yuzu-emu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2024-11-25 15:05:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Improve behaviour on fatal errors

Browse Source 
If we didn't walk the whole chain, then there may be any kind of errors in the
part of the chain we didn't check, so setting all flags looks like the safe
thing to do.
This commit is contained in:
Manuel Pégourié-Gonnard 2017-06-22 12:19:27 +02:00
parent 1beb048316
commit d15795acd5
3 changed files with 24 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
ChangeLog
View File

@ -1,5 +1,12 @@
mbed TLS ChangeLog (Sorted per branch, date) mbed TLS ChangeLog (Sorted per branch, date)
= mbed TLS 2.y.z released YYYY-MM-DD
Changes
* Certificate verification functions now set flags to -1 in case the full
chain was not verified due to an internal error (including in the verify
callback) or chain length limitations.
= mbed TLS 2.5.1 released 2017-06-21 = mbed TLS 2.5.1 released 2017-06-21
Security Security

22
library/x509_crt.c
View File

@ -2202,11 +2202,14 @@ int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
mbedtls_x509_sequence *cur = NULL; mbedtls_x509_sequence *cur = NULL;
mbedtls_pk_type_t pk_type; mbedtls_pk_type_t pk_type;
if( profile == NULL )
return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
*flags = 0; *flags = 0;
if( profile == NULL )
{
ret = MBEDTLS_ERR_X509_BAD_INPUT_DATA;
goto exit;
}
if( cn != NULL ) if( cn != NULL )
{ {
name = &crt->subject; name = &crt->subject;
@ -2280,7 +2283,7 @@ int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
ret = x509_crt_verify_top( crt, parent, ca_crl, profile, ret = x509_crt_verify_top( crt, parent, ca_crl, profile,
pathlen, selfsigned, flags, f_vrfy, p_vrfy ); pathlen, selfsigned, flags, f_vrfy, p_vrfy );
if( ret != 0 ) if( ret != 0 )
return( ret ); goto exit;
} }
else else
{ {
@ -2295,17 +2298,24 @@ int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
ret = x509_crt_verify_child( crt, parent, trust_ca, ca_crl, profile, ret = x509_crt_verify_child( crt, parent, trust_ca, ca_crl, profile,
pathlen, selfsigned, flags, f_vrfy, p_vrfy ); pathlen, selfsigned, flags, f_vrfy, p_vrfy );
if( ret != 0 ) if( ret != 0 )
return( ret ); goto exit;
} }
else else
{ {
ret = x509_crt_verify_top( crt, trust_ca, ca_crl, profile, ret = x509_crt_verify_top( crt, trust_ca, ca_crl, profile,
pathlen, selfsigned, flags, f_vrfy, p_vrfy ); pathlen, selfsigned, flags, f_vrfy, p_vrfy );
if( ret != 0 ) if( ret != 0 )
return( ret ); goto exit;
} }
} }
exit:
if( ret != 0 )
{
*flags = (uint32_t) -1;
return( ret );
}
if( *flags != 0 ) if( *flags != 0 )
return( MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ); return( MBEDTLS_ERR_X509_CERT_VERIFY_FAILED );

2
tests/suites/test_suite_x509parse.data
View File

@ -1204,7 +1204,7 @@ mbedtls_x509_crt_verify_max:"data_files/test-ca2.crt":"data_files/dir-maxpath":M
X509 CRT verify long chain (max intermediate CA + 1) X509 CRT verify long chain (max intermediate CA + 1)
depends_on:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED depends_on:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
mbedtls_x509_crt_verify_max:"data_files/dir-maxpath/00.crt":"data_files/dir-maxpath":MBEDTLS_X509_MAX_INTERMEDIATE_CA+1:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:0 mbedtls_x509_crt_verify_max:"data_files/dir-maxpath/00.crt":"data_files/dir-maxpath":MBEDTLS_X509_MAX_INTERMEDIATE_CA+1:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:-1
X509 CRT verify chain #1 (zero pathlen intermediate) X509 CRT verify chain #1 (zero pathlen intermediate)
depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C