Merge remote-tracking branch 'restricted/pr/584' into baremetal-proposed

* restricted/pr/584: (140 commits) Remove superfluous new line in x509.c Add comment about X.509 name comparison of buffer with itself [Fixup] Add missing PK release call in Cert Verify parsing Fix guard controlling whether nested acquire calls are allowed Add X.509 CRT test for nested calls for CRT frame / PK acquire Don't return threading error on release()-without-acquire() calls Don't allow nested CRT acquire()-calls if MBEDTLS_X509_ALWAYS_FLUSH Make X.509 CRT cache reference counting unconditional Remove memory buffer alloc from i386 test in all.sh Don't mention pk_sign() in the context of public-key contexts Don't use assertion for failures of mbedtls_x509_crt_x_acquire() Fix copy pasta in x509_crt.h Reference copy-less versions of X.509 CRT frame/PK getters x509_crt.c: Add blank line to increase readability [FIXUP] Fix bug in ASN.1 traversal of silently ignored tag [FIXUP] Fix typo in declaration of mbedtls_x509_memcasecmp() Move signature-info extraction out of MBEDTLS_X509_REMOVE_INFO Fix certificate validity checking logic to work with !TIME_DATE Simplify X.509 CRT version check in UID parsing Remove unused variable warning in on-demand X.509 parsing ...
2026-04-04 14:08:39 +00:00 · 2019-07-03 10:03:45 +02:00 · 2019-07-03 10:03:45 +02:00 · 417d2ce076
commit 417d2ce076
parent 4e24c449e2 b1d720c016
37 changed files with 3518 additions and 1120 deletions
--- a/programs/ssl/query_config.c
+++ b/programs/ssl/query_config.c
@ -1466,6 +1466,22 @@ int query_config( const char *config )
    }
 #endif /* MBEDTLS_VERSION_FEATURES */

+#if defined(MBEDTLS_X509_ON_DEMAND_PARSING)
+    if( strcmp( "MBEDTLS_X509_ON_DEMAND_PARSING", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_X509_ON_DEMAND_PARSING );
+        return( 0 );
+    }
+#endif /* MBEDTLS_X509_ON_DEMAND_PARSING */
+
+#if defined(MBEDTLS_X509_ALWAYS_FLUSH)
+    if( strcmp( "MBEDTLS_X509_ALWAYS_FLUSH", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_X509_ALWAYS_FLUSH );
+        return( 0 );
+    }
+#endif /* MBEDTLS_X509_ALWAYS_FLUSH */
+
 #if defined(MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3)
    if( strcmp( "MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3", config ) == 0 )
    {
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@ -1067,6 +1067,7 @@ static int ssl_async_start( mbedtls_ssl_context *ssl,
                            const unsigned char *input,
                            size_t input_len )
 {
+    int ret;
    ssl_async_key_context_t *config_data =
        mbedtls_ssl_conf_get_async_config_data( ssl->conf );
    unsigned slot;
@ -1075,9 +1076,17 @@ static int ssl_async_start( mbedtls_ssl_context *ssl,

    {
        char dn[100];
-        if( mbedtls_x509_dn_gets( dn, sizeof( dn ), &cert->subject ) > 0 )
+        mbedtls_x509_name *subject;
+
+        ret = mbedtls_x509_crt_get_subject( cert, &subject );
+        if( ret != 0 )
+            return( ret );
+
+        if( mbedtls_x509_dn_gets( dn, sizeof( dn ), subject ) > 0 )
            mbedtls_printf( "Async %s callback: looking for DN=%s\n",
                            op_name, dn );
+
+        mbedtls_x509_name_free( subject );
    }

    /* Look for a private key that matches the public key in cert.
@ -1086,8 +1095,14 @@ static int ssl_async_start( mbedtls_ssl_context *ssl,
     * public key. */
    for( slot = 0; slot < config_data->slots_used; slot++ )
    {
-        if( mbedtls_pk_check_pair( &cert->pk,
-                                   config_data->slots[slot].pk ) == 0 )
+        mbedtls_pk_context *pk;
+        int match;
+        ret = mbedtls_x509_crt_pk_acquire( cert, &pk );
+        if( ret != 0 )
+            return( ret );
+        match = mbedtls_pk_check_pair( pk, config_data->slots[slot].pk );
+        mbedtls_x509_crt_pk_release( cert );
+        if( match == 0 )
            break;
    }
    if( slot == config_data->slots_used )