22 #if defined(MBEDTLS_X509_CRT_PARSE_C)
31 #if defined(MBEDTLS_PEM_PARSE_C)
35 #if defined(MBEDTLS_USE_PSA_CRYPTO)
44 #if defined(MBEDTLS_THREADING_C)
48 #if defined(MBEDTLS_HAVE_TIME)
49 #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
57 #if defined(MBEDTLS_FS_IO)
59 #if !defined(_WIN32) || defined(EFIX64) || defined(EFI32)
62 #if defined(__MBED__)
94 #if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
119 #if defined(MBEDTLS_ECP_C)
145 #if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
168 * Return 0 if md_alg is acceptable for this profile, -1 otherwise
173 if (md_alg == MBEDTLS_MD_NONE) { in x509_profile_check_md_alg()
177 if ((profile->allowed_mds & MBEDTLS_X509_ID_FLAG(md_alg)) != 0) { in x509_profile_check_md_alg()
186 * Return 0 if pk_alg is acceptable for this profile, -1 otherwise
191 if (pk_alg == MBEDTLS_PK_NONE) { in x509_profile_check_pk_alg()
195 if ((profile->allowed_pks & MBEDTLS_X509_ID_FLAG(pk_alg)) != 0) { in x509_profile_check_pk_alg()
204 * Return 0 if pk is acceptable for this profile, -1 otherwise
211 #if defined(MBEDTLS_RSA_C) in x509_profile_check_key()
212 if (pk_alg == MBEDTLS_PK_RSA || pk_alg == MBEDTLS_PK_RSASSA_PSS) { in x509_profile_check_key()
213 if (mbedtls_pk_get_bitlen(pk) >= profile->rsa_min_bitlen) { in x509_profile_check_key()
221 #if defined(MBEDTLS_PK_HAVE_ECC_KEYS) in x509_profile_check_key()
222 if (pk_alg == MBEDTLS_PK_ECDSA || in x509_profile_check_key()
227 if (gid == MBEDTLS_ECP_DP_NONE) { in x509_profile_check_key()
231 if ((profile->allowed_curves & MBEDTLS_X509_ID_FLAG(gid)) != 0) { in x509_profile_check_key()
243 * Like memcmp, but case-insensitive and always returns -1 if different
254 if (diff == 0) { in x509_memcasecmp()
258 if (diff == 32 && in x509_memcasecmp()
271 * Return 0 if name matches wildcard, -1 otherwise
278 /* We can't have a match if there is no wildcard to match */ in x509_check_wildcard()
279 if (name->len < 3 || name->p[0] != '*' || name->p[1] != '.') { in x509_check_wildcard()
284 if (cn[i] == '.') { in x509_check_wildcard()
290 if (cn_idx == 0) { in x509_check_wildcard()
294 if (cn_len - cn_idx == name->len - 1 && in x509_check_wildcard()
306 * Return 0 if equal, -1 otherwise.
310 if (a->tag == b->tag && in x509_string_cmp()
316 if ((a->tag == MBEDTLS_ASN1_UTF8_STRING || a->tag == MBEDTLS_ASN1_PRINTABLE_STRING) && in x509_string_cmp()
334 * Return 0 if equal, -1 otherwise.
