That is when it cannot sort the list and GNUTLS_X509_CRT_LIST_SORT is specified.
* #gnutls_pcert_st structure. The structure must be deinitialized
* afterwards using gnutls_pcert_deinit();
*
+ * In the case %GNUTLS_X509_CRT_LIST_SORT is specified and that
+ * function cannot sort the list, %GNUTLS_E_CERTIFICATE_LIST_UNSORTED
+ * will be returned. Currently sorting can fail if the list size
+ * exceeds an internal constraint (16).
+ *
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
*
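Review bot: The new paragraph says %GNUTLS_E_CERTIFICATE_LIST_UNSORTED is returned when the function "cannot sort the list", but in the accompanying code change the list is not sorted at all once it exceeds the bound; it is only checked to already be in issuer order, and a long list that happens to be ordered is accepted as-is. The literal `(16)` also duplicates the value of the `DEFAULT_MAX_VERIFY_DEPTH` macro the code compares against, so the comment goes stale silently if that macro changes. Suggest ` * If %GNUTLS_X509_CRT_LIST_SORT is given and the list is longer than the internal sorting limit (DEFAULT_MAX_VERIFY_DEPTH), it is not reordered; it must already be in leaf-to-root order or %GNUTLS_E_CERTIFICATE_LIST_UNSORTED is returned.` The doc comment this hunk extends begins outside the hunk.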
gnutls_x509_crt_t *s;
s = crt;
- if (flags & GNUTLS_X509_CRT_LIST_SORT && *ncrt > 1 && *ncrt < DEFAULT_MAX_VERIFY_DEPTH) {
- s = _gnutls_sort_clist(sorted, crt, ncrt, NULL);
- if (s == crt) {
- gnutls_assert();
- return GNUTLS_E_UNIMPLEMENTED_FEATURE;
+
+ if (flags & GNUTLS_X509_CRT_LIST_SORT && *ncrt > 1) {
+ if (*ncrt > DEFAULT_MAX_VERIFY_DEPTH) {
+ ret = _gnutls_check_if_sorted(crt, *ncrt);
+ if (ret < 0) {
+ gnutls_assert();
+ return GNUTLS_E_CERTIFICATE_LIST_UNSORTED;
+ }
+ } else {
+ s = _gnutls_sort_clist(sorted, crt, ncrt, NULL);
+ if (s == crt) {
+ gnutls_assert();
+ return GNUTLS_E_UNIMPLEMENTED_FEATURE;
+ }
}
}
return 0;
}
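Review bot: The failure path of `_gnutls_sort_clist()` (the `s == crt` branch) still returns `GNUTLS_E_UNIMPLEMENTED_FEATURE`, while the documentation added in this commit tells callers to expect `GNUTLS_E_CERTIFICATE_LIST_UNSORTED` whenever sorting does not happen; either return `gnutls_assert_val(GNUTLS_E_CERTIFICATE_LIST_UNSORTED)` there too or document both codes. Note also that the boundary moved: the old condition required `*ncrt < DEFAULT_MAX_VERIFY_DEPTH`, whereas the new `else` branch also sends `*ncrt == DEFAULT_MAX_VERIFY_DEPTH` into `_gnutls_sort_clist()`, which is only safe if the `sorted` array has DEFAULT_MAX_VERIFY_DEPTH slots and the sorter accepts a list of exactly that size — both are declared outside this hunk and should be confirmed. The function's head, including the declaration of `ret` used on the new `_gnutls_check_if_sorted` line, is outside the hunk as well.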
-static int check_if_sorted(gnutls_pcert_st * crt, int nr)
-{
- gnutls_x509_crt_t x509;
- gnutls_x509_crt_t prev = NULL;
- int i, ret;
-
- /* check if the X.509 list is ordered */
- if (nr > 1 && crt[0].type == GNUTLS_CRT_X509) {
-
- for (i = 0; i < nr; i++) {
- ret = gnutls_x509_crt_init(&x509);
- if (ret < 0)
- return gnutls_assert_val(ret);
- ret =
- gnutls_x509_crt_import(x509, &crt[i].cert,
- GNUTLS_X509_FMT_DER);
- if (ret < 0) {
- ret = gnutls_assert_val(ret);
- goto cleanup;
- }
-
- if (i > 0) {
- if (gnutls_x509_crt_check_issuer(prev, x509) == 0) {
- ret =
- gnutls_assert_val
- (GNUTLS_E_CERTIFICATE_LIST_UNSORTED);
- goto cleanup;
- }
-
- gnutls_x509_crt_deinit(prev);
- }
-
- prev = x509;
- }
- gnutls_x509_crt_deinit(prev);
- }
-
- return 0;
-
-cleanup:
- gnutls_x509_crt_deinit(prev);
- gnutls_x509_crt_deinit(x509);
- return ret;
-}
-
int
certificate_credential_append_crt_list(gnutls_certificate_credentials_t
res, gnutls_str_array_t names,
{
int ret;
- ret = check_if_sorted(crt, nr);
- if (ret < 0)
- return gnutls_assert_val(ret);
-
res->certs = gnutls_realloc_fast(res->certs,
(1 + res->ncerts) *
sizeof(certs_st));
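Review bot: The ordering check on the pcert list is removed from `certificate_credential_append_crt_list()` with no replacement visible in this hunk, so a caller that assembles a chain itself (rather than importing it with GNUTLS_X509_CRT_LIST_SORT or FAIL_IF_UNSORTED) can now store an out-of-order chain that will be sent to peers as-is. If every path into this function is indeed guaranteed sorted by the importer, that contract should be written down at the call site, e.g. `/* The chain must already be in leaf-to-root order; callers obtain that via gnutls_pcert_list_import_x509_raw() with GNUTLS_X509_CRT_LIST_SORT. */`; otherwise a DN-based check equivalent to the one deleted above should stay here. The function's parameter list and body continue outside the hunk.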
return sorted;
}
+
+int _gnutls_check_if_sorted(gnutls_x509_crt_t * crt, int nr)
+{
+ void *prev_dn = NULL;
+ void *dn;
+ size_t prev_dn_size = 0, dn_size;
+ int i, ret;
+
+ /* check if the X.509 list is ordered */
+ if (nr > 1) {
+ for (i = 0; i < nr; i++) {
+ if (i > 0) {
+ dn = crt[i]->raw_dn.data;
+ dn_size = crt[i]->raw_dn.size;
+
+ if (dn_size != prev_dn_size
+ || memcmp(dn, prev_dn, dn_size) != 0) {
+ ret =
+ gnutls_assert_val
+ (GNUTLS_E_CERTIFICATE_LIST_UNSORTED);
+ goto cleanup;
+ }
+ }
+
+ prev_dn = crt[i]->raw_issuer_dn.data;
+ prev_dn_size = crt[i]->raw_issuer_dn.size;
+ }
+ }
+ ret = 0;
+
+cleanup:
+ return ret;
+}
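Review bot: `_gnutls_check_if_sorted()` is added without a comment stating what "sorted" means here, and it is weaker than the pcert version it replaces: the old code used `gnutls_x509_crt_check_issuer()`, whereas this one only compares the raw subject DN of each certificate with the raw issuer DN of the previous one, so a callers still need full chain verification afterwards — that should be said at the definition. The `ret`/`goto cleanup` indirection does nothing (the label only returns), the `i == 0` iteration is a no-op, and two zero-sized DNs pass `memcmp(NULL, NULL, 0)` which is formally undefined; starting the loop at 1 and comparing `crt[i]` with `crt[i - 1]` directly removes all of that. The `int nr` parameter also receives `unsigned int` counts from both callers (`*ncrt`, `*cert_max`); consider `unsigned int nr`, or at least document the expectation that `nr` is small.

```c
/* Returns 0 when each certificate's subject DN equals the issuer DN of the
 * certificate before it (i.e. the list runs leaf to root), otherwise
 * GNUTLS_E_CERTIFICATE_LIST_UNSORTED. Only DNs are compared; no signature
 * or key-identifier check is performed here. */
int _gnutls_check_if_sorted(gnutls_x509_crt_t * crt, int nr)
{
	int i;

	for (i = 1; i < nr; i++) {
		if (crt[i]->raw_dn.size != crt[i - 1]->raw_issuer_dn.size ||
		    memcmp(crt[i]->raw_dn.data, crt[i - 1]->raw_issuer_dn.data,
			   crt[i]->raw_dn.size) != 0)
			return gnutls_assert_val(GNUTLS_E_CERTIFICATE_LIST_UNSORTED);
	}

	return 0;
}
```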
unsigned int *clist_size,
gnutls_cert_vfunc func);
+int _gnutls_check_if_sorted(gnutls_x509_crt_t * crt, int nr);
+
#endif
return 0;
}
-static int check_if_sorted(gnutls_x509_crt_t * crt, int nr)
-{
- void *prev_dn = NULL;
- void *dn;
- size_t prev_dn_size = 0, dn_size;
- int i, ret;
-
- /* check if the X.509 list is ordered */
- if (nr > 1) {
- for (i = 0; i < nr; i++) {
- if (i > 0) {
- dn = crt[i]->raw_dn.data;
- dn_size = crt[i]->raw_dn.size;
-
- if (dn_size != prev_dn_size
- || memcmp(dn, prev_dn, dn_size) != 0) {
- ret =
- gnutls_assert_val
- (GNUTLS_E_CERTIFICATE_LIST_UNSORTED);
- goto cleanup;
- }
- }
-
- prev_dn = crt[i]->raw_issuer_dn.data;
- prev_dn_size = crt[i]->raw_issuer_dn.size;
- }
- }
- ret = 0;
-
-cleanup:
- return ret;
-}
-
-
/**
* gnutls_x509_crt_list_import:
* @certs: The structures to store the parsed certificate. Must not be initialized.
}
if (flags & GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED) {
- ret = check_if_sorted(certs, *cert_max);
+ ret = _gnutls_check_if_sorted(certs, *cert_max);
if (ret < 0) {
gnutls_assert();
goto error;