crypto/tls: reject zero-length SCTs.

The SignedCertificateTimestampList[1] specifies that both the list and each element must not be empty. Checking that the list is not empty was handled in [2] and this change checks that the SCTs themselves are not zero-length. [1] https://tools.ietf.org/html/rfc6962#section-3.3 [2] https://golang.org/cl/33265 Change-Id: Iabaae7a15f6d111eb079e5086e0bd2005fae9e48 Reviewed-on: https://go-review.googlesource.com/33355 Run-TryBot: Adam Langley <agl@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2024-11-12 04:00:23 -07:00 · 2016-11-17 12:15:19 -08:00 · 2016-11-17 12:15:19 -08:00 · b21743c6d0
commit b21743c6d0
parent c09945980a
2 changed files with 19 additions and 1 deletions
--- a/src/crypto/tls/handshake_messages.go
+++ b/src/crypto/tls/handshake_messages.go
@ -813,7 +813,7 @@ func (m *serverHelloMsg) unmarshal(data []byte) bool {
 				}
 				sctLen := int(d[0])<<8 | int(d[1])
 				d = d[2:]
-				if len(d) < sctLen {
+				if sctLen == 0 || len(d) < sctLen {
 					return false
 				}
 				m.scts = append(m.scts, d[:sctLen])
--- a/src/crypto/tls/handshake_messages_test.go
+++ b/src/crypto/tls/handshake_messages_test.go
@ -305,3 +305,21 @@ func TestRejectEmptySCTList(t *testing.T) {
 		t.Fatal("Unmarshaled ServerHello with empty SCT list")
 	}
 }
+
+func TestRejectEmptySCT(t *testing.T) {
+	// Not only must the SCT list be non-empty, but the SCT elements must
+	// not be zero length.
+
+	var random [32]byte
+	serverHello := serverHelloMsg{
+		vers:   VersionTLS12,
+		random: random[:],
+		scts:   [][]byte{nil},
+	}
+	serverHelloBytes := serverHello.marshal()
+
+	var serverHelloCopy serverHelloMsg
+	if serverHelloCopy.unmarshal(serverHelloBytes) {
+		t.Fatal("Unmarshaled ServerHello with zero-length SCT")
+	}
+}