Merge branch 'iotssl-541-2.1-pathlen-bugfix'

Author: simonbutcher

ChangeLog

@@ -4,6 +4,9 @@ mbed TLS ChangeLog (Sorted per branch, date)
 
 Bugfix
    * Fix over-restrictive length limit in GCM. Found by Andreas-N. #362
+   * Fix bug in certificate validation that caused valid chains to be rejected
+     when the first intermediate certificate has pathLenConstraint=0. Found by
+     Nicholas Wilson. Introduced in mbed TLS 2.1.4. #280
 
 Changes
    * To avoid dropping an entire DTLS datagram if a single record in a datagram

library/x509_crt.c

@@ -2253,18 +2253,8 @@ int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
     {
         /* Look for a parent upwards the chain */
         for( parent = crt->next; parent != NULL; parent = parent->next )
-        {
-            /* +2 because the current step is not yet accounted for
-             * and because max_pathlen is one higher than it should be */
-            if( parent->max_pathlen > 0 &&
-                parent->max_pathlen < 2 + pathlen )
-            {
-                continue;
-            }
-
             if( x509_crt_check_parent( crt, parent, 0, pathlen == 0 ) == 0 )
                 break;
-        }
 
         /* Are we part of the chain or at the top? */
         if( parent != NULL )

tests/data_files/dir4/Readme

@@ -36,3 +36,12 @@ cert61.crt (max_pathlen=1) -> cert62.crt -> cert63.crt
 cert71.crt (max_pathlen=1) -> cert72.crt -> cert73.crt (self signed) -> cert74.crt -> cert74.crt
 ```
 
+8. zero pathlen constraint on first intermediate CA (valid)
+```
+cert81.crt -> cert82.crt (max_pathlen=0) -> cert83.crt
+```
+
+9. zero pathlen constraint on trusted root (valid)
+```
+cert91.crt (max_pathlen=0) -> cert92.crt
+```

tests/data_files/dir4/cert81.crt

@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBpTCCAUmgAwIBAgIBUTAMBggqhkjOPQQDAgUAMDExDzANBgNVBAMTBlJvb3Qg
+ODERMA8GA1UEChMIbWJlZCBUTFMxCzAJBgNVBAYTAlVLMB4XDTAxMDEwMTAwMDAw
+MFoXDTMwMTIzMTIzNTk1OVowMTEPMA0GA1UEAxMGUm9vdCA4MREwDwYDVQQKEwht
+YmVkIFRMUzELMAkGA1UEBhMCVUswWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT1
+GuTQ9vgf2l3oLM25r78cvIAQqE02GzQGjp/WWw3CysEwTwNEuZGhRiD5lDmkbUGW
+UNxv/7uJjy7k3K3fDNdko1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTHFA2h
+Au0tPnzeYnLcmlTQj4FAajAfBgNVHSMEGDAWgBTHFA2hAu0tPnzeYnLcmlTQj4FA
+ajAMBggqhkjOPQQDAgUAA0gAMEUCIH7Z/HNb/Pwbs40iNll1a9gmgAbYOgdlVPWo
+nSdcb7cZAiEAlhVb6CdBXsjOfAWWEET/QP74z608PKFccCIFPCDLkxo=
+-----END CERTIFICATE-----

tests/data_files/dir4/cert82.crt

@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBqDCCAUygAwIBAgIBUjAMBggqhkjOPQQDAgUAMDExDzANBgNVBAMTBlJvb3Qg
+ODERMA8GA1UEChMIbWJlZCBUTFMxCzAJBgNVBAYTAlVLMB4XDTAxMDEwMTAwMDAw
+MFoXDTMwMTIzMTIzNTk1OVowMTEPMA0GA1UEAxMGSW50IDgyMREwDwYDVQQKEwht
+YmVkIFRMUzELMAkGA1UEBhMCVUswWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS2
+giYQt4HVfQ2t8eTS0bvISwp7ol2x17umbllBxwzGDFEUQ00JL1/SStezecK0lNhE
+0AvY8Ez2soQEtdSeQGkCo1MwUTAPBgNVHRMECDAGAQH/AgEAMB0GA1UdDgQWBBS3
++nsv3nQknSg4aDjlTiRpCPo7XzAfBgNVHSMEGDAWgBTHFA2hAu0tPnzeYnLcmlTQ
+j4FAajAMBggqhkjOPQQDAgUAA0gAMEUCIQDus2Lvx3yyvaViY1s334uMm6ge484X
