TLS: Only allow 0xff value as TRUE for ASN.1 DER encoded BOOLEAN

While BER encoding allows any nonzero value to be used for TRUE, DER is
explicitly allowing only the value 0xff. Enforce this constraint in
X.509 parsing to be more strict with what is acceptable.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2019-06-22 18:27:36 +03:00
parent 5e6ab36df8
commit 34c1b75c82

View File

@ -852,6 +852,12 @@ static int x509_parse_ext_basic_constraints(struct x509_certificate *cert,
hdr.length);
return -1;
}
if (hdr.payload[0] != 0 && hdr.payload[0] != 0xff) {
wpa_printf(MSG_DEBUG,
"X509: Invalid cA BOOLEAN value 0x%x in BasicConstraints (DER requires 0 or 0xff)",
hdr.payload[0]);
return -1;
}
cert->ca = hdr.payload[0];
pos = hdr.payload + hdr.length;
@ -1312,6 +1318,12 @@ static int x509_parse_extension(struct x509_certificate *cert,
"Boolean length (%u)", hdr.length);
return -1;
}
if (hdr.payload[0] != 0 && hdr.payload[0] != 0xff) {
wpa_printf(MSG_DEBUG,
"X509: Invalid critical BOOLEAN value 0x%x in Extension (DER requires 0 or 0xff)",
hdr.payload[0]);
return -1;
}
critical_ext = hdr.payload[0];
pos = hdr.payload;
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||