ASN.1: Fix AlgorithmInfo parsing for signatures

Digest is within the DigestInfo SEQUENCE and as such, parsing for it should use the end of that data instead of the end of the decrypted signature as the end point. Fix this in the PKCS #1 and X.509 implementations to avoid accepting invalid digest data that is constructed to get the hash value from after the actual DigestInfo container. Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-13 18:00:55 +02:00 · 2021-03-13 18:00:55 +02:00 · 94beb8e367
commit 94beb8e367
parent ee76493bbd
2 changed files with 3 additions and 4 deletions
--- a/src/tls/pkcs1.c
+++ b/src/tls/pkcs1.c
@ -287,7 +287,6 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
 	/* Digest ::= OCTET STRING */
 	pos = da_end;
 	end = decrypted + decrypted_len;
 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
 	    hdr.class != ASN1_CLASS_UNIVERSAL ||
@ -310,13 +309,14 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
 	os_free(decrypted);
-	if (hdr.payload + hdr.length != end) {
+	if (hdr.payload + hdr.length != decrypted + decrypted_len) {
 		wpa_printf(MSG_INFO,
 			   "PKCS #1: Extra data after signature - reject");
 		wpa_hexdump(MSG_DEBUG, "PKCS #1: Extra data",
 			    hdr.payload + hdr.length,
-			    end - hdr.payload - hdr.length);
+			    decrypted + decrypted_len - hdr.payload -
 			    hdr.length);
 		return -1;
 	}
--- a/src/tls/x509v3.c
+++ b/src/tls/x509v3.c
@ -2070,7 +2070,6 @@ int x509_check_signature(struct x509_certificate *issuer,
 skip_digest_oid:
 	/* Digest ::= OCTET STRING */
 	pos = da_end;
 	end = data + data_len;
 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
 	    hdr.class != ASN1_CLASS_UNIVERSAL ||