Google Git
Sign in
pigweed / third_party / github / ARMmbed / mbedtls / fd6c85c3eb39a59231843bcabc46e5fcbfba30d5^! / .
commitfd6c85c3eb39a59231843bcabc46e5fcbfba30d5[log] [tgz]
authorManuel Pégourié-Gonnard <mpg@elzevir.fr>Thu Nov 20 16:34:20 2014 +0100
committerManuel Pégourié-Gonnard <mpg@elzevir.fr>Thu Nov 20 16:37:41 2014 +0100
tree65b8af116a7702a23e96b46f2d9a885f476a069f
parent89d69b398ce52956f21eddb0586d75ba9c2b1f2f [diff]
Set a compile-time limit to X.509 chain length

diff --git a/ChangeLog b/ChangeLog
index d1a87be..1b6770a 100644
--- a/ChangeLog
+++ b/ChangeLog

@@ -16,6 +16,8 @@
 Features
    * Add function pk_check_pair() to test if public and private keys match.
    * Add x509_crl_parse_der().
+   * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
+     length of an X.509 verification chain.
 
 Bugfix
    * User set CFLAGS were ignore by Cmake with gcc (introduced in 1.3.9, found

diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index fa15b37..a0ec2f3 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h

@@ -2185,6 +2185,9 @@
 /* Debug options */
 //#define POLARSSL_DEBUG_DFL_MODE POLARSSL_DEBUG_LOG_FULL /**< Default log: Full or Raw */
 
+/* X509 options */
+//#define POLARSSL_X509_MAX_INTERMEDIATE_CA   8   /**< Maximum number of intermediate CAs in a verification chain. */
+
 /* \} name SECTION: Module configuration options */
 
 #include "check_config.h"

diff --git a/include/polarssl/x509.h b/include/polarssl/x509.h
index 9b0bcb7..3fe6820 100644
--- a/include/polarssl/x509.h
+++ b/include/polarssl/x509.h

@@ -45,6 +45,18 @@
  * \{
  */
 
+#if !defined(POLARSSL_X509_MAX_INTERMEDIATE_CA)
+/**
+ * Maximum number of intermediate CAs in a verification chain.
+ * That is, maximum length of the chain, excluding the end-entity certificate
+ * and the trusted root certificate.
+ *
+ * Set this to a low value to prevent an adversary from making you waste
+ * resources verifying an overlong certificate chain.
+ */
+#define POLARSSL_X509_MAX_INTERMEDIATE_CA   8
+#endif
+
 /**
  * \name X509 Error codes
  * \{

diff --git a/library/x509_crt.c b/library/x509_crt.c
index 2d72f6a..4d20889 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c

@@ -1834,6 +1834,13 @@
     x509_crt *grandparent;
     const md_info_t *md_info;
 
+    /* path_cnt is 0 for the first intermediate CA */
+    if( 1 + path_cnt > POLARSSL_X509_MAX_INTERMEDIATE_CA )
+    {
+        *flags |= BADCERT_NOT_TRUSTED;
+        return( POLARSSL_ERR_X509_CERT_VERIFY_FAILED );
+    }
+
     if( x509_time_expired( &child->valid_to ) )
         *flags |= BADCERT_EXPIRED;