I don't think this can cause a crash as the member accessed is in the
beginning of the context, so wouldn't be outside of valid memory if the actual
context was RSA.
Also, the mismatch will be caught later when checking signature, so the cert
chain will be rejected anyway.
* mbedtls-2.6: (27 commits)
Update version number to 2.6.0
Fix language in Changelog for clarity
Improve documentation of PKCS1 decryption functions
Fix style and missing item in ChangeLog
Add credit to Changelog to fix for #666
Fix naked call to time() with platform call
Fix ChangeLog for duplication after merge
Rename time and index parameter to avoid name conflict.
Correct comment
Adapt ChangeLog
Reliably zeroize sensitive data in AES sample application
Reliably zeroize sensitive data in Crypt-and-Hash sample application
Fix potential integer overflow parsing DER CRT
Fix potential integer overflow parsing DER CRL
Move the git scripts to correct path
Update after @sbutcher-arm comments
Fix slash direction for linux path
Add note for the git_hoos README file
Pre push hook script
Check return code of mbedtls_mpi_fill_random
...
This is the first step towards making verify_chain() iterative. While from a
readability point of view the current recursive version is fine, one of the
goals of this refactoring is to prepare for restartable ECC integration, which
will need the explicit stack anyway.
Besides avoiding near-duplication, this avoids having three generations of
certificate (child, parent, grandparent) in one function, with all the
off-by-one opportunities that come with it.
This also allows to simplify the signature of verify_child(), which will be
done in next commit.
This is from the morally 5th (and soon obsolete) invocation of this function
in verify_top().
Doing this badtime-skipping when we search for a parent in the provided chain
is a change of behaviour, but it's backwards-compatible: it can only cause us
to accept valid chains that we used to reject before. Eg if the peer has a
chain with two version of an intermediate certificate with different validity
periods, the first non valid and the second valid - such cases are probably
rare or users would have complained already, but it doesn't hurt to handle it
properly as it allows for more uniform code.
This may look like a behaviour change because one check has been added to the
function that was previously done in only one of the 3 call sites. However it
is not, because:
- for the 2 call sites in verify(), the test always succeeds as path_cnt is 0.
- for the call site in verify_child(), the same test was done later anyway in
verify_top()
There are 3 instance that were replaced, but 2 instances of variants of this
function exist and will be handled next (the extra parameter that isn't used
so far is in preparation for that):
- one in verify_child() where path_cnt constraint is handled too
- one in verify_top() where there is extra logic to skip parents that are
expired or future, but only if there are better parents to be found
This is a slight change of behaviour in that the previous condition was:
- same subject
- signature matches
while the new condition is:
- exact same certificate
However the documentation for mbedtls_x509_crt_verify() (note on trust_ca)
mentions the new condition, so code that respected the documentation will keep
working.
In addition, this is a bit faster as it doesn't check the self-signature
(which never needs to be checked for certs in the trusted list).
When we're looking for a parent, in trusted CAs, 'top' should be 1.
This only impacted which call site for verify_top() was chosen, and the error
was then fixed inside verify_top() by iterating over CAs again, this time
correctly setting 'top' to 1.
This is the beginning of a series of commits refactoring the chain
building/verification functions in order to:
- make it simpler to understand and work with
- prepare integration of restartable ECC