
[crypto] Differentiate "untrusted root" and "incomplete chain" error cases

Signed-off-by: Michael Brown <mcb30@ipxe.org>
tags/v1.20.1
Michael Brown 12 years ago
parent
commit
f2af64aba5
2 changed files with 18 additions and 6 deletions
  1. 13
    1
      src/crypto/x509.c
  2. 5
    5
      src/net/tls.c

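--- a/src/crypto/x509.c
+++ b/src/crypto/x509.c
@@ -93,6 +93,10 @@
 	__einfo_error ( EINFO_EACCES_PATH_LEN )
 #define EINFO_EACCES_PATH_LEN \
 	__einfo_uniqify ( EINFO_EACCES, 0x05, "Maximum path length exceeded" )
+#define EACCES_UNTRUSTED \
+	__einfo_error ( EINFO_EACCES_UNTRUSTED )
+#define EINFO_EACCES_UNTRUSTED \
+	__einfo_uniqify ( EINFO_EACCES, 0x06, "Untrusted root certificate" )
 
 /** "commonName" object identifier */
 static uint8_t oid_common_name[] = { ASN1_OID_COMMON_NAME };
@@ -1179,10 +1183,18 @@
 		if ( ( rc = x509_validate_time ( current, time ) ) != 0 )
 			return rc;
 
-		/* Succeed if we have reached a root certificate */
+		/* Succeed if we have reached a trusted root certificate */
 		if ( x509_validate_root ( current, root ) == 0 )
 			return 0;
 
+		/* Fail if we have reached an untrusted root certificate */
+		if ( asn1_compare ( &current->issuer.raw,
+				    &current->subject.raw ) == 0 ) {
+			DBGC ( context, "X509 chain %p reached untrusted root "
+			       "certificate\n", context );
+			return -EACCES_UNTRUSTED;
+		}
+
 		/* Get next certificate in chain */
 		if ( ( rc = parse_next ( next, current, context ) ) != 0 ) {
 			DBGC ( context, "X509 chain %p could not get next "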
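Review bot: The added test `asn1_compare ( &current->issuer.raw, &current->subject.raw ) == 0` only shows that the certificate is self-issued (issuer name byte-identical to subject name), yet the comment, debug message and error text all call it a root. A self-issued certificate that is not the top of the chain (for example a key-rollover certificate as described in RFC 5280) would now end validation with `-EACCES_UNTRUSTED` before `parse_next` is consulted. That fails closed, but it is a behaviour change worth stating, and I cannot tell from this hunk whether such chains were meant to work. I would make the comment say what is actually checked, e.g. `/* Fail if we have reached a self-issued certificate (issuer == subject) that is not a trusted root */`. The enclosing validation loop starts and ends outside the hunk.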

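--- a/src/net/tls.c
+++ b/src/net/tls.c
@@ -46,10 +46,10 @@
 #include <ipxe/tls.h>
 
 /* Disambiguate the various error causes */
-#define EACCES_UNTRUSTED \
-	__einfo_error ( EINFO_EACCES_UNTRUSTED )
-#define EINFO_EACCES_UNTRUSTED \
-	__einfo_uniqify ( EINFO_EACCES, 0x01, "Untrusted certificate chain" )
+#define EACCES_INCOMPLETE \
+	__einfo_error ( EINFO_EACCES_INCOMPLETE )
+#define EINFO_EACCES_INCOMPLETE \
+	__einfo_uniqify ( EINFO_EACCES, 0x01, "Incomplete certificate chain" )
 #define EACCES_WRONG_NAME \
 	__einfo_error ( EINFO_EACCES_WRONG_NAME )
 #define EINFO_EACCES_WRONG_NAME \
@@ -1302,7 +1302,7 @@
 	/* Return error at end of chain */
 	if ( context->current >= context->end ) {
 		DBGC ( tls, "TLS %p reached end of certificate chain\n", tls );
-		return -EACCES_UNTRUSTED;
+		return -EACCES_INCOMPLETE;
 	}
 
 	/* Extract current certificate and update context */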