340 if (a == NULL || b == NULL) { in x509_name_cmp()
345 if (a->oid.tag != b->oid.tag || in x509_name_cmp()
352 if (x509_string_cmp(&a->val, &b->val) != 0) { in x509_name_cmp()
357 if (a->next_merged != b->next_merged) { in x509_name_cmp()
384 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) in x509_crt_verify_chain_reset()
399 if ((ret = mbedtls_asn1_get_tag(p, end, &len, in x509_get_version()
402 if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) { in x509_get_version()
412 if ((ret = mbedtls_asn1_get_int(p, end, ver)) != 0) { in x509_get_version()
416 if (*p != end) { in x509_get_version()
437 if ((ret = mbedtls_asn1_get_tag(p, end, &len, in x509_get_dates()
444 if ((ret = mbedtls_x509_get_time(p, end, from)) != 0) { in x509_get_dates()
448 if ((ret = mbedtls_x509_get_time(p, end, to)) != 0) { in x509_get_dates()
452 if (*p != end) { in x509_get_dates()
469 if (*p == end) { in x509_get_uid()
475 if ((ret = mbedtls_asn1_get_tag(p, end, &uid->len, in x509_get_uid()
478 if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) { in x509_get_uid()
507 if ((ret = mbedtls_asn1_get_tag(p, end, &len, in x509_get_basic_constraints()
512 if (*p == end) { in x509_get_basic_constraints()
516 if ((ret = mbedtls_asn1_get_bool(p, end, ca_istrue)) != 0) { in x509_get_basic_constraints()
517 if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) { in x509_get_basic_constraints()
521 if (ret != 0) { in x509_get_basic_constraints()
525 if (*ca_istrue != 0) { in x509_get_basic_constraints()
530 if (*p == end) { in x509_get_basic_constraints()
534 if ((ret = mbedtls_asn1_get_int(p, end, max_pathlen)) != 0) { in x509_get_basic_constraints()
538 if (*p != end) { in x509_get_basic_constraints()
545 if (*max_pathlen == INT_MAX) { in x509_get_basic_constraints()
566 if ((ret = mbedtls_asn1_get_sequence_of(p, end, ext_key_usage, MBEDTLS_ASN1_OID)) != 0) { in x509_get_ext_key_usage()
571 if (ext_key_usage->buf.p == NULL) { in x509_get_ext_key_usage()
591 if ((ret = mbedtls_asn1_get_tag(p, end, &len, in x509_get_subject_key_id()
601 if (*p != end) { in x509_get_subject_key_id()
624 if ((ret = mbedtls_asn1_get_tag(p, end, &len, in x509_get_authority_key_id()
629 if (*p + len != end) { in x509_get_authority_key_id()
638 if (ret == 0) { in x509_get_authority_key_id()
647 } else if (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) { in x509_get_authority_key_id()
651 if (*p < end) { in x509_get_authority_key_id()
653 if ((ret = mbedtls_asn1_get_tag(p, end, &len, in x509_get_authority_key_id()
664 if (ret != 0) { in x509_get_authority_key_id()
669 if ((ret = mbedtls_asn1_get_tag(p, end, &len, in x509_get_authority_key_id()
679 if (*p != end) { in x509_get_authority_key_id()
748 if (ret != 0) { in x509_get_certificate_policies()
752 if (*p + len != end) { in x509_get_certificate_policies()
760 if (len == 0) { in x509_get_certificate_policies()
772 if ((ret = mbedtls_asn1_get_tag(p, end, &len, in x509_get_certificate_policies()
779 if ((ret = mbedtls_asn1_get_tag(p, policy_end, &len, in x509_get_certificate_policies()
791 if (MBEDTLS_OID_CMP(MBEDTLS_OID_ANY_POLICY, &policy_oid) != 0) { in x509_get_certificate_policies()
800 if (cur->buf.p != NULL) { in x509_get_certificate_policies()
801 if (cur->next != NULL) { in x509_get_certificate_policies()
807 if (cur->next == NULL) { in x509_get_certificate_policies()
823 * If there is an optional qualifier, then *p < policy_end in x509_get_certificate_policies()
