aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJouni Malinen <j@w1.fi>2019-06-22 15:27:36 (GMT)
committerJouni Malinen <j@w1.fi>2019-06-22 15:27:36 (GMT)
commit34c1b75c8203cf552ca8c1d0f2c89cdbf45dd7ed (patch)
treecc4c8fe62f1b36c682c5a97aeb748d647dc2e602
parent5e6ab36df8cda388db81d84db7963e0a9d142550 (diff)
downloadhostap-34c1b75c8203cf552ca8c1d0f2c89cdbf45dd7ed.zip
hostap-34c1b75c8203cf552ca8c1d0f2c89cdbf45dd7ed.tar.gz
hostap-34c1b75c8203cf552ca8c1d0f2c89cdbf45dd7ed.tar.bz2
TLS: Only allow 0xff value as TRUE for ASN.1 DER encoded BOOLEAN
While BER encoding allows any nonzero value to be used for TRUE, DER is explicitly allowing only the value 0xff. Enforce this constraint in X.509 parsing to be more strict with what is acceptable. Signed-off-by: Jouni Malinen <j@w1.fi>
-rw-r--r--src/tls/x509v3.c12
1 files changed, 12 insertions, 0 deletions
diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c
index 71ac6b9..76b6ba1 100644
--- a/src/tls/x509v3.c
+++ b/src/tls/x509v3.c
@@ -852,6 +852,12 @@ static int x509_parse_ext_basic_constraints(struct x509_certificate *cert,
hdr.length);
return -1;
}
+ if (hdr.payload[0] != 0 && hdr.payload[0] != 0xff) {
+ wpa_printf(MSG_DEBUG,
+ "X509: Invalid cA BOOLEAN value 0x%x in BasicConstraints (DER requires 0 or 0xff)",
+ hdr.payload[0]);
+ return -1;
+ }
cert->ca = hdr.payload[0];
pos = hdr.payload + hdr.length;
@@ -1312,6 +1318,12 @@ static int x509_parse_extension(struct x509_certificate *cert,
"Boolean length (%u)", hdr.length);
return -1;
}
+ if (hdr.payload[0] != 0 && hdr.payload[0] != 0xff) {
+ wpa_printf(MSG_DEBUG,
+ "X509: Invalid critical BOOLEAN value 0x%x in Extension (DER requires 0 or 0xff)",
+ hdr.payload[0]);
+ return -1;
+ }
critical_ext = hdr.payload[0];
pos = hdr.payload;
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||