ASN.1: Fix AlgorithmInfo parsing for signatures

Digest is within the DigestInfo SEQUENCE and as such, parsing for it
should use the end of that data instead of the end of the decrypted
signature as the end point. Fix this in the PKCS #1 and X.509
implementations to avoid accepting invalid digest data that is
constructed to get the hash value from after the actual DigestInfo
container.

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen 2021-03-13 18:00:55 +02:00
parent ee76493bbd
commit 94beb8e367
2 changed files with 3 additions and 4 deletions


@ -287,7 +287,6 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
/* Digest ::= OCTET STRING */
pos = da_end;
end = decrypted + decrypted_len;
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
@ -310,13 +309,14 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
os_free(decrypted);
if (hdr.payload + hdr.length != end) {
if (hdr.payload + hdr.length != decrypted + decrypted_len) {
wpa_printf(MSG_INFO,
"PKCS #1: Extra data after signature - reject");
wpa_hexdump(MSG_DEBUG, "PKCS #1: Extra data",
hdr.payload + hdr.length,
end - hdr.payload - hdr.length);
decrypted + decrypted_len - hdr.payload -
hdr.length);
return -1;
}
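Review bot: The extra-data check still runs after the `os_free(decrypted);` just above it, so on the reject path `wpa_hexdump(MSG_DEBUG, "PKCS #1: Extra data", ...)` can read from a buffer that has already been freed. The commit rewrites the comparison and the length in terms of `decrypted + decrypted_len` but leaves that ordering in place; `hdr.payload` appears to point into `decrypted` because the Digest header is parsed starting at `da_end`, though the lines between the two hunks are not visible here. I would move the free below the check and add `os_free(decrypted);` before the `return -1;` in the reject branch. Because `end` must now be the DigestInfo end set outside these hunks, a short comment above the check such as `/* end is the DigestInfo end; trailing data is checked against the whole decrypted buffer */` would make the two different bounds explicit. The body of pkcs1_v15_sig_ver starts and ends outside the hunk.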


@ -2070,7 +2070,6 @@ int x509_check_signature(struct x509_certificate *issuer,
skip_digest_oid:
/* Digest ::= OCTET STRING */
pos = da_end;
end = data + data_len;
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||