fix issue between certificate fragmentation and secure renegotiation

src/internal.c

@@ -7523,12 +7523,14 @@ int SendCertificate(WOLFSSL* ssl)
         if (ssl->fragOffset == 0) {
             if (!ssl->options.dtls) {
                 AddFragHeaders(output, fragSz, 0, payloadSz, certificate, ssl);
+                if (!ssl->keys.encryptionOn)
                     HashOutputRaw(ssl, output + RECORD_HEADER_SZ,
                                   HANDSHAKE_HEADER_SZ);
             }
             else {
             #ifdef WOLFSSL_DTLS
                 AddHeaders(output, payloadSz, certificate, ssl);
+                if (!ssl->keys.encryptionOn)
                     HashOutputRaw(ssl,
                                   output + RECORD_HEADER_SZ + DTLS_RECORD_EXTRA,
                                   HANDSHAKE_HEADER_SZ + DTLS_HANDSHAKE_EXTRA);
@@ -7543,21 +7545,24 @@ int SendCertificate(WOLFSSL* ssl)
 
             /* list total */
             c32to24(listSz, output + i);
+            if (!ssl->keys.encryptionOn)
                 HashOutputRaw(ssl, output + i, CERT_HEADER_SZ);
             i += CERT_HEADER_SZ;
             length -= CERT_HEADER_SZ;
             fragSz -= CERT_HEADER_SZ;
             if (certSz) {
                 c32to24(certSz, output + i);
+                if (!ssl->keys.encryptionOn)
                     HashOutputRaw(ssl, output + i, CERT_HEADER_SZ);
                 i += CERT_HEADER_SZ;
                 length -= CERT_HEADER_SZ;
                 fragSz -= CERT_HEADER_SZ;
 
+                if (!ssl->keys.encryptionOn) {
                     HashOutputRaw(ssl, ssl->buffers.certificate.buffer, certSz);
-                if (certChainSz) {
+                    if (certChainSz)
-                    HashOutputRaw(ssl,
+                        HashOutputRaw(ssl, ssl->buffers.certChain.buffer,
-                                  ssl->buffers.certChain.buffer, certChainSz);
+                                      certChainSz);
                 }
             }
         }