mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-27 05:14:14 +01:00
Add POLARSSL_X509_MAX_INTERMEDIATE_CA
This commit is contained in:
parent
6a095d2383
commit
4cdb3babad
@ -22,6 +22,8 @@ Bugfix
|
|||||||
Changes
|
Changes
|
||||||
* Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined.
|
* Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined.
|
||||||
* Forbid repeated extensions in X.509 certificates.
|
* Forbid repeated extensions in X.509 certificates.
|
||||||
|
* Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
|
||||||
|
length of an X.509 verification chain (default = 8).
|
||||||
|
|
||||||
= Version 1.2.12 released 2014-10-24
|
= Version 1.2.12 released 2014-10-24
|
||||||
|
|
||||||
|
@ -1021,6 +1021,10 @@
|
|||||||
//
|
//
|
||||||
#define SSL_MAX_CONTENT_LEN 16384 /**< Size of the input / output buffer */
|
#define SSL_MAX_CONTENT_LEN 16384 /**< Size of the input / output buffer */
|
||||||
|
|
||||||
|
// X509 options
|
||||||
|
//
|
||||||
|
#define POLARSSL_X509_MAX_INTERMEDIATE_CA 8 /**< Maximum number of intermediate CAs in a verification chain. */
|
||||||
|
|
||||||
#endif /* POLARSSL_CONFIG_OPTIONS */
|
#endif /* POLARSSL_CONFIG_OPTIONS */
|
||||||
|
|
||||||
/* \} name */
|
/* \} name */
|
||||||
|
@ -36,6 +36,18 @@
|
|||||||
* \{
|
* \{
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
#if !defined(POLARSSL_CONFIG_OPTIONS)
|
||||||
|
/**
|
||||||
|
* Maximum number of intermediate CAs in a verification chain.
|
||||||
|
* That is, maximum length of the chain, excluding the end-entity certificate
|
||||||
|
* and the trusted root certificate.
|
||||||
|
*
|
||||||
|
* Set this to a low value to prevent an adversary from making you waste
|
||||||
|
* resources verifying an overlong certificate chain.
|
||||||
|
*/
|
||||||
|
#define POLARSSL_X509_MAX_INTERMEDIATE_CA 8
|
||||||
|
#endif
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* \name X509 Error codes
|
* \name X509 Error codes
|
||||||
* \{
|
* \{
|
||||||
|
@ -3502,6 +3502,13 @@ static int x509parse_verify_child(
|
|||||||
unsigned char hash[64];
|
unsigned char hash[64];
|
||||||
x509_cert *grandparent;
|
x509_cert *grandparent;
|
||||||
|
|
||||||
|
/* path_cnt is 0 for the first intermediate CA */
|
||||||
|
if( 1 + path_cnt > POLARSSL_X509_MAX_INTERMEDIATE_CA )
|
||||||
|
{
|
||||||
|
*flags |= BADCERT_NOT_TRUSTED;
|
||||||
|
return( POLARSSL_ERR_X509_CERT_VERIFY_FAILED );
|
||||||
|
}
|
||||||
|
|
||||||
if( x509parse_time_expired( &child->valid_to ) )
|
if( x509parse_time_expired( &child->valid_to ) )
|
||||||
*flags |= BADCERT_EXPIRED;
|
*flags |= BADCERT_EXPIRED;
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user