Hold CA names as |CRYPTO_BUFFER|s.
This change converts the CA names that are parsed from a server's
CertificateRequest, as well as the CA names that a server is configured
to send to clients in its own CertificateRequest, to use |CRYPTO_BUFFER|.
The |X509_NAME|-based interfaces are turned into compatibility wrappers.
Change-Id: I95304ecc988ee39320499739a0866c7f8ff5ed98
Reviewed-on: https://boringssl-review.googlesource.com/13585
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/handshake_client.c b/ssl/handshake_client.c
index c4f5e8e..fcc65bc 100644
--- a/ssl/handshake_client.c
+++ b/ssl/handshake_client.c
@@ -1403,22 +1403,24 @@
}
uint8_t alert = SSL_AD_DECODE_ERROR;
- STACK_OF(X509_NAME) *ca_sk = ssl_parse_client_CA_list(ssl, &alert, &cbs);
- if (ca_sk == NULL) {
+ STACK_OF(CRYPTO_BUFFER) *ca_names =
+ ssl_parse_client_CA_list(ssl, &alert, &cbs);
+ if (ca_names == NULL) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
return -1;
}
if (CBS_len(&cbs) != 0) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
- sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
+ sk_CRYPTO_BUFFER_pop_free(ca_names, CRYPTO_BUFFER_free);
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
return -1;
}
hs->cert_request = 1;
- sk_X509_NAME_pop_free(hs->ca_names, X509_NAME_free);
- hs->ca_names = ca_sk;
+ sk_CRYPTO_BUFFER_pop_free(hs->ca_names, CRYPTO_BUFFER_free);
+ hs->ca_names = ca_names;
+ ssl->ctx->x509_method->hs_flush_cached_ca_names(hs);
return 1;
}
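Review bot: The new `ssl->ctx->x509_method->hs_flush_cached_ca_names(hs)` call on the success path has no comment saying why it is required there and not on the two error returns above it, which a reader of this function alone cannot tell. The commit message says the |X509_NAME| interfaces are now compatibility wrappers, so presumably the x509_method keeps a cached |X509_NAME| view derived from `hs->ca_names` that goes stale once the buffer list is replaced; the error paths leave `hs->ca_names` untouched, so no flush is needed there. I would add, above that line, `// |hs->ca_names| was replaced, so any |X509_NAME| view of it cached by the x509_method compatibility wrappers is now stale.` Please confirm the cache semantics against the x509_method implementation. The enclosing function starts before this hunk.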