yuzu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2025-06-01 16:30:15 +00:00
Code Issues Packages Projects Releases Wiki Activity

Make use of raw comparison function in CRT verification

Browse source 
This commit replaces the previous calls to `mbedtls_x509_name_cmp()`
during CRT verification (to match child and parent, to check whether
a CRT is self-issued, and to match CRLs and CAs) by calls to the new
`mbedtls_x509_name_cmp_raw()` using the raw ASN.1 data; it passes the
raw buffers introduced in the last commits.

The previous name comparison function mbedtls_x509_name_cmp() is now
both unused and unneeded, and is removed.
This commit is contained in:
Hanno Becker 2019-02-21 13:58:38 +00:00
parent f8a42862b7
commit 7dee12a38c
3 changed files with 22 additions and 42 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
include/mbedtls/x509.h
View file

@ -312,8 +312,6 @@ int mbedtls_x509_get_time( unsigned char **p, const unsigned char *end,
mbedtls_x509_time *t ); mbedtls_x509_time *t );
int mbedtls_x509_get_serial( unsigned char **p, const unsigned char *end, int mbedtls_x509_get_serial( unsigned char **p, const unsigned char *end,
mbedtls_x509_buf *serial ); mbedtls_x509_buf *serial );
int mbedtls_x509_name_cmp( const mbedtls_x509_name *a,
const mbedtls_x509_name *b );
int mbedtls_x509_name_cmp_raw( const mbedtls_x509_buf_raw *a, int mbedtls_x509_name_cmp_raw( const mbedtls_x509_buf_raw *a,
const mbedtls_x509_buf_raw *b ); const mbedtls_x509_buf_raw *b );
int mbedtls_x509_memcasecmp( const void *s1, const void *s2, size_t len ); int mbedtls_x509_memcasecmp( const void *s1, const void *s2, size_t len );

46
library/x509.c
View file

@ -541,48 +541,22 @@ static int x509_string_cmp( const mbedtls_x509_buf *a,
} }
/* /*
* Compare two X.509 Names (aka rdnSequence). * Compare two X.509 Names (aka rdnSequence) given as raw ASN.1 data.
* *
* See RFC 5280 section 7.1, though we don't implement the whole algorithm: * See RFC 5280 section 7.1, though we don't implement the whole algorithm:
* we sometimes return unequal when the full algorithm would return equal, * We sometimes return unequal when the full algorithm would return equal,
* but never the other way. (In particular, we don't do Unicode normalisation * but never the other way. (In particular, we don't do Unicode normalisation
* or space folding.) * or space folding.)
* *
* Return 0 if equal, -1 otherwise. * Returns:
* - 0 if both sequences are well-formed and present the same X.509 name.
* - 1 if a difference was detected.
* - A negative error code if a parsing error occurred in either
* of the two buffers.
*
* This function can be used to verify that a buffer contains a well-formed
* ASN.1 encoded X.509 name by calling it with equal parameters.
*/ */
int mbedtls_x509_name_cmp( const mbedtls_x509_name *a,
const mbedtls_x509_name *b )
{
/* Avoid recursion, it might not be optimised by the compiler */
while( a != NULL || b != NULL )
{
if( a == NULL || b == NULL )
return( -1 );
/* type */
if( a->oid.tag != b->oid.tag ||
a->oid.len != b->oid.len ||
memcmp( a->oid.p, b->oid.p, b->oid.len ) != 0 )
{
return( -1 );
}
/* value */
if( x509_string_cmp( &a->val, &b->val ) != 0 )
return( -1 );
/* structure of the list of sets */
if( a->next_merged != b->next_merged )
return( -1 );
a = a->next;
b = b->next;
}
/* a == NULL == b */
return( 0 );
}
int mbedtls_x509_name_cmp_raw( mbedtls_x509_buf_raw const *a, int mbedtls_x509_name_cmp_raw( mbedtls_x509_buf_raw const *a,
mbedtls_x509_buf_raw const *b ) mbedtls_x509_buf_raw const *b )
{ {

16
library/x509_crt.c
View file

@ -1746,7 +1746,8 @@ static int x509_crt_verifycrl( mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
while( crl_list != NULL ) while( crl_list != NULL )
{ {
if( crl_list->version == 0 || if( crl_list->version == 0 ||
mbedtls_x509_name_cmp( &crl_list->issuer, &ca->subject ) != 0 ) mbedtls_x509_name_cmp_raw( &crl_list->issuer_raw_no_hdr,
&ca->subject_raw_no_hdr ) != 0 )
{ {
crl_list = crl_list->next; crl_list = crl_list->next;
continue; continue;
@ -1867,8 +1868,11 @@ static int x509_crt_check_parent( const mbedtls_x509_crt *child,
int need_ca_bit; int need_ca_bit;
/* Parent must be the issuer */ /* Parent must be the issuer */
if( mbedtls_x509_name_cmp( &child->issuer, &parent->subject ) != 0 ) if( mbedtls_x509_name_cmp_raw( &child->issuer_raw_no_hdr,
&parent->subject_raw_no_hdr ) != 0 )
{
return( -1 ); return( -1 );
}
/* Parent must have the basicConstraints CA bit set as a general rule */ /* Parent must have the basicConstraints CA bit set as a general rule */
need_ca_bit = 1; need_ca_bit = 1;
@ -2133,8 +2137,11 @@ static int x509_crt_check_ee_locally_trusted(
mbedtls_x509_crt *cur; mbedtls_x509_crt *cur;
/* must be self-issued */ /* must be self-issued */
if( mbedtls_x509_name_cmp( &crt->issuer, &crt->subject ) != 0 ) if( mbedtls_x509_name_cmp_raw( &crt->issuer_raw_no_hdr,
&crt->subject_raw_no_hdr ) != 0 )
{
return( -1 ); return( -1 );
}
/* look for an exact match with trusted cert */ /* look for an exact match with trusted cert */
for( cur = trust_ca; cur != NULL; cur = cur->next ) for( cur = trust_ca; cur != NULL; cur = cur->next )
@ -2298,7 +2305,8 @@ find_parent:
* These can occur with some strategies for key rollover, see [SIRO], * These can occur with some strategies for key rollover, see [SIRO],
* and should be excluded from max_pathlen checks. */ * and should be excluded from max_pathlen checks. */
if( ver_chain->len != 1 && if( ver_chain->len != 1 &&
mbedtls_x509_name_cmp( &child->issuer, &child->subject ) == 0 ) mbedtls_x509_name_cmp_raw( &child->issuer_raw_no_hdr,
&child->subject_raw_no_hdr ) == 0 )
{ {
self_cnt++; self_cnt++;
} }