mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-26 09:25:42 +01:00
Merge branch 'iotssl-541-1.3-pathlen-bugfix'
This commit is contained in:
commit
a192c8f5d8
@ -4,6 +4,9 @@ mbed TLS ChangeLog (Sorted per branch, date)
|
||||
|
||||
Bugfix
|
||||
* Fix over-restricive length limit in GCM. Found by Andreas-N. #362
|
||||
* Fix bug in certificate validation that caused valid chains to be rejected
|
||||
when the first intermediate certificate has pathLenConstraint=0. Found by
|
||||
Nicholas Wilson. Introduced in mbed TLS 1.3.15. #280
|
||||
|
||||
= mbed TLS 1.3.15 released 2015-11-04
|
||||
|
||||
|
@ -2092,18 +2092,8 @@ int x509_crt_verify( x509_crt *crt,
|
||||
{
|
||||
/* Look for a parent upwards the chain */
|
||||
for( parent = crt->next; parent != NULL; parent = parent->next )
|
||||
{
|
||||
/* +2 because the current step is not yet accounted for
|
||||
* and because max_pathlen is one higher than it should be */
|
||||
if( parent->max_pathlen > 0 &&
|
||||
parent->max_pathlen < 2 + pathlen )
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
if( x509_crt_check_parent( crt, parent, 0, pathlen == 0 ) == 0 )
|
||||
break;
|
||||
}
|
||||
|
||||
/* Are we part of the chain or at the top? */
|
||||
if( parent != NULL )
|
||||
|
@ -36,3 +36,12 @@ cert61.crt (max_pathlen=1) -> cert62.crt -> cert63.crt
|
||||
cert71.crt (max_pathlen=1) -> cert72.crt -> cert73.crt (self signed) -> cert74.crt -> cert74.crt
|
||||
```
|
||||
|
||||
8. zero pathlen constraint on first intermediate CA (valid)
|
||||
```
|
||||
cert81.crt -> cert82.crt (max_pathlen=0) -> cert83.crt
|
||||
```
|
||||
|
||||
9. zero pathlen constraint on trusted root (valid)
|
||||
```
|
||||
cert91.crt (max_pathlen=0) -> cert92.crt
|
||||
```
|
||||
|
11
tests/data_files/dir4/cert81.crt
Normal file
11
tests/data_files/dir4/cert81.crt
Normal file
@ -0,0 +1,11 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIBpTCCAUmgAwIBAgIBUTAMBggqhkjOPQQDAgUAMDExDzANBgNVBAMTBlJvb3Qg
|
||||
ODERMA8GA1UEChMIbWJlZCBUTFMxCzAJBgNVBAYTAlVLMB4XDTAxMDEwMTAwMDAw
|
||||
MFoXDTMwMTIzMTIzNTk1OVowMTEPMA0GA1UEAxMGUm9vdCA4MREwDwYDVQQKEwht
|
||||
YmVkIFRMUzELMAkGA1UEBhMCVUswWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT1
|
||||
GuTQ9vgf2l3oLM25r78cvIAQqE02GzQGjp/WWw3CysEwTwNEuZGhRiD5lDmkbUGW
|
||||
UNxv/7uJjy7k3K3fDNdko1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTHFA2h
|
||||
Au0tPnzeYnLcmlTQj4FAajAfBgNVHSMEGDAWgBTHFA2hAu0tPnzeYnLcmlTQj4FA
|
||||
ajAMBggqhkjOPQQDAgUAA0gAMEUCIH7Z/HNb/Pwbs40iNll1a9gmgAbYOgdlVPWo
|
||||
nSdcb7cZAiEAlhVb6CdBXsjOfAWWEET/QP74z608PKFccCIFPCDLkxo=
|
||||
-----END CERTIFICATE-----
|
11
tests/data_files/dir4/cert82.crt
Normal file
11
tests/data_files/dir4/cert82.crt
Normal file
@ -0,0 +1,11 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIBqDCCAUygAwIBAgIBUjAMBggqhkjOPQQDAgUAMDExDzANBgNVBAMTBlJvb3Qg
|
||||
ODERMA8GA1UEChMIbWJlZCBUTFMxCzAJBgNVBAYTAlVLMB4XDTAxMDEwMTAwMDAw
|
||||
MFoXDTMwMTIzMTIzNTk1OVowMTEPMA0GA1UEAxMGSW50IDgyMREwDwYDVQQKEwht
|
||||
YmVkIFRMUzELMAkGA1UEBhMCVUswWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS2
|
||||
giYQt4HVfQ2t8eTS0bvISwp7ol2x17umbllBxwzGDFEUQ00JL1/SStezecK0lNhE
|
||||
0AvY8Ez2soQEtdSeQGkCo1MwUTAPBgNVHRMECDAGAQH/AgEAMB0GA1UdDgQWBBS3
|
||||
+nsv3nQknSg4aDjlTiRpCPo7XzAfBgNVHSMEGDAWgBTHFA2hAu0tPnzeYnLcmlTQ
|
||||
j4FAajAMBggqhkjOPQQDAgUAA0gAMEUCIQDus2Lvx3yyvaViY1s334uMm6ge484X
|
||||
oktMyxLVjkAMiAIgehTHiJJaT9PnlVa+hUpxsIfVAuMexrm5fw/bDF5Nxzw=
|
||||
-----END CERTIFICATE-----
|
11
