Fix bug checking pathlen on first intermediate Remove check on the pathLenConstraint value when looking for a parent to the EE cert, as the constraint is on the number of intermediate certs below the parent, and that number is always 0 at that point, so the constraint is always satisfied. The check was actually off-by-one, which caused valid chains to be rejected under the following conditions: - the parent certificate is not a trusted root, and - it has pathLenConstraint == 0 (max_pathlen == 1 in our representation) fixes #280

commit: f4569b14c477efc28f7793246d4ad8877ed941d0 [log] [tgz]
author: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Thu Nov 19 09:23:06 2015 +0100
committer: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Thu Nov 19 11:10:38 2015 +0100
tree: 8839b658d38b85e2a30f720923e92d4a097234d0
parent: 8b4331aa5612c05405192be4cacd084132010292 [diff] [blame]
diff --git a/ChangeLog b/ChangeLog
index 8a736f9..6d8a5bc 100644
--- a/ChangeLog
+++ b/ChangeLog

@@ -1,5 +1,12 @@
 mbed TLS ChangeLog (Sorted per branch, date)
 
+= mbed TLS 2.x branch
+
+Bugfix
+   * Fix bug in certificate validation that caused valid chains to be rejected
+     when the first intermediate certificate has pathLenConstraint=0. Found by
+     Nicholas Wilson. Introduced in mbed TLS 2.2.0. #280
+
 = mbed TLS 2.2.0 released 2015-11-04
 
 Security
commit	f4569b14c477efc28f7793246d4ad8877ed941d0	[log] [tgz]
author	Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>	Thu Nov 19 09:23:06 2015 +0100
committer	Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>	Thu Nov 19 11:10:38 2015 +0100
tree	8839b658d38b85e2a30f720923e92d4a097234d0
parent	8b4331aa5612c05405192be4cacd084132010292 [diff] [blame]