Set a compile-time limit to X.509 chain length

2025-11-21 12:40:51 +03:00 · 2014-11-20 16:34:20 +01:00
parent 89d69b398c
commit fd6c85c3eb
4 changed files with 24 additions and 0 deletions
--- a/include/polarssl/x509.h
+++ b/include/polarssl/x509.h
@@ -45,6 +45,18 @@
 * \{
 */

+#if !defined(POLARSSL_X509_MAX_INTERMEDIATE_CA)
+/**
+ * Maximum number of intermediate CAs in a verification chain.
+ * That is, maximum length of the chain, excluding the end-entity certificate
+ * and the trusted root certificate.
+ *
+ * Set this to a low value to prevent an adversary from making you waste
+ * resources verifying an overlong certificate chain.
+ */
+#define POLARSSL_X509_MAX_INTERMEDIATE_CA   8
+#endif
+
 /**
 * \name X509 Error codes
 * \{