ASN.1: Fix AlgorithmInfo parsing for signatures

Digest is within the DigestInfo SEQUENCE and as such, parsing for it should use the end of that data instead of the end of the decrypted signature as the end point. Fix this in the PKCS #1 and X.509 implementations to avoid accepting invalid digest data that is constructed to get the hash value from after the actual DigestInfo container. Signed-off-by: Jouni Malinen <j@w1.fi>
3 years ago · 94beb8e367
parent ee76493bbd
commit 94beb8e367
2 changed files with 3 additions and 4 deletions
--- a/src/tls/pkcs1.c
+++ b/src/tls/pkcs1.c
@ -287,7 +287,6 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,

 	/* Digest ::= OCTET STRING */
 	pos = da_end;
-	end = decrypted + decrypted_len;

 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
 	    hdr.class != ASN1_CLASS_UNIVERSAL ||
@ -310,13 +309,14 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,

 	os_free(decrypted);

-	if (hdr.payload + hdr.length != end) {
+	if (hdr.payload + hdr.length != decrypted + decrypted_len) {
 		wpa_printf(MSG_INFO,
 			   "PKCS #1: Extra data after signature - reject");

 		wpa_hexdump(MSG_DEBUG, "PKCS #1: Extra data",
 			    hdr.payload + hdr.length,
-			    end - hdr.payload - hdr.length);
+			    decrypted + decrypted_len - hdr.payload -
+			    hdr.length);
 		return -1;
 	}

--- a/src/tls/x509v3.c
+++ b/src/tls/x509v3.c
@ -2070,7 +2070,6 @@ int x509_check_signature(struct x509_certificate *issuer,
 skip_digest_oid:
 	/* Digest ::= OCTET STRING */
 	pos = da_end;
-	end = data + data_len;

 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
 	    hdr.class != ASN1_CLASS_UNIVERSAL ||