Abandon client auth hashing earlier

rustls/src/client/common.rs

@@ -173,4 +173,8 @@ impl ClientAuthDetails {
             None => (None, None),
         }
     }
+
+    pub fn is_enabled(&self) -> bool {
+        self.0.is_some()
+    }
 }

rustls/src/client/tls12.rs

@@ -284,13 +284,7 @@ fn emit_certverify(
     sess: &mut ClientSessionImpl,
 ) -> Result<(), TLSError> {
     let signer = match signer {
-        None => {
+        None => return Ok(()),
-            trace!("Not sending CertificateVerify, no key");
-            handshake
-                .transcript
-                .abandon_client_auth();
-            return Ok(());
-        },
         Some(signer) => {
             signer
         }
@@ -393,6 +387,10 @@ impl hs::State for ExpectCertificateRequest {
             .resolve(&canames, &certreq.sigschemes);
 
         let client_auth = ClientAuthDetails::from_key(maybe_certkey, &certreq.sigschemes);
+        if !client_auth.is_enabled() {
+            self.handshake.transcript.abandon_client_auth();
+        }
+
         Ok(Box::new(ExpectServerDone {
             handshake: self.handshake,
             suite: self.suite,

rustls/src/client/tls13.rs

@@ -786,6 +786,10 @@ impl hs::State for ExpectCertificateRequest {
             .resolve(&canames, &compat_sigschemes);
 
         let client_auth = ClientAuthDetails::from_key(maybe_certkey, &compat_sigschemes);
+        if !client_auth.is_enabled() {
+            self.handshake.transcript.abandon_client_auth();
+        }
+
         Ok(Box::new(ExpectCertificate {
             handshake: self.handshake,
             key_schedule: self.key_schedule,