From: Tobias Brunner
Date: Mon, 4 Oct 2021 10:10:37 +0000 (+0200)
Subject: signature-params: Reject schemes other than RSASSA-PSS with parameters
X-Git-Tag: 5.9.4~4
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=02e4f994ecadd4f2fa2858d01b0530be45e9794d;p=thirdparty%2Fstrongswan.git
signature-params: Reject schemes other than RSASSA-PSS with parameters
NULL parameters (for classic PKCS#1 signature schemes) are explicitly allowed (for any schemes for now), but we only expect parameters for RSASSA-PSS. Before enforcing this, it was possible to modify the parameters in the signatureAlgorithm field of the outer X.509 Certificate structure to something different than the signature field of the signed, inner tbsCertificate structure, allowing generating infinite versions of valid certificates with different binary encodings. Now we accept at most two (NULL and absent parameters).
---
diff --git a/src/libstrongswan/credentials/keys/signature_params.c b/src/libstrongswan/credentials/keys/signature_params.c
index 837de8443d..0916bd4993 100644
--- a/src/libstrongswan/credentials/keys/signature_params.c
+++ b/src/libstrongswan/credentials/keys/signature_params.c
@@ -190,6 +190,7 @@ bool signature_params_parse(chunk_t asn1, int level0,
 	oid = asn1_parse_algorithmIdentifier(asn1, level0, ¶meters);
 	params->scheme = signature_scheme_from_oid(oid);
+	params->params = NULL;
 	switch (params->scheme)
 	{
 		case SIGN_UNKNOWN:
@@ -208,7 +209,13 @@ bool signature_params_parse(chunk_t asn1, int level0,
 			break;
 		}
 		default:
-			params->params = NULL;
+			if (parameters.len &&
+				!chunk_equals(parameters, chunk_from_chars(0x05, 0x00)))
+			{
+				DBG1(DBG_IKE, "unexpected parameters for %N",
+					 signature_scheme_names, params->scheme);
+				return FALSE;
+			}
 			break;
 	}
 	return TRUE;
diff --git a/src/libstrongswan/tests/suites/test_signature_params.c b/src/libstrongswan/tests/suites/test_signature_params.c
index 3b946a4e18..d9ac84ea52 100644
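Review bot: The new `default:` branch accepts both absent and NULL-encoded parameters for every scheme that is not RSASSA-PSS, so each non-PSS signature algorithm still has two accepted DER encodings, whereas RFC 4055 §5 requires NULL for the sha*WithRSAEncryption identifiers and RFC 5758 §3.2 (ecdsa-with-SHA2) and RFC 8410 §3 (Ed25519/Ed448) require the field to be absent. The commit message acknowledges this as a first step, but the leftover freedom is the same class of encoding ambiguity the commit is closing, so a per-scheme rule (tolerate NULL only for the PKCS#1 v1.5 RSA schemes, require absence for ECDSA/EdDSA) would remove it — which schemes `signature_scheme_from_oid` can actually return is not visible here, so that mapping would need to be checked against the enum. At minimum the policy should be stated next to the check, e.g. `/* non-PSS schemes carry no parameters; tolerate an explicit NULL (PKCS#1 style) but reject anything else */`. `signature_params_parse` begins before this hunk.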
--- a/src/libstrongswan/tests/suites/test_signature_params.c
+++ b/src/libstrongswan/tests/suites/test_signature_params.c
@@ -393,6 +393,8 @@ static struct {
 	  { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, }},
 	{ TRUE, chunk_from_chars(0x30,0x0a,0x06,0x08,0x2a,0x86,0x48,0xce,0x3d,0x04,0x03,0x02),
 	  { .scheme = SIGN_ECDSA_WITH_SHA256_DER, }},
+	{ FALSE, chunk_from_chars(0x30,0x0d,0x06,0x08,0x2a,0x86,0x48,0xce,0x3d,0x04,0x03,0x02,0x02,0x01,0x01),
+	  { .scheme = SIGN_ECDSA_WITH_SHA256_DER, }},
 	{ FALSE, chunk_from_chars(0x30,0x0a,0x06,0x08,0x2a,0x86,0x48,0xce,0x3d,0x04,0x03,0xff), },
 };
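Review bot: The added negative entry only covers an ECDSA identifier carrying a non-NULL parameter (the trailing `0x02,0x01,0x01` INTEGER); the other boundary the parser now enforces — an explicit NULL `0x05,0x00` still being accepted for a non-PSS scheme — has no assertion visible in this hunk, so a regression that rejects NULL outright would go unnoticed here (the RSA entry whose second line is visible above may carry one, but its first line is outside the hunk). A matching positive case would be `{ TRUE, chunk_from_chars(0x30,0x0c,0x06,0x08,0x2a,0x86,0x48,0xce,0x3d,0x04,0x03,0x02,0x05,0x00), { .scheme = SIGN_ECDSA_WITH_SHA256_DER, }},`, assuming `asn1_parse_algorithmIdentifier` hands back the parameter TLV exactly as the new `chunk_equals` check expects. The `static struct {` table this hunk extends starts before the hunk.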