cuberite/polarssl
1
0
Fork 0
mirror of https://github.com/cuberite/polarssl.git synced 2025-11-04 04:32:24 -05:00
Code Issues Packages Projects Releases Wiki Activity

Don't search twice for a non-existing parent

Browse Source
This commit is contained in:
Manuel Pégourié-Gonnard 2017-06-29 11:47:06 +02:00
parent b8acfd2ba8
commit c61e5c9304
1 changed files with 11 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
library/x509_crt.c
View File

@ -1906,13 +1906,13 @@ static int x509_crt_check_parent( const mbedtls_x509_crt *child,
* - this happens in cases 1, 2 and 3 of the comment on verify() * - this happens in cases 1, 2 and 3 of the comment on verify()
* - case 1 is special as child and trust_ca point to copies of the same * - case 1 is special as child and trust_ca point to copies of the same
* certificate then * certificate then
* - child was found to have no parent either in the chain or in trusted CAs * - child was found to have no parent either in the chain or in trusted CAs,
* in which case we're called with trust_ca set to NULL
* - this is cases 4 and 5 of the comment on verify() * - this is cases 4 and 5 of the comment on verify()
* *
* For historical reasons, the function currently does not assume that * For historical reasons, the function currently does not assume that
* trust_ca points directly to the right root in the first case, and it * trust_ca points directly to the right root in the first case, so it always
* doesn't know in which case it starts, so it always starts by searching for * starts by searching for a parent in trust_ca.
* a parent in trust_ca.
*/ */
static int x509_crt_verify_top( static int x509_crt_verify_top(
mbedtls_x509_crt *child, mbedtls_x509_crt *trust_ca, mbedtls_x509_crt *child, mbedtls_x509_crt *trust_ca,
@ -1946,6 +1946,10 @@ static int x509_crt_verify_top(
*/ */
*flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED; *flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED;
/* Special case #1: no root, stop here */
if( trust_ca == NULL )
goto callback;
md_info = mbedtls_md_info_from_type( child->sig_md ); md_info = mbedtls_md_info_from_type( child->sig_md );
if( mbedtls_md( md_info, child->tbs.p, child->tbs.len, hash ) != 0 ) if( mbedtls_md( md_info, child->tbs.p, child->tbs.len, hash ) != 0 )
{ {
@ -2042,6 +2046,7 @@ static int x509_crt_verify_top(
} }
} }
callback:
/* Call callback on top cert */ /* Call callback on top cert */
if( NULL != f_vrfy ) if( NULL != f_vrfy )
{ {
@ -2173,7 +2178,7 @@ static int x509_crt_verify_child(
} }
else else
{ {
ret = x509_crt_verify_top( parent, trust_ca, ca_crl, profile, ret = x509_crt_verify_top( parent, NULL, ca_crl, profile,
path_cnt + 1, self_cnt, &parent_flags, path_cnt + 1, self_cnt, &parent_flags,
f_vrfy, p_vrfy ); f_vrfy, p_vrfy );
if( ret != 0 ) if( ret != 0 )
@ -2349,7 +2354,7 @@ int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
} }
else else
{ {
ret = x509_crt_verify_top( crt, trust_ca, ca_crl, profile, ret = x509_crt_verify_top( crt, NULL, ca_crl, profile,
pathlen, selfsigned, flags, f_vrfy, p_vrfy ); pathlen, selfsigned, flags, f_vrfy, p_vrfy );
if( ret != 0 ) if( ret != 0 )
goto exit; goto exit;