From 34c1b75c8203cf552ca8c1d0f2c89cdbf45dd7ed Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sat, 22 Jun 2019 18:27:36 +0300
Subject: [PATCH] TLS: Only allow 0xff value as TRUE for ASN.1 DER encoded BOOLEAN

While BER encoding allows any nonzero value to be used for TRUE, DER is explicitly allowing only the value 0xff. Enforce this constraint in X.509 parsing to be more strict with what is acceptable.
Signed-off-by: Jouni Malinen
---
 src/tls/x509v3.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c
index 71ac6b95b..76b6ba159 100644
--- src/tls/x509v3.c
+++ src/tls/x509v3.c
@@ -852,6 +852,12 @@ static int x509_parse_ext_basic_constraints(struct x509_certificate *cert,
 hdr.length);
 return -1;
 }
+ if (hdr.payload[0] != 0 && hdr.payload[0] != 0xff) {
+ wpa_printf(MSG_DEBUG,
+ "X509: Invalid cA BOOLEAN value 0x%x in BasicConstraints (DER requires 0 or 0xff)",
+ hdr.payload[0]);
+ return -1;
+ }
 cert->ca = hdr.payload[0];
 pos = hdr.payload + hdr.length;
@@ -1312,6 +1318,12 @@ static int x509_parse_extension(struct x509_certificate *cert,
 "Boolean length (%u)", hdr.length);
 return -1;
 }
+ if (hdr.payload[0] != 0 && hdr.payload[0] != 0xff) {
+ wpa_printf(MSG_DEBUG,
+ "X509: Invalid critical BOOLEAN value 0x%x in Extension (DER requires 0 or 0xff)",
+ hdr.payload[0]);
+ return -1;
+ }
 critical_ext = hdr.payload[0];
 pos = hdr.payload;
 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
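Review bot: The added test in x509_parse_ext_basic_constraints() still accepts an explicitly encoded FALSE (0x00) for cA, and the matching test in the x509_parse_extension() hunk does the same for critical. Both fields are BOOLEAN DEFAULT FALSE in RFC 5280, and DER (X.690 section 11.5) does not allow a component equal to its default value to be encoded at all, so the log text "DER requires 0 or 0xff" overstates how strict the parser now is. If explicit FALSE is accepted on purpose, record that next to the check, for example `/* Explicit FALSE is not valid DER for a DEFAULT FALSE field; accepted here on purpose */`; otherwise the condition could be tightened to `if (hdr.payload[0] != 0xff) {` in both places, at the cost of rejecting certificates that encode the default. Both function bodies start and end outside the hunks.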
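Review bot: The six lines added to x509_parse_extension() repeat the BasicConstraints check verbatim apart from the field name in the message, so the two copies can drift apart if the accepted set of values ever changes. Keeping the rule in one small static helper that takes the octet and the field name would leave each call site as `if (x509_check_der_boolean(hdr.payload[0], "critical") < 0) return -1;` (the helper name is a suggestion, not an existing function). Reading `hdr.payload[0]` here relies on the preceding length check, whose condition is outside the hunk, having rejected anything other than a one-octet BOOLEAN.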