+oktMyxLVjkAMiAIgehTHiJJaT9PnlVa+hUpxsIfVAuMexrm5fw/bDF5Nxzw=
+-----END CERTIFICATE-----

tests/data_files/dir4/cert83.crt

@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBoDCCAUWgAwIBAgIBUzAMBggqhkjOPQQDAgUAMDExDzANBgNVBAMTBkludCA4
+MjERMA8GA1UEChMIbWJlZCBUTFMxCzAJBgNVBAYTAlVLMB4XDTAxMDEwMTAwMDAw
+MFoXDTMwMTIzMTIzNTk1OVowMDEOMAwGA1UEAxMFRUUgODMxETAPBgNVBAoTCG1i
+ZWQgVExTMQswCQYDVQQGEwJVSzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABMSy
+6X5iBYrdxxOMfdcA23pLBoJCeyEjiWfALxTm80MJGBdRNVdnT50xNU3SDDwHWPda
+/EQqHq+itsqkUeyAGAyjTTBLMAkGA1UdEwQCMAAwHQYDVR0OBBYEFGsFH/KsvM4n
+r+i1gI2iCVXi3KtFMB8GA1UdIwQYMBaAFLf6ey/edCSdKDhoOOVOJGkI+jtfMAwG
+CCqGSM49BAMCBQADRwAwRAIgQURH8DHWFHVK38+znWc85G1P+g4ocdkA5Gt0LbOg
+SJMCIBsacOLFywxZYF8atizw6zMRw+QeHR2514JIhJUck2kd
+-----END CERTIFICATE-----

tests/data_files/dir4/cert91.crt

@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBqTCCAUygAwIBAgIBWzAMBggqhkjOPQQDAgUAMDExDzANBgNVBAMTBlJvb3Qg
+OTERMA8GA1UEChMIbWJlZCBUTFMxCzAJBgNVBAYTAlVLMB4XDTAxMDEwMTAwMDAw
+MFoXDTMwMTIzMTIzNTk1OVowMTEPMA0GA1UEAxMGUm9vdCA5MREwDwYDVQQKEwht
+YmVkIFRMUzELMAkGA1UEBhMCVUswWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATh
+D2SmdS6D7cYi2vGMyuCdol/OOUN2di2pS2wfSI/MsY/Z4O9iNHqbXQP6l+hcT5ap
+daycs7r6ZPNqmWM7b16go1MwUTAPBgNVHRMECDAGAQH/AgEAMB0GA1UdDgQWBBRb
+zVrcAxddj0i0DEqvTGT8F37bizAfBgNVHSMEGDAWgBRbzVrcAxddj0i0DEqvTGT8
+F37bizAMBggqhkjOPQQDAgUAA0kAMEYCIQDbrSV4ndH0vAR3HqJfBn8NT8zdvMjB
+qSJes6Qwa42b2wIhAKyoH0H+b1Svw8pMkvUYF4ElH5Cnn7gxb7Wl3arc0+hQ
+-----END CERTIFICATE-----

tests/data_files/dir4/cert92.crt

@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBoTCCAUWgAwIBAgIBXDAMBggqhkjOPQQDAgUAMDExDzANBgNVBAMTBlJvb3Qg
+OTERMA8GA1UEChMIbWJlZCBUTFMxCzAJBgNVBAYTAlVLMB4XDTAxMDEwMTAwMDAw
+MFoXDTMwMTIzMTIzNTk1OVowMDEOMAwGA1UEAxMFRUUgOTIxETAPBgNVBAoTCG1i
+ZWQgVExTMQswCQYDVQQGEwJVSzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABC9E
+tK1pE8Ei8vgScunyjx50C+qDsQS8D2RhGHC4VkE2yyiFxJA/ynhoeXTKZsHuEWI9
+CfOSvk0RrTWf9nr0pTGjTTBLMAkGA1UdEwQCMAAwHQYDVR0OBBYEFLqsN52tAf1k
+XlzxQmdD5qG6Sy6PMB8GA1UdIwQYMBaAFFvNWtwDF12PSLQMSq9MZPwXftuLMAwG
+CCqGSM49BAMCBQADSAAwRQIgXlfKqhkhXgK112Eycl+Z5NHM+6aqXE7i9j7IyGfk
+ikICIQDBYNGbpSx82XG+IS/h4AWNTa4Hs6rmWvQDWJum7NrzMQ==
+-----END CERTIFICATE-----

tests/suites/test_suite_x509parse.data

@@ -1160,6 +1160,14 @@ X509 CRT verify chain #8 (self signed maxpathlen root)
 depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
 mbedtls_x509_crt_verify_chain:"data_files/dir4/cert61.crt data_files/dir4/cert63.crt data_files/dir4/cert62.crt":"data_files/dir4/cert61.crt":0
 
+X509 CRT verify chain #9 (zero pathlen first intermediate, valid)
+depends_on:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+mbedtls_x509_crt_verify_chain:"data_files/dir4/cert83.crt data_files/dir4/cert82.crt":"data_files/dir4/cert81.crt":0
+
+X509 CRT verify chain #10 (zero pathlen root, valid)
+depends_on:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+mbedtls_x509_crt_verify_chain:"data_files/dir4/cert92.crt":"data_files/dir4/cert91.crt":0
+
 X509 OID description #1
 x509_oid_desc:"2B06010505070301":"TLS Web Server Authentication"