Google Git
Sign in
boringssl/boringssl.git/ab8d87d2f5663b22b9cf39e77c475fb2596cdebc^!/.
commit
ab8d87d2f5663b22b9cf39e77c475fb2596cdebc
[log]
author
Adam Langley <agl@google.com>
Fri Jul 10 12:21:39 2015 -0700
committer
Adam Langley <agl@google.com>
Tue Jul 21 21:30:45 2015 +0000
tree
031da46e552ca0407bee20b181d54372270d9006
parent
209b2562235f7dab66b8260624e7b3c5b00d14a6 [diff]
Convert the SCT extension to the new system

Change-Id: I3b085cd13295e83c578c549763f0de82f39499a2
Reviewed-on: https://boringssl-review.googlesource.com/5460
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 3e4cc29..6adc874 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c

@@ -1509,6 +1509,61 @@
 }
 
 
+/* Signed certificate timestamps.
+ *
+ * https://tools.ietf.org/html/rfc6962#section-3.3.1 */
+
+static int ext_sct_add_clienthello(SSL *ssl, CBB *out) {
+  if (!ssl->signed_cert_timestamps_enabled) {
+    return 1;
+  }
+
+  if (!CBB_add_u16(out, TLSEXT_TYPE_certificate_timestamp) ||
+      !CBB_add_u16(out, 0 /* length */)) {
+    return 0;
+  }
+
+  return 1;
+}
+
+static int ext_sct_parse_serverhello(SSL *ssl, uint8_t *out_alert,
+                                     CBS *contents) {
+  if (contents == NULL) {
+    return 1;
+  }
+
+  /* If this is false then we should never have sent the SCT extension in the
+   * ClientHello and thus this function should never have been called. */
+  assert(ssl->signed_cert_timestamps_enabled);
+
+  if (CBS_len(contents) == 0) {
+    *out_alert = SSL_AD_DECODE_ERROR;
+    return 0;
+  }
+
+  /* Session resumption uses the original session information. */
+  if (!ssl->hit &&
+      !CBS_stow(contents, &ssl->session->tlsext_signed_cert_timestamp_list,
+                &ssl->session->tlsext_signed_cert_timestamp_list_length)) {
+    *out_alert = SSL_AD_INTERNAL_ERROR;
+    return 0;
+  }
+
+  return 1;
+}
+
+static int ext_sct_parse_clienthello(SSL *ssl, uint8_t *out_alert,
+                                     CBS *contents) {
+  /* The SCT extension is not supported as a server. */
+  return 1;
+}
+
+static int ext_sct_add_serverhello(SSL *ssl, CBB *out) {
+  /* The SCT extension is not supported as a server. */
+  return 1;
+}
+
+
 /* kExtensions contains all the supported extensions. */
 static const struct tls_extension kExtensions[] = {
   {
@@ -1570,6 +1625,14 @@
     ext_npn_parse_clienthello,
     ext_npn_add_serverhello,
   },
+  {
+    TLSEXT_TYPE_certificate_timestamp,
+    NULL,
+    ext_sct_add_clienthello,
+    ext_sct_parse_serverhello,
+    ext_sct_parse_clienthello,
+    ext_sct_add_serverhello,
+  },
 };
 
 #define kNumExtensions (sizeof(kExtensions) / sizeof(struct tls_extension))
@@ -1666,16 +1729,6 @@
   ret += CBB_len(&cbb);
   CBB_cleanup(&cbb);
 
-  if (s->signed_cert_timestamps_enabled) {
-    /* The client advertises an empty extension to indicate its support for
-     * certificate timestamps. */
-    if (limit - ret - 4 < 0) {
-      return NULL;
-    }
-    s2n(TLSEXT_TYPE_certificate_timestamp, ret);
-    s2n(0, ret);
-  }
-
   if (s->alpn_client_proto_list && !s->s3->initial_handshake_complete) {
     if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len) {
       return NULL;
@@ -2314,19 +2367,6 @@
 
       s->s3->tlsext_channel_id_valid = 1;
       s->s3->tlsext_channel_id_new = 1;
-    } else if (type == TLSEXT_TYPE_certificate_timestamp) {
-      if (CBS_len(&extension) == 0) {
-        *out_alert = SSL_AD_DECODE_ERROR;
-        return 0;
-      }
-
-      /* Session resumption uses the original session information. */
-      if (!s->hit &&
-          !CBS_stow(&extension, &s->session->tlsext_signed_cert_timestamp_list,
-                    &s->session->tlsext_signed_cert_timestamp_list_length)) {
-        *out_alert = SSL_AD_INTERNAL_ERROR;
-        return 0;
-      }
     } else if (type == TLSEXT_TYPE_use_srtp) {
       if (!ssl_parse_serverhello_use_srtp_ext(s, &extension, out_alert)) {
         return 0;