Adapt function signatures to rs_ctx + ret
This commit is contained in:
parent
be4ff42fe4
commit
a4a5d1dbe6
1 changed files with 105 additions and 42 deletions
|
@ -1866,7 +1866,8 @@ static int x509_name_cmp( const mbedtls_x509_name *a, const mbedtls_x509_name *b
|
||||||
* Check the signature of a certificate by its parent
|
* Check the signature of a certificate by its parent
|
||||||
*/
|
*/
|
||||||
static int x509_crt_check_signature( const mbedtls_x509_crt *child,
|
static int x509_crt_check_signature( const mbedtls_x509_crt *child,
|
||||||
mbedtls_x509_crt *parent )
|
mbedtls_x509_crt *parent,
|
||||||
|
mbedtls_x509_crt_restart_ctx *rs_ctx )
|
||||||
{
|
{
|
||||||
const mbedtls_md_info_t *md_info;
|
const mbedtls_md_info_t *md_info;
|
||||||
unsigned char hash[MBEDTLS_MD_MAX_SIZE];
|
unsigned char hash[MBEDTLS_MD_MAX_SIZE];
|
||||||
|
@ -1878,14 +1879,24 @@ static int x509_crt_check_signature( const mbedtls_x509_crt *child,
|
||||||
return( -1 );
|
return( -1 );
|
||||||
}
|
}
|
||||||
|
|
||||||
if( mbedtls_pk_verify_ext( child->sig_pk, child->sig_opts, &parent->pk,
|
/* Skip expensive computation on obvious mismatch */
|
||||||
child->sig_md, hash, mbedtls_md_get_size( md_info ),
|
if( ! mbedtls_pk_can_do( &parent->pk, child->sig_pk ) )
|
||||||
child->sig.p, child->sig.len ) != 0 )
|
|
||||||
{
|
|
||||||
return( -1 );
|
return( -1 );
|
||||||
}
|
|
||||||
|
|
||||||
return( 0 );
|
#if defined(MBEDTLS_ECP_RESTARTABLE)
|
||||||
|
if( rs_ctx != NULL && child->sig_pk == MBEDTLS_PK_ECDSA )
|
||||||
|
{
|
||||||
|
return( mbedtls_pk_verify_restartable( &parent->pk,
|
||||||
|
child->sig_md, hash, mbedtls_md_get_size( md_info ),
|
||||||
|
child->sig.p, child->sig.len, &rs_ctx->ecdsa ) );
|
||||||
|
}
|
||||||
|
#else
|
||||||
|
(void) rs_ctx;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
return( mbedtls_pk_verify_ext( child->sig_pk, child->sig_opts, &parent->pk,
|
||||||
|
child->sig_md, hash, mbedtls_md_get_size( md_info ),
|
||||||
|
child->sig.p, child->sig.len ) );
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -1952,17 +1963,19 @@ static int x509_crt_check_parent( const mbedtls_x509_crt *child,
|
||||||
* rely on key identifier extensions). (This is one way users might choose to
|
* rely on key identifier extensions). (This is one way users might choose to
|
||||||
* handle key rollover, another relies on self-issued certs, see [SIRO].)
|
* handle key rollover, another relies on self-issued certs, see [SIRO].)
