Put SCTs and OCSP responses in CRYPTO_BUFFERs.

They both can be moderately large. This should hopefully relieve a little
memory pressure from both connections to hosts which serve SCTs and
TLS 1.3's single-use tickets.

Change-Id: I034bbf057fe5a064015a0f554b3ae9ea7797cd4e
Reviewed-on: https://boringssl-review.googlesource.com/19584
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/t1_lib.cc b/ssl/t1_lib.cc
index bbe6401..e50710a 100644
--- a/ssl/t1_lib.cc
+++ b/ssl/t1_lib.cc
@@ -1327,11 +1327,14 @@
    * requirement, so tolerate this.
    *
    * TODO(davidben): Enforce this anyway. */
-  if (!ssl->s3->session_reused &&
-      !CBS_stow(contents, &hs->new_session->tlsext_signed_cert_timestamp_list,
-                &hs->new_session->tlsext_signed_cert_timestamp_list_length)) {
-    *out_alert = SSL_AD_INTERNAL_ERROR;
-    return 0;
+  if (!ssl->s3->session_reused) {
+    CRYPTO_BUFFER_free(hs->new_session->signed_cert_timestamp_list);
+    hs->new_session->signed_cert_timestamp_list =
+        CRYPTO_BUFFER_new_from_CBS(contents, ssl->ctx->pool);
+    if (hs->new_session->signed_cert_timestamp_list == nullptr) {
+      *out_alert = SSL_AD_INTERNAL_ERROR;
+      return 0;
+    }
   }
 
   return 1;
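Review bot: The new block under `if (!ssl->s3->session_reused)` has no comment saying that the stored SCT list is peer-supplied data now interned through `ssl->ctx->pool`, so one `CRYPTO_BUFFER` may back several sessions in the same context. I would add above the `CRYPTO_BUFFER_free` call something like `/* Intern the server's SCT list in the context pool; the buffer may be shared with other sessions and must be treated as read-only. */`. The free-then-assign order looks safe, since a failed `CRYPTO_BUFFER_new_from_CBS` leaves the field `nullptr` rather than dangling, but that is also worth stating in the comment so nobody reorders it. The enclosing function starts and ends outside the hunk, so whether `contents` is validated as a well-formed SCT list before this point cannot be confirmed from here.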