commit d6c22ee93831c93833db6edbcc2d33b047120f6b
author Adam Langley <agl@google.com> Thu Mar 02 12:56:32 2017 -0800
committer CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Thu Mar 02 21:04:53 2017 +0000
tree c970343847edf3921e2b1282b36c5f960d74c34d
parent 919d8cf94e47bde8a4ff6ddc0fb927682cb966a3

Add |SSL_get0_server_requested_CAs|.

This function is a |CRYPTO_BUFFER|-based method for getting the X.509
names from a CertificateRequest.

Change-Id: Ife26f726d3c1a055b332656678c2bc560b5a66ec
Reviewed-on: https://boringssl-review.googlesource.com/14013
Commit-Queue: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>

include/openssl/ssl.h

diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 2e0c808..e1a8840 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -2338,6 +2338,16 @@
  * when the handshake is paused because of them. */
 OPENSSL_EXPORT STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *ssl);
 
+/* SSL_get0_server_requested_CAs returns the CAs sent by a server to guide a
+ * client in certificate selection. They are a series of DER-encoded X.509
+ * names. This function may only be called during a callback set by
+ * |SSL_CTX_set_cert_cb| or when the handshake is paused because of it.
+ *
+ * The returned stack is owned by |ssl|, as are its contents. It should not be
+ * used past the point where the handshake is restarted after the callback. */
+OPENSSL_EXPORT STACK_OF(CRYPTO_BUFFER) *SSL_get0_server_requested_CAs(
+    const SSL *ssl);
+
 /* SSL_CTX_get_client_CA_list returns |ctx|'s client certificate CA list. */
 OPENSSL_EXPORT STACK_OF(X509_NAME) *
     SSL_CTX_get_client_CA_list(const SSL_CTX *ctx);

ssl/ssl_cert.c

diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 2a77188..4459a66 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -705,6 +705,13 @@
   ssl_cert_set_cert_cb(ssl->cert, cb, arg);
 }
 
+STACK_OF(CRYPTO_BUFFER) *SSL_get0_server_requested_CAs(const SSL *ssl) {
+  if (ssl->s3->hs == NULL) {
+    return NULL;
+  }
+  return ssl->s3->hs->ca_names;
+}
+
 int ssl_check_leaf_certificate(SSL_HANDSHAKE *hs, EVP_PKEY *pkey,
                                const CRYPTO_BUFFER *leaf) {
   SSL *const ssl = hs->ssl;

ssl/test/bssl_shim.cc

diff --git a/ssl/test/bssl_shim.cc b/ssl/test/bssl_shim.cc
index 440e281..02b7558 100644
--- a/ssl/test/bssl_shim.cc
+++ b/ssl/test/bssl_shim.cc
@@ -626,6 +626,14 @@
         return false;
       }
     }
+
+    STACK_OF(CRYPTO_BUFFER) *buffers = SSL_get0_server_requested_CAs(ssl);
+    if (sk_CRYPTO_BUFFER_num(buffers) != num_received) {
+      fprintf(stderr,
+              "Mismatch between SSL_get_server_requested_CAs and "
+              "SSL_get_client_CA_list.\n");
+      return false;
+    }
   }
 
   return true;