Avoid SCT/OCSP extensions in SH on {Omit|Empty}Extensions
They were causing a "panic: ServerHello unexpectedly contained extensions"
if the client unconditionally signals support for OCSP or SCTs.
Change-Id: Ia60639431daf78679b269dfe337c1af171fd7d8b
Reviewed-on: https://boringssl-review.googlesource.com/c/34644
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
diff --git a/ssl/test/runner/handshake_server.go b/ssl/test/runner/handshake_server.go
index 5486342..d2ef9b4 100644
--- a/ssl/test/runner/handshake_server.go
+++ b/ssl/test/runner/handshake_server.go
@@ -881,10 +881,10 @@
data: certData,
}
if i == 0 {
- if hs.clientHello.ocspStapling {
+ if hs.clientHello.ocspStapling && !c.config.Bugs.NoOCSPStapling {
cert.ocspResponse = hs.cert.OCSPStaple
}
- if hs.clientHello.sctListSupported {
+ if hs.clientHello.sctListSupported && !c.config.Bugs.NoSignedCertificateTimestamps {
cert.sctList = hs.cert.SignedCertificateTimestampList
}
cert.duplicateExtensions = config.Bugs.SendDuplicateCertExtensions
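Review bot: The two new conditions reach the bug flags through `c.config.Bugs`, while the unchanged line immediately below reads `config.Bugs.SendDuplicateCertExtensions`, so the same settings are accessed two different ways inside one block. Unless `config` and `c.config` differ here (the hunk does not show how `config` is bound), the new checks should follow the existing local: `if hs.clientHello.ocspStapling && !config.Bugs.NoOCSPStapling {` and `if hs.clientHello.sctListSupported && !config.Bugs.NoSignedCertificateTimestamps {`. The enclosing function starts and ends outside the hunk.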
@@ -1577,11 +1577,11 @@
c := hs.c
isPSK := hs.suite.flags&suitePSK != 0
- if !isPSK && hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0 {
+ if !isPSK && hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0 && !c.config.Bugs.NoOCSPStapling {
hs.hello.extensions.ocspStapling = true
}
- if hs.clientHello.sctListSupported && len(hs.cert.SignedCertificateTimestampList) > 0 {
+ if hs.clientHello.sctListSupported && len(hs.cert.SignedCertificateTimestampList) > 0 && !c.config.Bugs.NoSignedCertificateTimestamps {
hs.hello.extensions.sctList = hs.cert.SignedCertificateTimestampList
}
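Review bot: Nothing at this site says why two test-harness bugs now gate real ServerHello extensions, and the connection to the OmitExtensions/EmptyExtensions tests in runner.go is only recoverable from the commit message. A short comment above the first `if` would keep the next maintainer from "cleaning up" the extra clauses, e.g. `// NoOCSPStapling and NoSignedCertificateTimestamps also suppress the matching ServerHello extensions; tests that use OmitExtensions or EmptyExtensions set both so the ServerHello carries no extensions at all.` The same gating is applied to the certificate-message extensions in the earlier hunk of this file. The enclosing function starts and ends outside the hunk.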
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index f0587f4..34cb109 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -14321,8 +14321,10 @@
OmitExtensions: true,
// Disable all ServerHello extensions so
// OmitExtensions works.
- NoExtendedMasterSecret: true,
- NoRenegotiationInfo: true,
+ NoExtendedMasterSecret: true,
+ NoRenegotiationInfo: true,
+ NoOCSPStapling: true,
+ NoSignedCertificateTimestamps: true,
},
},
})
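Review bot: The four `No…` flags that keep the ServerHello extension-free are listed by hand here and again verbatim in the EmptyExtensions test in the next hunk, and the comment above them claims to "Disable all ServerHello extensions" even though it is a maintained list that was already out of date before this commit. The comment should say that the list is what it is, e.g. `// Disable every ServerHello extension the runner can emit so OmitExtensions works; keep this list in sync with the EmptyExtensions test below and with any new ServerHello extension added to the server.` Alternatively the two literals could share one helper that returns the common ProtocolBugs fields, so a future extension needs only one edit. The same applies to the hunk at the EmptyExtensions test.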
@@ -14338,8 +14340,10 @@
EmptyExtensions: true,
// Disable all ServerHello extensions so
// EmptyExtensions works.
- NoExtendedMasterSecret: true,
- NoRenegotiationInfo: true,
+ NoExtendedMasterSecret: true,
+ NoRenegotiationInfo: true,
+ NoOCSPStapling: true,
+ NoSignedCertificateTimestamps: true,
},
},
})