Edit ChangeLog entry

Signed-off-by: Elena Uziunaite <elena.uziunaite@arm.com>
Elena Uziunaite 2024-08-20 12:11:57 +01:00
parent 16f0e18e41
commit f72a510590

@ -1,4 +1,11 @@
Bugfix Security
* Fix the failure to correctly update verification flags when * With TLS 1.3, when a server enables optional authentication of the
checking the (ext)KeyUsage extension. client, if the client-provided certificate does not have appropriate values
Resolves #1260 in if keyUsage or extKeyUsage extensions, then the return value of
mbedtls_ssl_get_verify_result() would incorrectly have the
MBEDTLS_X509_BADCERT_KEY_USAGE and MBEDTLS_X509_BADCERT_KEY_USAGE bits
clear. As a result, an attacker that had a certificate valid for uses other
than TLS client authentication could be able to use it for TLS client
authentication anyway. Only TLS 1.3 servers were affected, and only with
optional authentication (required would abort the handshake with a fatal
alert).
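
Review bot: the new Security entry names the same flag twice, in "MBEDTLS_X509_BADCERT_KEY_USAGE and MBEDTLS_X509_BADCERT_KEY_USAGE bits". Because the sentence covers both the keyUsage and extKeyUsage extensions, the second name was presumably meant to be MBEDTLS_X509_BADCERT_EXT_KEY_USAGE. As written, a reader checking the result of mbedtls_ssl_get_verify_result() would only learn about one of the two bits. Two smaller wording points in the same entry: "appropriate values in if keyUsage or extKeyUsage extensions" has a stray "if", and "could be able to use it" reads better as "could use it". The removed Bugfix text carried "Resolves #1260" and the new text has no issue reference; if that link is still wanted, add it back at the end of the entry.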