Solely use raw X.509 name data references including SEQUENCE header
So far, the CRT frame structure `mbedtls_x509_crt_frame` stored in
`issuer_raw` and `subject_raw` only the _content_ of the ASN.1 Name
structure for the issuer and subject, respectively (i.e. without the
SEQUENCE header). This was in contrast
to the fields `issuer_raw` and `subject_raw` from the legacy
`mbedtls_x509_crt` structure, and caused some information
duplication by having both variants `xxx_no_hdr` and `xxx_with_hdr`
in `mbedtls_x509_crt` and `mbedtls_x509_crt_frame`.
This commit removes this mismatch by solely using the legacy
form of `issuer_raw` and `subject_raw`, i.e. those _including_
the ASN.1 name header.
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index f00e44b..6757e2a 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -3001,7 +3001,7 @@
if( ret != 0 )
return( ret );
- dn_size = frame->subject_raw_with_hdr.len;
+ dn_size = frame->subject_raw.len;
if( end < p ||
(size_t)( end - p ) < dn_size ||
@@ -3014,7 +3014,7 @@
*p++ = (unsigned char)( dn_size >> 8 );
*p++ = (unsigned char)( dn_size );
- memcpy( p, frame->subject_raw_with_hdr.p, dn_size );
+ memcpy( p, frame->subject_raw.p, dn_size );
p += dn_size;
MBEDTLS_SSL_DEBUG_BUF( 3, "requested DN", p - dn_size, dn_size );
diff --git a/library/x509.c b/library/x509.c
index 55726da..9d00beb 100644
--- a/library/x509.c
+++ b/library/x509.c
@@ -544,53 +544,67 @@
void *abort_check_ctx )
{
int ret;
+ size_t idx;
+ unsigned char *p[2], *end[2], *set[2];
- unsigned char *p_a, *end_a, *set_a;
- unsigned char *p_b, *end_b, *set_b;
+ p[0] = a->p;
+ p[1] = b->p;
+ end[0] = p[0] + a->len;
+ end[1] = p[1] + b->len;
- p_a = set_a = (unsigned char*) a->p;
- p_b = set_b = (unsigned char*) b->p;
+ for( idx = 0; idx < 2; idx++ )
+ {
+ size_t len;
+ ret = mbedtls_asn1_get_tag( &p[idx], end[idx], &len,
+ MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SEQUENCE );
- end_a = p_a + a->len;
- end_b = p_b + b->len;
+ if( end[idx] != p[idx] + len )
+ {
+ return( MBEDTLS_ERR_X509_INVALID_NAME +
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+ }
+
+ set[idx] = p[idx];
+ }
while( 1 )
{
int next_merged;
- mbedtls_x509_buf oid_a, val_a, oid_b, val_b;
+ mbedtls_x509_buf oid[2], val[2];
- ret = x509_set_sequence_iterate( &p_a, (const unsigned char **) &set_a,
- end_a, &oid_a, &val_a );
+ ret = x509_set_sequence_iterate( &p[0], (const unsigned char **) &set[0],
+ end[0], &oid[0], &val[0] );
if( ret != 0 )
goto exit;
- ret = x509_set_sequence_iterate( &p_b, (const unsigned char **) &set_b,
- end_b, &oid_b, &val_b );
+ ret = x509_set_sequence_iterate( &p[1], (const unsigned char **) &set[1],
+ end[1], &oid[1], &val[1] );
if( ret != 0 )
goto exit;
- if( oid_a.len != oid_b.len ||
- memcmp( oid_a.p, oid_b.p, oid_b.len ) != 0 )
+ if( oid[0].len != oid[1].len ||
+ memcmp( oid[0].p, oid[1].p, oid[1].len ) != 0 )
{
return( 1 );
}
- if( x509_string_cmp( &val_a, &val_b ) != 0 )
+ if( x509_string_cmp( &val[0], &val[1] ) != 0 )
return( 1 );
- next_merged = ( set_a != p_a );
- if( next_merged != ( set_b != p_b ) )
+ next_merged = ( set[0] != p[0] );
+ if( next_merged != ( set[1] != p[1] ) )
return( 1 );
if( abort_check != NULL )
{
- ret = abort_check( abort_check_ctx, &oid_a, &val_a,
+ ret = abort_check( abort_check_ctx, &oid[0], &val[0],
next_merged );
if( ret != 0 )
return( ret );
}
- if( p_a == end_a && p_b == end_b )
+ if( p[0] == end[0] && p[1] == end[1] )
break;
}
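Review bot: The return value of `mbedtls_asn1_get_tag` at the top of the new `for( idx = 0; idx < 2; idx++ )` loop is stored in `ret` but never checked, so on a short or mis-tagged buffer `len` is left unassigned and the `end[idx] != p[idx] + len` comparison reads an indeterminate value before the loop goes on to iterate an unparsed buffer. Add `if( ret != 0 ) return( MBEDTLS_ERR_X509_INVALID_NAME + ret );` directly after the call, matching the error composition the hunk already uses for the length mismatch. The in-tree callers in this diff parse the SEQUENCE header themselves before calling, so they would not hit this today, but `mbedtls_x509_name_cmp_raw` is an exported function and the CRL-issuer comparison further down feeds it a `ca_subject` that is built outside these hunks. The enclosing function begins before and ends after this hunk.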
@@ -626,20 +640,15 @@
return( 0 );
}
-int mbedtls_x509_get_name( unsigned char **p, const unsigned char *end,
+int mbedtls_x509_get_name( unsigned char *p,
+ size_t len,
mbedtls_x509_name *cur )
{
- int ret;
- mbedtls_x509_buf_raw name_buf = { *p, end - *p };
+ mbedtls_x509_buf_raw name_buf = { p, len };
memset( cur, 0, sizeof( mbedtls_x509_name ) );
- ret = mbedtls_x509_name_cmp_raw( &name_buf, &name_buf,
- x509_get_name_cb,
- &cur );
- if( ret != 0 )
- return( ret );
-
- *p = (unsigned char*) end;
- return( 0 );
+ return( mbedtls_x509_name_cmp_raw( &name_buf, &name_buf,
+ x509_get_name_cb,
+ &cur ) );
}
static int x509_parse_int( unsigned char **p, size_t n, int *res )
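Review bot: `mbedtls_x509_get_name` is a non-static function whose signature changes here from `(unsigned char **p, const unsigned char *end, ...)` to `(unsigned char *p, size_t len, ...)`, yet no header is part of this diff; the declaration in the public x509 header has to change in the same commit, since a stale prototype would let out-of-tree callers compile against the old two-pointer ABI without any diagnostic. The new contract also differs from the old one in a way a caller cannot guess: `p`/`len` must now cover the whole DER Name including its SEQUENCE header (that is the first thing `mbedtls_x509_name_cmp_raw` checks), and `p` is no longer advanced past the name. A short comment above the definition would capture both, e.g. `/* Parse the DER Name of len bytes at p (SEQUENCE header included) into cur; p is not advanced. */`.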
diff --git a/library/x509_crl.c b/library/x509_crl.c
index f077841..5829425 100644
--- a/library/x509_crl.c
+++ b/library/x509_crl.c
@@ -428,17 +428,17 @@
mbedtls_x509_crl_free( crl );
return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
}
- crl->issuer_raw_no_hdr.p = p;
+ p += len;
+ crl->issuer_raw.len = p - crl->issuer_raw.p;
- if( ( ret = mbedtls_x509_get_name( &p, p + len, &crl->issuer ) ) != 0 )
+ if( ( ret = mbedtls_x509_get_name( crl->issuer_raw.p,
+ crl->issuer_raw.len,
+ &crl->issuer ) ) != 0 )
{
mbedtls_x509_crl_free( crl );
return( ret );
}
- crl->issuer_raw_no_hdr.len = p - crl->issuer_raw_no_hdr.p;
- crl->issuer_raw.len = p - crl->issuer_raw.p;
-
/*
* thisUpdate Time
* nextUpdate Time OPTIONAL
diff --git a/library/x509_crt.c b/library/x509_crt.c
index fb5265a..bd452b6 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -126,8 +126,10 @@
frame->serial.len = crt->serial.len;
frame->pubkey_raw.p = crt->pk_raw.p;
frame->pubkey_raw.len = crt->pk_raw.len;
- frame->issuer_raw = crt->issuer_raw_no_hdr;
- frame->subject_raw = crt->subject_raw_no_hdr;
+ frame->issuer_raw.p = crt->issuer_raw.p;
+ frame->issuer_raw.len = crt->issuer_raw.len;
+ frame->subject_raw.p = crt->subject_raw.p;
+ frame->subject_raw.len = crt->subject_raw.len;
frame->issuer_id.p = crt->issuer_id.p;
frame->issuer_id.len = crt->issuer_id.len;
frame->subject_id.p = crt->subject_id.p;
@@ -136,10 +138,6 @@
frame->sig.len = crt->sig.len;
frame->v3_ext.p = crt->v3_ext.p;
frame->v3_ext.len = crt->v3_ext.len;
- frame->issuer_raw_with_hdr.p = crt->issuer_raw.p;
- frame->issuer_raw_with_hdr.len = crt->issuer_raw.len;
- frame->subject_raw_with_hdr.p = crt->subject_raw.p;
- frame->subject_raw_with_hdr.len = crt->subject_raw.len;
/* The legacy CRT structure doesn't explicitly contain
* the `AlgorithmIdentifier` bounds; however, those can
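Review bot: Dropping the `issuer_raw_with_hdr`/`subject_raw_with_hdr` assignments here only removes the last writes to those frame fields; the `mbedtls_x509_crt_frame` struct definition is not in this diff, and if the members stay declared they will now be left all-zero by this function while still looking like valid API surface. The same applies to `issuer_raw_no_hdr`/`subject_raw_no_hdr` on `mbedtls_x509_crt` and `issuer_raw_no_hdr` on `mbedtls_x509_crl`, which this commit stops populating. Please remove those members from the headers in the same change, or at least mark them there as no longer filled. The enclosing function starts before this hunk.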
@@ -1185,15 +1183,14 @@
*
* RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
*/
- frame->issuer_raw_with_hdr.p = p;
+ frame->issuer_raw.p = p;
ret = mbedtls_asn1_get_tag( &p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE );
if( ret != 0 )
return( ret + MBEDTLS_ERR_X509_INVALID_FORMAT );
- frame->issuer_raw.p = p;
- frame->issuer_raw.len = len;
p += len;
+ frame->issuer_raw.len = p - frame->issuer_raw.p;
ret = mbedtls_x509_name_cmp_raw( &frame->issuer_raw,
&frame->issuer_raw,
@@ -1201,8 +1198,6 @@
if( ret != 0 )
return( ret );
- frame->issuer_raw_with_hdr.len = p - frame->issuer_raw_with_hdr.p;
-
/*
* Validity ::= SEQUENCE { ...
*/
@@ -1218,15 +1213,14 @@
*
* RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
*/
- frame->subject_raw_with_hdr.p = p;
+ frame->subject_raw.p = p;
ret = mbedtls_asn1_get_tag( &p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE );
if( ret != 0 )
return( ret + MBEDTLS_ERR_X509_INVALID_FORMAT );
- frame->subject_raw.p = p;
- frame->subject_raw.len = len;
p += len;
+ frame->subject_raw.len = p - frame->subject_raw.p;
ret = mbedtls_x509_name_cmp_raw( &frame->subject_raw,
&frame->subject_raw,
@@ -1234,8 +1228,6 @@
if( ret != 0 )
return( ret );
- frame->subject_raw_with_hdr.len = p - frame->subject_raw_with_hdr.p;
-
/*
* SubjectPublicKeyInfo
*/
@@ -1317,19 +1309,17 @@
static int x509_crt_subject_from_frame( mbedtls_x509_crt_frame *frame,
mbedtls_x509_name *subject )
{
- unsigned char *p = frame->subject_raw.p;
- unsigned char *end = p + frame->subject_raw.len;
-
- return( mbedtls_x509_get_name( &p, end, subject ) );
+ return( mbedtls_x509_get_name( frame->subject_raw.p,
+ frame->subject_raw.len,
+ subject ) );
}
static int x509_crt_issuer_from_frame( mbedtls_x509_crt_frame *frame,
mbedtls_x509_name *issuer )
{
- unsigned char *p = frame->issuer_raw.p;
- unsigned char *end = p + frame->issuer_raw.len;
-
- return( mbedtls_x509_get_name( &p, end, issuer ) );
+ return( mbedtls_x509_get_name( frame->issuer_raw.p,
+ frame->issuer_raw.len,
+ issuer ) );
}
static int x509_crt_subject_alt_from_frame( mbedtls_x509_crt_frame *frame,
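Review bot: These two wrappers now hand `frame->subject_raw`/`frame->issuer_raw` straight to `mbedtls_x509_get_name`, which as of this commit expects the SEQUENCE header to be included, and nothing at the call site tells a reader that the field's meaning flipped from content-only to header-inclusive. A one-line comment in each would do: `/* subject_raw spans the full DER Name incl. its SEQUENCE header, as mbedtls_x509_get_name() requires */`.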
@@ -1453,12 +1443,10 @@
crt->tbs.len = frame->tbs.len;
crt->serial.p = frame->serial.p;
crt->serial.len = frame->serial.len;
- crt->issuer_raw.p = frame->issuer_raw_with_hdr.p;
- crt->issuer_raw.len = frame->issuer_raw_with_hdr.len;
- crt->subject_raw.p = frame->subject_raw_with_hdr.p;
- crt->subject_raw.len = frame->subject_raw_with_hdr.len;
- crt->issuer_raw_no_hdr = frame->issuer_raw;
- crt->subject_raw_no_hdr = frame->subject_raw;
+ crt->issuer_raw.p = frame->issuer_raw.p;
+ crt->issuer_raw.len = frame->issuer_raw.len;
+ crt->subject_raw.p = frame->subject_raw.p;
+ crt->subject_raw.len = frame->subject_raw.len;
crt->issuer_id.p = frame->issuer_id.p;
crt->issuer_id.len = frame->issuer_id.len;
crt->subject_id.p = frame->subject_id.p;
@@ -2561,7 +2549,7 @@
while( crl_list != NULL )
{
if( crl_list->version == 0 ||
- mbedtls_x509_name_cmp_raw( &crl_list->issuer_raw_no_hdr,
+ mbedtls_x509_name_cmp_raw( &crl_list->issuer_raw,
&ca_subject, NULL, NULL ) != 0 )
{
crl_list = crl_list->next;
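Review bot: The `!= 0` test folds two different outcomes of `mbedtls_x509_name_cmp_raw` into "skip this CRL": a genuine issuer mismatch (`1`) and a negative parse error, which with this commit now also covers a missing or mis-sized SEQUENCE header on either operand. A CRL whose issuer cannot be parsed is thereby silently ignored and revocation is effectively not checked for that CA, which is fail-open. Capture the result first, `ret = mbedtls_x509_name_cmp_raw( &crl_list->issuer_raw, &ca_subject, NULL, NULL );`, surface `ret < 0` as a verification failure (an error return or a verify flag, whichever the enclosing function reports; it starts outside this hunk), and only skip on `ret == 1`. Separately, `ca_subject` is built outside the hunk; since the comparand switched from `issuer_raw_no_hdr` to `issuer_raw`, it must now carry the SEQUENCE header too, otherwise every CRL is skipped by the same path.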
diff --git a/library/x509_csr.c b/library/x509_csr.c
index d1a2760..23af9ae 100644
--- a/library/x509_csr.c
+++ b/library/x509_csr.c
@@ -183,15 +183,17 @@
mbedtls_x509_csr_free( csr );
return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
}
+ p += len;
+ csr->subject_raw.len = p - csr->subject_raw.p;
- if( ( ret = mbedtls_x509_get_name( &p, p + len, &csr->subject ) ) != 0 )
+ if( ( ret = mbedtls_x509_get_name( csr->subject_raw.p,
+ csr->subject_raw.len,
+ &csr->subject ) ) != 0 )
{
mbedtls_x509_csr_free( csr );
return( ret );
}
- csr->subject_raw.len = p - csr->subject_raw.p;
-
/*
* subjectPKInfo SubjectPublicKeyInfo
*/