mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2025-01-05 15:05:58 +00:00
Fix bug checking pathlen on first intermediate
Remove check on the pathLenConstraint value when looking for a parent to the EE cert, as the constraint is on the number of intermediate certs below the parent, and that number is always 0 at that point, so the constraint is always satisfied. The check was actually off-by-one, which caused valid chains to be rejected under the following conditions: - the parent certificate is not a trusted root, and - it has pathLenConstraint == 0 (max_pathlen == 1 in our representation) fixes #280
This commit is contained in:
parent
8b4331aa56
commit
f4569b14c4
|
@ -1,5 +1,12 @@
|
||||||
mbed TLS ChangeLog (Sorted per branch, date)
|
mbed TLS ChangeLog (Sorted per branch, date)
|
||||||
|
|
||||||
|
= mbed TLS 2.x branch
|
||||||
|
|
||||||
|
Bugfix
|
||||||
|
* Fix bug in certificate validation that caused valid chains to be rejected
|
||||||
|
when the first intermediate certificate has pathLenConstraint=0. Found by
|
||||||
|
Nicholas Wilson. Introduced in mbed TLS 2.2.0. #280
|
||||||
|
|
||||||
= mbed TLS 2.2.0 released 2015-11-04
|
= mbed TLS 2.2.0 released 2015-11-04
|
||||||
|
|
||||||
Security
|
Security
|
||||||
|
|
|
@ -2253,18 +2253,8 @@ int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
|
||||||
{
|
{
|
||||||
/* Look for a parent upwards the chain */
|
/* Look for a parent upwards the chain */
|
||||||
for( parent = crt->next; parent != NULL; parent = parent->next )
|
for( parent = crt->next; parent != NULL; parent = parent->next )
|
||||||
{
|
|
||||||
/* +2 because the current step is not yet accounted for
|
|
||||||
* and because max_pathlen is one higher than it should be */
|
|
||||||
if( parent->max_pathlen > 0 &&
|
|
||||||
parent->max_pathlen < 2 + pathlen )
|
|
||||||
{
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
|
|
||||||
if( x509_crt_check_parent( crt, parent, 0, pathlen == 0 ) == 0 )
|
if( x509_crt_check_parent( crt, parent, 0, pathlen == 0 ) == 0 )
|
||||||
break;
|
break;
|
||||||
}
|
|
||||||
|
|
||||||
/* Are we part of the chain or at the top? */
|
/* Are we part of the chain or at the top? */
|
||||||
if( parent != NULL )
|
if( parent != NULL )
|
||||||
|
|
Loading…
Reference in a new issue