From 8d6d3206036e2017cdccf638bc46a2b2e5e00d66 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Fri, 16 Aug 2019 17:18:15 +0100
Subject: [PATCH] Re-implement verify chain if vrfy cbs are disabled

This commit re-implements the previously introduced internal verification chain API in the case where verification callbacks are disabled. In this situation, it is not necessary to maintain the list of individual certificates and flags comprising the verification chain - instead, it suffices to just keep track of the length and the total (=merged) flags.
---
 include/mbedtls/x509_crt.h | 12 ++++++++
 library/x509_crt.c | 58 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 70 insertions(+)

diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index e90f6a09a..aa0ec9749 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -214,6 +214,8 @@ typedef struct mbedtls_x509write_cert mbedtls_x509write_cert;
 
 #endif /* MBEDTLS_X509_CRT_WRITE_C */
 
+#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
+
 /**
  * Item in a verification chain: cert and flags for it
  */
@@ -236,6 +238,16 @@ typedef struct
     unsigned len;
 } mbedtls_x509_crt_verify_chain;
 
+#else /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
+
+typedef struct
+{
+    unsigned len;
+    uint32_t flags;
+} mbedtls_x509_crt_verify_chain;
+
+#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
+
 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
 
 /**
diff --git a/library/x509_crt.c b/library/x509_crt.c
index a04e33ccb..5f2af7fcb 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -3185,6 +3185,8 @@ static int x509_crt_check_ee_locally_trusted(
     return( -1 );
 }
 
+#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
+
 /*
  * Reset (init or clear) a verify_chain
  */
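Review bot: The new `mbedtls_x509_crt_verify_chain` definition in the `#else /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */` branch of include/mbedtls/x509_crt.h has no documentation, while the callback-enabled item type right above it carries a `/** ... */` comment. Because `len` and `flags` mean something different here than in the array-based type — a bare depth counter and the flags merged over every certificate, with no per-certificate record — a reader of the public header cannot tell this from the two fields alone. I would put `/** Verification chain when verify callbacks are removed: only the chain length and the flags merged over all its certificates are kept, there are no per-cert items. */` on the typedef and a short `/**< ... */` on each field. The closing comments also differ between the two files (`#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */` here versus `#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */` in library/x509_crt.c); minor, but worth aligning.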
@@ -3261,6 +3263,62 @@ static unsigned x509_crt_verify_chain_len(
     return( chain->len );
 }
 
+#else
+
+/*
+ * Reset (init or clear) a verify_chain
+ */
+static void x509_crt_verify_chain_reset(
+    mbedtls_x509_crt_verify_chain *ver_chain )
+{
+    ver_chain->len = 0;
+    ver_chain->flags = 0;
+}
+
+/*
+ * Merge the flags for all certs in the chain, after calling callback
+ */
+static int x509_crt_verify_chain_get_flags(
+    const mbedtls_x509_crt_verify_chain *ver_chain,
+    uint32_t *flags,
+    int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+    void *p_vrfy )
+{
+    ((void) f_vrfy);
+    ((void) p_vrfy);
+    *flags = ver_chain->flags;
+    return( 0 );
+}
+
+static void x509_crt_verify_chain_add_ee_flags(
+    mbedtls_x509_crt_verify_chain *chain,
+    uint32_t ee_flags )
+{
+    chain->flags |= ee_flags;
+}
+
+static void x509_crt_verify_chain_add_crt(
+    mbedtls_x509_crt_verify_chain *chain,
+    mbedtls_x509_crt *crt )
+{
+    ((void) crt);
+    chain->len++;
+}
+
+static uint32_t* x509_crt_verify_chain_get_cur_flags(
+    mbedtls_x509_crt_verify_chain *chain )
+{
+    return( &chain->flags );
+}
+
+static unsigned x509_crt_verify_chain_len(
+    mbedtls_x509_crt_verify_chain const *chain )
+{
+    return( chain->len );
+}
+
+#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
+
 /*
  * Build and verify a certificate chain
  *
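Review bot: The comment carried over onto `x509_crt_verify_chain_get_flags` in this `#else` branch, `Merge the flags for all certs in the chain, after calling callback`, no longer describes the function: no callback is invoked, `f_vrfy` and `p_vrfy` are explicitly discarded, and the already-merged value is simply read out of `ver_chain->flags`. I would replace it with `/* Return the merged flags. No verify callback exists in this configuration; f_vrfy/p_vrfy are accepted only so the signature matches the callback-enabled variant. */` and give `add_ee_flags`, `add_crt`, `get_cur_flags` and `len` a one-line comment each, in particular noting on `get_cur_flags` that the returned pointer aliases the chain-wide merged flags rather than a per-certificate slot. Separately, `x509_crt_verify_chain_add_crt` increments `len` with nothing bounding it; the array-based variant is naturally limited by its item storage, so if a length check lives in its `add_crt` (outside this hunk, not visible here) the callback-free build should keep the same comparison so both configurations produce identical verification results. Minor style: `static uint32_t* x509_crt_verify_chain_get_cur_flags(` binds the `*` to the type, unlike `uint32_t *flags` elsewhere in the same hunk.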