runner: Parse the status_request extension more strictly.
Noticed this while I was in the area. We currently use an extremely lax
parse that even tolerates syntax errors. Instead use a strict parse that
ensures our client only sends what we expect.
Change-Id: Ifb0e1e1698489ff217db0c7a0317caa885e20759
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47966
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
diff --git a/ssl/test/runner/handshake_messages.go b/ssl/test/runner/handshake_messages.go
index 9f283ea..41a4532 100644
--- a/ssl/test/runner/handshake_messages.go
+++ b/ssl/test/runner/handshake_messages.go
@@ -936,7 +936,22 @@
}
m.nextProtoNeg = true
case extensionStatusRequest:
- m.ocspStapling = len(body) > 0 && body[0] == statusTypeOCSP
+ // This parse is stricter than a production implementation would
+ // use. The status_request extension has many layers of interior
+ // extensibility, but we expect our client to only send empty
+ // requests of type OCSP.
+ var statusType uint8
+ var responderIDList, innerExtensions byteReader
+ if !body.readU8(&statusType) ||
+ statusType != statusTypeOCSP ||
+ !body.readU16LengthPrefixed(&responderIDList) ||
+ !body.readU16LengthPrefixed(&innerExtensions) ||
+ len(responderIDList) != 0 ||
+ len(innerExtensions) != 0 ||
+ len(body) != 0 {
+ return false
+ }
+ m.ocspStapling = true
case extensionSupportedCurves:
// http://tools.ietf.org/html/rfc4492#section-5.5.1
var curves byteReader
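Review bot: The new comment in the `extensionStatusRequest` case explains why the parse is strict, but it does not name the structure being walked or the change in failure mode. I would add a reference in the style of the neighbouring case, `// https://tools.ietf.org/html/rfc6066#section-8`, and note that the two length-prefixed reads are `responder_id_list` and `request_extensions` of `OCSPStatusRequest`. It is also worth one line saying that a status type other than `statusTypeOCSP` now fails the whole message (`return false`). The removed line only left `m.ocspStapling` false in that case, so a test that sends another type on purpose will now fail at parse time instead. The enclosing switch and function begin and end outside this hunk, so how callers report the `false` return is not visible here.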