826 if (*p < policy_end) { in x509_get_certificate_policies()
827 if ((ret = mbedtls_asn1_get_tag(p, policy_end, &len, in x509_get_certificate_policies()
838 if (*p != policy_end) { in x509_get_certificate_policies()
847 if (*p != end) { in x509_get_certificate_policies()
869 if (*p == end) { in x509_get_crt_ext()
873 if ((ret = mbedtls_x509_get_ext(p, end, &crt->v3_ext, 3)) != 0) { in x509_get_crt_ext()
889 if ((ret = mbedtls_asn1_get_tag(p, end, &len, in x509_get_crt_ext()
897 if ((ret = mbedtls_asn1_get_tag(p, end_ext_data, &extn_oid.len, in x509_get_crt_ext()
907 if ((ret = mbedtls_asn1_get_bool(p, end_ext_data, &is_critical)) != 0 && in x509_get_crt_ext()
913 if ((ret = mbedtls_asn1_get_tag(p, end_ext_data, &len, in x509_get_crt_ext()
921 if (end_ext_octet != end_ext_data) { in x509_get_crt_ext()
931 if (ret != 0) { in x509_get_crt_ext()
932 /* Give the callback (if any) a chance to handle the extension */ in x509_get_crt_ext()
933 if (cb != NULL) { in x509_get_crt_ext()
935 if (ret != 0 && is_critical) { in x509_get_crt_ext()
945 if (is_critical) { in x509_get_crt_ext()
954 if ((crt->ext_types & ext_type) != 0) { in x509_get_crt_ext()
963 if ((ret = x509_get_basic_constraints(p, end_ext_octet, in x509_get_crt_ext()
971 if ((ret = mbedtls_x509_get_key_usage(p, end_ext_octet, in x509_get_crt_ext()
979 if ((ret = x509_get_ext_key_usage(p, end_ext_octet, in x509_get_crt_ext()
987 if ((ret = x509_get_subject_key_id(p, end_ext_data, in x509_get_crt_ext()
995 if ((ret = x509_get_authority_key_id(p, end_ext_octet, in x509_get_crt_ext()
1004 if ((ret = mbedtls_x509_get_subject_alt_name(p, end_ext_octet, in x509_get_crt_ext()
1012 if ((ret = mbedtls_x509_get_ns_cert_type(p, end_ext_octet, in x509_get_crt_ext()
1020 if ((ret = x509_get_certificate_policies(p, end_ext_octet, in x509_get_crt_ext()
1022 /* Give the callback (if any) a chance to handle the extension in x509_get_crt_ext()
1023 * if it contains unsupported policies */ in x509_get_crt_ext()
1024 if (ret == MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE && cb != NULL && in x509_get_crt_ext()
1030 if (is_critical) { in x509_get_crt_ext()
1034 * If MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE is returned, then we in x509_get_crt_ext()
1039 if (ret != MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE) { in x509_get_crt_ext()
1047 * If this is a non-critical extension, which the oid layer in x509_get_crt_ext()
1051 if (is_critical) { in x509_get_crt_ext()
1059 if (*p != end) { in x509_get_crt_ext()
1089 if (crt == NULL || buf == NULL) { in x509_crt_parse_der_core()
1104 if ((ret = mbedtls_asn1_get_tag(&p, end, &len, in x509_crt_parse_der_core()
1112 if (make_copy != 0) { in x509_crt_parse_der_core()
1115 if (crt->raw.p == NULL) { in x509_crt_parse_der_core()
1134 if ((ret = mbedtls_asn1_get_tag(&p, end, &len, in x509_crt_parse_der_core()
1150 if ((ret = x509_get_version(&p, end, &crt->version)) != 0 || in x509_crt_parse_der_core()
1158 if (crt->version < 0 || crt->version > 2) { in x509_crt_parse_der_core()
1165 if ((ret = mbedtls_x509_get_sig_alg(&crt->sig_oid, &sig_params1, in x509_crt_parse_der_core()
1177 if ((ret = mbedtls_asn1_get_tag(&p, end, &len, in x509_crt_parse_der_core()
1183 if ((ret = mbedtls_x509_get_name(&p, p + len, &crt->issuer)) != 0) { in x509_crt_parse_der_core()
1196 if ((ret = x509_get_dates(&p, end, &crt->valid_from, in x509_crt_parse_der_core()
1207 if ((ret = mbedtls_asn1_get_tag(&p, end, &len, in x509_crt_parse_der_core()
