PKCS #1: Allow only BT=01 for signature in internal TLS
Based on PKCS #1, v1.5, 10.1.3, the block type shall be 01 for a signature. This avoids a potential attack vector for internal TLS/X.509 implementation. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit is contained in:
parent
9c29d48725
commit
e6d83cc7ba
1 changed files with 10 additions and 19 deletions
|
@ -142,26 +142,18 @@ int pkcs1_decrypt_public_key(struct crypto_rsa_key *key,
|
|||
* BT = 00 or 01
|
||||
* PS = k-3-||D|| times (00 if BT=00) or (FF if BT=01)
|
||||
* k = length of modulus in octets
|
||||
*
|
||||
* Based on 10.1.3, "The block type shall be 01" for a signature.
|
||||
*/
|
||||
|
||||
if (len < 3 + 8 + 16 /* min hash len */ ||
|
||||
plain[0] != 0x00 || (plain[1] != 0x00 && plain[1] != 0x01)) {
|
||||
plain[0] != 0x00 || plain[1] != 0x01) {
|
||||
wpa_printf(MSG_INFO, "LibTomCrypt: Invalid signature EB "
|
||||
"structure");
|
||||
return -1;
|
||||
}
|
||||
|
||||
pos = plain + 3;
|
||||
if (plain[1] == 0x00) {
|
||||
/* BT = 00 */
|
||||
if (plain[2] != 0x00) {
|
||||
wpa_printf(MSG_INFO, "LibTomCrypt: Invalid signature "
|
||||
"PS (BT=00)");
|
||||
return -1;
|
||||
}
|
||||
while (pos + 1 < plain + len && *pos == 0x00 && pos[1] == 0x00)
|
||||
pos++;
|
||||
} else {
|
||||
/* BT = 01 */
|
||||
if (plain[2] != 0xff) {
|
||||
wpa_printf(MSG_INFO, "LibTomCrypt: Invalid signature "
|
||||
|
@ -170,7 +162,6 @@ int pkcs1_decrypt_public_key(struct crypto_rsa_key *key,
|
|||
}
|
||||
while (pos < plain + len && *pos == 0xff)
|
||||
pos++;
|
||||
}
|
||||
|
||||
if (pos - plain - 2 < 8) {
|
||||
/* PKCS #1 v1.5, 8.1: At least eight octets long PS */
|
||||
|
|
Loading…
Reference in a new issue