Merge #309
309: [back-port][v0.9] fix: return error when verify empty cert chain r=xinyufort a=Taowyoo

back-port #308 to 0.9.X

Co-authored-by: Yuxiang Cao <[email protected]>
bors[bot] and Taowyoo authored Aug 30, 2023
2 parents 95a2439 + 0eeea4e commit e0d2836
Showing 6 changed files with 55 additions and 11 deletions.
26 changes: 18 additions & 8 deletions .travis.yml
Expand Up @@ -18,20 +18,30 @@ addons:
- clang-11
- cmake
- qemu-user
before_script:
- printenv
- whereis clang && clang --version
# remove clang-16 path from PATH
- export PATH=$(echo $PATH | sed -e 's|:/usr/local/clang-16.0.0/bin||')
# setup clang-11 as default clang
- sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-11 100
- whereis clang && clang --version
rust:
- stable
env:
jobs:
# Matrix build of 3 targets against Rust stable
- TARGET=x86_64-unknown-linux-gnu ZLIB_INSTALLED=true AES_NI_SUPPORT=true
- TARGET=aarch64-unknown-linux-musl
- TARGET=x86_64-fortanix-unknown-sgx
global:
- RUST_BACKTRACE=1
jobs:
include:
# Test additional Rust toolchains on x86_64
- rust: beta
- rust: nightly
- env: TARGET=x86_64-fortanix-unknown-sgx
rust: stable
- env: TARGET=aarch64-unknown-linux-musl
rust: stable
- env: TARGET=x86_64-unknown-linux-gnu ZLIB_INSTALLED=true AES_NI_SUPPORT=true
rust: nightly
- env: TARGET=x86_64-unknown-linux-gnu ZLIB_INSTALLED=true AES_NI_SUPPORT=true
rust: beta
- env: TARGET=x86_64-unknown-linux-gnu ZLIB_INSTALLED=true AES_NI_SUPPORT=true
rust: stable
script:
- ./ct.sh
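Review bot: The clang pinning in `before_script` is never asserted, so a toolchain drift on the CI image would pass silently. The `sed` strips only the literal `:/usr/local/clang-16.0.0/bin` entry, so it matches nothing if the image ships another clang release or lists that directory first in PATH, and both `whereis clang && clang --version` steps only print. A gating step after the `update-alternatives` line, such as `- clang --version | grep -q 'clang version 11\.'`, would fail the build instead of compiling with an unexpected compiler. This rendering does not mark which lines are new, so I am assuming the whole `before_script` block is added by this commit.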
2 changes: 1 addition & 1 deletion Cargo.lock


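--- a/mbedtls/Cargo.toml
+++ b/mbedtls/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "mbedtls"
-version = "0.9.1"
+version = "0.9.2"
 authors = ["Jethro Beekman <[email protected]>"]
 build = "build.rs"
 edition = "2018"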
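--- a/mbedtls/src/ssl/config.rs
+++ b/mbedtls/src/ssl/config.rs
@@ -306,6 +306,9 @@ impl Config {
 }
 
 pub fn push_cert(&mut self, own_cert: Arc<MbedtlsList<Certificate>>, own_pk: Arc<Pk>) -> Result<()> {
+if own_cert.is_empty() {
+return Err(Error::SslBadInputData);
+}
 // Need to ensure own_cert/pk_key outlive the config.
 self.own_cert.push(own_cert.clone());
 self.own_pk.push(own_pk.clone());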
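Review bot: The new empty-chain rejection in `push_cert` has no test visible in this commit; the added `empty_cert_chain_test` exercises only `Certificate::verify`, and the same gap applies to the `chain.is_empty()` check added in `mbedtls/src/ssl/context.rs`. A small unit test that passes `Arc::new(MbedtlsList::new())` as `own_cert` and expects `Error::SslBadInputData` would pin the behaviour on both paths. Since `push_cert` is public, I would also add a doc comment with an `# Errors` section stating that an empty `own_cert` list is rejected with `Error::SslBadInputData`, so callers learn about the new failure mode from the API docs.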
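--- a/mbedtls/src/ssl/context.rs
+++ b/mbedtls/src/ssl/context.rs
@@ -583,7 +583,7 @@ impl HandshakeContext {
 key: Arc<Pk>,
 ) -> Result<()> {
 // mbedtls_ssl_set_hs_own_cert does not check for NULL handshake.
-if self.inner.handshake as *const _ == ::core::ptr::null() {
+if self.inner.handshake as *const _ == ::core::ptr::null() || chain.is_empty() {
 return Err(Error::SslBadInputData);
 }
 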
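Review bot: The comment above the guard still explains only the NULL-handshake half of the condition, so the reason an empty `chain` is rejected is not recorded next to the check. I would extend it, e.g. `// mbedtls_ssl_set_hs_own_cert does not check for NULL handshake; an empty chain has no certificate to pass to it.` As a style point, the pointer test reads more directly as `self.inner.handshake.is_null()`, assuming `handshake` is a raw pointer as the cast suggests. The function's signature starts above the hunk and its body continues below it.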
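--- a/mbedtls/src/x509/certificate.rs
+++ b/mbedtls/src/x509/certificate.rs
@@ -229,6 +229,9 @@ impl Certificate {
 where
 F: VerifyCallback + 'static,
 {
+if chain.is_empty() {
+return Err(Error::X509BadInputData);
+}
 let (f_vrfy, p_vrfy): (Option<unsafe extern "C" fn(_, _, _, _) -> _>, _) = if let Some(cb) = cb.as_ref() {
 (Some(x509::verify_callback::<F>),
 cb as *const _ as *mut c_void)
@@ -1420,6 +1423,34 @@ cYp0bH/RcPTC0Z+ZaqSWMtfxRrk63MJQF9EXpDCdvQRcTMD9D85DJrMKn8aumq0M
 assert!(crate::tests::TestTrait::<dyn Sync, MbedtlsList<Certificate>>::new().impls_trait(), "MbedtlsList<Certificate> should be Sync");
 }
 
+#[test]
+fn empty_cert_chain_test() {
+const C_CERT: &'static str = concat!(include_str!("../../tests/data/certificate.crt"), "\0");
+const C_ROOT: &'static str = concat!(include_str!("../../tests/data/root.crt"), "\0");
+
+let mut certs = MbedtlsList::new();
+certs.push(Certificate::from_pem(&C_CERT.as_bytes()).unwrap());
+let mut roots = MbedtlsList::new();
+roots.push(Certificate::from_pem(&C_ROOT.as_bytes()).unwrap());
+
+assert!(Certificate::verify(&certs, &roots, None, None).is_ok());
+
+let empty_certs = MbedtlsList::new();
+
+assert_eq!(
+Certificate::verify(&certs, &empty_certs, None, None).unwrap_err(),
+Error::X509CertVerifyFailed
+);
+assert_eq!(
+Certificate::verify(&empty_certs, &empty_certs, None, None).unwrap_err(),
+Error::X509BadInputData
+);
+assert_eq!(
+Certificate::verify(&empty_certs, &roots, None, None).unwrap_err(),
+Error::X509BadInputData
+);
+}
+
 #[test]
 fn empty_crl_test() {
 const C_CERT: &'static str = concat!(include_str!("../../tests/data/certificate.crt"), "\0");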
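Review bot: The empty-`chain` guard added at the top of this verification function changes its contract, but nothing in the visible hunk documents that for callers who treat `Ok` as an authentication decision. The new test also pins a second behaviour worth writing down: an empty `trust_ca` is not rejected up front and instead fails with `Error::X509CertVerifyFailed`. I would add an `# Errors` doc section along the lines of `/// Returns Error::X509BadInputData when chain is empty; an empty trust_ca is passed through and fails verification.` The function begins above the first hunk, so its name, existing docs and any sibling entry points that might bypass the guard are not visible here.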
