Factor one more occurrence of code into function

This may look like a behaviour change because one check has been added to the function that was previously done in only one of the 3 call sites. However it is not, because: - for the 2 call sites in verify(), the test always succeeds as path_cnt is 0. - for the call site in verify_child(), the same test was done later anyway in verify_top()
2025-11-04 04:32:24 -05:00 · 2017-06-29 12:38:42 +02:00 · 2017-06-29 12:38:42 +02:00 · 9c6118c498
commit 9c6118c498
parent 2f1c33dc33
1 changed files with 10 additions and 19 deletions
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@ -1904,13 +1904,18 @@ static mbedtls_x509_crt *x509_crt_find_parent( mbedtls_x509_crt *child,
 {
    mbedtls_x509_crt *parent;

-    (void) self_cnt;
-
    for( parent = candidates; parent != NULL; parent = parent->next )
    {
        if( x509_crt_check_parent( child, parent, top, path_cnt == 0 ) != 0 )
            continue;

+        /* +1 because stored max_pathlen is 1 higher that the actual value */
+        if( parent->max_pathlen > 0 &&
+            parent->max_pathlen < 1 + path_cnt - self_cnt )
+        {
+            continue;
+        }
+
        break;
    }

@ -2158,23 +2163,9 @@ static int x509_crt_verify_child(
    else
    {
        /* Look for a grandparent upwards the chain */
-        for( grandparent = parent->next;
-             grandparent != NULL;
-             grandparent = grandparent->next )
-        {
-            /* +2 because the current step is not yet accounted for
-             * and because max_pathlen is one higher than it should be.
-             * Also self signed certificates do not count to the limit. */
-            if( grandparent->max_pathlen > 0 &&
-                grandparent->max_pathlen < 2 + path_cnt - self_cnt )
-            {
-                continue;
-            }
-
-            if( x509_crt_check_parent( parent, grandparent,
-                                       0, path_cnt == 0 ) == 0 )
-                break;
-        }
+        /* path_cnt +1 because current step is not yet accounted for */
+        grandparent = x509_crt_find_parent( parent, parent->next, 0,
+                                            path_cnt + 1, self_cnt );

        /* Is our parent part of the chain or at the top? */
        if( grandparent != NULL )