X.509 certificate validation with internal TLS implementation

Jouni Malinen
Wed May 21 00:55:10 PDT 2014


Source code review of the internal TLS implementation in hostap.git has
found insufficient validation steps for the signature field in X.509
certificates. While the digest value is verified to be correct, extra
padding after that value is not used to reject the certificate. This can
make it easier to generate forged certificates that would pass the
validation steps even without a valid signature, especially in the case
of a small public exponent (3) used in a CA certificate. This could be
used by rogue APs/authentication servers to bypass server
authentication in wpa_supplicant or rogue STA to bypass EAP-TLS client
authentication in hostapd.

This can affect EAP-TLS, EAP-TTLS, EAP-PEAP, and EAP-FAST server
certificate validation in wpa_supplicant and EAP-TLS client certificate
validation in hostapd if the internal TLS library is used. This is not
enabled by default (OpenSSL is used by default), but can be selected in
the build configuration (e.g., wpa_supplicant/.config and
hostapd/.config) with CONFIG_TLS=internal.

I'm not aware of any large scale use of the internal TLS implementation
included in hostap.git, but if it is used in any product for EAP-TLS,
EAP-TTLS, EAP-PEAP, or EAP-FAST authentication, I'm strongly
recommending the following fixes to be applied to any such product to
address this issue.

http://w1.fi/cgit/hostap/commit/?id=9c29d48725fd40a82407a89f193cf009aeef9745
http://w1.fi/cgit/hostap/commit/?id=e6d83cc7babb978ba53ae8686159b41ab0f448cc
http://w1.fi/cgit/hostap/commit/?id=6c5be116dd6997f68e524247751cff53c74519d7

-- 
Jouni Malinen                                            PGP id EFC895FA
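
The check described in the message above, as an added example that is not part of the original post and is not hostap code: a strict test that the digest ends the decrypted signature block, next to a lenient variant that ignores bytes after it. It assumes an RSA PKCS #1 v1.5 signature with SHA-256; check_sig_block(), demo(), PFX and the sample block are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* DER DigestInfo prefix for SHA-256; the 32-byte digest follows it. */
static const unsigned char PFX[19] = {
    0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
    0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20 };

/* Check a decrypted PKCS #1 v1.5 block: 00 01 FF..FF 00 || PFX || digest.
 * strict == 0 models the flaw (bytes after the digest are ignored); strict != 0
 * requires the digest to end the block. Returns 0 to accept, -1 to reject. */
int check_sig_block(const unsigned char *em, size_t em_len,
                    const unsigned char *digest, size_t digest_len, int strict)
{
    size_t pos = 2;
    if (em_len < 11 + sizeof(PFX) + digest_len || em[0] != 0x00 || em[1] != 0x01)
        return -1;
    while (pos < em_len && em[pos] == 0xff)
        pos++;
    if (pos - 2 < 8 || pos >= em_len || em[pos++] != 0x00) /* >= 8 x 0xFF, then 0x00 */
        return -1;
    if (em_len - pos < sizeof(PFX) + digest_len ||
        memcmp(em + pos, PFX, sizeof(PFX)) != 0 ||
        memcmp(em + pos + sizeof(PFX), digest, digest_len) != 0)
        return -1;
    pos += sizeof(PFX) + digest_len;
    return (strict && pos != em_len) ? -1 : 0; /* strict: nothing after the digest */
}

/* Constructed sample: 128-byte block with a placeholder digest (32 x 0xAB)
 * followed by `extra` filler bytes (clamped to 66 so the padding stays >= 8). */
int demo(size_t extra, int strict)
{
    unsigned char em[128], digest[32];
    size_t ps = 74 - (extra > 66 ? 66 : extra); /* 128 - 3 - 19 - 32 = 74 */
    memset(digest, 0xab, sizeof(digest));
    memset(em, 0xff, sizeof(em));
    em[0] = em[2 + ps] = 0x00;
    em[1] = 0x01;
    memcpy(em + 3 + ps, PFX, sizeof(PFX));
    memcpy(em + 3 + ps + sizeof(PFX), digest, sizeof(digest));
    return check_sig_block(em, sizeof(em), digest, sizeof(digest), strict);
}

int main(void)
{
    printf("exact: %d/%d  trailing: %d/%d\n", demo(0, 0), demo(0, 1), demo(40, 0), demo(40, 1));
    return 0;
}
```

Each pair printed is the lenient result followed by the strict result; only the strict check rejects the block that carries bytes after the digest.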


