<div dir="ltr">Hi, <div><br></div>
<div>We found an issue with strongSwan 5.2.2: the peer accepts the CERT payload even though the digital signature field in the CERT payload has been tampered with.</div>
<div><br></div>
<div>As per the code below, there is no validation of the peer's pub key certificate; the peer's public key is added to the cache without any validation. We see this as a security vulnerability; could you check this? Is our understanding correct?</div>
<div><br></div>
<div><br></div>
<div><div>static void process_x509(cert_payload_t *payload, auth_cfg_t *auth,<br>
                         cert_encoding_t encoding, bool *first)<br>
{<br>
    certificate_t *cert;<br>
    char *url;<br>
<br>
    cert = try_get_cert(payload);<br>
    if (cert)<br>
    {<br>
        if (*first)<br>
        {   /* the first is an end entity certificate */<br>
            DBG1(DBG_IKE, "received end entity cert \"%Y\"",<br>
                 cert->get_subject(cert));<br>
            auth->add(auth, AUTH_HELPER_SUBJECT_CERT, cert);<br>
            *first = FALSE;<br>
        }<br>
        else<br>
        {<br>
            DBG1(DBG_IKE, "received issuer cert \"%Y\"",<br>
                 cert->get_subject(cert));<br>
            auth->add(auth, AUTH_HELPER_IM_CERT, cert);<br>
        }<br>
    }<br>
    else if (encoding == ENC_X509_HASH_AND_URL)<br>
    {<br>
        /* we fetch the certificate not yet, but only if<br>
         * it is really needed during authentication */<br>
        url = payload->get_url(payload);<br>
        if (!url)<br>
        {<br>
            DBG1(DBG_IKE, "received invalid hash-and-url "<br>
                 "encoded cert, ignore");<br>
            return;<br>
        }<br>
        url = strdup(url);<br>
        if (*first)<br>
        {   /* first URL is for an end entity certificate */<br>
            DBG1(DBG_IKE, "received hash-and-url for end entity cert \"%s\"",<br>
                 url);<br>
            auth->add(auth, AUTH_HELPER_SUBJECT_HASH_URL, url);<br>
            *first = FALSE;<br>
        }<br>
        else<br>
        {<br>
            DBG1(DBG_IKE, "received hash-and-url for issuer cert \"%s\"", url);<br>
            auth->add(auth, AUTH_HELPER_IM_HASH_URL, url);<br>
        }<br>
    }<br>
}</div></div>
<div><br></div>
<div>Thanks and Regards,</div>
<div>Ravi</div></div>
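An added illustration, not strongSwan code and not part of the original message: a minimal model of the check the report is asking about, where a received certificate is stored only as an unverified candidate and its key is released only after the signature verifies under a trusted issuer. All names (`toy_cert_t`, `toy_sign`, `collect_cert`, `trusted_pubkey`) and the keyed checksum standing in for a real signature are hypothetical; whether strongSwan 5.2.2 performs an equivalent check at authentication time is not shown on this page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical toy certificate, not an X.509 structure. */
typedef struct {
    char subject[32], issuer[32];
    uint32_t pubkey;     /* stand-in for the subject's public key */
    uint32_t signature;  /* stand-in for the issuer's signature */
} toy_cert_t;

typedef struct { toy_cert_t helper; bool have_helper; } toy_auth_t;

/* Keyed FNV-1a checksum over every field before `signature`.
 * Toy stand-in for a signature scheme; it has no cryptographic strength. */
static uint32_t toy_sign(const toy_cert_t *c, uint32_t issuer_key)
{
    const unsigned char *p = (const unsigned char *)c;
    uint32_t h = 2166136261u ^ issuer_key;
    for (size_t i = 0; i < offsetof(toy_cert_t, signature); i++)
        h = (h ^ p[i]) * 16777619u;
    return h;
}

/* Receive step: keep the certificate only as an unverified candidate. */
static void collect_cert(toy_auth_t *auth, const toy_cert_t *received)
{
    auth->helper = *received;
    auth->have_helper = true;
}

/* Authentication step: release the key only if the issuer is the
 * trusted CA and the signature over the certificate fields verifies. */
static bool trusted_pubkey(const toy_auth_t *auth, const char *ca_name,
                           uint32_t ca_key, uint32_t *out)
{
    const toy_cert_t *c = &auth->helper;
    if (!auth->have_helper || strcmp(c->issuer, ca_name) != 0)
        return false;
    if (toy_sign(c, ca_key) != c->signature)
        return false;
    *out = c->pubkey;
    return true;
}

/* Constructed sample data: returns 1 if the key is accepted, 0 if not. */
int demo(bool tamper)
{
    const uint32_t ca_key = 0xC0FFEEu;
    toy_cert_t cert = { .subject = "peer", .issuer = "Toy CA", .pubkey = 0x1234u };
    toy_auth_t auth = {0};
    uint32_t key = 0;

    cert.signature = toy_sign(&cert, ca_key);
    if (tamper)
        cert.signature ^= 1u;   /* flip one bit of the signature field */
    collect_cert(&auth, &cert);
    return trusted_pubkey(&auth, "Toy CA", ca_key, &key) ? 1 : 0;
}

int main(void) { return (demo(false) == 1 && demo(true) == 0) ? 0 : 1; }
```

A test harness for the reported behaviour would assert the same two outcomes against the real stack: the untampered certificate authenticates and the tampered one does not.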