1213 if (len && (ret = mbedtls_x509_get_name(&p, p + len, &crt->subject)) != 0) { in x509_crt_parse_der_core()
1224 if ((ret = mbedtls_pk_parse_subpubkey(&p, end, &crt->pk)) != 0) { in x509_crt_parse_der_core()
1232 * -- If present, version shall be v2 or v3 in x509_crt_parse_der_core()
1234 * -- If present, version shall be v2 or v3 in x509_crt_parse_der_core()
1236 * -- If present, version shall be v3 in x509_crt_parse_der_core()
1238 if (crt->version == 2 || crt->version == 3) { in x509_crt_parse_der_core()
1240 if (ret != 0) { in x509_crt_parse_der_core()
1246 if (crt->version == 2 || crt->version == 3) { in x509_crt_parse_der_core()
1248 if (ret != 0) { in x509_crt_parse_der_core()
1254 if (crt->version == 3) { in x509_crt_parse_der_core()
1256 if (ret != 0) { in x509_crt_parse_der_core()
1262 if (p != end) { in x509_crt_parse_der_core()
1277 if ((ret = mbedtls_x509_get_alg(&p, end, &sig_oid2, &sig_params2)) != 0) { in x509_crt_parse_der_core()
1282 if (crt->sig_oid.len != sig_oid2.len || in x509_crt_parse_der_core()
1292 if ((ret = mbedtls_x509_get_sig(&p, end, &crt->sig)) != 0) { in x509_crt_parse_der_core()
1297 if (p != end) { in x509_crt_parse_der_core()
1323 if (crt == NULL || buf == NULL) { in mbedtls_x509_crt_parse_der_internal()
1333 * Add new certificate on the end of the chain if needed. in mbedtls_x509_crt_parse_der_internal()
1335 if (crt->version != 0 && crt->next == NULL) { in mbedtls_x509_crt_parse_der_internal()
1338 if (crt->next == NULL) { in mbedtls_x509_crt_parse_der_internal()
1348 if (ret != 0) { in mbedtls_x509_crt_parse_der_internal()
1349 if (prev) { in mbedtls_x509_crt_parse_der_internal()
1353 if (crt != chain) { in mbedtls_x509_crt_parse_der_internal()
1395 #if defined(MBEDTLS_PEM_PARSE_C) in mbedtls_x509_crt_parse()
1403 if (chain == NULL || buf == NULL) { in mbedtls_x509_crt_parse()
1411 #if defined(MBEDTLS_PEM_PARSE_C) in mbedtls_x509_crt_parse()
1412 if (buflen != 0 && buf[buflen - 1] == '\0' && in mbedtls_x509_crt_parse()
1417 if (buf_format == MBEDTLS_X509_FORMAT_DER) { in mbedtls_x509_crt_parse()
1424 #if defined(MBEDTLS_PEM_PARSE_C) in mbedtls_x509_crt_parse()
1425 if (buf_format == MBEDTLS_X509_FORMAT_PEM) { in mbedtls_x509_crt_parse()
1434 /* If we get there, we know the string is null-terminated */ in mbedtls_x509_crt_parse()
1440 if (ret == 0) { in mbedtls_x509_crt_parse()
1446 } else if (ret == MBEDTLS_ERR_PEM_BAD_INPUT_DATA) { in mbedtls_x509_crt_parse()
1448 } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) { in mbedtls_x509_crt_parse()
1457 if (first_error == 0) { in mbedtls_x509_crt_parse()
1471 if (ret != 0) { in mbedtls_x509_crt_parse()
1475 if (ret == MBEDTLS_ERR_X509_ALLOC_FAILED) { in mbedtls_x509_crt_parse()
1479 if (first_error == 0) { in mbedtls_x509_crt_parse()
1491 if (success) { in mbedtls_x509_crt_parse()
1493 } else if (first_error) { in mbedtls_x509_crt_parse()
1501 #if defined(MBEDTLS_FS_IO)
1511 if ((ret = mbedtls_pk_load_file(path, &buf, &n)) != 0) { in mbedtls_x509_crt_parse_file()
1525 #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32) in mbedtls_x509_crt_parse_path()
1535 if (len > MAX_PATH - 3) { in mbedtls_x509_crt_parse_path()
1553 if (w_ret == 0) { in mbedtls_x509_crt_parse_path()
1558 if (hFind == INVALID_HANDLE_VALUE) { in mbedtls_x509_crt_parse_path()
1566 if (file_data.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) { in mbedtls_x509_crt_parse_path()
1571 if (w_ret == 0) { in mbedtls_x509_crt_parse_path()