|
||||||
*/
|
*/
|
||||||
static mbedtls_x509_crt *x509_crt_find_parent_in( mbedtls_x509_crt *child,
|
static int x509_crt_find_parent_in(
|
||||||
mbedtls_x509_crt *candidates,
|
mbedtls_x509_crt *child,
|
||||||
int *signature_is_good,
|
mbedtls_x509_crt *candidates,
|
||||||
int top,
|
mbedtls_x509_crt **r_parent,
|
||||||
int path_cnt,
|
int *r_signature_is_good,
|
||||||
int self_cnt )
|
int top,
|
||||||
|
int path_cnt,
|
||||||
|
int self_cnt,
|
||||||
|
mbedtls_x509_crt_restart_ctx *rs_ctx )
|
||||||
{
|
{
|
||||||
|
int ret;
|
||||||
mbedtls_x509_crt *parent, *fallback_parent = NULL;
|
mbedtls_x509_crt *parent, *fallback_parent = NULL;
|
||||||
int fallback_sign_good = 0;
|
int signature_is_good = 0, fallback_sign_good = 0;
|
||||||
|
|
||||||
*signature_is_good = 0;
|
|
||||||
|
|
||||||
for( parent = candidates; parent != NULL; parent = parent->next )
|
for( parent = candidates; parent != NULL; parent = parent->next )
|
||||||
{
|
{
|
||||||
|
@ -1978,8 +1991,17 @@ static mbedtls_x509_crt *x509_crt_find_parent_in( mbedtls_x509_crt *child,
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Signature */
|
/* Signature */
|
||||||
*signature_is_good = x509_crt_check_signature( child, parent ) == 0;
|
ret = x509_crt_check_signature( child, parent, rs_ctx );
|
||||||
if( top && ! *signature_is_good )
|
|
||||||
|
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
|
||||||
|
if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS ) {
|
||||||
|
// TODO: stave state
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
|
||||||
|
|
||||||
|
signature_is_good = ret == 0;
|
||||||
|
if( top && ! signature_is_good )
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
/* optional time check */
|
/* optional time check */
|
||||||
|
@ -1989,7 +2011,7 @@ static mbedtls_x509_crt *x509_crt_find_parent_in( mbedtls_x509_crt *child,
|
||||||
if( fallback_parent == NULL )
|
if( fallback_parent == NULL )
|
||||||
{
|
{
|
||||||
fallback_parent = parent;
|
fallback_parent = parent;
|
||||||
fallback_sign_good = *signature_is_good;
|
fallback_sign_good = signature_is_good;
|
||||||
}
|
}
|
||||||
|
|
||||||
continue;
|
continue;
|
||||||
|
@ -1998,13 +2020,18 @@ static mbedtls_x509_crt *x509_crt_find_parent_in( mbedtls_x509_crt *child,
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
if( parent == NULL )
|
if( parent != NULL )
|
||||||
{
|
{
|
||||||
parent = fallback_parent;
|
*r_parent = parent;
|
||||||
*signature_is_good = fallback_sign_good;
|
*r_signature_is_good = signature_is_good;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
*r_parent = fallback_parent;
|
||||||
|
*r_signature_is_good = fallback_sign_good;
|
||||||
}
|
}
|
||||||
|
|
||||||
return parent;
|
return( 0 );
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -2013,27 +2040,48 @@ static mbedtls_x509_crt *x509_crt_find_parent_in( mbedtls_x509_crt *child,
|
||||||
* Searches in trusted CAs first, and return the first suitable parent found
|
* Searches in trusted CAs first, and return the first suitable parent found
|
||||||
* (see find_parent_in() for definition of suitable).
|
* (see find_parent_in() for definition of suitable).
|
||||||
*/
|
*/
|
||||||
static mbedtls_x509_crt *x509_crt_find_parent( mbedtls_x509_crt *child,
|
static int x509_crt_find_parent(
|
||||||
mbedtls_x509_crt *trust_ca,
|
mbedtls_x509_crt *child,
|
||||||
int *parent_is_trusted,
|
mbedtls_x509_crt *trust_ca,
|
||||||
int *signature_is_good,
|
mbedtls_x509_crt **parent,
|
||||||
int path_cnt,
|
int *parent_is_trusted,
|
||||||
int self_cnt )
|
int *signature_is_good,
|
||||||
|
int path_cnt,
|
||||||
|
int self_cnt,
|
||||||
|
mbedtls_x509_crt_restart_ctx *rs_ctx )
|
||||||
{
|
{
|
||||||
mbedtls_x509_crt *parent;
|
int ret;
|
||||||
|
|
||||||
/* Look for a parent in trusted CAs */
|
/* Look for a parent in trusted CAs */
|
||||||
*parent_is_trusted = 1;
|
*parent_is_trusted = 1;
|
||||||
parent = x509_crt_find_parent_in( child, trust_ca, signature_is_good,
