commit 83e923ba2b0a01215c0e230426191e82e589ca0b
author Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Wed Aug 23 10:55:41 2017 +0200
committer Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Wed Aug 23 10:55:41 2017 +0200
tree 464e1b6203b0aeda12b8bb8f3af36bc0aeb05485
parent 8b7b96bbd3ae77657c512a0addd5a8d9f2084c00

Better initialisation of ver_chain

Use dedicated function for consistency, and initialise flags to -1 as this is
the safe value.

library/x509_crt.c

diff --git a/library/x509_crt.c b/library/x509_crt.c
index a6f6a78..7d60a57 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -208,6 +208,23 @@
 }
 
 /*
+ * Reset (init or clear) a verify_chain
+ */
+static void x509_crt_verify_chain_reset(
+    mbedtls_x509_crt_verify_chain *ver_chain )
+{
+    size_t i;
+
+    for( i = 0; i < MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE; i++ )
+    {
+        ver_chain->items[i].crt = NULL;
+        ver_chain->items[i].flags = -1;
+    }
+
+    ver_chain->len = 0;
+}
+
+/*
  *  Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
  */
 static int x509_get_version( unsigned char **p,
@@ -2258,8 +2275,9 @@
         /* Add certificate to the verification chain */
         cur = &ver_chain->items[ver_chain->len];
         cur->crt = child;
-        flags = &cur->flags;
+        cur->flags = 0;
         ver_chain->len++;
+        flags = &cur->flags;
 
         /* Check time-validity (all certificates) */
         if( mbedtls_x509_time_is_past( &child->valid_to ) )
@@ -2499,10 +2517,11 @@
     int ret;
     mbedtls_pk_type_t pk_type;
     mbedtls_x509_crt_verify_chain ver_chain;
-    uint32_t *ee_flags = &ver_chain.items[0].flags;
+    uint32_t ee_flags;
 
     *flags = 0;
-    memset( &ver_chain, 0, sizeof( ver_chain ) );
+    ee_flags = 0;
+    x509_crt_verify_chain_reset( &ver_chain );
 
     if( profile == NULL )
     {
@@ -2512,16 +2531,16 @@
 
     /* check name if requested */
     if( cn != NULL )
-        x509_crt_verify_name( crt, cn, ee_flags );
+        x509_crt_verify_name( crt, cn, &ee_flags );
 
     /* Check the type and size of the key */
     pk_type = mbedtls_pk_get_type( &crt->pk );
 
     if( x509_profile_check_pk_alg( profile, pk_type ) != 0 )
-        *ee_flags |= MBEDTLS_X509_BADCERT_BAD_PK;
+        ee_flags |= MBEDTLS_X509_BADCERT_BAD_PK;
 
     if( x509_profile_check_key( profile, pk_type, &crt->pk ) != 0 )
-        *ee_flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
+        ee_flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
 
     /* Check the chain */
     ret = x509_crt_verify_chain( crt, trust_ca, ca_crl, profile,
@@ -2530,6 +2549,9 @@
     if( ret != 0 )
         goto exit;
 
+    /* Merge end-entity flags */
+    ver_chain.items[0].flags |= ee_flags;
+
     /* Build final flags, calling callback on the way if any */
     ret = x509_crt_merge_flags_with_cb( flags, &ver_chain, f_vrfy, p_vrfy );
 
@@ -2663,8 +2685,7 @@
 
     ctx->child = NULL;
     ctx->self_cnt = 0;
-    memset( ctx->ver_chain.items, 0, sizeof( ctx->ver_chain.items ) );
-    ctx->ver_chain.len = 0;
+    x509_crt_verify_chain_reset( &ctx->ver_chain );
 }
 
 /*