Rework type for verify chain

- create container with length + table
- make types public (will be needed in restart context)
This commit is contained in:
Manuel Pégourié-Gonnard 2017-08-14 17:17:14 +02:00
parent 18547b5db6
commit c11e4baa63
2 changed files with 44 additions and 37 deletions

View File

@ -142,6 +142,28 @@ typedef struct mbedtls_x509write_cert
} }
mbedtls_x509write_cert; mbedtls_x509write_cert;
/**
* Item in a verification chain: cert and flags for it
*/
typedef struct {
mbedtls_x509_crt *crt;
uint32_t flags;
} mbedtls_x509_crt_verify_chain_item;
/**
* Max size of verification chain: end-entity + intermediates + trusted root
*/
#define MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE ( MBEDTLS_X509_MAX_INTERMEDIATE_CA + 2 )
/**
* Verification chain as built by \c mbedtls_crt_verify_chain()
*/
typedef struct
{
mbedtls_x509_crt_verify_chain_item items[MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE];
size_t len;
} mbedtls_x509_crt_verify_chain;
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
/** /**

View File

@ -77,19 +77,6 @@
#endif /* !_WIN32 || EFIX64 || EFI32 */ #endif /* !_WIN32 || EFIX64 || EFI32 */
#endif #endif
/*
* Item in a verification chain: cert and flags for it
*/
typedef struct {
mbedtls_x509_crt *crt;
uint32_t flags;
} x509_crt_verify_chain_item;
/*
* Max size of verification chain: end-entity + intermediates + trusted root
*/
#define X509_MAX_VERIFY_CHAIN_SIZE ( MBEDTLS_X509_MAX_INTERMEDIATE_CA + 2 )
/* Implementation that should never be optimized out by the compiler */ /* Implementation that should never be optimized out by the compiler */
static void mbedtls_zeroize( void *v, size_t n ) { static void mbedtls_zeroize( void *v, size_t n ) {
volatile unsigned char *p = v; while( n-- ) *p++ = 0; volatile unsigned char *p = v; while( n-- ) *p++ = 0;
@ -2148,7 +2135,7 @@ static int x509_crt_check_ee_locally_trusted(
* - [in] crt: the cert list EE, C1, ..., Cn * - [in] crt: the cert list EE, C1, ..., Cn
* - [in] trust_ca: the trusted list R1, ..., Rp * - [in] trust_ca: the trusted list R1, ..., Rp
* - [in] ca_crl, profile: as in verify_with_profile() * - [in] ca_crl, profile: as in verify_with_profile()
* - [out] ver_chain, chain_len: the built and verified chain * - [out] ver_chain: the built and verified chain
* *
* Return value: * Return value:
* - non-zero if the chain could not be fully built and examined * - non-zero if the chain could not be fully built and examined
@ -2160,12 +2147,12 @@ static int x509_crt_verify_chain(
mbedtls_x509_crt *trust_ca, mbedtls_x509_crt *trust_ca,
mbedtls_x509_crl *ca_crl, mbedtls_x509_crl *ca_crl,
const mbedtls_x509_crt_profile *profile, const mbedtls_x509_crt_profile *profile,
x509_crt_verify_chain_item ver_chain[X509_MAX_VERIFY_CHAIN_SIZE], mbedtls_x509_crt_verify_chain *ver_chain,
size_t *chain_len,
mbedtls_x509_crt_restart_ctx *rs_ctx ) mbedtls_x509_crt_restart_ctx *rs_ctx )
{ {
int ret; int ret;
uint32_t *flags; uint32_t *flags;
mbedtls_x509_crt_verify_chain_item *cur;
mbedtls_x509_crt *child; mbedtls_x509_crt *child;
mbedtls_x509_crt *parent; mbedtls_x509_crt *parent;
int parent_is_trusted = 0; int parent_is_trusted = 0;
@ -2174,13 +2161,13 @@ static int x509_crt_verify_chain(
int self_cnt = 0; int self_cnt = 0;
child = crt; child = crt;
*chain_len = 0;
while( 1 ) { while( 1 ) {
/* Add certificate to the verification chain */ /* Add certificate to the verification chain */
ver_chain[*chain_len].crt = child; cur = &ver_chain->items[ver_chain->len];
flags = &ver_chain[*chain_len].flags; cur->crt = child;
++*chain_len; flags = &cur->flags;
ver_chain->len++;
/* Check time-validity (all certificates) */ /* Check time-validity (all certificates) */
if( mbedtls_x509_time_is_past( &child->valid_to ) ) if( mbedtls_x509_time_is_past( &child->valid_to ) )
@ -2201,7 +2188,7 @@ static int x509_crt_verify_chain(
*flags |= MBEDTLS_X509_BADCERT_BAD_PK; *flags |= MBEDTLS_X509_BADCERT_BAD_PK;
/* Special case: EE certs that are locally trusted */ /* Special case: EE certs that are locally trusted */
if( *chain_len == 1 && if( ver_chain->len == 1 &&
x509_crt_check_ee_locally_trusted( child, trust_ca ) == 0 ) x509_crt_check_ee_locally_trusted( child, trust_ca ) == 0 )
{ {
return( 0 ); return( 0 );
