Make use of CRT acquire/release for X.509 CRT signature checking

2025-03-24 10:35:12 +00:00 · 2019-02-25 14:45:31 +00:00 · 2019-02-25 14:45:31 +00:00 · e449e2d846
parent 5299cf87d4
commit e449e2d846
1 changed files with 31 additions and 15 deletions
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@ -2175,29 +2175,45 @@ static int x509_crt_check_signature( const mbedtls_x509_crt_sig_info *sig_info,
                                     mbedtls_x509_crt *parent,
                                     mbedtls_x509_crt_restart_ctx *rs_ctx )
 {
-    /* Skip expensive computation on obvious mismatch */
+    int ret;
-    if( ! mbedtls_pk_can_do( &parent->pk, sig_info->sig_pk ) )
+    mbedtls_pk_context *pk;
        return( -1 );
-#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    ret = x509_crt_pk_acquire( parent, &pk );
-    if( rs_ctx != NULL && child->sig_pk == MBEDTLS_PK_ECDSA )
+    if( ret != 0 )
        return( MBEDTLS_ERR_X509_FATAL_ERROR );
    /* Skip expensive computation on obvious mismatch */
    if( ! mbedtls_pk_can_do( pk, sig_info->sig_pk ) )
    {
-        return( mbedtls_pk_verify_restartable( &parent->pk,
+        ret = -1;
        goto exit;
    }
 #if !( defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) )
    ((void) rs_ctx);
 #else
    if( rs_ctx != NULL && sig_info->sig_pk == MBEDTLS_PK_ECDSA )
    {
        ret = mbedtls_pk_verify_restartable( pk,
                    sig_info->sig_md,
                    sig_info->crt_hash, sig_info->crt_hash_len,
                    sig_info->sig.p, sig_info->sig.len,
-                                               &rs_ctx->pk ) );
+                    &rs_ctx->pk );
    }
-#else
+    else
    (void) rs_ctx;
 #endif
    {
        ret = mbedtls_pk_verify_ext( sig_info->sig_pk,
                                     sig_info->sig_opts,
                                     pk,
                                     sig_info->sig_md,
                                     sig_info->crt_hash, sig_info->crt_hash_len,
                                     sig_info->sig.p, sig_info->sig.len );
    }
-    return( mbedtls_pk_verify_ext( sig_info->sig_pk,
+exit:
-                                   sig_info->sig_opts,
+    x509_crt_pk_release( parent, pk );
-                                   &parent->pk,
+    return( ret );
                                   sig_info->sig_md,
                                   sig_info->crt_hash, sig_info->crt_hash_len,
                                   sig_info->sig.p, sig_info->sig.len ) );
 }
 /*