From 02e4f994ecadd4f2fa2858d01b0530be45e9794d Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Mon, 4 Oct 2021 12:10:37 +0200
Subject: [PATCH] signature-params: Reject schemes other than RSASSA-PSS with parameters

NULL parameters (for classic PKCS#1 signature schemes) are explicitly allowed (for any schemes for now), but we only expect parameters for RSASSA-PSS. Before enforcing this, it was possible to modify the parameters in the signatureAlgorithm field of the outer X.509 Certificate structure to something different than the signature field of the signed, inner tbsCertificate structure, allowing generating infinite versions of valid certificates with different binary encodings. Now we accept at most two (NULL and absent parameters).
---
 src/libstrongswan/credentials/keys/signature_params.c | 9 ++++++++-
 src/libstrongswan/tests/suites/test_signature_params.c | 2 ++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/libstrongswan/credentials/keys/signature_params.c b/src/libstrongswan/credentials/keys/signature_params.c
index 837de8443d..0916bd4993 100644
--- a/src/libstrongswan/credentials/keys/signature_params.c
+++ b/src/libstrongswan/credentials/keys/signature_params.c
@@ -190,6 +190,7 @@ bool signature_params_parse(chunk_t asn1, int level0,
 
 oid = asn1_parse_algorithmIdentifier(asn1, level0, ¶meters);
 params->scheme = signature_scheme_from_oid(oid);
+ params->params = NULL;
 switch (params->scheme)
 {
 case SIGN_UNKNOWN:
@@ -208,7 +209,13 @@ bool signature_params_parse(chunk_t asn1, int level0,
 break;
 }
 default:
- params->params = NULL;
+ if (parameters.len &&
+ !chunk_equals(parameters, chunk_from_chars(0x05, 0x00)))
+ {
+ DBG1(DBG_IKE, "unexpected parameters for %N",
+ signature_scheme_names, params->scheme);
+ return FALSE;
+ }
 break;
 }
 return TRUE;
diff --git a/src/libstrongswan/tests/suites/test_signature_params.c b/src/libstrongswan/tests/suites/test_signature_params.c
index 3b946a4e18..d9ac84ea52 100644
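Review bot: The new `default:` branch still accepts NULL (`05 00`) parameters for every non-PSS scheme, so the two-encodings malleability the commit message describes remains for schemes whose AlgorithmIdentifier must carry no parameters at all, e.g. SIGN_ECDSA_WITH_SHA256_DER (RFC 5758 §3.2): absent and NULL are both still accepted. The message acknowledges this ("for any schemes for now"), but it would be cheap to restrict the NULL exemption to the PKCS#1 RSA schemes, the only ones where RFC 4055 §5 requires accepting both absent and NULL, e.g. `if (parameters.len && !(rsa_pkcs1_scheme(params->scheme) && chunk_equals(parameters, chunk_from_chars(0x05, 0x00))))` with a small static helper that enumerates the PKCS#1 enumerators (the scheme enum is not visible in this hunk, so the exact list cannot be confirmed from here). Either way the magic bytes deserve a why-comment above the `if`, such as `/* DER-encoded ASN.1 NULL: the only parameters PKCS#1 schemes may carry (RFC 4055) */`. signature_params_parse starts above this hunk, and the SIGN_RSA_EMSA_PSS case that sets params->params lies between the two hunks.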
--- a/src/libstrongswan/tests/suites/test_signature_params.c
+++ b/src/libstrongswan/tests/suites/test_signature_params.c
@@ -393,6 +393,8 @@ static struct {
 { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, }},
 { TRUE, chunk_from_chars(0x30,0x0a,0x06,0x08,0x2a,0x86,0x48,0xce,0x3d,0x04,0x03,0x02),
 { .scheme = SIGN_ECDSA_WITH_SHA256_DER, }},
+ { FALSE, chunk_from_chars(0x30,0x0d,0x06,0x08,0x2a,0x86,0x48,0xce,0x3d,0x04,0x03,0x02,0x02,0x01,0x01),
+ { .scheme = SIGN_ECDSA_WITH_SHA256_DER, }},
 { FALSE, chunk_from_chars(0x30,0x0a,0x06,0x08,0x2a,0x86,0x48,0xce,0x3d,0x04,0x03,0xff), },
 };
 
-- 
2.47.2
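Review bot: The new vector only exercises ECDSA with INTEGER parameters and does not pin down the NULL case that the parser now treats specially, so a change in that policy would go unnoticed by this table. An ECDSA-with-SHA256 vector carrying NULL parameters, `0x30,0x0c,0x06,0x08,0x2a,0x86,0x48,0xce,0x3d,0x04,0x03,0x02,0x05,0x00`, with its expected result stated (TRUE under the current code, which accepts NULL for every scheme; FALSE if NULL is later restricted to PKCS#1 RSA) makes the chosen policy explicit, and a PKCS#1 RSA vector with NULL parameters is worth keeping next to it since RFC 4055 requires that one to parse. The table starts above this hunk, so I cannot tell whether such vectors already exist earlier in it.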