Rework state saving for verify_chain()

Child was almost redundant as it's already saved in ver_chain, except it was multiplexed to also indicate whether an operation is in progress. This commit removes it and introduces an explicit state variable instead. This state can be useful later if we start returning IN_PROGRESS at other points than find_parent() (for example when checking CRL). Note that the state goes none -> find_parent and stays there until the context is free(), as it's only on the first call that nothing was in progress.
2025-03-26 10:25:11 +00:00 · 2017-08-23 12:32:19 +02:00 · 2017-08-23 12:32:19 +02:00 · daf049144e
parent a968843429
commit daf049144e
2 changed files with 10 additions and 6 deletions
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@ -183,7 +183,10 @@ typedef struct
    int parent_is_trusted; /* -1 if find_parent is not in progress */

    /* for verify_chain() */
-    mbedtls_x509_crt *child; /* non-null iff in progress */
+    enum {
+        x509_crt_rs_none,
+        x509_crt_rs_find_parent,
+    } in_progress;  /* none if no operation is in progress */
    int self_cnt;
    mbedtls_x509_crt_verify_chain ver_chain;

--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@ -2250,14 +2250,15 @@ static int x509_crt_verify_chain(

 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
    /* resume if we had an operation in progress */
-    if( rs_ctx != NULL && rs_ctx->child != NULL )
+    if( rs_ctx != NULL && rs_ctx->in_progress == x509_crt_rs_find_parent )
    {
        /* restore saved state */
-        child = rs_ctx->child;
-        self_cnt = rs_ctx->self_cnt;
        *ver_chain = rs_ctx->ver_chain; /* struct copy */
+        self_cnt = rs_ctx->self_cnt;

+        /* restore derived state */
        cur = &ver_chain->items[ver_chain->len - 1];
+        child = cur->crt;
        flags = &cur->flags;

        goto find_parent;
@ -2314,7 +2315,7 @@ find_parent:
        if( rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
        {
            /* save state */
-            rs_ctx->child = child;
+            rs_ctx->in_progress = x509_crt_rs_find_parent;
            rs_ctx->self_cnt = self_cnt;
            rs_ctx->ver_chain = *ver_chain; /* struct copy */

@ -2681,7 +2682,7 @@ void mbedtls_x509_crt_restart_init( mbedtls_x509_crt_restart_ctx *ctx )

    ctx->parent_is_trusted = -1;

-    ctx->child = NULL;
+    ctx->in_progress = x509_crt_rs_none;
    ctx->self_cnt = 0;
    x509_crt_verify_chain_reset( &ctx->ver_chain );
 }