mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-25 16:05:43 +01:00
Set a compile-time limit to X.509 chain length
This commit is contained in:
parent
89d69b398c
commit
fd6c85c3eb
@ -16,6 +16,8 @@ Security
|
|||||||
Features
|
Features
|
||||||
* Add function pk_check_pair() to test if public and private keys match.
|
* Add function pk_check_pair() to test if public and private keys match.
|
||||||
* Add x509_crl_parse_der().
|
* Add x509_crl_parse_der().
|
||||||
|
* Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
|
||||||
|
length of an X.509 verification chain.
|
||||||
|
|
||||||
Bugfix
|
Bugfix
|
||||||
* User set CFLAGS were ignore by Cmake with gcc (introduced in 1.3.9, found
|
* User set CFLAGS were ignore by Cmake with gcc (introduced in 1.3.9, found
|
||||||
|
@ -2185,6 +2185,9 @@
|
|||||||
/* Debug options */
|
/* Debug options */
|
||||||
//#define POLARSSL_DEBUG_DFL_MODE POLARSSL_DEBUG_LOG_FULL /**< Default log: Full or Raw */
|
//#define POLARSSL_DEBUG_DFL_MODE POLARSSL_DEBUG_LOG_FULL /**< Default log: Full or Raw */
|
||||||
|
|
||||||
|
/* X509 options */
|
||||||
|
//#define POLARSSL_X509_MAX_INTERMEDIATE_CA 8 /**< Maximum number of intermediate CAs in a verification chain. */
|
||||||
|
|
||||||
/* \} name SECTION: Module configuration options */
|
/* \} name SECTION: Module configuration options */
|
||||||
|
|
||||||
#include "check_config.h"
|
#include "check_config.h"
|
||||||
|
@ -45,6 +45,18 @@
|
|||||||
* \{
|
* \{
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
#if !defined(POLARSSL_X509_MAX_INTERMEDIATE_CA)
|
||||||
|
/**
|
||||||
|
* Maximum number of intermediate CAs in a verification chain.
|
||||||
|
* That is, maximum length of the chain, excluding the end-entity certificate
|
||||||
|
* and the trusted root certificate.
|
||||||
|
*
|
||||||
|
* Set this to a low value to prevent an adversary from making you waste
|
||||||
|
* resources verifying an overlong certificate chain.
|
||||||
|
*/
|
||||||
|
#define POLARSSL_X509_MAX_INTERMEDIATE_CA 8
|
||||||
|
#endif
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* \name X509 Error codes
|
* \name X509 Error codes
|
||||||
* \{
|
* \{
|
||||||
|
@ -1834,6 +1834,13 @@ static int x509_crt_verify_child(
|
|||||||
x509_crt *grandparent;
|
x509_crt *grandparent;
|
||||||
const md_info_t *md_info;
|
const md_info_t *md_info;
|
||||||
|
|
||||||
|
/* path_cnt is 0 for the first intermediate CA */
|
||||||
|
if( 1 + path_cnt > POLARSSL_X509_MAX_INTERMEDIATE_CA )
|
||||||
|
{
|
||||||
|
*flags |= BADCERT_NOT_TRUSTED;
|
||||||
|
return( POLARSSL_ERR_X509_CERT_VERIFY_FAILED );
|
||||||
|
}
|
||||||
|
|
||||||
if( x509_time_expired( &child->valid_to ) )
|
if( x509_time_expired( &child->valid_to ) )
|
||||||
*flags |= BADCERT_EXPIRED;
|
*flags |= BADCERT_EXPIRED;
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user