certificate,
state_send_client_certificate_verify,
state_complete_client_certificate_verify,
@@ -439,11 +438,11 @@
}
ssl->method->received_flight(ssl);
- hs->tls13_state = state_certificate_callback;
+ hs->tls13_state = state_send_client_certificate;
return ssl_hs_ok;
}
-static enum ssl_hs_wait_t do_certificate_callback(SSL_HANDSHAKE *hs) {
+static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
/* The peer didn't request a certificate. */
if (!hs->cert_request) {
@@ -460,25 +459,9 @@
return ssl_hs_error;
}
if (rv < 0) {
- hs->tls13_state = state_certificate_callback;
- return ssl_hs_x509_lookup;
- }
- }
-
- hs->tls13_state = state_send_client_certificate;
- return ssl_hs_ok;
-}
-
-static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) {
- SSL *const ssl = hs->ssl;
- /* Call client_cert_cb to update the certificate. */
- int should_retry;
- if (!ssl_do_client_cert_cb(ssl, &should_retry)) {
- if (should_retry) {
hs->tls13_state = state_send_client_certificate;
return ssl_hs_x509_lookup;
}
- return ssl_hs_error;
}
if (!tls13_prepare_certificate(hs)) {
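Review bot: The retry branch under `if (rv < 0)` in the merged do_send_client_certificate assigns `hs->tls13_state = state_send_client_certificate`, the state the function is already dispatched from, with no comment saying why it is kept. I would add one, for example `/* Stay in this state so cert_cb is invoked again once the X.509 lookup completes. */`, so a later cleanup does not drop the assignment as redundant. With the direct `ssl_do_client_cert_cb` call removed here, the legacy client_cert_cb presumably runs only through the cert_cb emulation installed elsewhere (not visible in this diff). Because the commit message says configuring both callbacks no longer works, the setters should document which one takes effect; a silently ignored callback on the client-authentication path could leave the handshake offering an unintended certificate or none. The function body begins in the previous hunk and continues past the end of this one.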
@@ -597,9 +580,6 @@
case state_process_server_finished:
ret = do_process_server_finished(hs);
break;
- case state_certificate_callback:
- ret = do_certificate_callback(hs);
- break;
case state_send_client_certificate:
ret = do_send_client_certificate(hs);
break;