Add ssl_has_CA_names and ssl_add_CA_names
Change-Id: I22866c72e9cacbcceb48fc7c99dd22a5ff7edeae
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/71609
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Bob Beck <bbe@google.com>
diff --git a/ssl/internal.h b/ssl/internal.h
index ccb66e0..c34e9d9 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -1629,13 +1629,21 @@
uint8_t *out_alert,
CBS *cbs);
-// ssl_has_client_CAs returns there are configured CAs.
+// ssl_has_client_CAs returns whether there are configured CAs.
bool ssl_has_client_CAs(const SSL_CONFIG *cfg);
// ssl_add_client_CA_list adds the configured CA list to |cbb| in the format
// used by a TLS CertificateRequest message. It returns true on success and
// false on error.
-bool ssl_add_client_CA_list(SSL_HANDSHAKE *hs, CBB *cbb);
+bool ssl_add_client_CA_list(const SSL_HANDSHAKE *hs, CBB *cbb);
+
+// ssl_has_CA_names returns whether there are configured CA names.
+bool ssl_has_CA_names(const SSL_CONFIG *cfg);
+
+// ssl_add_CA_names adds the configured CA_names list to |cbb| in the format
+// used by a TLS Certificate Authorities extension. It returns true on success
+// and false on error.
+bool ssl_add_CA_names(const SSL_HANDSHAKE *hs, CBB *cbb);
// ssl_check_leaf_certificate returns one if |pkey| and |leaf| are suitable as
// a server's leaf certificate for |hs|. Otherwise, it returns zero and pushes
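Review bot: The comment on the new ssl_add_CA_names declaration should state what is written when no CA names are configured, because the helper it delegates to in ssl_cert.cc emits an empty u16-length-prefixed list in that case, while RFC 8446 §4.2.4 defines the certificate_authorities extension body as `DistinguishedName authorities<3..2^16-1>`, so an empty list is not a well-formed extension. Presumably every caller checks ssl_has_CA_names before calling it; making that precondition explicit in the header keeps a future caller from emitting an invalid extension. Suggested addition to the comment: `// The caller must check |ssl_has_CA_names| first: an unset list is written as an empty list, which is not a valid certificate_authorities extension.` The existing comment for ssl_add_client_CA_list needs no such caveat, since TLS 1.2 CertificateRequest permits an empty list.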
diff --git a/ssl/ssl_cert.cc b/ssl/ssl_cert.cc
index 68e155c..541097c 100644
--- a/ssl/ssl_cert.cc
+++ b/ssl/ssl_cert.cc
@@ -513,28 +513,29 @@
return ret;
}
-bool ssl_has_client_CAs(const SSL_CONFIG *cfg) {
- const STACK_OF(CRYPTO_BUFFER) *names = cfg->client_CA.get();
- if (names == nullptr) {
- names = cfg->ssl->ctx->client_CA.get();
+static bool CA_names_non_empty(const STACK_OF(CRYPTO_BUFFER) *config_names,
+ const STACK_OF(CRYPTO_BUFFER) *ctx_names) {
+ if (config_names != nullptr) {
+ return sk_CRYPTO_BUFFER_num(config_names) > 0;
}
- if (names == nullptr) {
- return false;
+ if (ctx_names != nullptr) {
+ return sk_CRYPTO_BUFFER_num(ctx_names) > 0;
}
- return sk_CRYPTO_BUFFER_num(names) > 0;
+ return false;
}
-bool ssl_add_client_CA_list(SSL_HANDSHAKE *hs, CBB *cbb) {
+
+static bool marshal_CA_names(const STACK_OF(CRYPTO_BUFFER) *config_names,
+ const STACK_OF(CRYPTO_BUFFER) *ctx_names,
+ CBB *cbb) {
+ const STACK_OF(CRYPTO_BUFFER) *names = config_names == nullptr ? ctx_names : config_names;
CBB child, name_cbb;
+
if (!CBB_add_u16_length_prefixed(cbb, &child)) {
return false;
}
- const STACK_OF(CRYPTO_BUFFER) *names = hs->config->client_CA.get();
- if (names == NULL) {
- names = hs->ssl->ctx->client_CA.get();
- }
- if (names == NULL) {
+ if (names == nullptr) {
return CBB_flush(cbb);
}
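Review bot: The two new static helpers CA_names_non_empty and marshal_CA_names carry no comment, unlike the exported functions they now back, so the precedence rule they encode (|config_names| wins whenever it is non-null, even if empty, and |ctx_names| is consulted only when |config_names| is null) is only recoverable by reading both bodies. Suggested comments: `// CA_names_non_empty returns whether the effective CA list, |config_names| if set and |ctx_names| otherwise, has at least one entry.` and `// marshal_CA_names writes the effective CA list to |cbb| as a u16-length-prefixed list of DistinguishedNames; an unset list is written as an empty list.` Separately, the declaration of |names| at the top of marshal_CA_names runs past 80 columns, as do the two single-line return statements for ssl_add_client_CA_list and ssl_add_CA_names in the next hunk, while the surrounding code in this file is wrapped at 80; running clang-format over the change would fix all three. The body of marshal_CA_names continues past the end of this hunk.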
@@ -549,6 +550,22 @@
return CBB_flush(cbb);
}
+bool ssl_has_client_CAs(const SSL_CONFIG *cfg) {
+ return CA_names_non_empty(cfg->client_CA.get(), cfg->ssl->ctx->client_CA.get());
+}
+
+bool ssl_has_CA_names(const SSL_CONFIG *cfg) {
+ return CA_names_non_empty(cfg->CA_names.get(), cfg->ssl->ctx->CA_names.get());
+}
+
+bool ssl_add_client_CA_list(const SSL_HANDSHAKE *hs, CBB *cbb) {
+ return marshal_CA_names(hs->config->client_CA.get(), hs->ssl->ctx->client_CA.get(), cbb);
+}
+
+bool ssl_add_CA_names(const SSL_HANDSHAKE *hs, CBB *cbb) {
+ return marshal_CA_names(hs->config->CA_names.get(), hs->ssl->ctx->CA_names.get(), cbb);
+}
+
bool ssl_check_leaf_certificate(SSL_HANDSHAKE *hs, EVP_PKEY *pkey,
const CRYPTO_BUFFER *leaf) {
assert(ssl_protocol_version(hs->ssl) < TLS1_3_VERSION);