yuzu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2025-01-22 21:50:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

Unnest code in verify_top()

Browse source 
We now know that trust_ca != NULL till the end of the function
This commit is contained in:
Manuel Pégourié-Gonnard 2017-07-03 18:57:51 +02:00
parent 6038cb6909
commit 32fdc60c7b
1 changed files with 23 additions and 39 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

62
library/x509_crt.c
View file

@ -2012,9 +2012,6 @@ static int x509_crt_verify_top(
{ {
int ret; int ret;
uint32_t ca_flags = 0; uint32_t ca_flags = 0;
unsigned char hash[MBEDTLS_MD_MAX_SIZE];
const mbedtls_md_info_t *md_info;
mbedtls_x509_crt *future_past_ca = NULL;
(void) self_cnt; (void) self_cnt;
@ -2030,66 +2027,53 @@ static int x509_crt_verify_top(
if( x509_profile_check_pk_alg( profile, child->sig_pk ) != 0 ) if( x509_profile_check_pk_alg( profile, child->sig_pk ) != 0 )
*flags |= MBEDTLS_X509_BADCERT_BAD_PK; *flags |= MBEDTLS_X509_BADCERT_BAD_PK;
/*
* Child is the top of the chain. Check against the trust_ca list.
*/
*flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED;
/* Special case #1: no root, stop here */ /* Special case #1: no root, stop here */
if( trust_ca == NULL ) if( trust_ca == NULL )
{
*flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED;
goto callback; goto callback;
}
/* Special case #2: child == trust_ca: trust and that's it */ /* Special case #2: child == trust_ca: trust and that's it */
if( child->raw.len == trust_ca->raw.len && if( child->raw.len == trust_ca->raw.len &&
memcmp( child->raw.p, trust_ca->raw.p, child->raw.len ) == 0 ) memcmp( child->raw.p, trust_ca->raw.p, child->raw.len ) == 0 )
{ {
*flags &= ~MBEDTLS_X509_BADCERT_NOT_TRUSTED;
goto callback; goto callback;
} }
if( trust_ca != NULL || ( trust_ca = future_past_ca ) != NULL )
{
/*
* Top of chain is signed by a trusted CA
*/
*flags &= ~MBEDTLS_X509_BADCERT_NOT_TRUSTED;
if( x509_profile_check_key( profile, child->sig_pk, &trust_ca->pk ) != 0 )
*flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
}
/* /*
* If top of chain is not the same as the trusted CA send a verify request * General case: we have a trusted root, distinct from child
* to the callback for any issues with validity and CRL presence for the
* trusted CA certificate.
*/ */
if( trust_ca != NULL )
{ /* this wasn't checked by find_parent() */
if( x509_profile_check_key( profile, child->sig_pk, &trust_ca->pk ) != 0 )
*flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
/* Check trusted CA's CRL for the chain's top crt */
#if defined(MBEDTLS_X509_CRL_PARSE_C) #if defined(MBEDTLS_X509_CRL_PARSE_C)
/* Check trusted CA's CRL for the chain's top crt */ *flags |= x509_crt_verifycrl( child, trust_ca, ca_crl, profile );
*flags |= x509_crt_verifycrl( child, trust_ca, ca_crl, profile );
#else #else
((void) ca_crl); ((void) ca_crl);
#endif #endif
if( mbedtls_x509_time_is_past( &trust_ca->valid_to ) ) /* Check time-validity of the parent */
ca_flags |= MBEDTLS_X509_BADCERT_EXPIRED; if( mbedtls_x509_time_is_past( &trust_ca->valid_to ) )
ca_flags |= MBEDTLS_X509_BADCERT_EXPIRED;
if( mbedtls_x509_time_is_future( &trust_ca->valid_from ) ) if( mbedtls_x509_time_is_future( &trust_ca->valid_from ) )
ca_flags |= MBEDTLS_X509_BADCERT_FUTURE; ca_flags |= MBEDTLS_X509_BADCERT_FUTURE;
if( NULL != f_vrfy ) /* Call callback on trusted root */
if( NULL != f_vrfy )
{
if( ( ret = f_vrfy( p_vrfy, trust_ca, path_cnt + 1, &ca_flags ) ) != 0 )
{ {
if( ( ret = f_vrfy( p_vrfy, trust_ca, path_cnt + 1, return( ret );
&ca_flags ) ) != 0 )
{
return( ret );
}
} }
} }
callback: callback:
/* Call callback on top cert */ /* Call callback on child */
if( NULL != f_vrfy ) if( NULL != f_vrfy )
{ {
if( ( ret = f_vrfy( p_vrfy, child, path_cnt, flags ) ) != 0 ) if( ( ret = f_vrfy( p_vrfy, child, path_cnt, flags ) ) != 0 )