yuzu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2025-06-20 18:48:01 +00:00
Code Issues Packages Projects Releases Wiki Activity

Move one special case from verify_top() to child()

Browse source
This commit is contained in:
Manuel Pégourié-Gonnard 2017-07-03 22:51:07 +02:00
parent 66fac75f8b
commit b9983be73a
1 changed files with 7 additions and 16 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

23
library/x509_crt.c
View file

@ -2000,15 +2000,12 @@ static mbedtls_x509_crt *x509_crt_find_parent( mbedtls_x509_crt *child,
* See comments for mbedtls_x509_crt_verify_with_profile() * See comments for mbedtls_x509_crt_verify_with_profile()
* (also for notation used belowe) * (also for notation used belowe)
* *
* This function is called in two cases: * This function is called in one circumstance with two sub-cases:
* - child was found to have a parent in trusted roots, in which case we're * - child was found to have a parent in trusted roots, in which case we're
* called with trust_ca pointing directly to that parent (not the full list) * called with trust_ca pointing directly to that parent (not the full list)
* - this happens in cases 1, 2 and 3 of the comment on verify() * - this happens in cases 1, 2 and 3 of the comment on verify()
* - case 1 is special as child and trust_ca point to copies of the same * - case 1 is special as child and trust_ca point to copies of the same
* certificate then * certificate then
* - child was found to have no parent either in the chain or in trusted CAs,
* in which case we're called with trust_ca set to NULL
* - this is cases 4 and 5 of the comment on verify()
* *
* For historical reasons, the function currently does not assume that * For historical reasons, the function currently does not assume that
* trust_ca points directly to the right root in the first case, so it always * trust_ca points directly to the right root in the first case, so it always
@ -2027,14 +2024,7 @@ static int x509_crt_verify_top(
(void) self_cnt; (void) self_cnt;
/* Special case #1: no root, stop here */ /* Special case: child == trust_ca: trust and that's it */
if( trust_ca == NULL )
{
*flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED;
goto callback;
}
/* Special case #2: child == trust_ca: trust and that's it */
if( child->raw.len == trust_ca->raw.len && if( child->raw.len == trust_ca->raw.len &&
memcmp( child->raw.p, trust_ca->raw.p, child->raw.len ) == 0 ) memcmp( child->raw.p, trust_ca->raw.p, child->raw.len ) == 0 )
{ {
@ -2127,11 +2117,11 @@ static int x509_crt_verify_child(
/* Look for a parent upwards the chain */ /* Look for a parent upwards the chain */
parent = x509_crt_find_parent( child, child->next, 0, path_cnt, 0 ); parent = x509_crt_find_parent( child, child->next, 0, path_cnt, 0 );
/* No parent at all? Let verify_top() handle that case */ /* No parent at all? We're done here */
if( parent == NULL ) if( parent == NULL )
{ {
return( x509_crt_verify_top( child, NULL, ca_crl, profile, *flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED;
path_cnt, self_cnt, flags, f_vrfy, p_vrfy ) ); goto callback;
} }
/* Counting intermediate self-issued (not necessarily self-signed) certs /* Counting intermediate self-issued (not necessarily self-signed) certs
@ -2164,7 +2154,8 @@ static int x509_crt_verify_child(
if( ret != 0 ) if( ret != 0 )
return( ret ); return( ret );
/* child is verified to be a child of the parent, call verify callback */ callback:
/* chain upwards of child done, call callback on child */
if( NULL != f_vrfy ) if( NULL != f_vrfy )
if( ( ret = f_vrfy( p_vrfy, child, path_cnt, flags ) ) != 0 ) if( ( ret = f_vrfy( p_vrfy, child, path_cnt, flags ) ) != 0 )
return( ret ); return( ret );