Merge pull request #6161 from daverodgman/backport-cert-symlink
Backport 2.28: x509_crt: properly handle broken links when looking for certificates
gilles-peskine-arm authored Aug 3, 2022
2 parents ddc3845 + 6f227ee commit f222b8e
Showing 2 changed files with 22 additions and 2 deletions.
5 changes: 5 additions & 0 deletions ChangeLog.d/x509-broken-symlink-handling.txt
@@ -0,0 +1,5 @@
Bugfix
* Fix handling of broken symlinks when loading certificates using
mbedtls_x509_crt_parse_path(). Instead of returning an error as soon as a
broken link is encountered, skip the broken link and continue parsing
other certificate files. Contributed by Eduardo Silva in #2602.
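Review bot: "broken symlinks" in this entry promises more than the accompanying change in library/x509_crt.c delivers: only entries whose stat() fails with ENOENT are skipped, so a link whose target path passes through a regular file (ENOTDIR) or that forms a cycle (ELOOP) still makes mbedtls_x509_crt_parse_path() fail with MBEDTLS_ERR_X509_FILE_IO_ERROR. Either narrow the wording here to "dangling symlinks whose target does not exist" or widen the errno check in the code to match it. It is also worth saying explicitly that skipped links are silent: nothing in the return value tells the caller that an entry was ignored.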
19 changes: 17 additions & 2 deletions library/x509_crt.c
@@ -77,6 +77,7 @@
#include <sys/types.h>
#include <sys/stat.h>
#include <dirent.h>
#include <errno.h>
#endif /* !_WIN32 || EFIX64 || EFI32 */
#endif

@@ -1640,8 +1641,22 @@ int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path )
}
else if( stat( entry_name, &sb ) == -1 )
{
ret = MBEDTLS_ERR_X509_FILE_IO_ERROR;
goto cleanup;
if( errno == ENOENT )
{
/* Broken symbolic link - ignore this entry.
stat(2) will return this error for either (a) a dangling
symlink or (b) a missing file.
Given that we have just obtained the filename from readdir,
assume that it does exist and therefore treat this as a
dangling symlink. */
continue;
}
else
{
/* Some other file error; report the error. */
ret = MBEDTLS_ERR_X509_FILE_IO_ERROR;
goto cleanup;
}
}

if( !S_ISREG( sb.st_mode ) )
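Review bot: the comment "assume that it does exist and therefore treat this as a dangling symlink" papers over a real race rather than resolving it: an entry returned by readdir() can be unlinked before stat() runs, and with this change such a vanished file is silently skipped just like a dangling link. That outcome is defensible, but the comment should state that both cases are deliberately treated the same instead of asserting the file must exist. If the distinction matters, call lstat() first: it does not follow the link, so it succeeds on a dangling symlink and fails with ENOENT only when the entry itself is gone. Two further points on the `if( errno == ENOENT )` branch: the skipped entry is not recorded anywhere (no counter, no partial-failure count in the return value), so a directory full of dangling links is indistinguishable to the caller from an empty one, which the public documentation of mbedtls_x509_crt_parse_path() should mention; and only ENOENT is tolerated, so a looping symlink (ELOOP) or one whose target path crosses a non-directory (ENOTDIR) still aborts the whole scan via `goto cleanup` with MBEDTLS_ERR_X509_FILE_IO_ERROR, which is narrower than the ChangeLog's "broken symlinks" wording suggests.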
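The directory walk above keys its decision on a single stat() errno. As an added, stand-alone example (not mbedtls code, and not the project's API), the following C program shows the lstat()-then-stat() classification a reviewer might ask for: it distinguishes a dangling symlink from an entry that vanished after readdir(), treats all three errno values stat(2) reports for a broken link (ENOENT, ENOTDIR, ELOOP) as "skip", and still aborts on any other I/O error, as the patch does. The helper names (classify_entry, scan_cert_dir, make_fixture, entry_kind) are hypothetical, and the fixture directory it builds under /tmp (one regular file, one subdirectory, three broken links) is constructed input, not real certificate material.

```c
#define _DEFAULT_SOURCE
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of inspecting one directory entry (hypothetical, not mbedtls). */
enum entry_kind {
    ENTRY_REGULAR,   /* regular file, or symlink to one: parse it */
    ENTRY_SKIP,      /* exists but is not a regular file (e.g. a subdirectory) */
    ENTRY_DANGLING,  /* symlink whose target does not resolve: skip it */
    ENTRY_VANISHED,  /* entry removed between readdir() and lstat(): skip it */
    ENTRY_IO_ERROR   /* anything else: abort the scan, as the patch does */
};

/* lstat() first: it does not follow symlinks, so success proves the directory
 * entry itself is present.  stat() second: failure then means the target does
 * not resolve.  ENOENT, ENOTDIR and ELOOP are the errno values stat(2)
 * reports for a broken link. */
enum entry_kind classify_entry(const char *path)
{
    struct stat lsb, sb;

    if (lstat(path, &lsb) == -1)
        return errno == ENOENT ? ENTRY_VANISHED : ENTRY_IO_ERROR;
    if (stat(path, &sb) == -1) {
        if (S_ISLNK(lsb.st_mode) &&
            (errno == ENOENT || errno == ENOTDIR || errno == ELOOP))
            return ENTRY_DANGLING;
        return ENTRY_IO_ERROR;
    }
    return S_ISREG(sb.st_mode) ? ENTRY_REGULAR : ENTRY_SKIP;
}

struct scan_result { int regular, skipped, dangling, vanished; };

/* Walk dir, tallying entries by kind.  Returns 0, or -1 when opendir()
 * failed or an I/O error stopped the scan early (like the patch's goto). */
int scan_cert_dir(const char *dir, struct scan_result *out)
{
    DIR *d = opendir(dir);
    struct dirent *ent;
    char path[4096];

    memset(out, 0, sizeof *out);
    if (d == NULL)
        return -1;
    while ((ent = readdir(d)) != NULL) {
        if (!strcmp(ent->d_name, ".") || !strcmp(ent->d_name, ".."))
            continue;
        int n = snprintf(path, sizeof path, "%s/%s", dir, ent->d_name);
        if (n < 0 || (size_t)n >= sizeof path) { /* name too long */
            closedir(d);
            return -1;
        }
        switch (classify_entry(path)) {
        case ENTRY_REGULAR:  out->regular++;  break;
        case ENTRY_SKIP:     out->skipped++;  break;
        case ENTRY_DANGLING: out->dangling++; break;
        case ENTRY_VANISHED: out->vanished++; break;
        case ENTRY_IO_ERROR: closedir(d); return -1;
        }
    }
    closedir(d);
    return 0;
}

/* Constructed fixture under /tmp: one regular file, one subdirectory and
 * three broken links (missing target, target through a file, self-loop).
 * Writes the directory name into dir; returns 0 on success. */
int make_fixture(char *dir, size_t len)
{
    char p[4096];
    FILE *f;

    if (len < sizeof "/tmp/certsXXXXXX")
        return -1;
    strcpy(dir, "/tmp/certsXXXXXX");
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(p, sizeof p, "%s/ca.crt", dir);
    if ((f = fopen(p, "w")) == NULL)
        return -1;
    fputs("placeholder, not a real certificate\n", f);  /* constructed */
    fclose(f);
    snprintf(p, sizeof p, "%s/subdir", dir);
    if (mkdir(p, 0700) == -1)
        return -1;
    snprintf(p, sizeof p, "%s/dangling.crt", dir);
    if (symlink("/nonexistent/target.crt", p) == -1)  /* stat(): ENOENT */
        return -1;
    snprintf(p, sizeof p, "%s/notdir.crt", dir);
    if (symlink("ca.crt/x", p) == -1)                 /* stat(): ENOTDIR */
        return -1;
    snprintf(p, sizeof p, "%s/loop.crt", dir);
    return symlink("loop.crt", p);                    /* stat(): ELOOP */
}

int main(void)
{
    char dir[64];
    struct scan_result r;

    if (make_fixture(dir, sizeof dir) != 0 || scan_cert_dir(dir, &r) != 0)
        return 1;
    printf("%s: %d regular, %d skipped, %d dangling, %d vanished\n",
           dir, r.regular, r.skipped, r.dangling, r.vanished);
    return 0;
}
```

Running it on the constructed fixture reports 1 regular, 1 skipped, 3 dangling and 0 vanished entries. The point of the two-call sequence is that ENOENT from lstat() and ENOENT from stat() mean different things; the patch's single stat() collapses them, which is harmless for loading certificates but loses information a caller debugging a misconfigured trust store would want.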