|
ret = x509_crt_find_parent_in( child, trust_ca,
|
||||||
1, path_cnt, self_cnt );
|
parent, signature_is_good,
|
||||||
|
1, path_cnt, self_cnt, rs_ctx );
|
||||||
|
|
||||||
if( parent != NULL )
|
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
|
||||||
return parent;
|
if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS ) {
|
||||||
|
// TODO: stave state
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
|
||||||
|
|
||||||
|
if( *parent != NULL )
|
||||||
|
return( 0 );
|
||||||
|
|
||||||
/* Look for a parent upwards the chain */
|
/* Look for a parent upwards the chain */
|
||||||
*parent_is_trusted = 0;
|
*parent_is_trusted = 0;
|
||||||
return( x509_crt_find_parent_in( child, child->next, signature_is_good,
|
ret = x509_crt_find_parent_in( child, child->next,
|
||||||
0, path_cnt, self_cnt ) );
|
parent, signature_is_good,
|
||||||
|
0, path_cnt, self_cnt, rs_ctx );
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
|
||||||
|
if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS ) {
|
||||||
|
// TODO: stave state
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
|
||||||
|
|
||||||
|
return( 0 );
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -2109,8 +2157,10 @@ static int x509_crt_verify_chain(
|
||||||
mbedtls_x509_crl *ca_crl,
|
mbedtls_x509_crl *ca_crl,
|
||||||
const mbedtls_x509_crt_profile *profile,
|
const mbedtls_x509_crt_profile *profile,
|
||||||
x509_crt_verify_chain_item ver_chain[X509_MAX_VERIFY_CHAIN_SIZE],
|
x509_crt_verify_chain_item ver_chain[X509_MAX_VERIFY_CHAIN_SIZE],
|
||||||
size_t *chain_len )
|
size_t *chain_len,
|
||||||
|
mbedtls_x509_crt_restart_ctx *rs_ctx )
|
||||||
{
|
{
|
||||||
|
int ret;
|
||||||
uint32_t *flags;
|
uint32_t *flags;
|
||||||
mbedtls_x509_crt *child;
|
mbedtls_x509_crt *child;
|
||||||
mbedtls_x509_crt *parent;
|
mbedtls_x509_crt *parent;
|
||||||
|
@ -2154,9 +2204,16 @@ static int x509_crt_verify_chain(
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Look for a parent in trusted CAs or up the chain */
|
/* Look for a parent in trusted CAs or up the chain */
|
||||||
parent = x509_crt_find_parent( child, trust_ca,
|
ret = x509_crt_find_parent( child, trust_ca, &parent,
|
||||||
&parent_is_trusted, &signature_is_good,
|
&parent_is_trusted, &signature_is_good,
|
||||||
*chain_len - 1, self_cnt );
|
*chain_len - 1, self_cnt, rs_ctx );
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
|
||||||
|
if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS ) {
|
||||||
|
// TODO: stave state
|
||||||
|
return( ret );
|
||||||
|
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
|
||||||
|
}
|
||||||
|
|
||||||
/* No parent? We're done here */
|
/* No parent? We're done here */
|
||||||
if( parent == NULL )
|
if( parent == NULL )
|
||||||
|
@ -2351,8 +2408,6 @@ int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt,
|
||||||
size_t chain_len;
|
size_t chain_len;
|
||||||
uint32_t *ee_flags = &ver_chain[0].flags;
|
uint32_t *ee_flags = &ver_chain[0].flags;
|
||||||
|
|
||||||
(void) rs_ctx;
|
|
||||||
|
|
||||||
*flags = 0;
|
*flags = 0;
|
||||||
memset( ver_chain, 0, sizeof( ver_chain ) );
|
memset( ver_chain, 0, sizeof( ver_chain ) );
|
||||||
chain_len = 0;
|
chain_len = 0;
|
||||||
|
@ -2378,7 +2433,15 @@ int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt,
|
||||||
|
|
||||||
/* Check the chain */
|
/* Check the chain */
|
||||||
ret = x509_crt_verify_chain( crt, trust_ca, ca_crl, profile,
|
ret = x509_crt_verify_chain( crt, trust_ca, ca_crl, profile,
|
||||||
ver_chain, &chain_len );
|
ver_chain, &chain_len, rs_ctx );
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
|
||||||
|
if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS ) {
|
||||||
|
// TODO: stave state
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
|
||||||
|
|
||||||
if( ret != 0 )
|
if( ret != 0 )
|
||||||
goto exit;
|
goto exit;
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue