From 8b543b3ca8defdba08e64a6f3ba359fd05ba5bda Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 21 Feb 2019 11:50:44 +0000 Subject: [PATCH] Make use of abort condition callback in CN comparison The previous CN name comparison function x509_crt_verify_name() traversed the dynamically allocated linked list presentation of the CRT's subject, comparing each entry to the desired hostname configured by the application code. Eventually, we want to get rid of the linked list presentation of the CRT's subject to save both code and RAM usage, and hence need to rewrite the CN verification routine in a way that builds on the raw ASN.1 subject data only. In order to avoid duplicating the code for the parsing of the nested ASN.1 name structure, this commit performs the name search by using the existing name traversal function mbedtls_x509_name_cmp_raw(), passing to it a callback which checks whether the current name component matches the desired hostname. --- library/x509_crt.c | 36 +++++++++++++++++++++++++----------- 1 file changed, 25 insertions(+), 11 deletions(-) diff --git a/library/x509_crt.c b/library/x509_crt.c index 85bccedcb..1d5bedc78 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -2369,6 +2369,26 @@ static int x509_crt_check_cn( const mbedtls_x509_buf *name, return( -1 ); } +/* Returns 1 on a match and 0 on a mismatch. + * This is because this function is used as a callback for + * mbedtls_x509_name_cmp_raw(), which continues the name + * traversal as long as the callback returns 0. */ +static int x509_crt_check_name( void *ctx, + mbedtls_x509_buf *oid, + mbedtls_x509_buf *val ) +{ + char const *cn = (char const*) ctx; + size_t cn_len = strlen( cn ); + + if( MBEDTLS_OID_CMP( MBEDTLS_OID_AT_CN, oid ) == 0 && + x509_crt_check_cn( val, cn, cn_len ) == 0 ) + { + return( 1 ); + } + + return( 0 ); +} + /* * Verify the requested CN - only call this if cn is not NULL! */ @@ -2376,7 +2396,6 @@ static void x509_crt_verify_name( const mbedtls_x509_crt *crt, const char *cn, uint32_t *flags ) { - const mbedtls_x509_name *name; const mbedtls_x509_sequence *cur; size_t cn_len = strlen( cn ); @@ -2393,16 +2412,11 @@ static void x509_crt_verify_name( const mbedtls_x509_crt *crt, } else { - for( name = &crt->subject; name != NULL; name = name->next ) - { - if( MBEDTLS_OID_CMP( MBEDTLS_OID_AT_CN, &name->oid ) == 0 && - x509_crt_check_cn( &name->val, cn, cn_len ) == 0 ) - { - break; - } - } - - if( name == NULL ) + int ret; + ret = mbedtls_x509_name_cmp_raw( &crt->subject_raw_no_hdr, + &crt->subject_raw_no_hdr, + x509_crt_check_name, (void*) cn ); + if( ret != 1 ) *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH; } }