From 0ea9163253e411edb12a3ae8ce07d46921b7fdb7 Mon Sep 17 00:00:00 2001
From: Jake Hicks
Date: Mon, 29 Mar 2021 09:37:53 -0500
Subject: [PATCH] fix: call CBClientCert for TLS 1.3 certificate requests
---
src/tls13.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/src/tls13.c b/src/tls13.c
index 2fd6e18ba..1097cf385 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -5034,6 +5034,11 @@ static int SendTls13Certificate(WOLFSSL* ssl)
 byte certReqCtxLen = 0;
 byte* certReqCtx = NULL;
 
+#ifdef OPENSSL_EXTRA
+ WOLFSSL_X509* x509 = NULL;
+ WOLFSSL_EVP_PKEY* pkey = NULL;
+#endif
+
 WOLFSSL_START(WC_FUNC_CERTIFICATE_SEND);
 WOLFSSL_ENTER("SendTls13Certificate");
 
@@ -5044,6 +5049,22 @@ static int SendTls13Certificate(WOLFSSL* ssl)
 }
 #endif
 
+#ifdef OPENSSL_EXTRA
+ /* call client cert callback if no cert has been loaded */
+ if ((ssl->ctx->CBClientCert != NULL) &&
+ (!ssl->buffers.certificate || !ssl->buffers.certificate->buffer)) {
+ ret = ssl->ctx->CBClientCert(ssl, &x509, &pkey);
+ if (ret == 1) {
+ if ((wolfSSL_CTX_use_certificate(ssl->ctx, x509) == WOLFSSL_SUCCESS) &&
+ (wolfSSL_CTX_use_PrivateKey(ssl->ctx, pkey) == WOLFSSL_SUCCESS)) {
+ ssl->options.sendVerify = SEND_CERT;
+ }
+ wolfSSL_X509_free(x509);
+ wolfSSL_EVP_PKEY_free(pkey);
+ }
+ }
+#endif
+
 if (ssl->options.sendVerify == SEND_BLANK_CERT) {
 certSz = 0;
 certChainSz = 0;
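Review bot: The credential returned by the per-connection callback is written into the shared context through `wolfSSL_CTX_use_certificate(ssl->ctx, x509)` and `wolfSSL_CTX_use_PrivateKey(ssl->ctx, pkey)` in the second hunk, so a certificate chosen for one TLS 1.3 session becomes the default for every other WOLFSSL object created from that context and the context is mutated from a handshake path; the per-session setters `wolfSSL_use_certificate(ssl, x509)` and `wolfSSL_use_PrivateKey(ssl, pkey)` keep the choice local to this connection. If the certificate call succeeds and the key call then fails, the context is left holding a certificate without its matching key while the session silently falls back to whatever `sendVerify` already was; load the key first or roll back the certificate on key failure. Only `ret == 1` is acted on: a callback returning a negative value (the OpenSSL convention for "could not provide a certificate") is ignored and `ret` keeps that value as the function continues, e.g. `if (ret < 0) return ret;` after the callback would make the failure explicit, though whether `ret` is reassigned later cannot be seen here because `SendTls13Certificate` continues past the hunk. The guard also does not verify that a `ret == 1` callback actually populated both `x509` and `pkey` before they are handed to the setters.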