Merge pull request #6161 from daverodgman/backport-cert-symlink
Backport 2.28: x509_crt: properly handle broken links when looking for certificates
diff --git a/ChangeLog.d/x509-broken-symlink-handling.txt b/ChangeLog.d/x509-broken-symlink-handling.txt
new file mode 100644
index 0000000..52288dc
--- /dev/null
+++ b/ChangeLog.d/x509-broken-symlink-handling.txt
@@ -0,0 +1,5 @@
+Bugfix
+ * Fix handling of broken symlinks when loading certificates using
+ mbedtls_x509_crt_parse_path(). Instead of returning an error as soon as a
+ broken link is encountered, skip the broken link and continue parsing
+ other certificate files. Contributed by Eduardo Silva in #2602.
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 911644b..42f1fc2 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -77,6 +77,7 @@
#include <sys/types.h>
#include <sys/stat.h>
#include <dirent.h>
+#include <errno.h>
#endif /* !_WIN32 || EFIX64 || EFI32 */
#endif
@@ -1640,8 +1641,22 @@
}
else if( stat( entry_name, &sb ) == -1 )
{
- ret = MBEDTLS_ERR_X509_FILE_IO_ERROR;
- goto cleanup;
+ if( errno == ENOENT )
+ {
+ /* Broken symbolic link - ignore this entry.
+ stat(2) will return this error for either (a) a dangling
+ symlink or (b) a missing file.
+ Given that we have just obtained the filename from readdir,
+ assume that it does exist and therefore treat this as a
+ dangling symlink. */
+ continue;
+ }
+ else
+ {
+ /* Some other file error; report the error. */
+ ret = MBEDTLS_ERR_X509_FILE_IO_ERROR;
+ goto cleanup;
+ }
}
if( !S_ISREG( sb.st_mode ) )