From 32fdc60c7bdcf9f94226442a986bfca0bd260141 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 3 Jul 2017 18:57:51 +0200 Subject: [PATCH] Unnest code in verify_top() We now know that trust_ca != NULL till the end of the function --- library/x509_crt.c | 62 +++++++++++++++++----------------------------- 1 file changed, 23 insertions(+), 39 deletions(-) diff --git a/library/x509_crt.c b/library/x509_crt.c index b1288e848..26c40bd79 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -2012,9 +2012,6 @@ static int x509_crt_verify_top( { int ret; uint32_t ca_flags = 0; - unsigned char hash[MBEDTLS_MD_MAX_SIZE]; - const mbedtls_md_info_t *md_info; - mbedtls_x509_crt *future_past_ca = NULL; (void) self_cnt; @@ -2030,66 +2027,53 @@ static int x509_crt_verify_top( if( x509_profile_check_pk_alg( profile, child->sig_pk ) != 0 ) *flags |= MBEDTLS_X509_BADCERT_BAD_PK; - /* - * Child is the top of the chain. Check against the trust_ca list. - */ - *flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED; - /* Special case #1: no root, stop here */ if( trust_ca == NULL ) + { + *flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED; goto callback; + } /* Special case #2: child == trust_ca: trust and that's it */ if( child->raw.len == trust_ca->raw.len && memcmp( child->raw.p, trust_ca->raw.p, child->raw.len ) == 0 ) { - *flags &= ~MBEDTLS_X509_BADCERT_NOT_TRUSTED; goto callback; } - if( trust_ca != NULL || ( trust_ca = future_past_ca ) != NULL ) - { - /* - * Top of chain is signed by a trusted CA - */ - *flags &= ~MBEDTLS_X509_BADCERT_NOT_TRUSTED; - - if( x509_profile_check_key( profile, child->sig_pk, &trust_ca->pk ) != 0 ) - *flags |= MBEDTLS_X509_BADCERT_BAD_KEY; - } - /* - * If top of chain is not the same as the trusted CA send a verify request - * to the callback for any issues with validity and CRL presence for the - * trusted CA certificate. + * General case: we have a trusted root, distinct from child */ - if( trust_ca != NULL ) - { + + /* this wasn't checked by find_parent() */ + if( x509_profile_check_key( profile, child->sig_pk, &trust_ca->pk ) != 0 ) + *flags |= MBEDTLS_X509_BADCERT_BAD_KEY; + + /* Check trusted CA's CRL for the chain's top crt */ #if defined(MBEDTLS_X509_CRL_PARSE_C) - /* Check trusted CA's CRL for the chain's top crt */ - *flags |= x509_crt_verifycrl( child, trust_ca, ca_crl, profile ); + *flags |= x509_crt_verifycrl( child, trust_ca, ca_crl, profile ); #else - ((void) ca_crl); + ((void) ca_crl); #endif - if( mbedtls_x509_time_is_past( &trust_ca->valid_to ) ) - ca_flags |= MBEDTLS_X509_BADCERT_EXPIRED; + /* Check time-validity of the parent */ + if( mbedtls_x509_time_is_past( &trust_ca->valid_to ) ) + ca_flags |= MBEDTLS_X509_BADCERT_EXPIRED; - if( mbedtls_x509_time_is_future( &trust_ca->valid_from ) ) - ca_flags |= MBEDTLS_X509_BADCERT_FUTURE; + if( mbedtls_x509_time_is_future( &trust_ca->valid_from ) ) + ca_flags |= MBEDTLS_X509_BADCERT_FUTURE; - if( NULL != f_vrfy ) + /* Call callback on trusted root */ + if( NULL != f_vrfy ) + { + if( ( ret = f_vrfy( p_vrfy, trust_ca, path_cnt + 1, &ca_flags ) ) != 0 ) { - if( ( ret = f_vrfy( p_vrfy, trust_ca, path_cnt + 1, - &ca_flags ) ) != 0 ) - { - return( ret ); - } + return( ret ); } } callback: - /* Call callback on top cert */ + /* Call callback on child */ if( NULL != f_vrfy ) { if( ( ret = f_vrfy( p_vrfy, child, path_cnt, flags ) ) != 0 )