Always include the CA list in CertificateRequest.

We must have mistranscribed this to CBB at some point. If the CA list is
empty, we must still include that field.

Change-Id: I341224d85c9073b09758517cdfa14893793ea0ec
Reviewed-on: https://boringssl-review.googlesource.com/8767
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Nick Harper <nharper@chromium.org>
Reviewed-by: David Benjamin <davidben@google.com>

ssl/handshake_server.c

@@ -1210,12 +1210,12 @@ static int ssl3_send_certificate_request(SSL *ssl) {
     }
   }
 
-  STACK_OF(X509_NAME) *sk = SSL_get_client_CA_list(ssl);
-  if (sk != NULL) {
   if (!CBB_add_u16_length_prefixed(&body, &names_cbb)) {
     goto err;
   }
 
+  STACK_OF(X509_NAME) *sk = SSL_get_client_CA_list(ssl);
+  if (sk != NULL) {
     size_t i;
     for (i = 0; i < sk_X509_NAME_num(sk); i++) {
       X509_NAME *name = sk_X509_NAME_value(sk, i);