tests/data_files/dir4/cert83.crt
Normal file
11
tests/data_files/dir4/cert83.crt
Normal file
@ -0,0 +1,11 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIBoDCCAUWgAwIBAgIBUzAMBggqhkjOPQQDAgUAMDExDzANBgNVBAMTBkludCA4
|
||||
MjERMA8GA1UEChMIbWJlZCBUTFMxCzAJBgNVBAYTAlVLMB4XDTAxMDEwMTAwMDAw
|
||||
MFoXDTMwMTIzMTIzNTk1OVowMDEOMAwGA1UEAxMFRUUgODMxETAPBgNVBAoTCG1i
|
||||
ZWQgVExTMQswCQYDVQQGEwJVSzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABMSy
|
||||
6X5iBYrdxxOMfdcA23pLBoJCeyEjiWfALxTm80MJGBdRNVdnT50xNU3SDDwHWPda
|
||||
/EQqHq+itsqkUeyAGAyjTTBLMAkGA1UdEwQCMAAwHQYDVR0OBBYEFGsFH/KsvM4n
|
||||
r+i1gI2iCVXi3KtFMB8GA1UdIwQYMBaAFLf6ey/edCSdKDhoOOVOJGkI+jtfMAwG
|
||||
CCqGSM49BAMCBQADRwAwRAIgQURH8DHWFHVK38+znWc85G1P+g4ocdkA5Gt0LbOg
|
||||
SJMCIBsacOLFywxZYF8atizw6zMRw+QeHR2514JIhJUck2kd
|
||||
-----END CERTIFICATE-----
|
11
tests/data_files/dir4/cert91.crt
Normal file
11
tests/data_files/dir4/cert91.crt
Normal file
@ -0,0 +1,11 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIBqTCCAUygAwIBAgIBWzAMBggqhkjOPQQDAgUAMDExDzANBgNVBAMTBlJvb3Qg
|
||||
OTERMA8GA1UEChMIbWJlZCBUTFMxCzAJBgNVBAYTAlVLMB4XDTAxMDEwMTAwMDAw
|
||||
MFoXDTMwMTIzMTIzNTk1OVowMTEPMA0GA1UEAxMGUm9vdCA5MREwDwYDVQQKEwht
|
||||
YmVkIFRMUzELMAkGA1UEBhMCVUswWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATh
|
||||
D2SmdS6D7cYi2vGMyuCdol/OOUN2di2pS2wfSI/MsY/Z4O9iNHqbXQP6l+hcT5ap
|
||||
daycs7r6ZPNqmWM7b16go1MwUTAPBgNVHRMECDAGAQH/AgEAMB0GA1UdDgQWBBRb
|
||||
zVrcAxddj0i0DEqvTGT8F37bizAfBgNVHSMEGDAWgBRbzVrcAxddj0i0DEqvTGT8
|
||||
F37bizAMBggqhkjOPQQDAgUAA0kAMEYCIQDbrSV4ndH0vAR3HqJfBn8NT8zdvMjB
|
||||
qSJes6Qwa42b2wIhAKyoH0H+b1Svw8pMkvUYF4ElH5Cnn7gxb7Wl3arc0+hQ
|
||||
-----END CERTIFICATE-----
|
11
tests/data_files/dir4/cert92.crt
Normal file
11
tests/data_files/dir4/cert92.crt
Normal file
@ -0,0 +1,11 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIBoTCCAUWgAwIBAgIBXDAMBggqhkjOPQQDAgUAMDExDzANBgNVBAMTBlJvb3Qg
|
||||
OTERMA8GA1UEChMIbWJlZCBUTFMxCzAJBgNVBAYTAlVLMB4XDTAxMDEwMTAwMDAw
|
||||
MFoXDTMwMTIzMTIzNTk1OVowMDEOMAwGA1UEAxMFRUUgOTIxETAPBgNVBAoTCG1i
|
||||
ZWQgVExTMQswCQYDVQQGEwJVSzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABC9E
|
||||
tK1pE8Ei8vgScunyjx50C+qDsQS8D2RhGHC4VkE2yyiFxJA/ynhoeXTKZsHuEWI9
|
||||
CfOSvk0RrTWf9nr0pTGjTTBLMAkGA1UdEwQCMAAwHQYDVR0OBBYEFLqsN52tAf1k
|
||||
XlzxQmdD5qG6Sy6PMB8GA1UdIwQYMBaAFFvNWtwDF12PSLQMSq9MZPwXftuLMAwG
|
||||
CCqGSM49BAMCBQADSAAwRQIgXlfKqhkhXgK112Eycl+Z5NHM+6aqXE7i9j7IyGfk
|
||||
ikICIQDBYNGbpSx82XG+IS/h4AWNTa4Hs6rmWvQDWJum7NrzMQ==
|
||||
-----END CERTIFICATE-----
|
@ -1156,6 +1156,14 @@ X509 CRT verify chain #8 (self signed maxpathlen root)
|
||||
depends_on:POLARSSL_SHA256_C:POLARSSL_RSA_C
|
||||
x509_crt_verify_chain:"data_files/dir4/cert61.crt data_files/dir4/cert63.crt data_files/dir4/cert62.crt":"data_files/dir4/cert61.crt":0
|
||||
|
||||
X509 CRT verify chain #9 (zero pathlen first intermediate, valid)
|
||||
depends_on:POLARSSL_SHA256_C:POLARSSL_ECDSA_C:POLARSSL_ECP_DP_SECP256R1_ENABLED
|
||||
x509_crt_verify_chain:"data_files/dir4/cert83.crt data_files/dir4/cert82.crt":"data_files/dir4/cert81.crt":0
|
||||
|
||||
X509 CRT verify chain #10 (zero pathlen root, valid)
|
||||
depends_on:POLARSSL_SHA256_C:POLARSSL_ECDSA_C:POLARSSL_ECP_DP_SECP256R1_ENABLED
|
||||
x509_crt_verify_chain:"data_files/dir4/cert92.crt":"data_files/dir4/cert91.crt":0
|
||||
|
||||
X509 OID description #1
|
||||
x509_oid_desc:"2B06010505070301":"TLS Web Server Authentication"
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user