Better initialisation of ver_chain

Use dedicated function for consistency, and initialise flags to -1 as this is
the safe value.
Manuel Pégourié-Gonnard 2017-08-23 10:55:41 +02:00
parent 8b7b96bbd3
commit 83e923ba2b


@ -207,6 +207,23 @@ static int x509_profile_check_key( const mbedtls_x509_crt_profile *profile,
return( -1 ); return( -1 );
} }
/*
* Reset (init or clear) a verify_chain
*/
static void x509_crt_verify_chain_reset(
mbedtls_x509_crt_verify_chain *ver_chain )
{
size_t i;
for( i = 0; i < MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE; i++ )
{
ver_chain->items[i].crt = NULL;
ver_chain->items[i].flags = -1;
}
ver_chain->len = 0;
}
/* /*
* Version ::= INTEGER { v1(0), v2(1), v3(2) } * Version ::= INTEGER { v1(0), v2(1), v3(2) }
*/ */
@ -2258,8 +2275,9 @@ static int x509_crt_verify_chain(
/* Add certificate to the verification chain */ /* Add certificate to the verification chain */
cur = &ver_chain->items[ver_chain->len]; cur = &ver_chain->items[ver_chain->len];
cur->crt = child; cur->crt = child;
flags = &cur->flags; cur->flags = 0;
ver_chain->len++; ver_chain->len++;
flags = &cur->flags;
/* Check time-validity (all certificates) */ /* Check time-validity (all certificates) */
if( mbedtls_x509_time_is_past( &child->valid_to ) ) if( mbedtls_x509_time_is_past( &child->valid_to ) )
@ -2499,10 +2517,11 @@ int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt,
int ret; int ret;
mbedtls_pk_type_t pk_type; mbedtls_pk_type_t pk_type;
mbedtls_x509_crt_verify_chain ver_chain; mbedtls_x509_crt_verify_chain ver_chain;
uint32_t *ee_flags = &ver_chain.items[0].flags; uint32_t ee_flags;
*flags = 0; *flags = 0;
memset( &ver_chain, 0, sizeof( ver_chain ) ); ee_flags = 0;
x509_crt_verify_chain_reset( &ver_chain );
if( profile == NULL ) if( profile == NULL )
{ {
@ -2512,16 +2531,16 @@ int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt,
/* check name if requested */ /* check name if requested */
if( cn != NULL ) if( cn != NULL )
x509_crt_verify_name( crt, cn, ee_flags ); x509_crt_verify_name( crt, cn, &ee_flags );
/* Check the type and size of the key */ /* Check the type and size of the key */
pk_type = mbedtls_pk_get_type( &crt->pk ); pk_type = mbedtls_pk_get_type( &crt->pk );
if( x509_profile_check_pk_alg( profile, pk_type ) != 0 ) if( x509_profile_check_pk_alg( profile, pk_type ) != 0 )
*ee_flags |= MBEDTLS_X509_BADCERT_BAD_PK; ee_flags |= MBEDTLS_X509_BADCERT_BAD_PK;
if( x509_profile_check_key( profile, pk_type, &crt->pk ) != 0 ) if( x509_profile_check_key( profile, pk_type, &crt->pk ) != 0 )
*ee_flags |= MBEDTLS_X509_BADCERT_BAD_KEY; ee_flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
/* Check the chain */ /* Check the chain */
ret = x509_crt_verify_chain( crt, trust_ca, ca_crl, profile, ret = x509_crt_verify_chain( crt, trust_ca, ca_crl, profile,
@ -2530,6 +2549,9 @@ int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt,
if( ret != 0 ) if( ret != 0 )
goto exit; goto exit;
/* Merge end-entity flags */
ver_chain.items[0].flags |= ee_flags;
/* Build final flags, calling callback on the way if any */ /* Build final flags, calling callback on the way if any */
ret = x509_crt_merge_flags_with_cb( flags, &ver_chain, f_vrfy, p_vrfy ); ret = x509_crt_merge_flags_with_cb( flags, &ver_chain, f_vrfy, p_vrfy );
@ -2663,8 +2685,7 @@ void mbedtls_x509_crt_restart_init( mbedtls_x509_crt_restart_ctx *ctx )
ctx->child = NULL; ctx->child = NULL;
ctx->self_cnt = 0; ctx->self_cnt = 0;
memset( ctx->ver_chain.items, 0, sizeof( ctx->ver_chain.items ) ); x509_crt_verify_chain_reset( &ctx->ver_chain );
ctx->ver_chain.len = 0;
} }
/* /*
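Review bot: In the new x509_crt_verify_chain_reset, `ver_chain->items[i].flags = -1;` relies on an implicit signed-to-unsigned conversion to produce the all-bits-set value, and nothing at the assignment says why that value is chosen. The field is a uint32_t (the old `uint32_t *ee_flags = &ver_chain.items[0].flags` shows it), so `ver_chain->items[i].flags = (uint32_t) -1;` states the intent and stays quiet under sign-conversion warnings. I would also put a comment above it, for example `/* all failure bits set: a slot read before x509_crt_verify_chain() fills it fails verification */`, because the fail-safe default is the point of the change and only the commit message records it. The added `cur->flags = 0;` in x509_crt_verify_chain appears to be the one place that clears that default, so a one-line comment there saying so would help the next reader keep the two in step.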