Merge pull request #3929 from hicksjacobp/tls13-cbclientcert

fix: call CBClientCert for TLS 1.3 certificate requests
2021-04-12 09:25:22 +10:00 · 2021-04-12 09:25:22 +10:00 · 0197e133b1
commit 0197e133b1
parent 04cc48b810 0ea9163253
1 changed files with 21 additions and 0 deletions
--- a/src/tls13.c
+++ b/src/tls13.c
@ -5034,6 +5034,11 @@ static int SendTls13Certificate(WOLFSSL* ssl)
    byte   certReqCtxLen = 0;
    byte*  certReqCtx = NULL;

+#ifdef OPENSSL_EXTRA
+    WOLFSSL_X509* x509 = NULL;
+    WOLFSSL_EVP_PKEY* pkey = NULL;
+#endif
+
    WOLFSSL_START(WC_FUNC_CERTIFICATE_SEND);
    WOLFSSL_ENTER("SendTls13Certificate");

@ -5044,6 +5049,22 @@ static int SendTls13Certificate(WOLFSSL* ssl)
    }
 #endif

+#ifdef OPENSSL_EXTRA
+    /* call client cert callback if no cert has been loaded */
+    if ((ssl->ctx->CBClientCert != NULL) &&
+        (!ssl->buffers.certificate || !ssl->buffers.certificate->buffer)) {
+        ret = ssl->ctx->CBClientCert(ssl, &x509, &pkey);
+        if (ret == 1) {
+            if ((wolfSSL_CTX_use_certificate(ssl->ctx, x509) == WOLFSSL_SUCCESS) &&
+                (wolfSSL_CTX_use_PrivateKey(ssl->ctx, pkey) == WOLFSSL_SUCCESS)) {
+                ssl->options.sendVerify = SEND_CERT;
+            }
+            wolfSSL_X509_free(x509);
+            wolfSSL_EVP_PKEY_free(pkey);
+        }
+    }
+#endif
+
    if (ssl->options.sendVerify == SEND_BLANK_CERT) {
        certSz = 0;
        certChainSz = 0;