Add POLARSSL_X509_MAX_INTERMEDIATE_CA

commit: 4cdb3babaded415e3cc8e5a897754b46fa5a137c [log] [tgz]
author: Manuel Pégourié-Gonnard <mpg@elzevir.fr> Thu Nov 20 17:12:15 2014 +0100
committer: Manuel Pégourié-Gonnard <mpg@elzevir.fr> Thu Nov 20 17:12:15 2014 +0100
tree: 90cd5e67b8a73cd3a56d01a0e2ad7d0068757991
parent: 6a095d23836c08c32df5c870ffe8a6f074db1126 [diff]
diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index 8b6a862..b12e7fb 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h

@@ -1021,6 +1021,10 @@
 //
 #define SSL_MAX_CONTENT_LEN             16384 /**< Size of the input / output buffer */
 
+// X509 options
+//
+#define POLARSSL_X509_MAX_INTERMEDIATE_CA   8 /**< Maximum number of intermediate CAs in a verification chain. */
+
 #endif /* POLARSSL_CONFIG_OPTIONS */
 
 /* \} name */

diff --git a/include/polarssl/x509.h b/include/polarssl/x509.h
index 1dbc40d..0f3bd07 100644
--- a/include/polarssl/x509.h
+++ b/include/polarssl/x509.h

@@ -36,6 +36,18 @@
  * \{ 
  */
  
+#if !defined(POLARSSL_CONFIG_OPTIONS)
+/**
+ * Maximum number of intermediate CAs in a verification chain.
+ * That is, maximum length of the chain, excluding the end-entity certificate
+ * and the trusted root certificate.
+ *
+ * Set this to a low value to prevent an adversary from making you waste
+ * resources verifying an overlong certificate chain.
+ */
+#define POLARSSL_X509_MAX_INTERMEDIATE_CA   8
+#endif
+
 /** 
  * \name X509 Error codes
  * \{
commit	4cdb3babaded415e3cc8e5a897754b46fa5a137c	[log] [tgz]
author	Manuel Pégourié-Gonnard <mpg@elzevir.fr>	Thu Nov 20 17:12:15 2014 +0100
committer	Manuel Pégourié-Gonnard <mpg@elzevir.fr>	Thu Nov 20 17:12:15 2014 +0100
tree	90cd5e67b8a73cd3a56d01a0e2ad7d0068757991
parent	6a095d23836c08c32df5c870ffe8a6f074db1126 [diff]