author | Michael Brown <mcb30@ipxe.org> | 2012-03-22 10:55:13 +0000 |
committer | Michael Brown <mcb30@ipxe.org> | 2012-03-22 11:41:22 +0000 |
commit | f2af64aba55fda84bd4c6dc6d3590049a637c03f (patch) | |
tree | 9fa5e8b9847522daae32e8c79abc14fffa32d9ff /src | |
parent | 5c6639593969e6b7b6b4796cbb833c002819857c (diff) | |
download | ipxe-f2af64aba55fda84bd4c6dc6d3590049a637c03f.tar.gz |
[crypto] Differentiate "untrusted root" and "incomplete chain" error cases
Signed-off-by: Michael Brown <mcb30@ipxe.org>
Diffstat (limited to 'src')
-rw-r--r-- | src/crypto/x509.c | 14 | ||||
-rw-r--r-- | src/net/tls.c | 10 |
2 files changed, 18 insertions, 6 deletions
diff --git a/src/crypto/x509.c b/src/crypto/x509.c
index 145c77ee1..cf82fc033 100644
--- a/src/crypto/x509.c
+++ b/src/crypto/x509.c
@@ -93,6 +93,10 @@ FILE_LICENCE ( GPL2_OR_LATER );
 __einfo_error ( EINFO_EACCES_PATH_LEN )
 #define EINFO_EACCES_PATH_LEN \
 __einfo_uniqify ( EINFO_EACCES, 0x05, "Maximum path length exceeded" )
+#define EACCES_UNTRUSTED \
+ __einfo_error ( EINFO_EACCES_UNTRUSTED )
+#define EINFO_EACCES_UNTRUSTED \
+ __einfo_uniqify ( EINFO_EACCES, 0x06, "Untrusted root certificate" )
 /** "commonName" object identifier */
 static uint8_t oid_common_name[] = { ASN1_OID_COMMON_NAME };
@@ -1179,10 +1183,18 @@ int x509_validate_chain ( int ( * parse_next )
 if ( ( rc = x509_validate_time ( current, time ) ) != 0 )
 return rc;
- /* Succeed if we have reached a root certificate */
+ /* Succeed if we have reached a trusted root certificate */
 if ( x509_validate_root ( current, root ) == 0 )
 return 0;
+ /* Fail if we have reached an untrusted root certificate */
+ if ( asn1_compare ( ¤t->issuer.raw,
+ ¤t->subject.raw ) == 0 ) {
+ DBGC ( context, "X509 chain %p reached untrusted root "
+ "certificate\n", context );
+ return -EACCES_UNTRUSTED;
+ }
+
 /* Get next certificate in chain */
 if ( ( rc = parse_next ( next, current, context ) ) != 0 ) {
 DBGC ( context, "X509 chain %p could not get next "
diff --git a/src/net/tls.c b/src/net/tls.c
index 6475f78d8..ce39da9a9 100644
--- a/src/net/tls.c
+++ b/src/net/tls.c
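Review bot: The new untrusted-root test in x509_validate_chain decides "this is a root" from subject/issuer name equality alone, so a self-issued certificate that is not self-signed — the standard key-rollover case where a CA certifies its new key under its old key with identical subject and issuer names (RFC 5280 §6.1 treats these as self-issued, not as trust anchors) — is now rejected with EACCES_UNTRUSTED before parse_next() is ever asked for the old, trusted issuer that could have completed the chain. Because x509_validate_root() is tried first, a trusted self-signed root is unaffected and the failure is closed rather than open, so this is a compatibility regression rather than a bypass, but it deserves either a narrower check or an explicit caveat. If the signature-verification helper used elsewhere in the chain walk can be applied here, confirm the certificate actually verifies under its own key before declaring it a root; otherwise state the limitation at the check, e.g. `/* Fail if we have reached an untrusted root certificate (judged by name only; a self-issued rollover certificate cross-signed by a trusted root is rejected here too) */`. Whether asn1_compare() on the raw DER names is the intended name-matching rule, as opposed to the canonical comparison of RFC 5280 §7.1, cannot be confirmed from this hunk. x509_validate_chain begins and ends outside the hunk.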
@@ -46,10 +46,10 @@ FILE_LICENCE ( GPL2_OR_LATER );
 #include <ipxe/tls.h>
 /* Disambiguate the various error causes */
-#define EACCES_UNTRUSTED \
- __einfo_error ( EINFO_EACCES_UNTRUSTED )
-#define EINFO_EACCES_UNTRUSTED \
- __einfo_uniqify ( EINFO_EACCES, 0x01, "Untrusted certificate chain" )
+#define EACCES_INCOMPLETE \
+ __einfo_error ( EINFO_EACCES_INCOMPLETE )
+#define EINFO_EACCES_INCOMPLETE \
+ __einfo_uniqify ( EINFO_EACCES, 0x01, "Incomplete certificate chain" )
 #define EACCES_WRONG_NAME \
 __einfo_error ( EINFO_EACCES_WRONG_NAME )
 #define EINFO_EACCES_WRONG_NAME \
@@ -1302,7 +1302,7 @@ static int tls_parse_next ( struct x509_certificate *cert,
 /* Return error at end of chain */
 if ( context->current >= context->end ) {
 DBGC ( tls, "TLS %p reached end of certificate chain\n", tls );
- return -EACCES_UNTRUSTED;
+ return -EACCES_INCOMPLETE;
 }
 /* Extract current certificate and update context */ |