Make use of CRT acquire/release searching for issuer in CRT verif.

This commit continues rewriting the CRT chain verification to use
the new acquire/release framework for CRTs. Specifically, it replaces
all member accesses of the current _parent_ CRT by accesses to the
respective frame.
This commit is contained in:
Hanno Becker 2019-02-25 14:46:49 +00:00
parent e449e2d846
commit 43bf900018

View file

@ -2222,15 +2222,15 @@ exit:
* *
* top means parent is a locally-trusted certificate * top means parent is a locally-trusted certificate
*/ */
static int x509_crt_check_parent( const mbedtls_x509_crt_sig_info *child_sig, static int x509_crt_check_parent( const mbedtls_x509_crt_sig_info *sig_info,
const mbedtls_x509_crt *parent, const mbedtls_x509_crt_frame *parent,
int top ) int top )
{ {
int need_ca_bit; int need_ca_bit;
/* Parent must be the issuer */ /* Parent must be the issuer */
if( mbedtls_x509_name_cmp_raw( &child_sig->issuer_raw, if( mbedtls_x509_name_cmp_raw( &sig_info->issuer_raw,
&parent->subject_raw_no_hdr, &parent->subject_raw,
NULL, NULL ) != 0 ) NULL, NULL ) != 0 )
{ {
return( -1 ); return( -1 );
@ -2248,7 +2248,8 @@ static int x509_crt_check_parent( const mbedtls_x509_crt_sig_info *child_sig,
#if defined(MBEDTLS_X509_CHECK_KEY_USAGE) #if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
if( need_ca_bit && if( need_ca_bit &&
mbedtls_x509_crt_check_key_usage( parent, MBEDTLS_X509_KU_KEY_CERT_SIGN ) != 0 ) x509_crt_check_key_usage_frame( parent,
MBEDTLS_X509_KU_KEY_CERT_SIGN ) != 0 )
{ {
return( -1 ); return( -1 );
} }
@ -2376,7 +2377,7 @@ static int x509_crt_find_parent_in(
mbedtls_x509_crt_restart_ctx *rs_ctx ) mbedtls_x509_crt_restart_ctx *rs_ctx )
{ {
int ret; int ret;
mbedtls_x509_crt *parent, *fallback_parent; mbedtls_x509_crt *parent_crt, *fallback_parent;
int signature_is_good, fallback_signature_is_good; int signature_is_good, fallback_signature_is_good;
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
@ -2384,7 +2385,7 @@ static int x509_crt_find_parent_in(
if( rs_ctx != NULL && rs_ctx->parent != NULL ) if( rs_ctx != NULL && rs_ctx->parent != NULL )
{ {
/* restore saved state */ /* restore saved state */
parent = rs_ctx->parent; parent_crt = rs_ctx->parent;
fallback_parent = rs_ctx->fallback_parent; fallback_parent = rs_ctx->fallback_parent;
fallback_signature_is_good = rs_ctx->fallback_signature_is_good; fallback_signature_is_good = rs_ctx->fallback_signature_is_good;
@ -2401,7 +2402,8 @@ static int x509_crt_find_parent_in(
fallback_parent = NULL; fallback_parent = NULL;
fallback_signature_is_good = 0; fallback_signature_is_good = 0;
for( parent = candidates; parent != NULL; parent = parent->next ) for( parent_crt = candidates; parent_crt != NULL;
parent_crt = parent_crt->next )
{ {
int parent_valid, parent_match, path_len_ok; int parent_valid, parent_match, path_len_ok;
@ -2410,35 +2412,45 @@ check_signature:
#endif #endif
parent_valid = parent_match = path_len_ok = 0; parent_valid = parent_match = path_len_ok = 0;
if( mbedtls_x509_time_is_past( &parent->valid_from ) &&
mbedtls_x509_time_is_future( &parent->valid_to ) )
{ {
parent_valid = 1; mbedtls_x509_crt_frame *parent;
}
/* basic parenting skills (name, CA bit, key usage) */ ret = x509_crt_frame_acquire( parent_crt, &parent );
if( x509_crt_check_parent( child_sig, parent, top ) == 0 ) if( ret != 0 )
parent_match = 1; return( MBEDTLS_ERR_X509_FATAL_ERROR );
/* +1 because stored max_pathlen is 1 higher that the actual value */ if( mbedtls_x509_time_is_past( &parent->valid_from ) &&
if( !( parent->max_pathlen > 0 && mbedtls_x509_time_is_future( &parent->valid_to ) )
(size_t) parent->max_pathlen < 1 + path_cnt - self_cnt ) ) {
{ parent_valid = 1;
path_len_ok = 1; }
/* basic parenting skills (name, CA bit, key usage) */
if( x509_crt_check_parent( child_sig, parent, top ) == 0 )
parent_match = 1;
/* +1 because the stored max_pathlen is 1 higher
* than the actual value */
if( !( parent->max_pathlen > 0 &&
(size_t) parent->max_pathlen < 1 + path_cnt - self_cnt ) )
{
path_len_ok = 1;
}
x509_crt_frame_release( parent_crt, parent );
} }
if( parent_match == 0 || path_len_ok == 0 ) if( parent_match == 0 || path_len_ok == 0 )
continue; continue;
/* Signature */ /* Signature */
ret = x509_crt_check_signature( child_sig, parent, rs_ctx ); ret = x509_crt_check_signature( child_sig, parent_crt, rs_ctx );
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
if( rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS ) if( rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
{ {
/* save state */ /* save state */
rs_ctx->parent = parent; rs_ctx->parent = parent_crt;
rs_ctx->fallback_parent = fallback_parent; rs_ctx->fallback_parent = fallback_parent;
rs_ctx->fallback_signature_is_good = fallback_signature_is_good; rs_ctx->fallback_signature_is_good = fallback_signature_is_good;
@ -2457,7 +2469,7 @@ check_signature:
{ {
if( fallback_parent == NULL ) if( fallback_parent == NULL )
{ {
fallback_parent = parent; fallback_parent = parent_crt;
fallback_signature_is_good = signature_is_good; fallback_signature_is_good = signature_is_good;
} }
@ -2467,9 +2479,9 @@ check_signature:
break; break;
} }
if( parent != NULL ) if( parent_crt != NULL )
{ {
*r_parent = parent; *r_parent = parent_crt;
*r_signature_is_good = signature_is_good; *r_signature_is_good = signature_is_good;
} }
else else