Solely use raw X.509 name data references including SEQUENCE header

So far, the CRT frame structure `mbedtls_x509_crt_frame` used
as `issuer_raw` and `subject_raw` the _content_ of the ASN.1
name structure for the issuer and the subject, respectively. This was in contrast
to the fields `issuer_raw` and `subject_raw` from the legacy
`mbedtls_x509_crt` structure, and caused some information
duplication by having both variants `xxx_no_hdr` and `xxx_with_hdr`
in `mbedtls_x509_crt` and `mbedtls_x509_crt_frame`.

This commit removes this mismatch by solely using the legacy
form of `issuer_raw` and `subject_raw`, i.e. those _including_
the ASN.1 name header.
This commit is contained in:
Hanno Becker 2019-03-04 14:43:43 +00:00
parent 4e021c8f50
commit 1e11f217d4
9 changed files with 74 additions and 83 deletions


@ -313,8 +313,8 @@ int mbedtls_x509_self_test( int verbose );
* Internal module functions. You probably do not want to use these unless you
* know you do.
*/
int mbedtls_x509_get_name( unsigned char **p, const unsigned char *end,
mbedtls_x509_name *cur );
int mbedtls_x509_get_name( unsigned char *p, size_t len,
mbedtls_x509_name *cur );
int mbedtls_x509_get_alg_null( unsigned char **p, const unsigned char *end,
mbedtls_x509_buf *alg );
int mbedtls_x509_get_alg( unsigned char **p, const unsigned char *end,
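Review bot: The new `mbedtls_x509_get_name( unsigned char *p, size_t len, mbedtls_x509_name *cur )` prototype carries no comment on what `p` and `len` delimit, and the contract differs from the old in-out `**p` form: the buffer is now consumed as a whole and `p` is not advanced. Since the surrounding block only says "Internal module functions", I would add above the prototype `/* Parse the DER-encoded Name of len bytes at p (outer SEQUENCE header included) into cur; p is not advanced and cur is zeroed first. */`. That the SEQUENCE header must be part of the buffer is inferred from the x509.c change in this commit, so word it according to what mbedtls_x509_name_cmp_raw finally enforces.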


@ -76,7 +76,6 @@ typedef struct mbedtls_x509_crl
mbedtls_x509_buf sig_oid; /**< CRL signature type identifier */
mbedtls_x509_buf_raw issuer_raw; /**< The raw issuer data (DER). */
mbedtls_x509_buf_raw issuer_raw_no_hdr;
mbedtls_x509_name issuer; /**< The parsed issuer data (named information object). */


@ -95,9 +95,6 @@ typedef struct mbedtls_x509_crt_frame
mbedtls_x509_buf_raw subject_alt_raw; /**< The raw data for the SubjectAlternativeNames extension. */
mbedtls_x509_buf_raw ext_key_usage_raw; /**< The raw data for the ExtendedKeyUsage extension. */
mbedtls_x509_buf_raw issuer_raw_with_hdr;
mbedtls_x509_buf_raw subject_raw_with_hdr;
} mbedtls_x509_crt_frame;
/* This is an internal structure used for caching parsed data from an X.509 CRT.
@ -139,9 +136,6 @@ typedef struct mbedtls_x509_crt
mbedtls_x509_buf issuer_raw; /**< The raw issuer data (DER). Used for quick comparison. */
mbedtls_x509_buf subject_raw; /**< The raw subject data (DER). Used for quick comparison. */
mbedtls_x509_buf_raw subject_raw_no_hdr;
mbedtls_x509_buf_raw issuer_raw_no_hdr;
mbedtls_x509_name issuer; /**< The parsed issuer data (named information object). */
mbedtls_x509_name subject; /**< The parsed subject data (named information object). */


@ -3001,7 +3001,7 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
if( ret != 0 )
return( ret );
dn_size = frame->subject_raw_with_hdr.len;
dn_size = frame->subject_raw.len;
if( end < p ||
(size_t)( end - p ) < dn_size ||
@ -3014,7 +3014,7 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
*p++ = (unsigned char)( dn_size >> 8 );
*p++ = (unsigned char)( dn_size );
memcpy( p, frame->subject_raw_with_hdr.p, dn_size );
memcpy( p, frame->subject_raw.p, dn_size );
p += dn_size;
MBEDTLS_SSL_DEBUG_BUF( 3, "requested DN", p - dn_size, dn_size );


@ -544,53 +544,67 @@ int mbedtls_x509_name_cmp_raw( mbedtls_x509_buf_raw const *a,
void *abort_check_ctx )
{
int ret;
size_t idx;
unsigned char *p[2], *end[2], *set[2];
unsigned char *p_a, *end_a, *set_a;
unsigned char *p_b, *end_b, *set_b;
p[0] = a->p;
p[1] = b->p;
end[0] = p[0] + a->len;
end[1] = p[1] + b->len;
p_a = set_a = (unsigned char*) a->p;
p_b = set_b = (unsigned char*) b->p;
for( idx = 0; idx < 2; idx++ )
{
size_t len;
ret = mbedtls_asn1_get_tag( &p[idx], end[idx], &len,
MBEDTLS_ASN1_CONSTRUCTED |
MBEDTLS_ASN1_SEQUENCE );
end_a = p_a + a->len;
end_b = p_b + b->len;
if( end[idx] != p[idx] + len )
{
return( MBEDTLS_ERR_X509_INVALID_NAME +
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
}
set[idx] = p[idx];
}
while( 1 )
{
int next_merged;
mbedtls_x509_buf oid_a, val_a, oid_b, val_b;
mbedtls_x509_buf oid[2], val[2];
ret = x509_set_sequence_iterate( &p_a, (const unsigned char **) &set_a,
end_a, &oid_a, &val_a );
ret = x509_set_sequence_iterate( &p[0], (const unsigned char **) &set[0],
end[0], &oid[0], &val[0] );
if( ret != 0 )
goto exit;
ret = x509_set_sequence_iterate( &p_b, (const unsigned char **) &set_b,
end_b, &oid_b, &val_b );
ret = x509_set_sequence_iterate( &p[1], (const unsigned char **) &set[1],
end[1], &oid[1], &val[1] );
if( ret != 0 )
goto exit;
if( oid_a.len != oid_b.len ||
memcmp( oid_a.p, oid_b.p, oid_b.len ) != 0 )
if( oid[0].len != oid[1].len ||
memcmp( oid[0].p, oid[1].p, oid[1].len ) != 0 )
{
return( 1 );
}
if( x509_string_cmp( &val_a, &val_b ) != 0 )
if( x509_string_cmp( &val[0], &val[1] ) != 0 )
return( 1 );
next_merged = ( set_a != p_a );
if( next_merged != ( set_b != p_b ) )
next_merged = ( set[0] != p[0] );
if( next_merged != ( set[1] != p[1] ) )
return( 1 );
if( abort_check != NULL )
{
ret = abort_check( abort_check_ctx, &oid_a, &val_a,
ret = abort_check( abort_check_ctx, &oid[0], &val[0],
next_merged );
if( ret != 0 )
return( ret );
}
if( p_a == end_a && p_b == end_b )
if( p[0] == end[0] && p[1] == end[1] )
break;
}
@ -626,20 +640,15 @@ static int x509_get_name_cb( void *ctx,
return( 0 );
}
int mbedtls_x509_get_name( unsigned char **p, const unsigned char *end,
int mbedtls_x509_get_name( unsigned char *p,
size_t len,
mbedtls_x509_name *cur )
{
int ret;
mbedtls_x509_buf_raw name_buf = { *p, end - *p };
mbedtls_x509_buf_raw name_buf = { p, len };
memset( cur, 0, sizeof( mbedtls_x509_name ) );
ret = mbedtls_x509_name_cmp_raw( &name_buf, &name_buf,
x509_get_name_cb,
&cur );
if( ret != 0 )
return( ret );
*p = (unsigned char*) end;
return( 0 );
return( mbedtls_x509_name_cmp_raw( &name_buf, &name_buf,
x509_get_name_cb,
&cur ) );
}
static int x509_parse_int( unsigned char **p, size_t n, int *res )
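Review bot: In the new header-parsing loop at the top of `mbedtls_x509_name_cmp_raw`, the return value of `mbedtls_asn1_get_tag` is stored in `ret` but never tested before `if( end[idx] != p[idx] + len )`, so on a tag or length error the comparison reads `len`, which is declared without an initializer and may still be indeterminate, and only the coincidental outcome of that comparison decides whether the loop goes on. Insert `if( ret != 0 ) return( MBEDTLS_ERR_X509_INVALID_NAME + ret );` directly after the `mbedtls_asn1_get_tag` call, which matches the error form used for the length-mismatch case two lines below. This matters more now because `mbedtls_x509_get_name` hands arbitrary `( p, len )` buffers, including the test suite's, straight to this function. The `exit:` label and the remainder of the function body are outside the hunk.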


@ -428,17 +428,17 @@ int mbedtls_x509_crl_parse_der( mbedtls_x509_crl *chain,
mbedtls_x509_crl_free( crl );
return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
}
crl->issuer_raw_no_hdr.p = p;
p += len;
crl->issuer_raw.len = p - crl->issuer_raw.p;
if( ( ret = mbedtls_x509_get_name( &p, p + len, &crl->issuer ) ) != 0 )
if( ( ret = mbedtls_x509_get_name( crl->issuer_raw.p,
crl->issuer_raw.len,
&crl->issuer ) ) != 0 )
{
mbedtls_x509_crl_free( crl );
return( ret );
}
crl->issuer_raw_no_hdr.len = p - crl->issuer_raw_no_hdr.p;
crl->issuer_raw.len = p - crl->issuer_raw.p;
/*
* thisUpdate Time
* nextUpdate Time OPTIONAL


@ -126,8 +126,10 @@ int mbedtls_x509_crt_cache_provide_frame( mbedtls_x509_crt const *crt )
frame->serial.len = crt->serial.len;
frame->pubkey_raw.p = crt->pk_raw.p;
frame->pubkey_raw.len = crt->pk_raw.len;
frame->issuer_raw = crt->issuer_raw_no_hdr;
frame->subject_raw = crt->subject_raw_no_hdr;
frame->issuer_raw.p = crt->issuer_raw.p;
frame->issuer_raw.len = crt->issuer_raw.len;
frame->subject_raw.p = crt->subject_raw.p;
frame->subject_raw.len = crt->subject_raw.len;
frame->issuer_id.p = crt->issuer_id.p;
frame->issuer_id.len = crt->issuer_id.len;
frame->subject_id.p = crt->subject_id.p;
@ -136,10 +138,6 @@ int mbedtls_x509_crt_cache_provide_frame( mbedtls_x509_crt const *crt )
frame->sig.len = crt->sig.len;
frame->v3_ext.p = crt->v3_ext.p;
frame->v3_ext.len = crt->v3_ext.len;
frame->issuer_raw_with_hdr.p = crt->issuer_raw.p;
frame->issuer_raw_with_hdr.len = crt->issuer_raw.len;
frame->subject_raw_with_hdr.p = crt->subject_raw.p;
frame->subject_raw_with_hdr.len = crt->subject_raw.len;
/* The legacy CRT structure doesn't explicitly contain
* the `AlgorithmIdentifier` bounds; however, those can
@ -1185,15 +1183,14 @@ static int x509_crt_parse_frame( unsigned char *start,
*
* RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
*/
frame->issuer_raw_with_hdr.p = p;
frame->issuer_raw.p = p;
ret = mbedtls_asn1_get_tag( &p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE );
if( ret != 0 )
return( ret + MBEDTLS_ERR_X509_INVALID_FORMAT );
frame->issuer_raw.p = p;
frame->issuer_raw.len = len;
p += len;
frame->issuer_raw.len = p - frame->issuer_raw.p;
ret = mbedtls_x509_name_cmp_raw( &frame->issuer_raw,
&frame->issuer_raw,
@ -1201,8 +1198,6 @@ static int x509_crt_parse_frame( unsigned char *start,
if( ret != 0 )
return( ret );
frame->issuer_raw_with_hdr.len = p - frame->issuer_raw_with_hdr.p;
/*
* Validity ::= SEQUENCE { ...
*/
@ -1218,15 +1213,14 @@ static int x509_crt_parse_frame( unsigned char *start,
*
* RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
*/
frame->subject_raw_with_hdr.p = p;
frame->subject_raw.p = p;
ret = mbedtls_asn1_get_tag( &p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE );
if( ret != 0 )
return( ret + MBEDTLS_ERR_X509_INVALID_FORMAT );
frame->subject_raw.p = p;
frame->subject_raw.len = len;
p += len;
frame->subject_raw.len = p - frame->subject_raw.p;
ret = mbedtls_x509_name_cmp_raw( &frame->subject_raw,
&frame->subject_raw,
@ -1234,8 +1228,6 @@ static int x509_crt_parse_frame( unsigned char *start,
if( ret != 0 )
return( ret );
frame->subject_raw_with_hdr.len = p - frame->subject_raw_with_hdr.p;
/*
* SubjectPublicKeyInfo
*/
@ -1317,19 +1309,17 @@ static int x509_crt_parse_frame( unsigned char *start,
static int x509_crt_subject_from_frame( mbedtls_x509_crt_frame *frame,
mbedtls_x509_name *subject )
{
unsigned char *p = frame->subject_raw.p;
unsigned char *end = p + frame->subject_raw.len;
return( mbedtls_x509_get_name( &p, end, subject ) );
return( mbedtls_x509_get_name( frame->subject_raw.p,
frame->subject_raw.len,
subject ) );
}
static int x509_crt_issuer_from_frame( mbedtls_x509_crt_frame *frame,
mbedtls_x509_name *issuer )
{
unsigned char *p = frame->issuer_raw.p;
unsigned char *end = p + frame->issuer_raw.len;
return( mbedtls_x509_get_name( &p, end, issuer ) );
return( mbedtls_x509_get_name( frame->issuer_raw.p,
frame->issuer_raw.len,
issuer ) );
}
static int x509_crt_subject_alt_from_frame( mbedtls_x509_crt_frame *frame,
@ -1453,12 +1443,10 @@ static int x509_crt_parse_der_core( mbedtls_x509_crt *crt,
crt->tbs.len = frame->tbs.len;
crt->serial.p = frame->serial.p;
crt->serial.len = frame->serial.len;
crt->issuer_raw.p = frame->issuer_raw_with_hdr.p;
crt->issuer_raw.len = frame->issuer_raw_with_hdr.len;
crt->subject_raw.p = frame->subject_raw_with_hdr.p;
crt->subject_raw.len = frame->subject_raw_with_hdr.len;
crt->issuer_raw_no_hdr = frame->issuer_raw;
crt->subject_raw_no_hdr = frame->subject_raw;
crt->issuer_raw.p = frame->issuer_raw.p;
crt->issuer_raw.len = frame->issuer_raw.len;
crt->subject_raw.p = frame->subject_raw.p;
crt->subject_raw.len = frame->subject_raw.len;
crt->issuer_id.p = frame->issuer_id.p;
crt->issuer_id.len = frame->issuer_id.len;
crt->subject_id.p = frame->subject_id.p;
@ -2561,7 +2549,7 @@ static int x509_crt_verifycrl( unsigned char *crt_serial,
while( crl_list != NULL )
{
if( crl_list->version == 0 ||
mbedtls_x509_name_cmp_raw( &crl_list->issuer_raw_no_hdr,
mbedtls_x509_name_cmp_raw( &crl_list->issuer_raw,
&ca_subject, NULL, NULL ) != 0 )
{
crl_list = crl_list->next;
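Review bot: At `frame->issuer_raw.p = p;` in `x509_crt_parse_frame`, and likewise at the `subject_raw` counterpart further down, the buffer now starts at the outer SEQUENCE tag rather than at its content, which is the whole point of the commit, yet neither assignment records this and the only nearby comment is the ASN.1 grammar. I would add `/* issuer_raw spans the entire Name, including its SEQUENCE header. */` above the first assignment and the subject equivalent above the second, since `mbedtls_x509_name_cmp_raw` and the CertificateRequest writer in ssl_tls.c both depend on that layout. The cached-frame copy in `mbedtls_x509_crt_cache_provide_frame` and the CRL issuer comparison in `x509_crt_verifycrl` inherit the same convention, so a remaining caller that still passes a header-less buffer would now fail the SEQUENCE check inside `mbedtls_x509_name_cmp_raw` and, in `x509_crt_verifycrl`, be treated as a non-matching CRL rather than flagged. `x509_crt_parse_frame` continues outside the hunk.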


@ -183,15 +183,17 @@ int mbedtls_x509_csr_parse_der( mbedtls_x509_csr *csr,
mbedtls_x509_csr_free( csr );
return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
}
p += len;
csr->subject_raw.len = p - csr->subject_raw.p;
if( ( ret = mbedtls_x509_get_name( &p, p + len, &csr->subject ) ) != 0 )
if( ( ret = mbedtls_x509_get_name( csr->subject_raw.p,
csr->subject_raw.len,
&csr->subject ) ) != 0 )
{
mbedtls_x509_csr_free( csr );
return( ret );
}
csr->subject_raw.len = p - csr->subject_raw.p;
/*
* subjectPKInfo SubjectPublicKeyInfo
*/


@ -216,7 +216,7 @@ void mbedtls_x509_string_to_names( char * name, char * parsed_name, int result
)
{
int ret;
size_t len = 0;
size_t len;
mbedtls_asn1_named_data *names = NULL;
mbedtls_x509_name parsed, *parsed_cur, *parsed_prv;
unsigned char buf[1024], out[1024], *c;
@ -234,10 +234,9 @@ void mbedtls_x509_string_to_names( char * name, char * parsed_name, int result
ret = mbedtls_x509_write_names( &c, buf, names );
TEST_ASSERT( ret > 0 );
len = (size_t) ret;
TEST_ASSERT( mbedtls_asn1_get_tag( &c, buf + sizeof( buf ), &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) == 0 );
TEST_ASSERT( mbedtls_x509_get_name( &c, buf + sizeof( buf ), &parsed ) == 0 );
TEST_ASSERT( mbedtls_x509_get_name( c, len, &parsed ) == 0 );
ret = mbedtls_x509_dn_gets( (char *) out, sizeof( out ), &parsed );
TEST_ASSERT( ret > 0 );