mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2025-01-12 22:15:36 +00:00
Add callback to search through SubjectAltNames extension
The current CN name verification x509_crt_verify_name() traverses the dynamically allocated linked list presentation of the subject alternative name extension, searching for an alternative name that matches the desired hostname configured by the application. Eventually, we want to remove this dynamically allocated linked list for the benefit of reduced code size and RAM usage, and hence need to rewrite x509_crt_verify_name() in a way that builds on the raw ASN.1 buffer holding the SubjectAlternativeNames extension. This commit does this by using the existing SubjectAlternativeNames traversal routine x509_subject_alt_name_traverse(), passing to it a callback which compares the current alternative name component to the desired hostname configured by the application.
This commit is contained in:
parent
2c6cc045c2
commit
da410828f4
|
@ -2481,6 +2481,28 @@ static int x509_crt_check_name( void *ctx,
|
||||||
return( 0 );
|
return( 0 );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* Returns 1 on a match and 0 on a mismatch.
|
||||||
|
* This is because this function is used as a callback for
|
||||||
|
* mbedtls_asn1_traverse_sequence_of(), which continues the
|
||||||
|
* traversal as long as the callback returns 0. */
|
||||||
|
static int x509_crt_subject_alt_check_name( void *ctx,
|
||||||
|
int tag,
|
||||||
|
unsigned char *data,
|
||||||
|
size_t data_len )
|
||||||
|
{
|
||||||
|
char const *cn = (char const*) ctx;
|
||||||
|
size_t cn_len = strlen( cn );
|
||||||
|
|
||||||
|
/* Skip everything but DNS name */
|
||||||
|
if( tag != ( MBEDTLS_ASN1_CONTEXT_SPECIFIC | 2 ) )
|
||||||
|
return( 0 );
|
||||||
|
|
||||||
|
if( x509_crt_check_cn( data, data_len, cn, cn_len ) == 0 )
|
||||||
|
return( 1 );
|
||||||
|
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Verify the requested CN - only call this if cn is not NULL!
|
* Verify the requested CN - only call this if cn is not NULL!
|
||||||
*/
|
*/
|
||||||
|
@ -2488,31 +2510,28 @@ static void x509_crt_verify_name( const mbedtls_x509_crt *crt,
|
||||||
const char *cn,
|
const char *cn,
|
||||||
uint32_t *flags )
|
uint32_t *flags )
|
||||||
{
|
{
|
||||||
const mbedtls_x509_sequence *cur;
|
int ret;
|
||||||
size_t cn_len = strlen( cn );
|
|
||||||
|
|
||||||
if( crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME )
|
if( crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME )
|
||||||
{
|
{
|
||||||
for( cur = &crt->subject_alt_names; cur != NULL; cur = cur->next )
|
const unsigned char *end =
|
||||||
{
|
crt->subject_alt_raw.p + crt->subject_alt_raw.len;
|
||||||
if( x509_crt_check_cn( cur->buf.p, cur->buf.len,
|
|
||||||
cn, cn_len ) == 0 )
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
|
|
||||||
if( cur == NULL )
|
ret = x509_subject_alt_name_traverse( crt->subject_alt_raw.p,
|
||||||
*flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
|
end,
|
||||||
|
x509_crt_subject_alt_check_name,
|
||||||
|
(void*) cn );
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
int ret;
|
|
||||||
ret = mbedtls_x509_name_cmp_raw( &crt->subject_raw_no_hdr,
|
ret = mbedtls_x509_name_cmp_raw( &crt->subject_raw_no_hdr,
|
||||||
&crt->subject_raw_no_hdr,
|
&crt->subject_raw_no_hdr,
|
||||||
x509_crt_check_name, (void*) cn );
|
x509_crt_check_name, (void*) cn );
|
||||||
|
}
|
||||||
|
|
||||||
if( ret != 1 )
|
if( ret != 1 )
|
||||||
*flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
|
*flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Merge the flags for all certs in the chain, after calling callback
|
* Merge the flags for all certs in the chain, after calling callback
|
||||||
|
|
Loading…
Reference in a new issue