Move some client/server special-cases out of tls13_process_certificate.

Where we can move uncommon logic to the caller, we probably ought to.

Change-Id: I54a09fffffc20290be05295137ccb605d562cad0
Reviewed-on: https://boringssl-review.googlesource.com/9069
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>

ssl/tls13_both.c

@@ -235,12 +235,6 @@ int tls13_process_certificate(SSL *ssl) {
     ssl->s3->new_session->peer_sha256_valid = 1;
   }
 
-  X509 *leaf = sk_X509_value(chain, 0);
-  if (!ssl->server && !ssl_check_leaf_certificate(ssl, leaf)) {
-    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
-    goto err;
-  }
-
   int verify_ret = ssl_verify_cert_chain(ssl, chain);
   /* If |SSL_VERIFY_NONE|, the error is non-fatal, but we keep the result. */
   if (ssl->verify_mode != SSL_VERIFY_NONE && verify_ret <= 0) {
@@ -254,13 +248,7 @@ int tls13_process_certificate(SSL *ssl) {
   ssl->s3->new_session->verify_result = ssl->verify_result;
 
   X509_free(ssl->s3->new_session->peer);
-  /* For historical reasons, the client and server differ on whether the chain
+  ssl->s3->new_session->peer = X509_up_ref(sk_X509_value(chain, 0));
-   * includes the leaf. */
-  if (ssl->server) {
-    ssl->s3->new_session->peer = sk_X509_shift(chain);
-  } else {
-    ssl->s3->new_session->peer = X509_up_ref(leaf);
-  }
 
   sk_X509_pop_free(ssl->s3->new_session->cert_chain, X509_free);
   ssl->s3->new_session->cert_chain = chain;

ssl/tls13_client.c

@@ -366,6 +366,15 @@ static enum ssl_hs_wait_t do_process_server_certificate(SSL *ssl,
     return ssl_hs_error;
   }
 
+  /* Check the certificate matches the cipher suite.
+   *
+   * TODO(davidben): Remove this check when switching to the new TLS 1.3 cipher
+   * suite negotiation. */
+  if (!ssl_check_leaf_certificate(ssl, ssl->s3->new_session->peer)) {
+    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
+    return ssl_hs_error;
+  }
+
   hs->state = state_process_server_certificate_verify;
   return ssl_hs_read_message;
 }

ssl/tls13_server.c

@@ -464,6 +464,12 @@ static enum ssl_hs_wait_t do_process_client_certificate(SSL *ssl,
     return ssl_hs_error;
   }
 
+  /* For historical reasons, the server's copy of the chain does not include the
+   * leaf while the client's does. */
+  if (sk_X509_num(ssl->s3->new_session->cert_chain) > 0) {
+    X509_free(sk_X509_shift(ssl->s3->new_session->cert_chain));
+  }
+
   hs->state = state_process_client_certificate_verify;
   return ssl_hs_read_message;
 }