From 111533049d3fcd847d3a9e57b5f083c34967d94f Mon Sep 17 00:00:00 2001
From: David Benjamin <davidben@google.com>
Date: Wed, 13 Jul 2016 17:58:07 -0400
Subject: [PATCH] Always include the CA list in CertificateRequest.

We must have mistranscribed this to CBB at some point. If the CA list is
empty, we must still include that field.

Change-Id: I341224d85c9073b09758517cdfa14893793ea0ec
Reviewed-on: https://boringssl-review.googlesource.com/8767
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Nick Harper <nharper@chromium.org>
Reviewed-by: David Benjamin <davidben@google.com>
---
 ssl/handshake_server.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/ssl/handshake_server.c b/ssl/handshake_server.c
index 8bc490ee..c6be07e8 100644
--- a/ssl/handshake_server.c
+++ b/ssl/handshake_server.c
@@ -1210,12 +1210,12 @@ static int ssl3_send_certificate_request(SSL *ssl) {
     }
   }
 
+  if (!CBB_add_u16_length_prefixed(&body, &names_cbb)) {
+    goto err;
+  }
+
   STACK_OF(X509_NAME) *sk = SSL_get_client_CA_list(ssl);
   if (sk != NULL) {
-    if (!CBB_add_u16_length_prefixed(&body, &names_cbb)) {
-      goto err;
-    }
-
     size_t i;
     for (i = 0; i < sk_X509_NAME_num(sk); i++) {
       X509_NAME *name = sk_X509_NAME_value(sk, i);