Mirror of https://github.com/haproxy/haproxy.git, synced 2026-04-29 18:18:59 -04:00
Tim reported that a decoding error from the base64 function wouldn't be matched in case of bad input, and could possibly cause trouble with -1 being passed in decoded_sig->data. In the case of HMAC+SHA it is harmless as the comparison is made using memcmp() after checking for length equality, but in the case of RSA/ECDSA this result is passed as a size_t to EVP_DigestVerifyFinal() and may depend on the lib's mood.

The fix simply consists in checking the intermediary result before storing it. That's precisely what happens with one of the regtests which returned 0 instead of 4 on the intentionally defective token, so the regtest was fixed as well.

No backport is needed as this is new in this release.

| Name |
|---|
| .. |
| es256-public.pem |
| es384-public.pem |
| es512-public.pem |
| jws_verify.vtc |
| rsa-public.pem |
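
The failure mode in the commit message above, as an added example that is not HAProxy's code: a decoder that returns -1 on bad input, the unchecked store that turns that -1 into a huge `size_t` length, and the checked store that rejects the token first. `struct chunk`, `b64url_decode()`, `store_unchecked()` and `store_checked()` are hypothetical names, and the tokens used with them are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct chunk { unsigned char area[64]; size_t data; };  /* hypothetical buffer type */
static const char B64URL[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

/* Decode unpadded base64url. Returns the decoded length, or -1 on bad input. */
static int b64url_decode(const char *in, size_t ilen, unsigned char *out, size_t osize)
{
    unsigned int acc = 0;
    int bits = 0, olen = 0;

    if (ilen % 4 == 1)
        return -1;                      /* no valid encoding has this length */
    for (size_t i = 0; i < ilen; i++) {
        const char *p = in[i] ? strchr(B64URL, in[i]) : NULL;
        if (!p)
            return -1;                  /* character outside the alphabet */
        acc = (acc << 6) | (unsigned int)(p - B64URL);
        if ((bits += 6) < 8)
            continue;                   /* not enough bits for a byte yet */
        if ((size_t)olen >= osize)
            return -1;                  /* output buffer full */
        bits -= 8;
        out[olen++] = (unsigned char)(acc >> bits);
    }
    return olen;
}

/* Pattern the commit describes: the int result lands in a size_t unchecked. */
static size_t store_unchecked(struct chunk *sig, const char *tok)
{
    sig->data = (size_t)b64url_decode(tok, strlen(tok), sig->area, sizeof(sig->area));
    return sig->data;                   /* a -1 error is now SIZE_MAX */
}

/* Fixed pattern: test the intermediate int before storing it. */
static int store_checked(struct chunk *sig, const char *tok)
{
    int ret = b64url_decode(tok, strlen(tok), sig->area, sizeof(sig->area));

    if (ret < 0)
        return -1;                      /* reject the token, sig->data untouched */
    sig->data = (size_t)ret;
    return 0;
}
```

With the unchecked form, a memcmp()-style comparison guarded by a length equality test simply fails, while a verifier that takes the length as `size_t` is handed `SIZE_MAX` as the signature size.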