mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2025-03-22 18:15:14 +00:00
Add abort condition callback to mbedtls_x509_name_cmp_raw()
There are three operations that need to be performed on an X.509 name: 1 Initial traversal to check well-formedness of the ASN.1 structure. 2 Comparison between two X.509 name sequences. 3 Checking whether an X.509 name matches a client's ServerName request. Each of these tasks involves traversing the nested ASN.1 structure, In the interest of saving code, we aim to provide a single function which can perform all of the above tasks. The existing comparison function is already suitable not only for task 2, but also for 1: One can simply pass two equal ASN.1 name buffers, in which case the function will succeed if and only if that buffer is a well-formed ASN.1 name. This commit further adds a callback to `mbedtls_x509_name_cmp_raw()` which is called after each successful step in the simultaneous name traversal and comparison; it may perform any operation on the current name and potentially signal that the comparison should be aborted. With that, task 3 can be implemented by passing equal names and a callback which aborts as soon as it finds the desired name component.
This commit is contained in:
parent
7dee12a38c
commit
67284cce00
|
@ -312,8 +312,12 @@ int mbedtls_x509_get_time( unsigned char **p, const unsigned char *end,
|
|||
mbedtls_x509_time *t );
|
||||
int mbedtls_x509_get_serial( unsigned char **p, const unsigned char *end,
|
||||
mbedtls_x509_buf *serial );
|
||||
int mbedtls_x509_name_cmp_raw( const mbedtls_x509_buf_raw *a,
|
||||
const mbedtls_x509_buf_raw *b );
|
||||
int mbedtls_x509_name_cmp_raw( mbedtls_x509_buf_raw const *a,
|
||||
mbedtls_x509_buf_raw const *b,
|
||||
int (*check)( void *ctx,
|
||||
mbedtls_x509_buf *oid,
|
||||
mbedtls_x509_buf *val ),
|
||||
void *check_ctx );
|
||||
int mbedtls_x509_memcasecmp( const void *s1, const void *s2, size_t len );
|
||||
int mbedtls_x509_get_ext( unsigned char **p, const unsigned char *end,
|
||||
mbedtls_x509_buf *ext, int tag );
|
||||
|
|
|
@ -548,9 +548,16 @@ static int x509_string_cmp( const mbedtls_x509_buf *a,
|
|||
* but never the other way. (In particular, we don't do Unicode normalisation
|
||||
* or space folding.)
|
||||
*
|
||||
* Further, this function allows to pass a callback to be triggered for every
|
||||
* pair of well-formed and equal entries in the two input name lists.
|
||||
*
|
||||
* Returns:
|
||||
* - 0 if both sequences are well-formed and present the same X.509 name.
|
||||
* - 1 if a difference was detected.
|
||||
* - 0 if both sequences are well-formed, present the same X.509 name,
|
||||
* and the callback (if provided) hasn't returned a non-zero value
|
||||
* on any of the name components.
|
||||
* - 1 if a difference was detected in the name components.
|
||||
* - A non-zero error code if the abort callback returns a non-zero value.
|
||||
* In this case, the returned error code is the error code from the callback.
|
||||
* - A negative error code if a parsing error occurred in either
|
||||
* of the two buffers.
|
||||
*
|
||||
|
@ -558,7 +565,11 @@ static int x509_string_cmp( const mbedtls_x509_buf *a,
|
|||
* ASN.1 encoded X.509 name by calling it with equal parameters.
|
||||
*/
|
||||
int mbedtls_x509_name_cmp_raw( mbedtls_x509_buf_raw const *a,
|
||||
mbedtls_x509_buf_raw const *b )
|
||||
mbedtls_x509_buf_raw const *b,
|
||||
int (*abort_check)( void *ctx,
|
||||
mbedtls_x509_buf *oid,
|
||||
mbedtls_x509_buf *val ),
|
||||
void *abort_check_ctx )
|
||||
{
|
||||
int ret;
|
||||
|
||||
|
@ -597,6 +608,13 @@ int mbedtls_x509_name_cmp_raw( mbedtls_x509_buf_raw const *a,
|
|||
if( ( set_a == p_a ) != ( set_b == p_b ) )
|
||||
return( 1 );
|
||||
|
||||
if( abort_check != NULL )
|
||||
{
|
||||
ret = abort_check( abort_check_ctx, &oid_a, &val_a );
|
||||
if( ret != 0 )
|
||||
return( ret );
|
||||
}
|
||||
|
||||
if( p_a == end_a && p_b == end_b )
|
||||
break;
|
||||
}
|
||||
|
|
|
@ -1747,7 +1747,8 @@ static int x509_crt_verifycrl( mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
|
|||
{
|
||||
if( crl_list->version == 0 ||
|
||||
mbedtls_x509_name_cmp_raw( &crl_list->issuer_raw_no_hdr,
|
||||
&ca->subject_raw_no_hdr ) != 0 )
|
||||
&ca->subject_raw_no_hdr,
|
||||
NULL, NULL ) != 0 )
|
||||
{
|
||||
crl_list = crl_list->next;
|
||||
continue;
|
||||
|
@ -1869,7 +1870,8 @@ static int x509_crt_check_parent( const mbedtls_x509_crt *child,
|
|||
|
||||
/* Parent must be the issuer */
|
||||
if( mbedtls_x509_name_cmp_raw( &child->issuer_raw_no_hdr,
|
||||
&parent->subject_raw_no_hdr ) != 0 )
|
||||
&parent->subject_raw_no_hdr,
|
||||
NULL, NULL ) != 0 )
|
||||
{
|
||||
return( -1 );
|
||||
}
|
||||
|
@ -2138,7 +2140,8 @@ static int x509_crt_check_ee_locally_trusted(
|
|||
|
||||
/* must be self-issued */
|
||||
if( mbedtls_x509_name_cmp_raw( &crt->issuer_raw_no_hdr,
|
||||
&crt->subject_raw_no_hdr ) != 0 )
|
||||
&crt->subject_raw_no_hdr,
|
||||
NULL, NULL ) != 0 )
|
||||
{
|
||||
return( -1 );
|
||||
}
|
||||
|
@ -2306,7 +2309,8 @@ find_parent:
|
|||
* and should be excluded from max_pathlen checks. */
|
||||
if( ver_chain->len != 1 &&
|
||||
mbedtls_x509_name_cmp_raw( &child->issuer_raw_no_hdr,
|
||||
&child->subject_raw_no_hdr ) == 0 )
|
||||
&child->subject_raw_no_hdr,
|
||||
NULL, NULL ) == 0 )
|
||||
{
|
||||
self_cnt++;
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue