Problem:
In some cases, a call to s2n_cert_chain_and_key_get_pkey_type during preparation of the client certificate to be offered in the handshake dereferences a NULL pointer on the client side.
I believe the trigger is to have a self-signed client certificate; I have a local reproducer, but it's not minimal, so I won't paste it here - it's a unit test of an unrelated project using S2N that used to pass in the past. Ping me in Slack if it's needed.
Backtrace:
(gdb) bt
#0 0x000000000043b057 in s2n_cert_chain_and_key_get_pkey_type (chain_and_key=0x7ffff3fe3cc0) at s2n_certificate.c:622
#1 0x000000000044f6ed in s2n_set_cert_chain_as_client (conn=0x7ffff7fef4b0) at s2n_server_cert_request.c:93
#2 0x000000000044f898 in s2n_cert_req_recv (conn=0x7ffff7fef4b0) at s2n_server_cert_request.c:139
#3 0x0000000000424166 in s2n_handshake_read_io (conn=conn@entry=0x7ffff7fef4b0) at s2n_handshake_io.c:1273
#4 0x0000000000424e83 in s2n_negotiate (conn=0x7ffff7fef4b0, blocked=0x7fffffffd734) at s2n_handshake_io.c:1382
...
(gdb) p *chain_and_key->cert_chain
$5 = {chain_size = 0, head = 0x0}
Solution:
s2n_cert_chain_and_key_get_pkey_type should check if the certificate chain is empty, or the function should not be called by s2n_set_cert_chain_as_client if it is. #3064 proposes the former.
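The empty-chain state from the gdb output above (`chain_size = 0, head = 0x0`) and the kind of guard the issue asks for, as an added example that is not s2n's code and not the patch in #3064. All `demo_*` types and functions are simplified, hypothetical stand-ins for the structures named in the backtrace.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified stand-ins; not s2n's real definitions. */
typedef enum { DEMO_PKEY_UNKNOWN = -1, DEMO_PKEY_RSA = 0, DEMO_PKEY_ECDSA = 1 } demo_pkey_type;
struct demo_cert { demo_pkey_type pkey_type; struct demo_cert *next; };
struct demo_cert_chain { size_t chain_size; struct demo_cert *head; };
struct demo_cert_chain_and_key { struct demo_cert_chain *cert_chain; };

/* Guarded getter: returns 0 and writes *out on success, -1 when any link is
 * missing. An empty chain (head == NULL) is reported as an error instead of
 * being dereferenced. */
int demo_get_pkey_type(const struct demo_cert_chain_and_key *ck, demo_pkey_type *out)
{
    if (ck == NULL || out == NULL) return -1;
    if (ck->cert_chain == NULL) return -1;
    if (ck->cert_chain->head == NULL) return -1; /* state seen in the gdb output */
    *out = ck->cert_chain->head->pkey_type;
    return 0;
}

/* Constructed case 1: the chain state printed by gdb in the issue. */
int demo_check_empty_chain(void)
{
    struct demo_cert_chain chain = { 0, NULL };
    struct demo_cert_chain_and_key ck = { &chain };
    demo_pkey_type type = DEMO_PKEY_UNKNOWN;
    return demo_get_pkey_type(&ck, &type); /* -1: caller can fail the handshake cleanly */
}

/* Constructed case 2: a chain with one leaf certificate (size value is arbitrary). */
int demo_check_populated_chain(void)
{
    struct demo_cert leaf = { DEMO_PKEY_ECDSA, NULL };
    struct demo_cert_chain chain = { 1, &leaf };
    struct demo_cert_chain_and_key ck = { &chain };
    demo_pkey_type type = DEMO_PKEY_UNKNOWN;
    if (demo_get_pkey_type(&ck, &type) != 0) return -2;
    return (int) type;
}

int main(void)
{
    printf("empty chain     -> %d\n", demo_check_empty_chain());
    printf("populated chain -> %d\n", demo_check_populated_chain());
    return 0;
}
```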