dtls.c: support empty client certificate.

Use empty client certificate, if a certificate is requested but no certificate is available. Issue #186 Signed-off-by: Achim Kraus <[email protected]>
eclipse · Aug 28, 2024 · 11c5c53 · 11c5c53
1 parent f7ced4e
commit 11c5c53
Showing 1 changed file with 17 additions and 5 deletions.
diff --git a/dtls.c b/dtls.c
@@ -2607,6 +2607,18 @@ dtls_send_server_hello(dtls_context_t *ctx, dtls_peer_t *peer)
 #ifdef DTLS_ECC
 #define DTLS_EC_SUBJECTPUBLICKEY_SIZE (2 * DTLS_EC_KEY_SIZE + sizeof(cert_asn1_header))
 
+static int
+dtls_send_certificate_empty(dtls_context_t *ctx, dtls_peer_t *peer)
+{
+  uint8 buf[sizeof(uint24)];
+
+  /* length of this certificate */
+  dtls_int_to_uint24(buf, 0);
+
+  return dtls_send_handshake_msg(ctx, peer, DTLS_HT_CERTIFICATE,
+				 buf, sizeof(buf));
+}
+
 static int
 dtls_send_certificate_ecdsa(dtls_context_t *ctx, dtls_peer_t *peer,
 			    const dtls_ecdsa_key_t *key)
@@ -3699,12 +3711,12 @@ check_server_hellodone(dtls_context_t *ctx,
 
     res = CALL(ctx, get_ecdsa_key, &peer->session, &ecdsa_key);
     if (res < 0) {
-      dtls_crit("no ecdsa certificate to send in certificate\n");
-      return res;
+      dtls_warn("no ecdsa certificate to send in certificate\n");
+      res = dtls_send_certificate_empty(ctx, peer);
+      handshake->do_client_auth = 0;
+    } else {
+      res = dtls_send_certificate_ecdsa(ctx, peer, ecdsa_key);
     }
-
-    res = dtls_send_certificate_ecdsa(ctx, peer, ecdsa_key);
-
     if (res < 0) {
       dtls_debug("dtls_server_hello: cannot prepare Certificate record\n");
       return res;