]> git.ipfire.org Git - thirdparty/hostap.git/commitdiff
projects / thirdparty / hostap.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: ee76493)
ASN.1: Fix AlgorithmInfo parsing for signatures
authorJouni Malinen <j@w1.fi>
Sat, 13 Mar 2021 16:00:55 +0000 (18:00 +0200)
committerJouni Malinen <j@w1.fi>
Sun, 14 Mar 2021 09:37:58 +0000 (11:37 +0200)
Digest is within the DigestInfo SEQUENCE and as such, parsing for it
should use the end of that data instead of the end of the decrypted
signature as the end point. Fix this in the PKCS #1 and X.509
implementations to avoid accepting invalid digest data that is
constructed to get the hash value from after the actual DigestInfo
container.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/tls/pkcs1.c patch | blob | blame | history
src/tls/x509v3.c patch | blob | blame | history

diff --git a/src/tls/pkcs1.c b/src/tls/pkcs1.c
index 654c01b76408fce7d1b7daf983f253cc03f108bd..bbdb0d72dd05f2d468a484c2251124edd48e2483 100644 (file)
--- a/src/tls/pkcs1.c
+++ b/src/tls/pkcs1.c
@@ -287,7 +287,6 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
 
        /* Digest ::= OCTET STRING */
        pos = da_end;
-       end = decrypted + decrypted_len;
 
        if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
            hdr.class != ASN1_CLASS_UNIVERSAL ||
@@ -310,13 +309,14 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
 
        os_free(decrypted);
 
-       if (hdr.payload + hdr.length != end) {
+       if (hdr.payload + hdr.length != decrypted + decrypted_len) {
                wpa_printf(MSG_INFO,
                           "PKCS #1: Extra data after signature - reject");
 
                wpa_hexdump(MSG_DEBUG, "PKCS #1: Extra data",
                            hdr.payload + hdr.length,
-                           end - hdr.payload - hdr.length);
+                           decrypted + decrypted_len - hdr.payload -
+                           hdr.length);
                return -1;
        }
 
diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c
index d2e685cb39c382a6a9ecfb348b5499894f9045eb..a8944dd2fd76f3648941b81d58a46b4ee4f2251a 100644 (file)
--- a/src/tls/x509v3.c
+++ b/src/tls/x509v3.c
@@ -2070,7 +2070,6 @@ int x509_check_signature(struct x509_certificate *issuer,
 skip_digest_oid:
        /* Digest ::= OCTET STRING */
        pos = da_end;
-       end = data + data_len;
 
        if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
            hdr.class != ASN1_CLASS_UNIVERSAL ||
Unnamed repository; edit this file 'description' to name the repository.