TLS: Only allow 0xff value as TRUE for ASN.1 DER encoded BOOLEAN
authorJouni Malinen <j@w1.fi>
Sat, 22 Jun 2019 15:27:36 +0000 (18:27 +0300)
committerJouni Malinen <j@w1.fi>
Sat, 22 Jun 2019 15:27:36 +0000 (18:27 +0300)
While BER encoding allows any nonzero value to be used for TRUE, DER is
explicitly allowing only the value 0xff. Enforce this constraint in
X.509 parsing to be more strict with what is acceptable.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/tls/x509v3.c

index 71ac6b95b0faba669d9d1958a499eaea243b5dc1..76b6ba159a4b8af30ba3357f5bfbd50eae06f918 100644 (file)
@@ -852,6 +852,12 @@ static int x509_parse_ext_basic_constraints(struct x509_certificate *cert,
                                   hdr.length);
                        return -1;
                }
+               if (hdr.payload[0] != 0 && hdr.payload[0] != 0xff) {
+                       wpa_printf(MSG_DEBUG,
+                                  "X509: Invalid cA BOOLEAN value 0x%x in BasicConstraints (DER requires 0 or 0xff)",
+                                  hdr.payload[0]);
+                       return -1;
+               }
                cert->ca = hdr.payload[0];
 
                pos = hdr.payload + hdr.length;
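Review bot: The 0x00/0xff test is written out twice, here before `cert->ca = hdr.payload[0];` and again in the x509_parse_extension hunk before `critical_ext = hdr.payload[0];`, so a BOOLEAN parsed elsewhere in this file can silently stay on the lenient BER rule. A single static helper that both sites call keeps the DER rule in one place and makes any future BOOLEAN field strict by default. The sketch below assumes `hdr` is the `struct asn1_hdr` filled in by `asn1_get_next()`, and that the length-is-1 check visible just above has already run. Both functions start and end outside their hunks, so the surrounding tag and length checks are not shown.

```c
static int x509_der_boolean_ok(const struct asn1_hdr *hdr, const char *what)
{
	/* DER permits only 0x00 (FALSE) and 0xff (TRUE); BER accepts any nonzero TRUE */
	if (hdr->payload[0] == 0 || hdr->payload[0] == 0xff)
		return 1;
	wpa_printf(MSG_DEBUG,
		   "X509: Invalid %s BOOLEAN value 0x%x (DER requires 0 or 0xff)",
		   what, hdr->payload[0]);
	return 0;
}

/* … unchanged: tag and length checks in x509_parse_ext_basic_constraints … */
		if (!x509_der_boolean_ok(&hdr, "cA"))
			return -1;
		cert->ca = hdr.payload[0];
```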
@@ -1312,6 +1318,12 @@ static int x509_parse_extension(struct x509_certificate *cert,
                                   "Boolean length (%u)", hdr.length);
                        return -1;
                }
+               if (hdr.payload[0] != 0 && hdr.payload[0] != 0xff) {
+                       wpa_printf(MSG_DEBUG,
+                                  "X509: Invalid critical BOOLEAN value 0x%x in Extension (DER requires 0 or 0xff)",
+                                  hdr.payload[0]);
+                       return -1;
+               }
                critical_ext = hdr.payload[0];
                pos = hdr.payload;
                if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
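Review bot: An explicitly encoded FALSE (0x00) still passes the new check before `critical_ext = hdr.payload[0];`, although `critical` is a BOOLEAN DEFAULT FALSE and DER omits a component that equals its default, so the "(DER requires 0 or 0xff)" wording is looser than DER itself. Accepting it is presumably deliberate, since certificates with an explicit FALSE exist in practice, but the code does not say so. I would add a comment above the check such as `/* Explicit FALSE (0x00) is tolerated for interoperability even though DER omits DEFAULT values */`. The same applies to the cA check in the x509_parse_ext_basic_constraints hunk. The function body continues outside this hunk.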