1577 if (w_ret < 0) { in mbedtls_x509_crt_parse_path()
1584 if (GetLastError() != ERROR_NO_MORE_FILES) { in mbedtls_x509_crt_parse_path()
1598 if (dir == NULL) { in mbedtls_x509_crt_parse_path()
1602 #if defined(MBEDTLS_THREADING_C) in mbedtls_x509_crt_parse_path()
1603 if ((ret = mbedtls_mutex_lock(&mbedtls_threading_readdir_mutex)) != 0) { in mbedtls_x509_crt_parse_path()
1615 if (snp_ret < 0 || (size_t) snp_ret >= sizeof(entry_name)) { in mbedtls_x509_crt_parse_path()
1618 } else if (stat(entry_name, &sb) == -1) { in mbedtls_x509_crt_parse_path()
1619 if (errno == ENOENT) { in mbedtls_x509_crt_parse_path()
1634 if (!S_ISREG(sb.st_mode)) { in mbedtls_x509_crt_parse_path()
1641 if (t_ret < 0) { in mbedtls_x509_crt_parse_path()
1651 #if defined(MBEDTLS_THREADING_C) in mbedtls_x509_crt_parse_path()
1652 if (mbedtls_mutex_unlock(&mbedtls_threading_readdir_mutex) != 0) { in mbedtls_x509_crt_parse_path()
1663 #if !defined(MBEDTLS_X509_REMOVE_INFO)
1673 if (ns_cert_type & (type)) { \
1680 if (key_usage & (code)) { \
1696 if (mbedtls_oid_get_extended_key_usage(&cur->buf, &desc) != 0) { in x509_info_ext_key_usage()
1725 if (mbedtls_oid_get_certificate_policies(&cur->buf, &desc) != 0) { in x509_info_cert_policies()
1759 if (NULL == crt) { in mbedtls_x509_crt_info()
1808 if ((ret = mbedtls_x509_key_size_helper(key_size_str, BEFORE_COLON, in mbedtls_x509_crt_info()
1821 if (crt->ext_types & MBEDTLS_X509_EXT_BASIC_CONSTRAINTS) { in mbedtls_x509_crt_info()
1826 if (crt->max_pathlen > 0) { in mbedtls_x509_crt_info()
1832 if (crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME) { in mbedtls_x509_crt_info()
1836 if ((ret = mbedtls_x509_info_subject_alt_name(&p, &n, in mbedtls_x509_crt_info()
1843 if (crt->ext_types & MBEDTLS_X509_EXT_NS_CERT_TYPE) { in mbedtls_x509_crt_info()
1847 if ((ret = mbedtls_x509_info_cert_type(&p, &n, crt->ns_cert_type)) != 0) { in mbedtls_x509_crt_info()
1852 if (crt->ext_types & MBEDTLS_X509_EXT_KEY_USAGE) { in mbedtls_x509_crt_info()
1856 if ((ret = mbedtls_x509_info_key_usage(&p, &n, crt->key_usage)) != 0) { in mbedtls_x509_crt_info()
1861 if (crt->ext_types & MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE) { in mbedtls_x509_crt_info()
1865 if ((ret = x509_info_ext_key_usage(&p, &n, in mbedtls_x509_crt_info()
1871 if (crt->ext_types & MBEDTLS_OID_X509_EXT_CERTIFICATE_POLICIES) { in mbedtls_x509_crt_info()
1875 if ((ret = x509_info_cert_policies(&p, &n, in mbedtls_x509_crt_info()
1908 if ((flags & cur->code) == 0) { in mbedtls_x509_crt_verify_info()
1917 if (flags != 0) { in mbedtls_x509_crt_verify_info()
1934 if ((crt->ext_types & MBEDTLS_X509_EXT_KEY_USAGE) == 0) { in mbedtls_x509_crt_check_key_usage()
1940 if (((crt->key_usage & ~may_mask) & usage_must) != usage_must) { in mbedtls_x509_crt_check_key_usage()
1946 if (((crt->key_usage & may_mask) | usage_may) != usage_may) { in mbedtls_x509_crt_check_key_usage()
1960 if ((crt->ext_types & MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE) == 0) { in mbedtls_x509_crt_check_extended_key_usage()
1970 if (cur_oid->len == usage_len && in mbedtls_x509_crt_check_extended_key_usage()
1975 if (MBEDTLS_OID_CMP(MBEDTLS_OID_ANY_EXTENDED_KEY_USAGE, cur_oid) == 0) { in mbedtls_x509_crt_check_extended_key_usage()
1983 #if defined(MBEDTLS_X509_CRL_PARSE_C)
1985 * Return 1 if the certificate is revoked, or 0 otherwise.
1992 if (crt->serial.len == cur->serial.len && in mbedtls_x509_crt_is_revoked()
2005 * Skip validation if no CRL for the given CA is present.
