
Avoid SCT/OCSP extensions in SH on {Omit|Empty}Extensions

They were causing a "panic: ServerHello unexpectedly contained extensions"
if the client unconditionally signals support for OCSP or SCTs.

Change-Id: Ia60639431daf78679b269dfe337c1af171fd7d8b
Reviewed-on: https://boringssl-review.googlesource.com/c/34644
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Filippo Valsorda 5 years ago
committed by CQ bot account: commit-bot@chromium.org
parent
commit
73308b6606
2 changed files with 12 additions and 8 deletions
  1. +4
    -4
      ssl/test/runner/handshake_server.go
  2. +8
    -4
      ssl/test/runner/runner.go

+ 4
- 4
ssl/test/runner/handshake_server.go View File

@@ -881,10 +881,10 @@ ResendHelloRetryRequest:
data: certData,
}
if i == 0 {
if hs.clientHello.ocspStapling {
if hs.clientHello.ocspStapling && !c.config.Bugs.NoOCSPStapling {
cert.ocspResponse = hs.cert.OCSPStaple
}
if hs.clientHello.sctListSupported {
if hs.clientHello.sctListSupported && !c.config.Bugs.NoSignedCertificateTimestamps {
cert.sctList = hs.cert.SignedCertificateTimestampList
}
cert.duplicateExtensions = config.Bugs.SendDuplicateCertExtensions
@@ -1577,11 +1577,11 @@ func (hs *serverHandshakeState) doFullHandshake() error {
c := hs.c

isPSK := hs.suite.flags&suitePSK != 0
if !isPSK && hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0 {
if !isPSK && hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0 && !c.config.Bugs.NoOCSPStapling {
hs.hello.extensions.ocspStapling = true
}

if hs.clientHello.sctListSupported && len(hs.cert.SignedCertificateTimestampList) > 0 {
if hs.clientHello.sctListSupported && len(hs.cert.SignedCertificateTimestampList) > 0 && !c.config.Bugs.NoSignedCertificateTimestamps {
hs.hello.extensions.sctList = hs.cert.SignedCertificateTimestampList
}
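Review bot: The new conditions in the first hunk, `if hs.clientHello.ocspStapling && !c.config.Bugs.NoOCSPStapling {` and the matching sctList line, reach the bug flags through `c.config`, while the line right below them, `cert.duplicateExtensions = config.Bugs.SendDuplicateCertExtensions`, uses the local `config`; two spellings in one block read as if they could refer to different configs, so `config.Bugs.NoOCSPStapling` and `config.Bugs.NoSignedCertificateTimestamps` would match the neighbour (the second hunk has only `c := hs.c` in view, so `c.config` is right there). The first hunk also appears to be the TLS 1.3 certificate path (the values land in a certificate entry under the ResendHelloRetryRequest label, not in hs.hello.extensions as in the second hunk), so the flags now suppress both the TLS 1.2 ServerHello extensions and the TLS 1.3 Certificate-entry extensions even though the commit title speaks only of the ServerHello. The flag declarations are outside this diff; if their doc comments describe only the ServerHello, they should be widened, e.g. `// NoOCSPStapling, if true, omits the OCSP response from the TLS 1.2 ServerHello extension and from TLS 1.3 Certificate entries.` Both enclosing functions start outside the hunks.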



+ 8
- 4
ssl/test/runner/runner.go View File

@@ -14321,8 +14321,10 @@ func addOmitExtensionsTests() {
OmitExtensions: true,
// Disable all ServerHello extensions so
// OmitExtensions works.
NoExtendedMasterSecret: true,
NoRenegotiationInfo: true,
NoExtendedMasterSecret: true,
NoRenegotiationInfo: true,
NoOCSPStapling: true,
NoSignedCertificateTimestamps: true,
},
},
})
@@ -14338,8 +14340,10 @@ func addOmitExtensionsTests() {
EmptyExtensions: true,
// Disable all ServerHello extensions so
// EmptyExtensions works.
NoExtendedMasterSecret: true,
NoRenegotiationInfo: true,
NoExtendedMasterSecret: true,
NoRenegotiationInfo: true,
NoOCSPStapling: true,
NoSignedCertificateTimestamps: true,
},
},
})
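Review bot: Both hunks now carry the same four hand-maintained flags under the same `// Disable all ServerHello extensions so ... works.` comment, and this list is exactly what the commit message says was missed before, so a hint about where it must be kept in sync would help the next extension author, e.g. appending `// Keep in sync with every extension handshake_server.go can emit.` to the existing comment in both places. Factoring the shared Bugs flags into one value used by both tests would remove the duplication as well, but that is optional. addOmitExtensionsTests starts outside both hunks.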

