kris/boringssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Avoid SCT/OCSP extensions in SH on {Omit|Empty}Extensions

Browse Source 
They were causing a "panic: ServerHello unexpectedly contained extensions"
if the client unconditionally signals support for OCSP or SCTs.

Change-Id: Ia60639431daf78679b269dfe337c1af171fd7d8b
Reviewed-on: https://boringssl-review.googlesource.com/c/34644
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
This commit is contained in:
Filippo Valsorda 2019-01-28 18:22:26 -05:00 committed by CQ bot account: commit-bot@chromium.org
parent 23e1a1f2d3
commit 73308b6606
2 changed files with 12 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
ssl/test/runner/handshake_server.go
View File

@ -881,10 +881,10 @@ ResendHelloRetryRequest:
data: certData, data: certData,
} }
if i == 0 { if i == 0 {
if hs.clientHello.ocspStapling { if hs.clientHello.ocspStapling && !c.config.Bugs.NoOCSPStapling {
cert.ocspResponse = hs.cert.OCSPStaple cert.ocspResponse = hs.cert.OCSPStaple
} }
if hs.clientHello.sctListSupported { if hs.clientHello.sctListSupported && !c.config.Bugs.NoSignedCertificateTimestamps {
cert.sctList = hs.cert.SignedCertificateTimestampList cert.sctList = hs.cert.SignedCertificateTimestampList
} }
cert.duplicateExtensions = config.Bugs.SendDuplicateCertExtensions cert.duplicateExtensions = config.Bugs.SendDuplicateCertExtensions
@ -1577,11 +1577,11 @@ func (hs *serverHandshakeState) doFullHandshake() error {
c := hs.c c := hs.c
isPSK := hs.suite.flags&suitePSK != 0 isPSK := hs.suite.flags&suitePSK != 0
if !isPSK && hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0 { if !isPSK && hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0 && !c.config.Bugs.NoOCSPStapling {
hs.hello.extensions.ocspStapling = true hs.hello.extensions.ocspStapling = true
} }
if hs.clientHello.sctListSupported && len(hs.cert.SignedCertificateTimestampList) > 0 { if hs.clientHello.sctListSupported && len(hs.cert.SignedCertificateTimestampList) > 0 && !c.config.Bugs.NoSignedCertificateTimestamps {
hs.hello.extensions.sctList = hs.cert.SignedCertificateTimestampList hs.hello.extensions.sctList = hs.cert.SignedCertificateTimestampList
} }

12
ssl/test/runner/runner.go
View File

@ -14321,8 +14321,10 @@ func addOmitExtensionsTests() {
OmitExtensions: true, OmitExtensions: true,
// Disable all ServerHello extensions so // Disable all ServerHello extensions so
// OmitExtensions works. // OmitExtensions works.
NoExtendedMasterSecret: true, NoExtendedMasterSecret: true,
NoRenegotiationInfo: true, NoRenegotiationInfo: true,
NoOCSPStapling: true,
NoSignedCertificateTimestamps: true,
}, },
}, },
}) })
@ -14338,8 +14340,10 @@ func addOmitExtensionsTests() {
EmptyExtensions: true, EmptyExtensions: true,
// Disable all ServerHello extensions so // Disable all ServerHello extensions so
// EmptyExtensions works. // EmptyExtensions works.
NoExtendedMasterSecret: true, NoExtendedMasterSecret: true,
NoRenegotiationInfo: true, NoRenegotiationInfo: true,
NoOCSPStapling: true,
NoSignedCertificateTimestamps: true,
}, },
}, },
}) })