2014 #if defined(MBEDTLS_USE_PSA_CRYPTO) in x509_crt_verifycrl()
2021 if (ca == NULL) { in x509_crt_verifycrl()
2026 if (crl_list->version == 0 || in x509_crt_verifycrl()
2033 * Check if the CA is configured to sign CRLs in x509_crt_verifycrl()
2035 if (mbedtls_x509_crt_check_key_usage(ca, in x509_crt_verifycrl()
2042 * Check if CRL is correctly signed by the trusted CA in x509_crt_verifycrl()
2044 if (x509_profile_check_md_alg(profile, crl_list->sig_md) != 0) { in x509_crt_verifycrl()
2048 if (x509_profile_check_pk_alg(profile, crl_list->sig_pk) != 0) { in x509_crt_verifycrl()
2052 #if defined(MBEDTLS_USE_PSA_CRYPTO) in x509_crt_verifycrl()
2054 if (psa_hash_compute(psa_algorithm, in x509_crt_verifycrl()
2067 if (mbedtls_md(md_info, in x509_crt_verifycrl()
2077 if (x509_profile_check_key(profile, &ca->pk) != 0) { in x509_crt_verifycrl()
2081 if (mbedtls_pk_verify_ext(crl_list->sig_pk, crl_list->sig_opts, &ca->pk, in x509_crt_verifycrl()
2088 #if defined(MBEDTLS_HAVE_TIME_DATE) in x509_crt_verifycrl()
2092 if (mbedtls_x509_time_cmp(&crl_list->next_update, now) < 0) { in x509_crt_verifycrl()
2096 if (mbedtls_x509_time_cmp(&crl_list->this_update, now) > 0) { in x509_crt_verifycrl()
2104 * Check if certificate is revoked in x509_crt_verifycrl()
2106 if (mbedtls_x509_crt_is_revoked(crt, crl_list)) { in x509_crt_verifycrl()
2127 #if !defined(MBEDTLS_USE_PSA_CRYPTO) in x509_crt_check_signature()
2133 if (mbedtls_md(md_info, child->tbs.p, child->tbs.len, hash) != 0) { in x509_crt_check_signature()
2146 if (status != PSA_SUCCESS) { in x509_crt_check_signature()
2152 if (!mbedtls_pk_can_do(&parent->pk, child->sig_pk)) { in x509_crt_check_signature()
2156 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) in x509_crt_check_signature()
2157 if (rs_ctx != NULL && child->sig_pk == MBEDTLS_PK_ECDSA) { in x509_crt_check_signature()
2172 * Check if 'parent' is a suitable parent (signing CA) for 'child'.
2173 * Return 0 if yes, -1 if not.
2184 if (x509_name_cmp(&child->issuer, &parent->subject) != 0) { in x509_crt_check_parent()
2192 if (top && parent->version < 3) { in x509_crt_check_parent()
2196 if (need_ca_bit && !parent->ca_istrue) { in x509_crt_check_parent()
2200 if (need_ca_bit && in x509_crt_check_parent()
2213 * 2. if necessary, the CA bit is set and key usage allows signing certs
2218 * If there's a suitable candidate which is also time-valid, return the first
2219 * such. Otherwise, return the first suitable candidate (or NULL if there is
2226 * only one version, and if it's expired we want the flags to state that
2227 * rather than NOT_TRUSTED, as would be the case if we required it here.
2239 * - [out] r_signature_is_good: 1 if child signature by parent is valid, or 0
2240 * - [in] top: 1 if candidates consists of trusted roots, ie we're at the top
2266 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) in x509_crt_find_parent_in()
2268 if (rs_ctx != NULL && rs_ctx->parent != NULL) { in x509_crt_find_parent_in()
2289 if (x509_crt_check_parent(child, parent, top) != 0) { in x509_crt_find_parent_in()
2294 if (parent->max_pathlen > 0 && in x509_crt_find_parent_in()
2300 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) in x509_crt_find_parent_in()
2305 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) in x509_crt_find_parent_in()
2306 if (rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS) { in x509_crt_find_parent_in()
2319 if (top && !signature_is_good) { in x509_crt_find_parent_in()
2323 #if defined(MBEDTLS_HAVE_TIME_DATE) in x509_crt_find_parent_in()
2325 if (mbedtls_x509_time_cmp(&parent->valid_to, now) < 0 || /* past */ in x509_crt_find_parent_in()
2327 if (fallback_parent == NULL) { in x509_crt_find_parent_in()
2344 if (parent == NULL) { in x509_crt_find_parent_in()
2363 * - [out] parent_is_trusted: 1 if returned `parent` is trusted, or 0
2364 * - [out] signature_is_good: 1 if child signature by parent is valid, or 0
2390 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) in x509_crt_find_parent()
