Google Git
Sign in
boringssl / boringssl / 73308b6606c02ad201fadd350da6474ee3d779ed^! / .
commit73308b6606c02ad201fadd350da6474ee3d779ed[log] [tgz]
authorFilippo Valsorda <valsorda@google.com>Mon Jan 28 18:22:26 2019 -0500
committerCQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>Tue Jan 29 00:51:31 2019 +0000
tree27a70a4e7b591fa672b793ab5496f127c21d17aa
parent23e1a1f2d3c4ca0121eb93eb7d210501f9702317 [diff]
Avoid SCT/OCSP extensions in SH on {Omit|Empty}Extensions

They were causing a "panic: ServerHello unexpectedly contained extensions"
if the client unconditionally signals support for OCSP or SCTs.

Change-Id: Ia60639431daf78679b269dfe337c1af171fd7d8b
Reviewed-on: https://boringssl-review.googlesource.com/c/34644
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>

diff --git a/ssl/test/runner/handshake_server.go b/ssl/test/runner/handshake_server.go
index 5486342..d2ef9b4 100644
--- a/ssl/test/runner/handshake_server.go
+++ b/ssl/test/runner/handshake_server.go

@@ -881,10 +881,10 @@
 					data: certData,
 				}
 				if i == 0 {
-					if hs.clientHello.ocspStapling {
+					if hs.clientHello.ocspStapling && !c.config.Bugs.NoOCSPStapling {
 						cert.ocspResponse = hs.cert.OCSPStaple
 					}
-					if hs.clientHello.sctListSupported {
+					if hs.clientHello.sctListSupported && !c.config.Bugs.NoSignedCertificateTimestamps {
 						cert.sctList = hs.cert.SignedCertificateTimestampList
 					}
 					cert.duplicateExtensions = config.Bugs.SendDuplicateCertExtensions
@@ -1577,11 +1577,11 @@
 	c := hs.c
 
 	isPSK := hs.suite.flags&suitePSK != 0
-	if !isPSK && hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0 {
+	if !isPSK && hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0 && !c.config.Bugs.NoOCSPStapling {
 		hs.hello.extensions.ocspStapling = true
 	}
 
-	if hs.clientHello.sctListSupported && len(hs.cert.SignedCertificateTimestampList) > 0 {
+	if hs.clientHello.sctListSupported && len(hs.cert.SignedCertificateTimestampList) > 0 && !c.config.Bugs.NoSignedCertificateTimestamps {
 		hs.hello.extensions.sctList = hs.cert.SignedCertificateTimestampList
 	}
 

diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index f0587f4..34cb109 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go

@@ -14321,8 +14321,10 @@
 					OmitExtensions: true,
 					// Disable all ServerHello extensions so
 					// OmitExtensions works.
-					NoExtendedMasterSecret: true,
-					NoRenegotiationInfo:    true,
+					NoExtendedMasterSecret:        true,
+					NoRenegotiationInfo:           true,
+					NoOCSPStapling:                true,
+					NoSignedCertificateTimestamps: true,
 				},
 			},
 		})
@@ -14338,8 +14340,10 @@
 					EmptyExtensions: true,
 					// Disable all ServerHello extensions so
 					// EmptyExtensions works.
-					NoExtendedMasterSecret: true,
-					NoRenegotiationInfo:    true,
+					NoExtendedMasterSecret:        true,
+					NoRenegotiationInfo:           true,
+					NoOCSPStapling:                true,
+					NoSignedCertificateTimestamps: true,
 				},
 			},
 		})