mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-23 11:55:41 +01:00
Make use of abort condition callback in CN comparison
The previous CN name comparison function x509_crt_verify_name() traversed the dynamically allocated linked list presentation of the CRT's subject, comparing each entry to the desired hostname configured by the application code. Eventually, we want to get rid of the linked list presentation of the CRT's subject to save both code and RAM usage, and hence need to rewrite the CN verification routine in a way that builds on the raw ASN.1 subject data only. In order to avoid duplicating the code for the parsing of the nested ASN.1 name structure, this commit performs the name search by using the existing name traversal function mbedtls_x509_name_cmp_raw(), passing to it a callback which checks whether the current name component matches the desired hostname.
This commit is contained in:
parent
67284cce00
commit
8b543b3ca8
@ -2369,6 +2369,26 @@ static int x509_crt_check_cn( const mbedtls_x509_buf *name,
|
||||
return( -1 );
|
||||
}
|
||||
|
||||
/* Returns 1 on a match and 0 on a mismatch.
|
||||
* This is because this function is used as a callback for
|
||||
* mbedtls_x509_name_cmp_raw(), which continues the name
|
||||
* traversal as long as the callback returns 0. */
|
||||
static int x509_crt_check_name( void *ctx,
|
||||
mbedtls_x509_buf *oid,
|
||||
mbedtls_x509_buf *val )
|
||||
{
|
||||
char const *cn = (char const*) ctx;
|
||||
size_t cn_len = strlen( cn );
|
||||
|
||||
if( MBEDTLS_OID_CMP( MBEDTLS_OID_AT_CN, oid ) == 0 &&
|
||||
x509_crt_check_cn( val, cn, cn_len ) == 0 )
|
||||
{
|
||||
return( 1 );
|
||||
}
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
/*
|
||||
* Verify the requested CN - only call this if cn is not NULL!
|
||||
*/
|
||||
@ -2376,7 +2396,6 @@ static void x509_crt_verify_name( const mbedtls_x509_crt *crt,
|
||||
const char *cn,
|
||||
uint32_t *flags )
|
||||
{
|
||||
const mbedtls_x509_name *name;
|
||||
const mbedtls_x509_sequence *cur;
|
||||
size_t cn_len = strlen( cn );
|
||||
|
||||
@ -2393,16 +2412,11 @@ static void x509_crt_verify_name( const mbedtls_x509_crt *crt,
|
||||
}
|
||||
else
|
||||
{
|
||||
for( name = &crt->subject; name != NULL; name = name->next )
|
||||
{
|
||||
if( MBEDTLS_OID_CMP( MBEDTLS_OID_AT_CN, &name->oid ) == 0 &&
|
||||
x509_crt_check_cn( &name->val, cn, cn_len ) == 0 )
|
||||
{
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if( name == NULL )
|
||||
int ret;
|
||||
ret = mbedtls_x509_name_cmp_raw( &crt->subject_raw_no_hdr,
|
||||
&crt->subject_raw_no_hdr,
|
||||
x509_crt_check_name, (void*) cn );
|
||||
if( ret != 1 )
|
||||
*flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
|
||||
}
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user