- if (custom_ext_parse(s, 0, TLSEXT_TYPE_signed_certificate_timestamp,
- PACKET_data(pkt), PACKET_remaining(pkt), al) <= 0)
+ ENDPOINT role = (context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0
+ ? ENDPOINT_CLIENT : ENDPOINT_BOTH;
+
+ /*
+ * If we didn't ask for it then there must be a custom extension,
+ * otherwise this is unsolicited.
+ */
+ if (custom_ext_find(&s->cert->custext, role,
+ TLSEXT_TYPE_signed_certificate_timestamp,
+ NULL) == NULL) {
+ *al = TLS1_AD_UNSUPPORTED_EXTENSION;
+ return 0;
+ }
+
+ if (custom_ext_parse(s, context,
+ TLSEXT_TYPE_signed_certificate_timestamp,
+ PACKET_data(pkt), PACKET_remaining(pkt),
+ x, chainidx, al) <= 0)