Introduce mbedtls_x509_crt_verify_restartable()
parent
21b7719fb2
commit
bc3f44ae9c
|
@ -142,6 +142,23 @@ typedef struct mbedtls_x509write_cert
|
||||||
}
|
}
|
||||||
mbedtls_x509write_cert;
|
mbedtls_x509write_cert;
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Context for resuming X.509 verify operations
|
||||||
|
*/
|
||||||
|
typedef struct
|
||||||
|
{
|
||||||
|
mbedtls_ecdsa_restart_ctx ecdsa; /*!< ecdsa restart context */
|
||||||
|
} mbedtls_x509_crt_restart_ctx;
|
||||||
|
|
||||||
|
#else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
|
||||||
|
|
||||||
|
/* Now we can declare functions that take a pointer to that */
|
||||||
|
typedef void mbedtls_x509_crt_restart_ctx;
|
||||||
|
|
||||||
|
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
|
||||||
|
|
||||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||||
/**
|
/**
|
||||||
* Default security profile. Should provide a good balance between security
|
* Default security profile. Should provide a good balance between security
|
||||||
|
@ -352,6 +369,37 @@ int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
|
||||||
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
|
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
|
||||||
void *p_vrfy );
|
void *p_vrfy );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Restartable version of \c mbedtls_crt_verify_with_profile()
|
||||||
|
*
|
||||||
|
* \note Performs the same job as \c mbedtls_crt_verify_with_profile()
|
||||||
|
* but can return early and restart according to the limit
|
||||||
|
* set with \c mbedtls_ecp_set_max_ops() to reduce blocking.
|
||||||
|
*
|
||||||
|
* \param crt a certificate (chain) to be verified
|
||||||
|
* \param trust_ca the list of trusted CAs
|
||||||
|
* \param ca_crl the list of CRLs for trusted CAs
|
||||||
|
* \param profile security profile for verification
|
||||||
|
* \param cn expected Common Name (can be set to
|
||||||
|
* NULL if the CN must not be verified)
|
||||||
|
* \param flags result of the verification
|
||||||
|
* \param f_vrfy verification function
|
||||||
|
* \param p_vrfy verification parameter
|
||||||
|
* \param rs_ctx resart context
|
||||||
|
*
|
||||||
|
* \return See \c mbedtls_crt_verify_with_profile(), or
|
||||||
|
* MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
|
||||||
|
* operations was reached: see \c mbedtls_ecp_set_max_ops().
|
||||||
|
*/
|
||||||
|
int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt,
|
||||||
|
mbedtls_x509_crt *trust_ca,
|
||||||
|
mbedtls_x509_crl *ca_crl,
|
||||||
|
const mbedtls_x509_crt_profile *profile,
|
||||||
|
const char *cn, uint32_t *flags,
|
||||||
|
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
|
||||||
|
void *p_vrfy,
|
||||||
|
mbedtls_x509_crt_restart_ctx *rs_ctx );
|
||||||
|
|
||||||
#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
|
#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
|
||||||
/**
|
/**
|
||||||
* \brief Check usage of certificate against keyUsage extension.
|
* \brief Check usage of certificate against keyUsage extension.
|
||||||
|
@ -422,6 +470,18 @@ void mbedtls_x509_crt_init( mbedtls_x509_crt *crt );
|
||||||
* \param crt Certificate chain to free
|
* \param crt Certificate chain to free
|
||||||
*/
|
*/
|
||||||
void mbedtls_x509_crt_free( mbedtls_x509_crt *crt );
|
void mbedtls_x509_crt_free( mbedtls_x509_crt *crt );
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
|
||||||
|
/**
|
||||||
|
* \brief Initialize a restart context
|
||||||
|
*/
|
||||||
|
void mbedtls_x509_crt_restart_init( mbedtls_x509_crt_restart_ctx *ctx );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Free the components of a restart context
|
||||||
|
*/
|
||||||
|
void mbedtls_x509_crt_restart_free( mbedtls_x509_crt_restart_ctx *ctx );
|
||||||
|
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
|
||||||
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||||
|
|
||||||
/* \} name */
|
/* \} name */
|
||||||
|
|
|
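Review bot: The documentation block for `mbedtls_x509_crt_verify_restartable()` never says that `rs_ctx` may be NULL, although the two non-restartable wrappers in the implementation part of this commit call it with NULL. The block also refers to `mbedtls_crt_verify_with_profile()`, which does not match the declared name `mbedtls_x509_crt_verify_with_profile()`, and misspells "restart". I would write `\param rs_ctx restart context (NULL to disable restart)` and correct the three `\c` references. The `\return` text should also state that when `MBEDTLS_ERR_ECP_IN_PROGRESS` is returned `*flags` is not a verification result and the call has to be repeated with the same arguments, because a caller that looks only at `flags` could otherwise take an unfinished verification for a clean one.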
@ -2271,7 +2271,7 @@ static int x509_crt_merge_flags_with_cb(
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Verify the certificate validity
|
* Verify the certificate validity (default profile, not restartable)
|
||||||
*/
|
*/
|
||||||
int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
|
int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
|
||||||
mbedtls_x509_crt *trust_ca,
|
mbedtls_x509_crt *trust_ca,
|
||||||
|
@ -2280,19 +2280,13 @@ int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
|
||||||
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
|
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
|
||||||
void *p_vrfy )
|
void *p_vrfy )
|
||||||
{
|
{
|
||||||
return( mbedtls_x509_crt_verify_with_profile( crt, trust_ca, ca_crl,
|
return( mbedtls_x509_crt_verify_restartable( crt, trust_ca, ca_crl,
|
||||||
&mbedtls_x509_crt_profile_default, cn, flags, f_vrfy, p_vrfy ) );
|
&mbedtls_x509_crt_profile_default, cn, flags,
|
||||||
|
f_vrfy, p_vrfy, NULL ) );
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Verify the certificate validity, with profile
|
* Verify the certificate validity (user-chosen profile, not restartable)
|
||||||
*
|
|
||||||
* This function:
|
|
||||||
* - checks the requested CN (if any)
|
|
||||||
* - checks the type and size of the EE cert's key,
|
|
||||||
* as that isn't done as part of chain building/verification currently
|
|
||||||
* - builds and verifies the chain
|
|
||||||
* - then calls the callback and merges the flags
|
|
||||||
*/
|
*/
|
||||||
int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
|
int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
|
||||||
mbedtls_x509_crt *trust_ca,
|
mbedtls_x509_crt *trust_ca,
|
||||||
|
@ -2301,6 +2295,29 @@ int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
|
||||||
const char *cn, uint32_t *flags,
|
const char *cn, uint32_t *flags,
|
||||||
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
|
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
|
||||||
void *p_vrfy )
|
void *p_vrfy )
|
||||||
|
{
|
||||||
|
return( mbedtls_x509_crt_verify_restartable( crt, trust_ca, ca_crl,
|
||||||
|
profile, cn, flags, f_vrfy, p_vrfy, NULL ) );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Verify the certificate validity, with profile, restartable version
|
||||||
|
*
|
||||||
|
* This function:
|
||||||
|
* - checks the requested CN (if any)
|
||||||
|
* - checks the type and size of the EE cert's key,
|
||||||
|
* as that isn't done as part of chain building/verification currently
|
||||||
|
* - builds and verifies the chain
|
||||||
|
* - then calls the callback and merges the flags
|
||||||
|
*/
|
||||||
|
int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt,
|
||||||
|
mbedtls_x509_crt *trust_ca,
|
||||||
|
mbedtls_x509_crl *ca_crl,
|
||||||
|
const mbedtls_x509_crt_profile *profile,
|
||||||
|
const char *cn, uint32_t *flags,
|
||||||
|
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
|
||||||
|
void *p_vrfy,
|
||||||
|
mbedtls_x509_crt_restart_ctx *rs_ctx )
|
||||||
{
|
{
|
||||||
int ret;
|
int ret;
|
||||||
mbedtls_pk_type_t pk_type;
|
mbedtls_pk_type_t pk_type;
|
||||||
|
@ -2308,6 +2325,8 @@ int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
|
||||||
size_t chain_len;
|
size_t chain_len;
|
||||||
uint32_t *ee_flags = &ver_chain[0].flags;
|
uint32_t *ee_flags = &ver_chain[0].flags;
|
||||||
|
|
||||||
|
(void) rs_ctx;
|
||||||
|
|
||||||
*flags = 0;
|
*flags = 0;
|
||||||
memset( ver_chain, 0, sizeof( ver_chain ) );
|
memset( ver_chain, 0, sizeof( ver_chain ) );
|
||||||
chain_len = 0;
|
chain_len = 0;
|
||||||
|
@ -2450,4 +2469,25 @@ void mbedtls_x509_crt_free( mbedtls_x509_crt *crt )
|
||||||
while( cert_cur != NULL );
|
while( cert_cur != NULL );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
|
||||||
|
/*
|
||||||
|
* Initialize a restart context
|
||||||
|
*/
|
||||||
|
void mbedtls_x509_crt_restart_init( mbedtls_x509_crt_restart_ctx *ctx )
|
||||||
|
{
|
||||||
|
mbedtls_ecdsa_restart_init( &ctx->ecdsa );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Free the components of a restart context
|
||||||
|
*/
|
||||||
|
void mbedtls_x509_crt_restart_free( mbedtls_x509_crt_restart_ctx *ctx )
|
||||||
|
{
|
||||||
|
if( ctx == NULL )
|
||||||
|
return;
|
||||||
|
|
||||||
|
mbedtls_ecdsa_restart_free( &ctx->ecdsa );
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
|
||||||
|
|
||||||
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||||
|
|
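Review bot: `mbedtls_x509_crt_verify_restartable()` resets all of its working state on every entry (`*flags = 0;` and `memset( ver_chain, 0, sizeof( ver_chain ) );`) and only silences the new parameter with `(void) rs_ctx;`. As far as the visible hunks show, nothing is carried across calls yet and the function cannot return `MBEDTLS_ERR_ECP_IN_PROGRESS` as the header promises; its body continues outside the hunk. If this is a staging commit, a comment next to the cast such as `/* rs_ctx is not used yet: this function never returns MBEDTLS_ERR_ECP_IN_PROGRESS */` would keep the code and the header in agreement. Once restart is wired in, an early return would leave `*flags` at 0 unless the exit path (not visible here) overwrites it, so I would set `*flags = (uint32_t) -1;` on any non-zero return to keep an unfinished verification from reading as success. Separately, `mbedtls_x509_crt_restart_init()` dereferences `ctx` unchecked while `mbedtls_x509_crt_restart_free()` accepts NULL, so a one-line comment on the init function stating that `ctx` must not be NULL would make that contract explicit.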