1 files changed, 23 insertions, 7 deletions

diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 9c422e4752..26c37c73d0 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -2448,12 +2448,21 @@ int tls_construct_certificate_request(SSL *s, WPACKET *pkt)
     int i;
     STACK_OF(X509_NAME) *sk = NULL;
 
-    /* get the list of acceptable cert types */
-    if (!WPACKET_start_sub_packet_u8(pkt)
-            || !ssl3_get_req_cert_type(s, pkt)
-            || !WPACKET_close(pkt)) {
-        SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
-        goto err;
+    if (SSL_IS_TLS13(s)) {
+        /* TODO(TLS1.3) for now send empty request context */
+        if (!WPACKET_put_bytes_u8(pkt, 0)) {
+            SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
+                   ERR_R_INTERNAL_ERROR);
+            goto err;
+        }
+    } else {
+        /* get the list of acceptable cert types */
+        if (!WPACKET_start_sub_packet_u8(pkt)
+            || !ssl3_get_req_cert_type(s, pkt) || !WPACKET_close(pkt)) {
+            SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
+                   ERR_R_INTERNAL_ERROR);
+            goto err;
+        }
     }
 
     if (SSL_USE_SIGALGS(s)) {
@@ -2494,11 +2503,18 @@ int tls_construct_certificate_request(SSL *s, WPACKET *pkt)
         }
     }
     /* else no CA names */
-
     if (!WPACKET_close(pkt)) {
         SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
         goto err;
     }
+    /*
+     * TODO(TLS1.3) implement configurable certificate_extensions
+     * For now just send zero length extensions.
+     */
+    if (SSL_IS_TLS13(s) && !WPACKET_put_bytes_u16(pkt, 0)) {
+        SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
+        goto err;
+    }
 
     s->s3->tmp.cert_request = 1;