1 files changed, 44 insertions, 1 deletions
diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c
index 950b5a4019..2a13e8f773 100644
--- a/src/lib/libssl/tls13_lib.c
+++ b/src/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls13_lib.c,v 1.30 2020/01/25 13:11:20 tb Exp $ */
+/*      $OpenBSD: tls13_lib.c,v 1.31 2020/01/26 02:45:27 beck Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2019 Bob Beck <beck@openbsd.org>
@@ -607,3 +607,46 @@ tls13_legacy_shutdown(SSL *ssl)
        return 0;
 }
+/*
+ * Certificate Verify padding - RFC 8446 section 4.4.3.
+ */
+uint8_t tls13_cert_verify_pad[64] = {
+        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+};
+uint8_t tls13_cert_client_verify_context[] = "TLS 1.3, client CertificateVerify";
+uint8_t tls13_cert_server_verify_context[] = "TLS 1.3, server CertificateVerify";
+int
+tls13_cert_add(CBB *cbb, X509 *cert)
+{
+        CBB cert_data, cert_exts;
+        uint8_t *data;
+        int cert_len;
+        if ((cert_len = i2d_X509(cert, NULL)) < 0)
+                return 0;
+        if (!CBB_add_u24_length_prefixed(cbb, &cert_data))
+                return 0;
+        if (!CBB_add_space(&cert_data, &data, cert_len))
+                return 0;
+        if (i2d_X509(cert, &data) != cert_len)
+                return 0;
+        if (!CBB_add_u16_length_prefixed(cbb, &cert_exts))
+                return 0;
+        if (!CBB_flush(cbb))
+                return 0;
+        return 1;
+}

diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c index 950b5a4019..2a13e8f773 100644 --- a/src/lib/libssl/tls13_lib.c +++ b/src/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_lib.c,v 1.30 2020/01/25 13:11:20 tb Exp $ */	1	/* $OpenBSD: tls13_lib.c,v 1.31 2020/01/26 02:45:27 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2019 Bob Beck <beck@openbsd.org>	4	* Copyright (c) 2019 Bob Beck <beck@openbsd.org>
@@ -607,3 +607,46 @@ tls13_legacy_shutdown(SSL *ssl)
607		607
608	return 0;	608	return 0;
609	}	609	}
		610
		611	/*
		612	* Certificate Verify padding - RFC 8446 section 4.4.3.
		613	*/
		614	uint8_t tls13_cert_verify_pad[64] = {
		615	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
		616	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
		617	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
		618	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
		619	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
		620	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
		621	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
		622	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
		623	};
		624
		625	uint8_t tls13_cert_client_verify_context[] = "TLS 1.3, client CertificateVerify";
		626	uint8_t tls13_cert_server_verify_context[] = "TLS 1.3, server CertificateVerify";
		627
		628	int
		629	tls13_cert_add(CBB cbb, X509 cert)
		630	{
		631	CBB cert_data, cert_exts;
		632	uint8_t *data;
		633	int cert_len;
		634
		635	if ((cert_len = i2d_X509(cert, NULL)) < 0)
		636	return 0;
		637
		638	if (!CBB_add_u24_length_prefixed(cbb, &cert_data))
		639	return 0;
		640	if (!CBB_add_space(&cert_data, &data, cert_len))
		641	return 0;
		642	if (i2d_X509(cert, &data) != cert_len)
		643	return 0;
		644
		645	if (!CBB_add_u16_length_prefixed(cbb, &cert_exts))
		646	return 0;
		647
		648	if (!CBB_flush(cbb))
		649	return 0;
		650
		651	return 1;
		652	}