runner: Parse the status_request extension more strictly.

Noticed this while I was in the area. We currently use an extremely lax parse that even tolerates syntax errors. Instead use a strict parse that ensures our client only sends what we expect. Change-Id: Ifb0e1e1698489ff217db0c7a0317caa885e20759 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47966 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
4 years ago · 1f54fd9864
parent 00bccd6eef
commit 1f54fd9864
1 changed files with 16 additions and 1 deletions
--- a/ssl/test/runner/handshake_messages.go
+++ b/ssl/test/runner/handshake_messages.go
@ -936,7 +936,22 @@ func (m *clientHelloMsg) unmarshal(data []byte) bool {
 			}
 			m.nextProtoNeg = true
 		case extensionStatusRequest:
-			m.ocspStapling = len(body) > 0 && body[0] == statusTypeOCSP
+			// This parse is stricter than a production implementation would
+			// use. The status_request extension has many layers of interior
+			// extensibility, but we expect our client to only send empty
+			// requests of type OCSP.
+			var statusType uint8
+			var responderIDList, innerExtensions byteReader
+			if !body.readU8(&statusType) ||
+				statusType != statusTypeOCSP ||
+				!body.readU16LengthPrefixed(&responderIDList) ||
+				!body.readU16LengthPrefixed(&innerExtensions) ||
+				len(responderIDList) != 0 ||
+				len(innerExtensions) != 0 ||
+				len(body) != 0 {
+				return false
+			}
+			m.ocspStapling = true
 		case extensionSupportedCurves:
 			// http://tools.ietf.org/html/rfc4492#section-5.5.1
 			var curves byteReader