@ -2210,7 +2197,7 @@ static int x509_crt_verify_chain(
/* Look for a parent in trusted CAs or up the chain */ /* Look for a parent in trusted CAs or up the chain */
ret = x509_crt_find_parent( child, trust_ca, &parent, ret = x509_crt_find_parent( child, trust_ca, &parent,
&parent_is_trusted, &signature_is_good, &parent_is_trusted, &signature_is_good,
*chain_len - 1, self_cnt, rs_ctx ); ver_chain->len - 1, self_cnt, rs_ctx );
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS ) { if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS ) {
@ -2229,7 +2216,7 @@ static int x509_crt_verify_chain(
/* Count intermediate self-issued (not necessarily self-signed) certs. /* Count intermediate self-issued (not necessarily self-signed) certs.
* These can occur with some strategies for key rollover, see [SIRO], * These can occur with some strategies for key rollover, see [SIRO],
* and should be excluded from max_pathlen checks. */ * and should be excluded from max_pathlen checks. */
if( *chain_len != 1 && if( ver_chain->len != 1 &&
x509_name_cmp( &child->issuer, &child->subject ) == 0 ) x509_name_cmp( &child->issuer, &child->subject ) == 0 )
{ {
self_cnt++; self_cnt++;
@ -2238,7 +2225,7 @@ static int x509_crt_verify_chain(
/* path_cnt is 0 for the first intermediate CA, /* path_cnt is 0 for the first intermediate CA,
* and if parent is trusted it's not an intermediate CA */ * and if parent is trusted it's not an intermediate CA */
if( ! parent_is_trusted && if( ! parent_is_trusted &&
*chain_len > MBEDTLS_X509_MAX_INTERMEDIATE_CA ) ver_chain->len > MBEDTLS_X509_MAX_INTERMEDIATE_CA )
{ {
/* return immediately to avoid overflow the chain array */ /* return immediately to avoid overflow the chain array */
return( MBEDTLS_ERR_X509_FATAL_ERROR ); return( MBEDTLS_ERR_X509_FATAL_ERROR );
@ -2334,21 +2321,22 @@ static void x509_crt_verify_name( const mbedtls_x509_crt *crt,
*/ */
static int x509_crt_merge_flags_with_cb( static int x509_crt_merge_flags_with_cb(
uint32_t *flags, uint32_t *flags,
x509_crt_verify_chain_item ver_chain[X509_MAX_VERIFY_CHAIN_SIZE], const mbedtls_x509_crt_verify_chain *ver_chain,
size_t chain_len,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy ) void *p_vrfy )
{ {
int ret; int ret;
size_t i; size_t i;
uint32_t cur_flags; uint32_t cur_flags;
const mbedtls_x509_crt_verify_chain_item *cur;
for( i = chain_len; i != 0; --i ) for( i = ver_chain->len; i != 0; --i )
{ {
cur_flags = ver_chain[i-1].flags; cur = &ver_chain->items[i-1];
cur_flags = cur->flags;
if( NULL != f_vrfy ) if( NULL != f_vrfy )
if( ( ret = f_vrfy( p_vrfy, ver_chain[i-1].crt, i-1, &cur_flags ) ) != 0 ) if( ( ret = f_vrfy( p_vrfy, cur->crt, i-1, &cur_flags ) ) != 0 )
return( ret ); return( ret );
*flags |= cur_flags; *flags |= cur_flags;
@ -2408,13 +2396,11 @@ int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt,
{ {
int ret; int ret;
mbedtls_pk_type_t pk_type; mbedtls_pk_type_t pk_type;
x509_crt_verify_chain_item ver_chain[X509_MAX_VERIFY_CHAIN_SIZE]; mbedtls_x509_crt_verify_chain ver_chain;
size_t chain_len; uint32_t *ee_flags = &ver_chain.items[0].flags;
uint32_t *ee_flags = &ver_chain[0].flags;
*flags = 0; *flags = 0;
memset( ver_chain, 0, sizeof( ver_chain ) ); memset( &ver_chain, 0, sizeof( ver_chain ) );
chain_len = 0;
if( profile == NULL ) if( profile == NULL )
{ {
@ -2437,7 +2423,7 @@ int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt,
/* Check the chain */ /* Check the chain */
ret = x509_crt_verify_chain( crt, trust_ca, ca_crl, profile, ret = x509_crt_verify_chain( crt, trust_ca, ca_crl, profile,
ver_chain, &chain_len, rs_ctx ); &ver_chain, rs_ctx );
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS ) { if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS ) {
@ -2450,8 +2436,7 @@ int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt,
goto exit; goto exit;
/* Build final flags, calling callback on the way if any */ /* Build final flags, calling callback on the way if any */
ret = x509_crt_merge_flags_with_cb( flags, ret = x509_crt_merge_flags_with_cb( flags, &ver_chain, f_vrfy, p_vrfy );
ver_chain, chain_len, f_vrfy, p_vrfy );
exit: exit:
/* prevent misuse of the vrfy callback - VERIFY_FAILED would be ignored by /* prevent misuse of the vrfy callback - VERIFY_FAILED would be ignored by