yuzu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2025-05-14 21:22:09 +00:00
Code Issues Packages Projects Releases Wiki Activity

Make verify_chain() iterative

Browse source
This commit is contained in:
Manuel Pégourié-Gonnard 2017-07-05 17:05:03 +02:00
parent f86f491f25
commit ce6e52ff42
1 changed files with 74 additions and 67 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

39
library/x509_crt.c
View file

@ -2071,11 +2071,9 @@ static int x509_crt_check_ee_locally_trusted(
* -> return that chain with NOT_TRUSTED set on Ciq * -> return that chain with NOT_TRUSTED set on Ciq
* *
* Arguments: * Arguments:
* - child: the current bottom of the chain to verify * - [in] crt: the cert list EE, C1, ..., Cn
* - trust_ca, ca_crl, profile: as in verify_with_profile() * - [in] trust_ca: the trusted list R1, ..., Rp
* - top: 1 if child is known to be locally trusted * - [in] ca_crl, profile: as in verify_with_profile()
* - path_cnt: current depth as passed to f_vrfy() (EE = 0, etc)
* - self_cnt: number of self-issued certs seen so far in the chain
* - [out] ver_chain: the built and verified chain * - [out] ver_chain: the built and verified chain
* *
* Return value: * Return value:
@ -2084,16 +2082,23 @@ static int x509_crt_check_ee_locally_trusted(
* even if it was found to be invalid * even if it was found to be invalid
*/ */
static int x509_crt_verify_chain( static int x509_crt_verify_chain(
mbedtls_x509_crt *child, mbedtls_x509_crt *crt,
mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, mbedtls_x509_crt *trust_ca,
mbedtls_x509_crl *ca_crl,
const mbedtls_x509_crt_profile *profile, const mbedtls_x509_crt_profile *profile,
int top, int path_cnt, int self_cnt,
x509_crt_verify_chain_item ver_chain[X509_MAX_VERIFY_CHAIN_SIZE] ) x509_crt_verify_chain_item ver_chain[X509_MAX_VERIFY_CHAIN_SIZE] )
{ {
uint32_t *flags; uint32_t *flags;
mbedtls_x509_crt *child;
mbedtls_x509_crt *parent; mbedtls_x509_crt *parent;
int parent_is_trusted = 0; int parent_is_trusted = 0;
int child_is_trusted = 0;
int path_cnt = 0;
int self_cnt = 0;
child = crt;
while( 1 ) {
/* Add certificate to the verification chain */ /* Add certificate to the verification chain */
ver_chain[path_cnt].crt = child; ver_chain[path_cnt].crt = child;
flags = &ver_chain[path_cnt].flags; flags = &ver_chain[path_cnt].flags;
@ -2106,7 +2111,7 @@ static int x509_crt_verify_chain(
*flags |= MBEDTLS_X509_BADCERT_FUTURE; *flags |= MBEDTLS_X509_BADCERT_FUTURE;
/* Stop here for trusted roots (but not for trusted EE certs) */ /* Stop here for trusted roots (but not for trusted EE certs) */
if( top ) if( child_is_trusted )
return( 0 ); return( 0 );
/* Check signature algorithm: MD & PK algs */ /* Check signature algorithm: MD & PK algs */
@ -2160,12 +2165,16 @@ static int x509_crt_verify_chain(
#if defined(MBEDTLS_X509_CRL_PARSE_C) #if defined(MBEDTLS_X509_CRL_PARSE_C)
/* Check trusted CA's CRL for the given crt */ /* Check trusted CA's CRL for the given crt */
*flags |= x509_crt_verifycrl(child, parent, ca_crl, profile ); *flags |= x509_crt_verifycrl(child, parent, ca_crl, profile );
#else
(void) ca_crl;
#endif #endif
/* verify the rest of the chain starting from parent */ /* prepare for next iteration */
return( x509_crt_verify_chain( parent, trust_ca, ca_crl, profile, child = parent;
parent_is_trusted, path_cnt + 1, self_cnt, parent = NULL;
ver_chain ) ); child_is_trusted = parent_is_trusted;
++path_cnt;
}
} }
/* /*
@ -2290,9 +2299,7 @@ int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
*ee_flags |= MBEDTLS_X509_BADCERT_BAD_KEY; *ee_flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
/* Check the chain */ /* Check the chain */
ret = x509_crt_verify_chain( crt, trust_ca, ca_crl, profile, ret = x509_crt_verify_chain( crt, trust_ca, ca_crl, profile, ver_chain );
0, 0, 0,
ver_chain );
if( ret != 0 ) if( ret != 0 )
goto exit; goto exit;