mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2025-07-08 18:40:41 +00:00
Fix bug checking pathlen on first intermediate
Remove check on the pathLenConstraint value when looking for a parent to the EE cert, as the constraint is on the number of intermediate certs below the parent, and that number is always 0 at that point, so the constraint is always satisfied. The check was actually off-by-one, which caused valid chains to be rejected under the following conditions: - the parent certificate is not a trusted root, and - it has pathLenConstraint == 0 (max_pathlen == 1 in our representation) fixes #280
This commit is contained in:
Manuel Pégourié-Gonnard
parent
d7d0b0118c
commit
7929229a32
|
|
@ -1,5 +1,12 @@
|
||||||
PolarSSL ChangeLog
|
PolarSSL ChangeLog
|
||||||
|
|
||||||
|
= Version 1.2.19 released 2015-12-xx
|
||||||
|
|
||||||
|
Bugfix
|
||||||
|
* Fix bug in certificate validation that caused valid chains to be rejected
|
||||||
|
when the first intermediate certificate has pathLenConstraint=0. Found by
|
||||||
|
Nicholas Wilson. Introduced in mbed TLS 1.3.15. #280
|
||||||
|
|
||||||
= Version 1.2.18 released 2015-11-04
|
= Version 1.2.18 released 2015-11-04
|
||||||
|
|
||||||
Security
|
Security
|
||||||
|
|
|
||||||
|
|
@ -3679,15 +3679,6 @@ int x509parse_verify( x509_cert *crt,
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* +2 because the current step is not yet accounted for
|
|
||||||
* and because max_pathlen is one higher than it should be */
|
|
||||||
if( parent->max_pathlen > 0 &&
|
|
||||||
parent->max_pathlen < 2 + pathlen )
|
|
||||||
{
|
|
||||||
parent = parent->next;
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
|
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue