mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-04-01 22:20:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Fail in case critical crt policy not supported

Browse Source 
In case the certificate policy is not of type `AnyPolicy`
set the returned error code to `MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE`
and continue parsing. If the extension is critical, return error anyway,
unless `MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION` is configured.
Fail parsing on any other error.
This commit is contained in:
Ron Eldor 2019-05-15 12:20:00 +03:00
parent cc45cd177f
commit 8b0c3c91e6
1 changed files with 30 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
library/x509_crt.c
View File

@ -743,7 +743,7 @@ static int x509_get_certificate_policies( unsigned char **p,
const unsigned char *end, const unsigned char *end,
mbedtls_x509_sequence *certificate_policies ) mbedtls_x509_sequence *certificate_policies )
{ {
int ret; int ret, parse_ret = 0;
size_t len; size_t len;
mbedtls_asn1_buf *buf; mbedtls_asn1_buf *buf;
mbedtls_asn1_sequence *cur = certificate_policies; mbedtls_asn1_sequence *cur = certificate_policies;
@ -787,6 +787,19 @@ static int x509_get_certificate_policies( unsigned char **p,
policy_oid.len = len; policy_oid.len = len;
policy_oid.p = *p; policy_oid.p = *p;
/*
* Only AnyPolicy is currently supported when enforcing policy.
*/
if( MBEDTLS_OID_CMP( MBEDTLS_OID_ANY_POLICY, &policy_oid ) != 0 )
{
/*
* Set the parsing return code but continue parsing, in case this
* extension is critical and MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
* is configured.
*/
parse_ret = MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
}
/* Allocate and assign next pointer */ /* Allocate and assign next pointer */
if( cur->buf.p != NULL ) if( cur->buf.p != NULL )
{ {
@ -836,7 +849,7 @@ static int x509_get_certificate_policies( unsigned char **p,
return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
return( 0 ); return( parse_ret );
} }
/* /*
@ -970,7 +983,21 @@ static int x509_get_crt_ext( unsigned char **p,
/* Parse certificate policies type */ /* Parse certificate policies type */
if( ( ret = x509_get_certificate_policies( p, end_ext_octet, if( ( ret = x509_get_certificate_policies( p, end_ext_octet,
&crt->certificate_policies ) ) != 0 ) &crt->certificate_policies ) ) != 0 )
{
#if !defined(MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION)
if( is_critical )
return( ret ); return( ret );
else
#endif
/*
* If MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE is returned, the we cannot
* interpret or enforce the policy. However, it is up to the user
* to choose how to enforce the policies,
* unless the extension is critical.
*/
if( ret != MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE )
return( ret );
}
break; break;
default: default: