diff options
| -rw-r--r-- | doc/news.rst | 6 | ||||
| -rw-r--r-- | src/lib/cert/x509/x509path.cpp | 2 | ||||
| -rw-r--r-- | src/lib/cert/x509/x509path.h | 3 | ||||
| -rw-r--r-- | src/lib/tls/credentials_manager.cpp | 13 |
4 files changed, 18 insertions, 6 deletions
diff --git a/doc/news.rst b/doc/news.rst index 58f58c14a..7a96db195 100644 --- a/doc/news.rst +++ b/doc/news.rst @@ -4,6 +4,12 @@ Release Notes Version 1.11.24, Not Yet Released ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +* When the bugs affecting X.509 path validation were fixed in 1.11.23, a check + in Credentials_Manager::verify_certificate_chain was accidentally removed + which caused path validation failures not to be signaled to the TLS layer. + Thus in 1.11.23 certificate authentication in TLS is bypassed. + Reported by Florent Le Coz in GH #324 + * Fixed an endian dependency in McEliece key generation which caused keys to be generated differently on big and little endian systems, even when using a deterministic PRNG with the same seed. diff --git a/src/lib/cert/x509/x509path.cpp b/src/lib/cert/x509/x509path.cpp index a6c3ce6e9..b5345c272 100644 --- a/src/lib/cert/x509/x509path.cpp +++ b/src/lib/cert/x509/x509path.cpp @@ -338,6 +338,8 @@ const X509_Certificate& Path_Validation_Result::trust_root() const { if(m_cert_path.empty()) throw std::runtime_error("Path_Validation_Result::trust_root no path set"); + if(result() != Certificate_Status_Code::VERIFIED) + throw std::runtime_error("Path_Validation_Result::trust_root meaningless with invalid status"); return m_cert_path[m_cert_path.size()-1]; } diff --git a/src/lib/cert/x509/x509path.h b/src/lib/cert/x509/x509path.h index c56aef21f..08d92915d 100644 --- a/src/lib/cert/x509/x509path.h +++ b/src/lib/cert/x509/x509path.h @@ -84,7 +84,8 @@ class BOTAN_DLL Path_Validation_Result std::set<std::string> trusted_hashes() const; /** - * @return the trust root of the validation + * @return the trust root of the validation if successful + * throws an exception if the validation failed */ const X509_Certificate& trust_root() const; diff --git a/src/lib/tls/credentials_manager.cpp b/src/lib/tls/credentials_manager.cpp index 43ba7650a..3762dc149 100644 --- a/src/lib/tls/credentials_manager.cpp +++ b/src/lib/tls/credentials_manager.cpp @@ -129,11 +129,14 @@ void Credentials_Manager::verify_certificate_chain( Path_Validation_Restrictions restrictions; - auto result = x509_path_validate(cert_chain, - restrictions, - trusted_CAs, - purported_hostname, - choose_leaf_usage(type)); + Path_Validation_Result result = x509_path_validate(cert_chain, + restrictions, + trusted_CAs, + purported_hostname, + choose_leaf_usage(type)); + + if(!result.successful_validation()) + throw std::runtime_error("Certificate validation failure: " + result.result_string()); if(!cert_in_some_store(trusted_CAs, result.trust_root())) throw std::runtime_error("Certificate chain roots in unknown/untrusted CA"); |