Release handshake buffer when sending no certificate.

See also upstream's dab18ab596acb35eff2545643e25757e4f9cd777. This allows us to
add an assertion to the finished computation that the handshake buffer has
already been released.

BUG=492371

Change-Id: I8f15c618c8b2c70bfe583c81644d9dbea95519d4
Reviewed-on: https://boringssl-review.googlesource.com/4887
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 2e272b2..f1698b7 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -2118,6 +2118,13 @@
         return 1;
       } else {
         s->s3->tmp.cert_req = 2;
+        /* There is no client certificate, so the handshake buffer may be
+         * released. */
+        if (s->s3->handshake_buffer &&
+            !ssl3_digest_cached_records(s, free_handshake_buffer)) {
+          ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
+          return -1;
+        }
       }
     }
 
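Review bot: The release is added only to the `else` branch, while the sibling branch at the top of the hunk leaves through `return 1;` without the same `ssl3_digest_cached_records(s, free_handshake_buffer)` call. On that path the handshake buffer presumably stays allocated until some later fallback frees it. If the invariant this commit asserts in ssl/t1_enc.c is meant to hold for every handshake, that branch needs the same release. If it is deliberately exempt, say so there, e.g. `/* Buffer intentionally kept on this path; released by the Finished computation. */`. The enclosing function starts and ends outside the hunk, so the branch condition and any earlier release are not visible here and should be confirmed.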
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 63c43b5..ac5c911 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -554,6 +554,11 @@
   int err = 0;
   int digests_len;
 
+  /* At this point, the handshake should have released the handshake buffer on
+   * its own.
+   * TODO(davidben): Apart from initialization, the handshake buffer should be
+   * orthogonal to the handshake digest. https://crbug.com/492371 */
+  assert(s->s3->handshake_buffer == NULL);
   if (s->s3->handshake_buffer &&
       !ssl3_digest_cached_records(s, free_handshake_buffer)) {
     return 0;
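Review bot: The new `assert(s->s3->handshake_buffer == NULL)` sits in code that is reached during a peer-driven handshake, so in builds that keep assertions enabled any path that still holds the buffer here aborts the process instead of falling through to the `if` below. This commit only fixes the client no-certificate path; the server side and any other handshake flows are not visible in this diff and should be checked before relying on the invariant. With NDEBUG the assert disappears and the retained `if` silently repairs the state, so a violation would go unnoticed in production. Mark that `if` as deliberate, e.g. `/* Release-build fallback; unreachable if the assert above holds. */`. The enclosing function starts and ends outside the hunk.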