X.509: Fix internal TLS/X.509 validation of PKCS#1 signature
author Jouni Malinen <jouni@qca.qualcomm.com>
Mon, 19 May 2014 20:25:38 +0000 (23:25 +0300)
committer Jouni Malinen <j@w1.fi>
Mon, 19 May 2014 20:27:30 +0000 (23:27 +0300)
Verify that there is no extra data after the hash field. This is needed
to avoid potential attacks using additional data to construct a value
that passes the RSA operation and allows the hash value to be forged.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
src/tls/x509v3.c

index a9483cb..751a268 100644 (file)
@@ -1783,6 +1783,15 @@ skip_digest_oid:
                return -1;
        }
 
+       if (hdr.payload + hdr.length < data + data_len) {
+               wpa_hexdump(MSG_INFO,
+                           "X509: Extra data after certificate signature hash",
+                           hdr.payload + hdr.length,
+                           data + data_len - hdr.payload - hdr.length);
+               os_free(data);
+               return -1;
+       }
+
        os_free(data);
 
        wpa_printf(MSG_DEBUG, "X509: Certificate Digest matches with "
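
Review bot: The new `if (hdr.payload + hdr.length < data + data_len)` test only rejects a hash field that ends short of the decrypted buffer; it relies on earlier parsing, not visible in this hunk, to guarantee that `hdr.payload + hdr.length` can never point past `data + data_len`. Either confirm that the ASN.1 header parser already enforces that bound, or make the intent explicit by requiring the hash to end exactly at `data + data_len` and handling the overrun case as a separate failure without a hexdump (the length expression `data + data_len - hdr.payload - hdr.length` is only valid when the hash ends inside the buffer). Computing the end pointer once, for example `end = hdr.payload + hdr.length`, would also make the condition and the hexdump arguments easier to check against each other. The block has no comment, so a one-line note above the `if` stating that trailing bytes after the hash must be rejected to prevent signature forgery would keep the reason for the check from being lost in later refactoring.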