
[crypto] Differentiate "untrusted root" and "incomplete chain" error cases

Signed-off-by: Michael Brown <mcb30@ipxe.org>
tags/v1.20.1
Michael Brown 12 anos atrás
pai
commit
f2af64aba5
2 arquivos alterados com 18 adições e 6 exclusões
  1. 13
    1
      src/crypto/x509.c
  2. 5
    5
      src/net/tls.c

+ 13
- 1
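--- a/src/crypto/x509.c
+++ b/src/crypto/x509.c
@@ -93,6 +93,10 @@ FILE_LICENCE ( GPL2_OR_LATER );
 	__einfo_error ( EINFO_EACCES_PATH_LEN )
 #define EINFO_EACCES_PATH_LEN \
 	__einfo_uniqify ( EINFO_EACCES, 0x05, "Maximum path length exceeded" )
+#define EACCES_UNTRUSTED \
+	__einfo_error ( EINFO_EACCES_UNTRUSTED )
+#define EINFO_EACCES_UNTRUSTED \
+	__einfo_uniqify ( EINFO_EACCES, 0x06, "Untrusted root certificate" )
 
 /** "commonName" object identifier */
 static uint8_t oid_common_name[] = { ASN1_OID_COMMON_NAME };
@@ -1179,10 +1183,18 @@ int x509_validate_chain ( int ( * parse_next )
 		if ( ( rc = x509_validate_time ( current, time ) ) != 0 )
 			return rc;
 
-		/* Succeed if we have reached a root certificate */
+		/* Succeed if we have reached a trusted root certificate */
 		if ( x509_validate_root ( current, root ) == 0 )
 			return 0;
 
+		/* Fail if we have reached an untrusted root certificate */
+		if ( asn1_compare ( &current->issuer.raw,
+				    &current->subject.raw ) == 0 ) {
+			DBGC ( context, "X509 chain %p reached untrusted root "
+			       "certificate\n", context );
+			return -EACCES_UNTRUSTED;
+		}
+
 		/* Get next certificate in chain */
 		if ( ( rc = parse_next ( next, current, context ) ) != 0 ) {
 			DBGC ( context, "X509 chain %p could not get next "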
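Review bot: The new untrusted-root test in x509_validate_chain decides "root" by comparing issuer and subject names only (`asn1_compare ( &current->issuer.raw, &current->subject.raw ) == 0`), which in RFC 5280 terms identifies a self-issued certificate, not necessarily a self-signed one; the outcome is fail-closed, so this is a classification question rather than a bypass, but a self-issued CA certificate used for key rollover in the middle of a chain would presumably now end validation with EACCES_UNTRUSTED instead of continuing to the trusted root behind it. If that case is intentionally out of scope, the comment should say so, e.g. `/* Fail if we have reached an untrusted root certificate (a self-issued certificate is treated as a root; self-issued intermediates are not supported) */`. The distinct message is otherwise useful for operators, since it separates a missing trust anchor from a truncated chain sent by the peer. x509_validate_chain starts and ends outside this hunk.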

+ 5
- 5
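--- a/src/net/tls.c
+++ b/src/net/tls.c
@@ -46,10 +46,10 @@ FILE_LICENCE ( GPL2_OR_LATER );
 #include <ipxe/tls.h>
 
 /* Disambiguate the various error causes */
-#define EACCES_UNTRUSTED \
-	__einfo_error ( EINFO_EACCES_UNTRUSTED )
-#define EINFO_EACCES_UNTRUSTED \
-	__einfo_uniqify ( EINFO_EACCES, 0x01, "Untrusted certificate chain" )
+#define EACCES_INCOMPLETE \
+	__einfo_error ( EINFO_EACCES_INCOMPLETE )
+#define EINFO_EACCES_INCOMPLETE \
+	__einfo_uniqify ( EINFO_EACCES, 0x01, "Incomplete certificate chain" )
 #define EACCES_WRONG_NAME \
 	__einfo_error ( EINFO_EACCES_WRONG_NAME )
 #define EINFO_EACCES_WRONG_NAME \
@@ -1302,7 +1302,7 @@ static int tls_parse_next ( struct x509_certificate *cert,
 	/* Return error at end of chain */
 	if ( context->current >= context->end ) {
 		DBGC ( tls, "TLS %p reached end of certificate chain\n", tls );
-		return -EACCES_UNTRUSTED;
+		return -EACCES_INCOMPLETE;
 	}
 
 	/* Extract current certificate and update context */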
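Review bot: The uniqifier `0x01` under EINFO_EACCES keeps its numeric identity while its description changes from "Untrusted certificate chain" to "Incomplete certificate chain", so anything that decodes these numeric error codes (documentation or external tooling, if any exists) will now describe failures from older builds with the new wording; if that matters, a fresh uniqifier would keep the two meanings distinct. The new return in tls_parse_next is otherwise consistent with the x509.c change, since the issuer/subject check there now reports the untrusted-root case before the chain is exhausted, leaving end-of-chain to mean a genuinely truncated chain. tls_parse_next continues outside this hunk.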
