authorSimon Josefsson <simon@josefsson.org>2006-09-08 13:39:29 +0000
committerSimon Josefsson <simon@josefsson.org>2006-09-08 13:39:29 +0000
commitc5c36a61fc8e0c2764a6818788344a9d79fdcad4 (patch)
tree1fb6b912ea452b35ec6dc9cf96fb48e4861284af
parent7575d8d1ade70ad56e1528c4f8b0d0ac1e89e564 (diff)
Make sure the digestAlgorithm.parameters field is empty, which it has
to be for the hashes we support. Otherwise, the field can encode "garbage" that might be used to make the signature value a perfect cube, similar (but not identical) to Bleichenbacher's CRYPTO 2006 rump session attack.
-rw-r--r--lib/x509/verify.c11
1 files changed, 10 insertions, 1 deletions
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index fc2f2759a6..a35c599830 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2003, 2004, 2005 Free Software Foundation
+ * Copyright (C) 2003, 2004, 2005, 2006 Free Software Foundation
*
* Author: Nikos Mavroyanopoulos
*
@@ -505,6 +505,15 @@ decode_ber_digest_info (const gnutls_datum_t * info,
return GNUTLS_E_UNKNOWN_HASH_ALGORITHM;
}
+ len = sizeof (str) - 1;
+ result = asn1_read_value (dinfo, "digestAlgorithm.parameters", NULL, &len);
+ if (result != ASN1_ELEMENT_NOT_FOUND)
+ {
+ gnutls_assert ();
+ asn1_delete_structure (&dinfo);
+ return _gnutls_asn2err (result);
+ }
+
result = asn1_read_value (dinfo, "digest", digest, digest_size);
if (result != ASN1_SUCCESS)
{
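Review bot: The new check rejects every present digestAlgorithm.parameters field, including the explicit ASN.1 NULL (05 00) that RFC 3447 §9.2 lists in the canonical DigestInfo encodings for MD5, SHA-1 and SHA-2, so any signer that emits the NULL will now fail verification here; whether libtasn1 reports that NULL as present depends on the grammar's declaration of the field, which is not in this hunk, but a value read returning anything other than ASN1_ELEMENT_NOT_FOUND is what this code treats as fatal. A fixed two-byte NULL carries no attacker-chosen bits, so accepting exactly that encoding keeps the cube-root defence while restoring interoperability. As written `len = sizeof (str) - 1` is dead because the read passes a NULL buffer, and on a present field the code funnels a success or length-probe result through `_gnutls_asn2err`, which yields an error code unrelated to the malformed DigestInfo; returning an explicit ASN.1 error is clearer. The enclosing function decode_ber_digest_info begins before the hunk.
```c
  /* The parameters field must be absent or a DER NULL (05 00); any
     other content could be attacker-chosen padding (Bleichenbacher
     CRYPTO 2006 rump session), so reject it. */
  len = sizeof (str) - 1;
  result = asn1_read_value (dinfo, "digestAlgorithm.parameters", str, &len);
  if (!(result == ASN1_ELEMENT_NOT_FOUND
        || (result == ASN1_SUCCESS && len == 2
            && str[0] == 0x05 && str[1] == 0x00)))
    {
      gnutls_assert ();
      asn1_delete_structure (&dinfo);
      return GNUTLS_E_ASN1_GENERIC_ERROR;
    }
  /* … unchanged: digest read … */
```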