39d1717efd
Add upstream patches fixing internal TLS validation of X.509 certificates. See http://lists.shmoo.com/pipermail/hostap/2014-May/030273.html for details. Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
39 lines
1.1 KiB
Diff
39 lines
1.1 KiB
Diff
From 9c29d48725fd40a82407a89f193cf009aeef9745 Mon Sep 17 00:00:00 2001
|
|
From: Jouni Malinen <jouni@qca.qualcomm.com>
|
|
Date: Mon, 19 May 2014 23:25:38 +0300
|
|
Subject: [PATCH] X.509: Fix internal TLS/X.509 validation of PKCS#1
|
|
signature
|
|
|
|
Verify that there is no extra data after the hash field. This is needed
|
|
to avoid potential attacks using additional data to construct a value
|
|
that passes the RSA operation and allows the hash value to be forged.
|
|
|
|
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
|
|
---
|
|
src/tls/x509v3.c | 9 +++++++++
|
|
1 file changed, 9 insertions(+)
|
|
|
|
diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c
|
|
index a9483cb7fc2f..751a268e1caf 100644
|
|
--- a/src/tls/x509v3.c
|
|
+++ b/src/tls/x509v3.c
|
|
@@ -1783,6 +1783,15 @@ skip_digest_oid:
|
|
return -1;
|
|
}
|
|
|
|
+ if (hdr.payload + hdr.length < data + data_len) {
|
|
+ wpa_hexdump(MSG_INFO,
|
|
+ "X509: Extra data after certificate signature hash",
|
|
+ hdr.payload + hdr.length,
|
|
+ data + data_len - hdr.payload - hdr.length);
|
|
+ os_free(data);
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
os_free(data);
|
|
|
|
wpa_printf(MSG_DEBUG, "X509: Certificate Digest matches with "
|
|
--
|
|
2.0.0.rc2
|
|
|