Set a compile-time limit to X.509 chain length

This commit is contained in:
Manuel Pégourié-Gonnard 2014-11-20 16:34:20 +01:00
parent 89d69b398c
commit fd6c85c3eb
4 changed files with 24 additions and 0 deletions

View File

@ -16,6 +16,8 @@ Security
Features Features
* Add function pk_check_pair() to test if public and private keys match. * Add function pk_check_pair() to test if public and private keys match.
* Add x509_crl_parse_der(). * Add x509_crl_parse_der().
* Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
length of an X.509 verification chain.
Bugfix Bugfix
* User set CFLAGS were ignore by Cmake with gcc (introduced in 1.3.9, found * User set CFLAGS were ignore by Cmake with gcc (introduced in 1.3.9, found

View File

@ -2185,6 +2185,9 @@
/* Debug options */ /* Debug options */
//#define POLARSSL_DEBUG_DFL_MODE POLARSSL_DEBUG_LOG_FULL /**< Default log: Full or Raw */ //#define POLARSSL_DEBUG_DFL_MODE POLARSSL_DEBUG_LOG_FULL /**< Default log: Full or Raw */
/* X509 options */
//#define POLARSSL_X509_MAX_INTERMEDIATE_CA 8 /**< Maximum number of intermediate CAs in a verification chain. */
/* \} name SECTION: Module configuration options */ /* \} name SECTION: Module configuration options */
#include "check_config.h" #include "check_config.h"

View File

@ -45,6 +45,18 @@
* \{ * \{
*/ */
#if !defined(POLARSSL_X509_MAX_INTERMEDIATE_CA)
/**
* Maximum number of intermediate CAs in a verification chain.
* That is, maximum length of the chain, excluding the end-entity certificate
* and the trusted root certificate.
*
* Set this to a low value to prevent an adversary from making you waste
* resources verifying an overlong certificate chain.
*/
#define POLARSSL_X509_MAX_INTERMEDIATE_CA 8
#endif
/** /**
* \name X509 Error codes * \name X509 Error codes
* \{ * \{

View File

@ -1834,6 +1834,13 @@ static int x509_crt_verify_child(
x509_crt *grandparent; x509_crt *grandparent;
const md_info_t *md_info; const md_info_t *md_info;
/* path_cnt is 0 for the first intermediate CA */
if( 1 + path_cnt > POLARSSL_X509_MAX_INTERMEDIATE_CA )
{
*flags |= BADCERT_NOT_TRUSTED;
return( POLARSSL_ERR_X509_CERT_VERIFY_FAILED );
}
if( x509_time_expired( &child->valid_to ) ) if( x509_time_expired( &child->valid_to ) )
*flags |= BADCERT_EXPIRED; *flags |= BADCERT_EXPIRED;