mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-23 09:45:38 +01:00
Add POLARSSL_X509_MAX_INTERMEDIATE_CA
This commit is contained in:
parent
6a095d2383
commit
4cdb3babad
@ -22,6 +22,8 @@ Bugfix
|
||||
Changes
|
||||
* Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined.
|
||||
* Forbid repeated extensions in X.509 certificates.
|
||||
* Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
|
||||
length of an X.509 verification chain (default = 8).
|
||||
|
||||
= Version 1.2.12 released 2014-10-24
|
||||
|
||||
|
@ -1021,6 +1021,10 @@
|
||||
//
|
||||
#define SSL_MAX_CONTENT_LEN 16384 /**< Size of the input / output buffer */
|
||||
|
||||
// X509 options
|
||||
//
|
||||
#define POLARSSL_X509_MAX_INTERMEDIATE_CA 8 /**< Maximum number of intermediate CAs in a verification chain. */
|
||||
|
||||
#endif /* POLARSSL_CONFIG_OPTIONS */
|
||||
|
||||
/* \} name */
|
||||
|
@ -36,6 +36,18 @@
|
||||
* \{
|
||||
*/
|
||||
|
||||
#if !defined(POLARSSL_CONFIG_OPTIONS)
|
||||
/**
|
||||
* Maximum number of intermediate CAs in a verification chain.
|
||||
* That is, maximum length of the chain, excluding the end-entity certificate
|
||||
* and the trusted root certificate.
|
||||
*
|
||||
* Set this to a low value to prevent an adversary from making you waste
|
||||
* resources verifying an overlong certificate chain.
|
||||
*/
|
||||
#define POLARSSL_X509_MAX_INTERMEDIATE_CA 8
|
||||
#endif
|
||||
|
||||
/**
|
||||
* \name X509 Error codes
|
||||
* \{
|
||||
|
@ -3502,6 +3502,13 @@ static int x509parse_verify_child(
|
||||
unsigned char hash[64];
|
||||
x509_cert *grandparent;
|
||||
|
||||
/* path_cnt is 0 for the first intermediate CA */
|
||||
if( 1 + path_cnt > POLARSSL_X509_MAX_INTERMEDIATE_CA )
|
||||
{
|
||||
*flags |= BADCERT_NOT_TRUSTED;
|
||||
return( POLARSSL_ERR_X509_CERT_VERIFY_FAILED );
|
||||
}
|
||||
|
||||
if( x509parse_time_expired( &child->valid_to ) )
|
||||
*flags |= BADCERT_EXPIRED;
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user