
Commit d15795a

Improve behaviour on fatal errors
If we didn't walk the whole chain, then there may be any kind of errors in the part of the chain we didn't check, so setting all flags looks like the safe thing to do.
1 parent 1beb048 commit d15795a


3 files changed

+24
-7
lines changed


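--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
 mbed TLS ChangeLog (Sorted per branch, date)
 
+= mbed TLS 2.y.z released YYYY-MM-DD
+
+Changes
+* Certificate verification functions now set flags to -1 in case the full
+chain was not verified due to an internal error (including in the verify
+callback) or chain length limitations.
+
 = mbed TLS 2.5.1 released 2017-06-21
 
 Security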

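--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -2202,11 +2202,14 @@ int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
 mbedtls_x509_sequence *cur = NULL;
 mbedtls_pk_type_t pk_type;
 
-if( profile == NULL )
-return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
-
 *flags = 0;
 
+if( profile == NULL )
+{
+ret = MBEDTLS_ERR_X509_BAD_INPUT_DATA;
+goto exit;
+}
+
 if( cn != NULL )
 {
 name = &crt->subject;
@@ -2280,7 +2283,7 @@ int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
 ret = x509_crt_verify_top( crt, parent, ca_crl, profile,
 pathlen, selfsigned, flags, f_vrfy, p_vrfy );
 if( ret != 0 )
-return( ret );
+goto exit;
 }
 else
 {
@@ -2295,17 +2298,24 @@ int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
 ret = x509_crt_verify_child( crt, parent, trust_ca, ca_crl, profile,
 pathlen, selfsigned, flags, f_vrfy, p_vrfy );
 if( ret != 0 )
-return( ret );
+goto exit;
 }
 else
 {
 ret = x509_crt_verify_top( crt, trust_ca, ca_crl, profile,
 pathlen, selfsigned, flags, f_vrfy, p_vrfy );
 if( ret != 0 )
-return( ret );
+goto exit;
 }
 }
 
+exit:
+if( ret != 0 )
+{
+*flags = (uint32_t) -1;
+return( ret );
+}
+
 if( *flags != 0 )
 return( MBEDTLS_ERR_X509_CERT_VERIFY_FAILED );
 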
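Review bot: The new `exit:` block leaves `ret` unchanged, so an aborted verification can still return `MBEDTLS_ERR_X509_CERT_VERIFY_FAILED`; the updated long-chain test expects exactly that code together with flags of -1. A caller that treats that code as the ordinary "inspect `*flags`" result can then only tell an aborted verification from a completed one by the all-ones value. If a non-zero return from `x509_crt_verify_top`/`x509_crt_verify_child` (which also receive `f_vrfy`) is meant to be fatal, consider remapping it before the flags are set, e.g. `if( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ) ret = MBEDTLS_ERR_X509_FATAL_ERROR;`, assuming this branch defines that code, or another distinct error otherwise. At minimum, a comment on the label such as `/* chain not fully checked: set every flag so a partial result is never read as a pass */` and a matching line in the function's API documentation would make the contract explicit. The function body starts and ends outside these hunks, so how callers handle the return value is not visible here.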

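--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -1204,7 +1204,7 @@ mbedtls_x509_crt_verify_max:"data_files/test-ca2.crt":"data_files/dir-maxpath":M
 
 X509 CRT verify long chain (max intermediate CA + 1)
 depends_on:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
-mbedtls_x509_crt_verify_max:"data_files/dir-maxpath/00.crt":"data_files/dir-maxpath":MBEDTLS_X509_MAX_INTERMEDIATE_CA+1:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:0
+mbedtls_x509_crt_verify_max:"data_files/dir-maxpath/00.crt":"data_files/dir-maxpath":MBEDTLS_X509_MAX_INTERMEDIATE_CA+1:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:-1
 
 X509 CRT verify chain #1 (zero pathlen intermediate)
 depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C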
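Review bot: Only the chain-length case has its expected flags updated to `-1`; this section adds no case for the other two paths the commit changes, `profile == NULL` and a non-zero return propagated from the verify callback. A case for each that asserts both the return code and `flags == -1` would keep the all-flags-set behaviour from regressing. Whether cases elsewhere in the file already exercise those paths is not visible from this hunk.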
