diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h
index 152e4b683..ba7a17419 100644
--- a/include/mbedtls/x509.h
+++ b/include/mbedtls/x509.h
@@ -312,8 +312,6 @@ int mbedtls_x509_get_time( unsigned char **p, const unsigned char *end,
 mbedtls_x509_time *t );
 int mbedtls_x509_get_serial( unsigned char **p, const unsigned char *end,
 mbedtls_x509_buf *serial );
-int mbedtls_x509_name_cmp( const mbedtls_x509_name *a,
- const mbedtls_x509_name *b );
 int mbedtls_x509_name_cmp_raw( const mbedtls_x509_buf_raw *a,
 const mbedtls_x509_buf_raw *b );
 int mbedtls_x509_memcasecmp( const void *s1, const void *s2, size_t len );
diff --git a/library/x509.c b/library/x509.c
index d27c42327..f74d474a9 100644
--- a/library/x509.c
+++ b/library/x509.c
@@ -541,48 +541,22 @@ static int x509_string_cmp( const mbedtls_x509_buf *a,
 }
 
 /*
- * Compare two X.509 Names (aka rdnSequence).
+ * Compare two X.509 Names (aka rdnSequence) given as raw ASN.1 data.
 *
 * See RFC 5280 section 7.1, though we don't implement the whole algorithm:
- * we sometimes return unequal when the full algorithm would return equal,
+ * We sometimes return unequal when the full algorithm would return equal,
 * but never the other way. (In particular, we don't do Unicode normalisation
 * or space folding.)
 *
- * Return 0 if equal, -1 otherwise.
+ * Returns:
+ * - 0 if both sequences are well-formed and present the same X.509 name.
+ * - 1 if a difference was detected.
+ * - A negative error code if a parsing error occurred in either
+ * of the two buffers.
+ *
+ * This function can be used to verify that a buffer contains a well-formed
+ * ASN.1 encoded X.509 name by calling it with equal parameters.
 */
-int mbedtls_x509_name_cmp( const mbedtls_x509_name *a,
- const mbedtls_x509_name *b )
-{
- /* Avoid recursion, it might not be optimised by the compiler */
- while( a != NULL || b != NULL )
- {
- if( a == NULL || b == NULL )
- return( -1 );
-
- /* type */
- if( a->oid.tag != b->oid.tag ||
- a->oid.len != b->oid.len ||
- memcmp( a->oid.p, b->oid.p, b->oid.len ) != 0 )
- {
- return( -1 );
- }
-
- /* value */
- if( x509_string_cmp( &a->val, &b->val ) != 0 )
- return( -1 );
-
- /* structure of the list of sets */
- if( a->next_merged != b->next_merged )
- return( -1 );
-
- a = a->next;
- b = b->next;
- }
-
- /* a == NULL == b */
- return( 0 );
-}
-
 int mbedtls_x509_name_cmp_raw( mbedtls_x509_buf_raw const *a,
 mbedtls_x509_buf_raw const *b )
 {
diff --git a/library/x509_crt.c b/library/x509_crt.c
index a05ea9ff4..ad70a201b 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
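Review bot: The rewritten comment on mbedtls_x509_name_cmp_raw says the names are "given as raw ASN.1 data" but not whether the outer SEQUENCE tag and length are part of the buffer; every caller in library/x509_crt.c passes the `*_raw_no_hdr` fields, which suggests the header is expected to be absent, so the contract should say so. Suggest adding a line such as `* Both buffers must hold the Name's contents without the outer SEQUENCE header (as stored in the *_raw_no_hdr fields).` once that is confirmed against the function body, which continues past the end of this hunk. The "1 if a difference was detected" and negative-error cases should also be mirrored by the callers, which currently test only `!= 0` / `== 0` and so treat a parse error as a mismatch. Since the matching hunk in include/mbedtls/x509.h drops the mbedtls_x509_name_cmp prototype, this is a public API removal and deserves a changelog or migration note if that symbol was ever part of the supported API.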
@@ -1746,7 +1746,8 @@ static int x509_crt_verifycrl( mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
 while( crl_list != NULL )
 {
 if( crl_list->version == 0 ||
- mbedtls_x509_name_cmp( &crl_list->issuer, &ca->subject ) != 0 )
+ mbedtls_x509_name_cmp_raw( &crl_list->issuer_raw_no_hdr,
+ &ca->subject_raw_no_hdr ) != 0 )
 {
 crl_list = crl_list->next;
 continue;
@@ -1867,8 +1868,11 @@ static int x509_crt_check_parent( const mbedtls_x509_crt *child,
 int need_ca_bit;
 
 /* Parent must be the issuer */
- if( mbedtls_x509_name_cmp( &child->issuer, &parent->subject ) != 0 )
+ if( mbedtls_x509_name_cmp_raw( &child->issuer_raw_no_hdr,
+ &parent->subject_raw_no_hdr ) != 0 )
+ {
 return( -1 );
+ }
 
 /* Parent must have the basicConstraints CA bit set as a general rule */
 need_ca_bit = 1;
@@ -2133,8 +2137,11 @@ static int x509_crt_check_ee_locally_trusted(
 mbedtls_x509_crt *cur;
 
 /* must be self-issued */
- if( mbedtls_x509_name_cmp( &crt->issuer, &crt->subject ) != 0 )
+ if( mbedtls_x509_name_cmp_raw( &crt->issuer_raw_no_hdr,
+ &crt->subject_raw_no_hdr ) != 0 )
+ {
 return( -1 );
+ }
 
 /* look for an exact match with trusted cert */
 for( cur = trust_ca; cur != NULL; cur = cur->next )
@@ -2298,7 +2305,8 @@ find_parent:
 * These can occur with some strategies for key rollover, see [SIRO],
 * and should be excluded from max_pathlen checks. */
 if( ver_chain->len != 1 &&
- mbedtls_x509_name_cmp( &child->issuer, &child->subject ) == 0 )
+ mbedtls_x509_name_cmp_raw( &child->issuer_raw_no_hdr,
+ &child->subject_raw_no_hdr ) == 0 )
 {
 self_cnt++;
 }
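Review bot: In x509_crt_verifycrl the new call keeps the `!= 0` test, so the negative error code that mbedtls_x509_name_cmp_raw now documents for a parse failure in either buffer is folded into "issuer does not match" and the CRL is silently skipped, which is the lenient direction for a revocation check. The other three hunks (x509_crt_check_parent, x509_crt_check_ee_locally_trusted and the self-issued count after find_parent) fold the error the same way but err toward rejection, so they are safe as written. If the `*_raw_no_hdr` buffers always come from a Name that already parsed successfully, the error path is presumably unreachable here, but that assumption should be stated at the CRL site, e.g. `/* A negative (parse error) result is treated as "not the issuer"; the raw name was already parsed on load */`, or the `< 0` case should be checked explicitly and reported. All four enclosing functions start and end outside their hunks.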