Add callback to search through SubjectAltNames extension

The current CN name verification x509_crt_verify_name() traverses
the dynamically allocated linked list presentation of the subject
alternative name extension, searching for an alternative name that
matches the desired hostname configured by the application.

Eventually, we want to remove this dynamically allocated linked list
for the benefit of reduced code size and RAM usage, and hence need to
rewrite x509_crt_verify_name() in a way that builds on the raw ASN.1
buffer holding the SubjectAlternativeNames extension.

This commit does this by using the existing SubjectAlternativeNames
traversal routine x509_subject_alt_name_traverse(), passing to it a
callback which compares the current alternative name component to the
desired hostname configured by the application.
This commit is contained in:
Hanno Becker 2019-02-21 13:36:59 +00:00
parent 2c6cc045c2
commit da410828f4

View file

@ -2481,6 +2481,28 @@ static int x509_crt_check_name( void *ctx,
return( 0 ); return( 0 );
} }
/* Returns 1 on a match and 0 on a mismatch.
* This is because this function is used as a callback for
* mbedtls_asn1_traverse_sequence_of(), which continues the
* traversal as long as the callback returns 0. */
static int x509_crt_subject_alt_check_name( void *ctx,
int tag,
unsigned char *data,
size_t data_len )
{
char const *cn = (char const*) ctx;
size_t cn_len = strlen( cn );
/* Skip everything but DNS name */
if( tag != ( MBEDTLS_ASN1_CONTEXT_SPECIFIC | 2 ) )
return( 0 );
if( x509_crt_check_cn( data, data_len, cn, cn_len ) == 0 )
return( 1 );
return( 0 );
}
/* /*
* Verify the requested CN - only call this if cn is not NULL! * Verify the requested CN - only call this if cn is not NULL!
*/ */
@ -2488,31 +2510,28 @@ static void x509_crt_verify_name( const mbedtls_x509_crt *crt,
const char *cn, const char *cn,
uint32_t *flags ) uint32_t *flags )
{ {
const mbedtls_x509_sequence *cur; int ret;
size_t cn_len = strlen( cn );
if( crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME ) if( crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME )
{ {
for( cur = &crt->subject_alt_names; cur != NULL; cur = cur->next ) const unsigned char *end =
{ crt->subject_alt_raw.p + crt->subject_alt_raw.len;
if( x509_crt_check_cn( cur->buf.p, cur->buf.len,
cn, cn_len ) == 0 )
break;
}
if( cur == NULL ) ret = x509_subject_alt_name_traverse( crt->subject_alt_raw.p,
*flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH; end,
x509_crt_subject_alt_check_name,
(void*) cn );
} }
else else
{ {
int ret;
ret = mbedtls_x509_name_cmp_raw( &crt->subject_raw_no_hdr, ret = mbedtls_x509_name_cmp_raw( &crt->subject_raw_no_hdr,
&crt->subject_raw_no_hdr, &crt->subject_raw_no_hdr,
x509_crt_check_name, (void*) cn ); x509_crt_check_name, (void*) cn );
}
if( ret != 1 ) if( ret != 1 )
*flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH; *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
} }
}
/* /*
* Merge the flags for all certs in the chain, after calling callback * Merge the flags for all certs in the chain, after calling callback