diff options
| author | Jouni Malinen <jouni@qca.qualcomm.com> | 2014-05-19 23:25:38 +0300 |
|---|---|---|
| committer | Steve Kondik <shade@chemlab.org> | 2014-10-13 19:52:49 -0700 |
| commit | 34633459ab748a7e12224e47c30d673ac74b97c3 (patch) | |
| tree | 07d779fdfe29e9bb3d000a4d8249f2ce28258b1e | |
| parent | d16e18d1946ce59763cf99eb35d7102e0de07c10 (diff) | |
| download | android_external_wpa_supplicant_8-34633459ab748a7e12224e47c30d673ac74b97c3.tar.gz android_external_wpa_supplicant_8-34633459ab748a7e12224e47c30d673ac74b97c3.tar.bz2 android_external_wpa_supplicant_8-34633459ab748a7e12224e47c30d673ac74b97c3.zip | |
X.509: Fix internal TLS/X.509 validation of PKCS#1 signature
Verify that there is no extra data after the hash field. This is needed
to avoid potential attacks using additional data to construct a value
that passes the RSA operation and allows the hash value to be forged.
CRs-Fixed: 654804
Change-Id: Iee0a8de08fd0f7d66b3bfd0c4396637d9b70e92f
Git-commit: 9c29d48725fd40a82407a89f193cf009aeef9745
Git-repo : git://w1.fi/srv/git/hostap.git
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
| -rw-r--r-- | src/tls/x509v3.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c index 9b498292..7e79420f 100644 --- a/src/tls/x509v3.c +++ b/src/tls/x509v3.c @@ -1790,6 +1790,15 @@ skip_digest_oid: return -1; } + if (hdr.payload + hdr.length < data + data_len) { + wpa_hexdump(MSG_INFO, + "X509: Extra data after certificate signature hash", + hdr.payload + hdr.length, + data + data_len - hdr.payload - hdr.length); + os_free(data); + return -1; + } + os_free(data); wpa_printf(MSG_DEBUG, "X509: Certificate Digest matches with " |