mirror of
https://github.com/cuberite/polarssl.git
synced 2025-10-30 19:20:40 -04:00
Fail in case critical crt policy not supported
In case the certificate policy is not of type `AnyPolicy` set the returned error code to `MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE` and continue parsing. If the extension is critical, return error anyway, unless `MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION` is configured. Fail parsing on any other error.
This commit is contained in:
Ron Eldor
parent
cc45cd177f
commit
8b0c3c91e6
@ -743,7 +743,7 @@ static int x509_get_certificate_policies( unsigned char **p,
|
|||||||
const unsigned char *end,
|
const unsigned char *end,
|
||||||
mbedtls_x509_sequence *certificate_policies )
|
mbedtls_x509_sequence *certificate_policies )
|
||||||
{
|
{
|
||||||
int ret;
|
int ret, parse_ret = 0;
|
||||||
size_t len;
|
size_t len;
|
||||||
mbedtls_asn1_buf *buf;
|
mbedtls_asn1_buf *buf;
|
||||||
mbedtls_asn1_sequence *cur = certificate_policies;
|
mbedtls_asn1_sequence *cur = certificate_policies;
|
||||||
@ -787,6 +787,19 @@ static int x509_get_certificate_policies( unsigned char **p,
|
|||||||
policy_oid.len = len;
|
policy_oid.len = len;
|
||||||
policy_oid.p = *p;
|
policy_oid.p = *p;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Only AnyPolicy is currently supported when enforcing policy.
|
||||||
|
*/
|
||||||
|
if( MBEDTLS_OID_CMP( MBEDTLS_OID_ANY_POLICY, &policy_oid ) != 0 )
|
||||||
|
{
|
||||||
|
/*
|
||||||
|
* Set the parsing return code but continue parsing, in case this
|
||||||
|
* extension is critical and MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
|
||||||
|
* is configured.
|
||||||
|
*/
|
||||||
|
parse_ret = MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
|
||||||
|
}
|
||||||
|
|
||||||
/* Allocate and assign next pointer */
|
/* Allocate and assign next pointer */
|
||||||
if( cur->buf.p != NULL )
|
if( cur->buf.p != NULL )
|
||||||
{
|
{
|
||||||
@ -836,7 +849,7 @@ static int x509_get_certificate_policies( unsigned char **p,
|
|||||||
return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
|
return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
|
||||||
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
|
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
|
||||||
|
|
||||||
return( 0 );
|
return( parse_ret );
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -970,7 +983,21 @@ static int x509_get_crt_ext( unsigned char **p,
|
|||||||
/* Parse certificate policies type */
|
/* Parse certificate policies type */
|
||||||
if( ( ret = x509_get_certificate_policies( p, end_ext_octet,
|
if( ( ret = x509_get_certificate_policies( p, end_ext_octet,
|
||||||
&crt->certificate_policies ) ) != 0 )
|
&crt->certificate_policies ) ) != 0 )
|
||||||
|
{
|
||||||
|
#if !defined(MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION)
|
||||||
|
if( is_critical )
|
||||||
return( ret );
|
return( ret );
|
||||||
|
else
|
||||||
|
#endif
|
||||||
|
/*
|
||||||
|
* If MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE is returned, the we cannot
|
||||||
|
* interpret or enforce the policy. However, it is up to the user
|
||||||
|
* to choose how to enforce the policies,
|
||||||
|
* unless the extension is critical.
|
||||||
|
*/
|
||||||
|
if( ret != MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE )
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
break;
|
break;
|
||||||
|
|
||||||
default:
|
default:
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user