Only return VERIFY_FAILED from a single point Everything else is a fatal error. Also improve documentation about that for the vrfy callback.

commit: d0e755716f88234e19f9a8289ea3ba22861c85e7 [log] [tgz]
author: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Mon Jul 10 11:31:01 2017 +0200
committer: Simon Butcher <simon.butcher@arm.com> Fri Jul 28 13:15:57 2017 +0100
tree: f147e6ce11c1b82bf6ce0c7bcb2450088c1c3bf0
parent: 8af7bfa982dbc855d159f2e990ea33c464f969bc [diff] [blame]
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 70ad356..fb09253 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c

@@ -1957,8 +1957,8 @@
     /* path_cnt is 0 for the first intermediate CA */
     if( 1 + path_cnt > POLARSSL_X509_MAX_INTERMEDIATE_CA )
     {
-        *flags |= BADCERT_NOT_TRUSTED;
-        return( POLARSSL_ERR_X509_CERT_VERIFY_FAILED );
+        /* return immediately as the goal is to avoid unbounded recursion */
+        return( POLARSSL_ERR_X509_FATAL_ERROR );
     }
 
     if( x509_time_expired( &child->valid_to ) )
@@ -2174,6 +2174,10 @@
     }
 
 exit:
+    /* prevent misuse of the vrfy callback */
+    if( ret == POLARSSL_ERR_X509_CERT_VERIFY_FAILED )
+        ret = POLARSSL_ERR_X509_FATAL_ERROR;
+
     if( ret != 0 )
     {
         *flags = (uint32_t) -1;
commit	d0e755716f88234e19f9a8289ea3ba22861c85e7	[log] [tgz]
author	Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>	Mon Jul 10 11:31:01 2017 +0200
committer	Simon Butcher <simon.butcher@arm.com>	Fri Jul 28 13:15:57 2017 +0100
tree	f147e6ce11c1b82bf6ce0c7bcb2450088c1c3bf0
parent	8af7bfa982dbc855d159f2e990ea33c464f969bc [diff] [blame]