Make use of abort condition callback in CN comparison

The previous CN name comparison function x509_crt_verify_name()
traversed the dynamically allocated linked list presentation of
the CRT's subject, comparing each entry to the desired hostname
configured by the application code.

Eventually, we want to get rid of the linked list presentation of
the CRT's subject to save both code and RAM usage, and hence need
to rewrite the CN verification routine in a way that builds on the
raw ASN.1 subject data only.

In order to avoid duplicating the code for the parsing of the nested
ASN.1 name structure, this commit performs the name search by using
the existing name traversal function mbedtls_x509_name_cmp_raw(),
passing to it a callback which checks whether the current name
component matches the desired hostname.
This commit is contained in:
Hanno Becker 2019-02-21 11:50:44 +00:00
parent 67284cce00
commit 8b543b3ca8

View file

@ -2369,6 +2369,26 @@ static int x509_crt_check_cn( const mbedtls_x509_buf *name,
return( -1 );
}
/* Returns 1 on a match and 0 on a mismatch.
* This is because this function is used as a callback for
* mbedtls_x509_name_cmp_raw(), which continues the name
* traversal as long as the callback returns 0. */
static int x509_crt_check_name( void *ctx,
mbedtls_x509_buf *oid,
mbedtls_x509_buf *val )
{
char const *cn = (char const*) ctx;
size_t cn_len = strlen( cn );
if( MBEDTLS_OID_CMP( MBEDTLS_OID_AT_CN, oid ) == 0 &&
x509_crt_check_cn( val, cn, cn_len ) == 0 )
{
return( 1 );
}
return( 0 );
}
/*
* Verify the requested CN - only call this if cn is not NULL!
*/
@ -2376,7 +2396,6 @@ static void x509_crt_verify_name( const mbedtls_x509_crt *crt,
const char *cn,
uint32_t *flags )
{
const mbedtls_x509_name *name;
const mbedtls_x509_sequence *cur;
size_t cn_len = strlen( cn );
@ -2393,16 +2412,11 @@ static void x509_crt_verify_name( const mbedtls_x509_crt *crt,
}
else
{
for( name = &crt->subject; name != NULL; name = name->next )
{
if( MBEDTLS_OID_CMP( MBEDTLS_OID_AT_CN, &name->oid ) == 0 &&
x509_crt_check_cn( &name->val, cn, cn_len ) == 0 )
{
break;
}
}
if( name == NULL )
int ret;
ret = mbedtls_x509_name_cmp_raw( &crt->subject_raw_no_hdr,
&crt->subject_raw_no_hdr,
x509_crt_check_name, (void*) cn );
if( ret != 1 )
*flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
}
}