yuzu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2025-04-29 21:16:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

Make the ver_chain length explicit

Browse source
This commit is contained in:
Manuel Pégourié-Gonnard 2017-07-05 17:36:47 +02:00
parent a707e1d1ef
commit 505c3953c7
1 changed files with 14 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

23
library/x509_crt.c
View file

@ -2086,22 +2086,25 @@ static int x509_crt_verify_chain(
mbedtls_x509_crt *trust_ca, mbedtls_x509_crt *trust_ca,
mbedtls_x509_crl *ca_crl, mbedtls_x509_crl *ca_crl,
const mbedtls_x509_crt_profile *profile, const mbedtls_x509_crt_profile *profile,
x509_crt_verify_chain_item ver_chain[X509_MAX_VERIFY_CHAIN_SIZE] ) x509_crt_verify_chain_item ver_chain[X509_MAX_VERIFY_CHAIN_SIZE],
size_t *chain_len )
{ {
uint32_t *flags; uint32_t *flags;
mbedtls_x509_crt *child; mbedtls_x509_crt *child;
mbedtls_x509_crt *parent; mbedtls_x509_crt *parent;
int parent_is_trusted = 0; int parent_is_trusted = 0;
int child_is_trusted = 0; int child_is_trusted = 0;
int path_cnt = 0; int path_cnt = 0; /* like chain_len but not updated at the same time */
int self_cnt = 0; int self_cnt = 0;
child = crt; child = crt;
*chain_len = 0;
while( 1 ) { while( 1 ) {
/* Add certificate to the verification chain */ /* Add certificate to the verification chain */
ver_chain[path_cnt].crt = child; ver_chain[path_cnt].crt = child;
flags = &ver_chain[path_cnt].flags; flags = &ver_chain[path_cnt].flags;
++*chain_len;
/* Check time-validity (all certificates) */ /* Check time-validity (all certificates) */
if( mbedtls_x509_time_is_past( &child->valid_to ) ) if( mbedtls_x509_time_is_past( &child->valid_to ) )
@ -2245,18 +2248,16 @@ static void x509_crt_verify_name( const mbedtls_x509_crt *crt,
static int x509_crt_merge_flags_with_cb( static int x509_crt_merge_flags_with_cb(
uint32_t *flags, uint32_t *flags,
x509_crt_verify_chain_item ver_chain[X509_MAX_VERIFY_CHAIN_SIZE], x509_crt_verify_chain_item ver_chain[X509_MAX_VERIFY_CHAIN_SIZE],
size_t chain_len,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy ) void *p_vrfy )
{ {
int ret; int ret;
size_t i, j; size_t i;
uint32_t cur_flags; uint32_t cur_flags;
for( i = X509_MAX_VERIFY_CHAIN_SIZE; i != 0; --i ) for( i = chain_len; i != 0; --i )
{ {
if( ver_chain[i-1].crt == NULL )
continue;
cur_flags = ver_chain[i-1].flags; cur_flags = ver_chain[i-1].flags;
if( NULL != f_vrfy ) if( NULL != f_vrfy )
@ -2302,10 +2303,12 @@ int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
int ret; int ret;
mbedtls_pk_type_t pk_type; mbedtls_pk_type_t pk_type;
x509_crt_verify_chain_item ver_chain[X509_MAX_VERIFY_CHAIN_SIZE]; x509_crt_verify_chain_item ver_chain[X509_MAX_VERIFY_CHAIN_SIZE];
size_t chain_len;
uint32_t *ee_flags = &ver_chain[0].flags; uint32_t *ee_flags = &ver_chain[0].flags;
*flags = 0; *flags = 0;
memset( ver_chain, 0, sizeof( ver_chain ) ); memset( ver_chain, 0, sizeof( ver_chain ) );
chain_len = 0;
if( profile == NULL ) if( profile == NULL )
{ {
@ -2327,12 +2330,14 @@ int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
*ee_flags |= MBEDTLS_X509_BADCERT_BAD_KEY; *ee_flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
/* Check the chain */ /* Check the chain */
ret = x509_crt_verify_chain( crt, trust_ca, ca_crl, profile, ver_chain ); ret = x509_crt_verify_chain( crt, trust_ca, ca_crl, profile,
ver_chain, &chain_len );
if( ret != 0 ) if( ret != 0 )
goto exit; goto exit;
/* Build final flags, calling callback on the way if any */ /* Build final flags, calling callback on the way if any */
ret = x509_crt_merge_flags_with_cb( flags, ver_chain, f_vrfy, p_vrfy ); ret = x509_crt_merge_flags_with_cb( flags,
ver_chain, chain_len, f_vrfy, p_vrfy );
exit: exit:
/* prevent misuse of the vrfy callback - VERIFY_FAILED would be ignored by /* prevent misuse of the vrfy callback - VERIFY_FAILED would be ignored by