Test NULL client CA lists.

The preceding client CA bug is actually almost unreachable since the
list is initialized to a non-NULL empty list. But if one tries hard
enough, a NULL one is possible.

Change-Id: I49e69511bf65b0178c4e0acdb887f8ba7d85faff
Reviewed-on: https://boringssl-review.googlesource.com/8769
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>

ssl/test/bssl_shim.cc

@@ -873,6 +873,10 @@ static ScopedSSL_CTX SetupCtx(const TestConfig *config) {
     return nullptr;
   }
 
+  if (config->use_null_client_ca_list) {
+    SSL_CTX_set_client_CA_list(ssl_ctx.get(), nullptr);
+  }
+
   return ssl_ctx;
 }
 

ssl/test/runner/runner.go

@@ -2681,6 +2681,21 @@ func addClientAuthTests() {
 		shouldFail:    true,
 		expectedError: ":UNEXPECTED_MESSAGE:",
 	})
+
+	// Regression test for a bug where the client CA list, if explicitly
+	// set to NULL, was mis-encoded.
+	testCases = append(testCases, testCase{
+		testType: serverTest,
+		name:     "Null-Client-CA-List",
+		config: Config{
+			MaxVersion:   VersionTLS12,
+			Certificates: []Certificate{rsaCertificate},
+		},
+		flags: []string{
+			"-require-any-client-certificate",
+			"-use-null-client-ca-list",
+		},
+	})
 }
 
 func addExtendedMasterSecretTests() {

ssl/test/test_config.cc

@@ -102,6 +102,7 @@ const Flag<bool> kBoolFlags[] = {
   { "-use-sparse-dh-prime", &TestConfig::use_sparse_dh_prime },
   { "-use-old-client-cert-callback",
     &TestConfig::use_old_client_cert_callback },
+  { "-use-null-client-ca-list", &TestConfig::use_null_client_ca_list },
 };
 
 const Flag<std::string> kStringFlags[] = {

ssl/test/test_config.h

@@ -107,6 +107,7 @@ struct TestConfig {
   int expect_dhe_group_size = 0;
   bool use_old_client_cert_callback = false;
   int initial_timeout_duration_ms = 0;
+  bool use_null_client_ca_list = false;
 };
 
 bool ParseConfig(int argc, char **argv, TestConfig *out_config);