mirrors-yuzu-emu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls synced 2024-11-24 13:18:10 +00:00
Code Issues Projects Releases Packages Wiki Activity

Improve handling of md errors in X.509

Browse source 
md() already checks for md_info == NULL. Also, in the future it might also
return other errors (eg hardware errors if acceleration is used), so it make
more sense to check its return value than to check for NULL ourselves and then
assume no other error can occur.

Also, currently, md_info == NULL can never happen except if the MD and OID modules
get out of sync, or if the user messes with members of the x509_crt structure
directly.

This commit does not change the current behaviour, which is to treat MD errors
the same way as a bad signature or no trusted root.
This commit is contained in:
Manuel Pégourié-Gonnard 2017-06-26 12:22:17 +02:00
parent a4a206e834
commit 329e78c7fa
1 changed files with 5 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
library/x509_crt.c
View file

@ -1675,17 +1675,13 @@ static int x509_crt_verifycrl( mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
flags |= MBEDTLS_X509_BADCRL_BAD_PK; flags |= MBEDTLS_X509_BADCRL_BAD_PK;
md_info = mbedtls_md_info_from_type( crl_list->sig_md ); md_info = mbedtls_md_info_from_type( crl_list->sig_md );
if( md_info == NULL ) if( mbedtls_md( md_info, crl_list->tbs.p, crl_list->tbs.len, hash ) != 0 )
{ {
/* /* Note: this can't happen except after an internal error */
* Cannot check 'unknown' hash
*/
flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED; flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
break; break;
} }
mbedtls_md( md_info, crl_list->tbs.p, crl_list->tbs.len, hash );
if( x509_profile_check_key( profile, crl_list->sig_pk, &ca->pk ) != 0 ) if( x509_profile_check_key( profile, crl_list->sig_pk, &ca->pk ) != 0 )
flags |= MBEDTLS_X509_BADCERT_BAD_KEY; flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
@ -1930,15 +1926,12 @@ static int x509_crt_verify_top(
*flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED; *flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED;
md_info = mbedtls_md_info_from_type( child->sig_md ); md_info = mbedtls_md_info_from_type( child->sig_md );
if( md_info == NULL ) if( mbedtls_md( md_info, child->tbs.p, child->tbs.len, hash ) != 0 )
{ {
/* /* Note: this can't happen except after an internal error */
* Cannot check 'unknown', no need to try any CA /* Cannot check signature, no need to try any CA */
*/
trust_ca = NULL; trust_ca = NULL;
} }
else
mbedtls_md( md_info, child->tbs.p, child->tbs.len, hash );
for( /* trust_ca */ ; trust_ca != NULL; trust_ca = trust_ca->next ) for( /* trust_ca */ ; trust_ca != NULL; trust_ca = trust_ca->next )
{ {