commit da410828f4f63a6480c25e7cb7239ae1d16372af
author Hanno Becker <hanno.becker@arm.com> Thu Feb 21 13:36:59 2019 +0000
committer Hanno Becker <hanno.becker@arm.com> Tue Jun 25 09:06:26 2019 +0100
tree 67e70db4e937f1f879a932794dcac21f4c9a2787
parent 2c6cc045c27318157792f6944044ee83b1486a7a

Add callback to search through SubjectAltNames extension

The current CN name verification x509_crt_verify_name() traverses
the dynamically allocated linked list presentation of the subject
alternative name extension, searching for an alternative name that
matches the desired hostname configured by the application.

Eventually, we want to remove this dynamically allocated linked list
for the benefit of reduced code size and RAM usage, and hence need to
rewrite x509_crt_verify_name() in a way that builds on the raw ASN.1
buffer holding the SubjectAlternativeNames extension.

This commit does this by using the existing SubjectAlternativeNames
traversal routine x509_subject_alt_name_traverse(), passing to it a
callback which compares the current alternative name component to the
desired hostname configured by the application.

library/x509_crt.c

diff --git a/library/x509_crt.c b/library/x509_crt.c
index a38f749..8541d11 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -2481,6 +2481,28 @@
     return( 0 );
 }
 
+/* Returns 1 on a match and 0 on a mismatch.
+ * This is because this function is used as a callback for
+ * mbedtls_asn1_traverse_sequence_of(), which continues the
+ * traversal as long as the callback returns 0. */
+static int x509_crt_subject_alt_check_name( void *ctx,
+                                            int tag,
+                                            unsigned char *data,
+                                            size_t data_len )
+{
+    char const *cn = (char const*) ctx;
+    size_t cn_len = strlen( cn );
+
+    /* Skip everything but DNS name */
+    if( tag != ( MBEDTLS_ASN1_CONTEXT_SPECIFIC | 2 ) )
+        return( 0 );
+
+    if( x509_crt_check_cn( data, data_len, cn, cn_len ) == 0 )
+        return( 1 );
+
+    return( 0 );
+}
+
 /*
  * Verify the requested CN - only call this if cn is not NULL!
  */
@@ -2488,30 +2510,27 @@
                                   const char *cn,
                                   uint32_t *flags )
 {
-    const mbedtls_x509_sequence *cur;
-    size_t cn_len = strlen( cn );
+    int ret;
 
     if( crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME )
     {
-        for( cur = &crt->subject_alt_names; cur != NULL; cur = cur->next )
-        {
-            if( x509_crt_check_cn( cur->buf.p, cur->buf.len,
-                                   cn, cn_len ) == 0 )
-                break;
-        }
+        const unsigned char *end =
+            crt->subject_alt_raw.p + crt->subject_alt_raw.len;
 
-        if( cur == NULL )
-            *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
+        ret = x509_subject_alt_name_traverse( crt->subject_alt_raw.p,
+                                              end,
+                                              x509_crt_subject_alt_check_name,
+                                              (void*) cn );
     }
     else
     {
-        int ret;
         ret = mbedtls_x509_name_cmp_raw( &crt->subject_raw_no_hdr,
                                          &crt->subject_raw_no_hdr,
                                          x509_crt_check_name, (void*) cn );
-        if( ret != 1 )
-            *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
     }
+
+    if( ret != 1 )
+        *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
 }
 
 /*