Put SCTs and OCSP responses in CRYPTO_BUFFERs.
They both can be moderately large. This should hopefully relieve a little
memory pressure from both connections to hosts which serve SCTs and
TLS 1.3's single-use tickets.
Change-Id: I034bbf057fe5a064015a0f554b3ae9ea7797cd4e
Reviewed-on: https://boringssl-review.googlesource.com/19584
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/handshake_client.cc b/ssl/handshake_client.cc
index dd09797..e3c4641 100644
--- a/ssl/handshake_client.cc
+++ b/ssl/handshake_client.cc
@@ -1162,9 +1162,10 @@
return -1;
}
- if (!CBS_stow(&ocsp_response, &hs->new_session->ocsp_response,
- &hs->new_session->ocsp_response_length)) {
- OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
+ CRYPTO_BUFFER_free(hs->new_session->ocsp_response);
+ hs->new_session->ocsp_response =
+ CRYPTO_BUFFER_new_from_CBS(&ocsp_response, ssl->ctx->pool);
+ if (hs->new_session->ocsp_response == nullptr) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return -1;
}
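Review bot: The failure branch after `CRYPTO_BUFFER_new_from_CBS` no longer records an error, because the removed `OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);` has no replacement. Unless the buffer constructor queues an error itself (not visible in this hunk), the caller gets -1 and a fatal internal_error alert with an empty error queue, which makes allocation failures hard to tell apart from other handshake failures. I would keep `OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);` as the first statement inside the `== nullptr` branch. Since the bytes are peer-supplied and now go through `ssl->ctx->pool`, where they are presumably shared with other sessions, a short comment such as `// Peer-supplied OCSP response; pooled buffers are shared, so never modify in place.` above the assignment would help. The enclosing function starts and ends outside the hunk.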