TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 67284cce00147d1e803b51169dfe19c88e86f3ca^! / . / library / x509_crt.c
commit67284cce00147d1e803b51169dfe19c88e86f3ca[log] [tgz]
authorHanno Becker <hanno.becker@arm.com>Thu Feb 21 14:31:51 2019 +0000
committerHanno Becker <hanno.becker@arm.com>Tue Jun 25 09:06:26 2019 +0100
tree0a02c20a53c8b00660c7688a3c5681b811ae0ba9
parent7dee12a38c2a2d27573898632a474d8aab5c6adb [diff] [blame]
Add abort condition callback to `mbedtls_x509_name_cmp_raw()`

There are three operations that need to be performed on an X.509 name:
1 Initial traversal to check well-formedness of the ASN.1 structure.
2 Comparison between two X.509 name sequences.
3 Checking whether an X.509 name matches a client's ServerName request.

Each of these tasks involves traversing the nested ASN.1 structure,
In the interest of saving code, we aim to provide a single function
which can perform all of the above tasks.

The existing comparison function is already suitable not only for task 2,
but also for 1: One can simply pass two equal ASN.1 name buffers, in which
case the function will succeed if and only if that buffer is a well-formed
ASN.1 name.

This commit further adds a callback to `mbedtls_x509_name_cmp_raw()` which
is called after each successful step in the simultaneous name traversal and
comparison; it may perform any operation on the current name and potentially
signal that the comparison should be aborted.

With that, task 3 can be implemented by passing equal names and a callback
which aborts as soon as it finds the desired name component.

diff --git a/library/x509_crt.c b/library/x509_crt.c
index ad70a20..85bcced 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c

@@ -1747,7 +1747,8 @@
     {
         if( crl_list->version == 0 ||
             mbedtls_x509_name_cmp_raw( &crl_list->issuer_raw_no_hdr,
-                                       &ca->subject_raw_no_hdr ) != 0 )
+                                       &ca->subject_raw_no_hdr,
+                                       NULL, NULL ) != 0 )
         {
             crl_list = crl_list->next;
             continue;
@@ -1869,7 +1870,8 @@
 
     /* Parent must be the issuer */
     if( mbedtls_x509_name_cmp_raw( &child->issuer_raw_no_hdr,
-                                   &parent->subject_raw_no_hdr ) != 0 )
+                                   &parent->subject_raw_no_hdr,
+                                   NULL, NULL ) != 0 )
     {
         return( -1 );
     }
@@ -2138,7 +2140,8 @@
 
     /* must be self-issued */
     if( mbedtls_x509_name_cmp_raw( &crt->issuer_raw_no_hdr,
-                                   &crt->subject_raw_no_hdr ) != 0 )
+                                   &crt->subject_raw_no_hdr,
+                                   NULL, NULL ) != 0 )
     {
         return( -1 );
     }
@@ -2306,7 +2309,8 @@
          * and should be excluded from max_pathlen checks. */
         if( ver_chain->len != 1 &&
             mbedtls_x509_name_cmp_raw( &child->issuer_raw_no_hdr,
-                                       &child->subject_raw_no_hdr ) == 0 )
+                                       &child->subject_raw_no_hdr,
+                                       NULL, NULL ) == 0 )
         {
             self_cnt++;
         }