jeltz/hostap
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

TLS: Only allow 0xff value as TRUE for ASN.1 DER encoded BOOLEAN

Browse source 
While BER encoding allows any nonzero value to be used for TRUE, DER is
explicitly allowing only the value 0xff. Enforce this constraint in
X.509 parsing to be more strict with what is acceptable.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2019-06-22 18:27:36 +03:00
parent 5e6ab36df8
commit 34c1b75c82
1 changed files with 12 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
src/tls/x509v3.c
View file

@ -852,6 +852,12 @@ static int x509_parse_ext_basic_constraints(struct x509_certificate *cert,
hdr.length);
return -1;
}
if (hdr.payload[0] != 0 && hdr.payload[0] != 0xff) {
wpa_printf(MSG_DEBUG,
"X509: Invalid cA BOOLEAN value 0x%x in BasicConstraints (DER requires 0 or 0xff)",
hdr.payload[0]);
return -1;
}
cert->ca = hdr.payload[0];
pos = hdr.payload + hdr.length;
@ -1312,6 +1318,12 @@ static int x509_parse_extension(struct x509_certificate *cert,
"Boolean length (%u)", hdr.length);
return -1;
}
if (hdr.payload[0] != 0 && hdr.payload[0] != 0xff) {
wpa_printf(MSG_DEBUG,
"X509: Invalid critical BOOLEAN value 0x%x in Extension (DER requires 0 or 0xff)",
hdr.payload[0]);
return -1;
}
critical_ext = hdr.payload[0];
pos = hdr.payload;
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||