Add abort condition callback to `mbedtls_x509_name_cmp_raw()`
There are three operations that need to be performed on an X.509 name:
1 Initial traversal to check well-formedness of the ASN.1 structure.
2 Comparison between two X.509 name sequences.
3 Checking whether an X.509 name matches a client's ServerName request.
Each of these tasks involves traversing the nested ASN.1 structure,
In the interest of saving code, we aim to provide a single function
which can perform all of the above tasks.
The existing comparison function is already suitable not only for task 2,
but also for 1: One can simply pass two equal ASN.1 name buffers, in which
case the function will succeed if and only if that buffer is a well-formed
ASN.1 name.
This commit further adds a callback to `mbedtls_x509_name_cmp_raw()` which
is called after each successful step in the simultaneous name traversal and
comparison; it may perform any operation on the current name and potentially
signal that the comparison should be aborted.
With that, task 3 can be implemented by passing equal names and a callback
which aborts as soon as it finds the desired name component.
diff --git a/library/x509_crt.c b/library/x509_crt.c
index ad70a20..85bcced 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -1747,7 +1747,8 @@
{
if( crl_list->version == 0 ||
mbedtls_x509_name_cmp_raw( &crl_list->issuer_raw_no_hdr,
- &ca->subject_raw_no_hdr ) != 0 )
+ &ca->subject_raw_no_hdr,
+ NULL, NULL ) != 0 )
{
crl_list = crl_list->next;
continue;
@@ -1869,7 +1870,8 @@
/* Parent must be the issuer */
if( mbedtls_x509_name_cmp_raw( &child->issuer_raw_no_hdr,
- &parent->subject_raw_no_hdr ) != 0 )
+ &parent->subject_raw_no_hdr,
+ NULL, NULL ) != 0 )
{
return( -1 );
}
@@ -2138,7 +2140,8 @@
/* must be self-issued */
if( mbedtls_x509_name_cmp_raw( &crt->issuer_raw_no_hdr,
- &crt->subject_raw_no_hdr ) != 0 )
+ &crt->subject_raw_no_hdr,
+ NULL, NULL ) != 0 )
{
return( -1 );
}
@@ -2306,7 +2309,8 @@
* and should be excluded from max_pathlen checks. */
if( ver_chain->len != 1 &&
mbedtls_x509_name_cmp_raw( &child->issuer_raw_no_hdr,
- &child->subject_raw_no_hdr ) == 0 )
+ &child->subject_raw_no_hdr,
+ NULL, NULL ) == 0 )
{
self_cnt++;
}