Re-implement verify chain if vrfy cbs are disabled

This commit re-implements the previously introduced internal verification chain API in the case where verification callbacks are disabled. In this situation, it is not necessary to maintain the list of individual certificates and flags comprising the verification chain - instead, it suffices to just keep track of the length and the total (=merged) flags.
2025-03-23 06:35:08 +00:00 · 2019-08-16 17:18:15 +01:00 · 2019-08-16 17:18:15 +01:00 · 8d6d320603
parent adc282a5e8
commit 8d6d320603
2 changed files with 70 additions and 0 deletions
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@ -214,6 +214,8 @@ typedef struct mbedtls_x509write_cert
 mbedtls_x509write_cert;
 #endif /* MBEDTLS_X509_CRT_WRITE_C */

+#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
+
 /**
 * Item in a verification chain: cert and flags for it
 */
@ -236,6 +238,16 @@ typedef struct
    unsigned len;
 } mbedtls_x509_crt_verify_chain;

+#else /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
+
+typedef struct
+{
+    unsigned len;
+    uint32_t flags;
+} mbedtls_x509_crt_verify_chain;
+
+#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
+
 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)

 /**
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@ -3185,6 +3185,8 @@ static int x509_crt_check_ee_locally_trusted(
    return( -1 );
 }

+#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
+
 /*
 * Reset (init or clear) a verify_chain
 */
@ -3261,6 +3263,62 @@ static unsigned x509_crt_verify_chain_len(
    return( chain->len );
 }

+#else
+
+/*
+ * Reset (init or clear) a verify_chain
+ */
+static void x509_crt_verify_chain_reset(
+    mbedtls_x509_crt_verify_chain *ver_chain )
+{
+    ver_chain->len   = 0;
+    ver_chain->flags = 0;
+}
+
+/*
+ * Merge the flags for all certs in the chain, after calling callback
+ */
+static int x509_crt_verify_chain_get_flags(
+           const mbedtls_x509_crt_verify_chain *ver_chain,
+           uint32_t *flags,
+           int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+           void *p_vrfy )
+{
+    ((void) f_vrfy);
+    ((void) p_vrfy);
+    *flags = ver_chain->flags;
+    return( 0 );
+}
+
+static void x509_crt_verify_chain_add_ee_flags(
+    mbedtls_x509_crt_verify_chain *chain,
+    uint32_t ee_flags )
+{
+    chain->flags |= ee_flags;
+}
+
+static void x509_crt_verify_chain_add_crt(
+    mbedtls_x509_crt_verify_chain *chain,
+    mbedtls_x509_crt *crt )
+{
+    ((void) crt);
+    chain->len++;
+}
+
+static uint32_t* x509_crt_verify_chain_get_cur_flags(
+    mbedtls_x509_crt_verify_chain *chain )
+{
+    return( &chain->flags );
+}
+
+static unsigned x509_crt_verify_chain_len(
+    mbedtls_x509_crt_verify_chain const *chain )
+{
+    return( chain->len );
+}
+
+#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
+
 /*
 * Build and verify a certificate chain
 *