2391 /* restore then clear saved state if we have some stored */ in x509_crt_find_parent()
2392 if (rs_ctx != NULL && rs_ctx->parent_is_trusted != -1) { in x509_crt_find_parent()
2406 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) in x509_crt_find_parent()
2407 if (rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS) { in x509_crt_find_parent()
2416 /* stop here if found or already in second iteration */ in x509_crt_find_parent()
2417 if (*parent != NULL || *parent_is_trusted == 0) { in x509_crt_find_parent()
2426 if (*parent == NULL) { in x509_crt_find_parent()
2435 * Check if an end-entity certificate is locally trusted
2447 if (x509_name_cmp(&crt->issuer, &crt->subject) != 0) { in x509_crt_check_ee_locally_trusted()
2453 if (crt->raw.len == cur->raw.len && in x509_crt_check_ee_locally_trusted()
2483 * - if relevant: EE untrusted
2484 * - if relevant: EE -> intermediate, untrusted
2499 * - non-zero if the chain could not be fully built and examined
2501 * even if it was found to be invalid
2527 #if defined(MBEDTLS_HAVE_TIME_DATE) in x509_crt_verify_chain()
2528 if (mbedtls_x509_time_gmtime(mbedtls_time(NULL), &now) != 0) { in x509_crt_verify_chain()
2533 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) in x509_crt_verify_chain()
2534 /* resume if we had an operation in progress */ in x509_crt_verify_chain()
2535 if (rs_ctx != NULL && rs_ctx->in_progress == x509_crt_rs_find_parent) { in x509_crt_verify_chain()
2562 #if defined(MBEDTLS_HAVE_TIME_DATE) in x509_crt_verify_chain()
2564 if (mbedtls_x509_time_cmp(&child->valid_to, &now) < 0) { in x509_crt_verify_chain()
2568 if (mbedtls_x509_time_cmp(&child->valid_from, &now) > 0) { in x509_crt_verify_chain()
2574 if (child_is_trusted) { in x509_crt_verify_chain()
2579 if (x509_profile_check_md_alg(profile, child->sig_md) != 0) { in x509_crt_verify_chain()
2583 if (x509_profile_check_pk_alg(profile, child->sig_pk) != 0) { in x509_crt_verify_chain()
2588 if (ver_chain->len == 1 && in x509_crt_verify_chain()
2593 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) in x509_crt_verify_chain()
2599 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) in x509_crt_verify_chain()
2600 if (f_ca_cb != NULL) { in x509_crt_verify_chain()
2606 if (ret != 0) { in x509_crt_verify_chain()
2625 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) in x509_crt_verify_chain()
2626 if (rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS) { in x509_crt_verify_chain()
2639 if (parent == NULL) { in x509_crt_verify_chain()
2647 if (ver_chain->len != 1 && in x509_crt_verify_chain()
2653 * and if parent is trusted it's not an intermediate CA */ in x509_crt_verify_chain()
2654 if (!parent_is_trusted && in x509_crt_verify_chain()
2661 if (!signature_is_good) { in x509_crt_verify_chain()
2666 if (x509_profile_check_key(profile, &parent->pk) != 0) { in x509_crt_verify_chain()
2670 #if defined(MBEDTLS_X509_CRL_PARSE_C) in x509_crt_verify_chain()
2700 #if __has_include(<sys/socket.h>)
2703 #if __has_include(<arpa/inet.h>)
2715 * Also, as a coarse heuristic, use the local implementation if the compiler
2716 * does not support __has_include(), or if the definition of AF_INET6 is not
2720 #if !defined(AF_INET6) || defined(MBEDTLS_TEST_SW_INET_PTON) //no-check-names
2736 if (li_cton(*p, digit) == 0) { in x509_inet_pton_ipv6()
2742 if (num_digits != 0) { in x509_inet_pton_ipv6()
2745 if (*p == '\0') { in x509_inet_pton_ipv6()
2747 } else if (*p == '.') { in x509_inet_pton_ipv6()
2749 if ((nonzero_groups == 0 && zero_group_start == -1) || in x509_inet_pton_ipv6()
2761 if (*p != ':') { in x509_inet_pton_ipv6()
2766 if (x509_inet_pton_ipv4((const char *) p, in x509_inet_pton_ipv6()
2774 } else if (*p != ':') { in x509_inet_pton_ipv6()
2779 if (zero_group_start != -1 || *p != ':') { in x509_inet_pton_ipv6()
2785 if (zero_group_start == 0 && *++p != ':') { in x509_inet_pton_ipv6()
2789 if (p[1] == '\0') { in x509_inet_pton_ipv6()
2797 if (*p != '\0') { in x509_inet_pton_ipv6()
2801 if (zero_group_start != -1) { in x509_inet_pton_ipv6()
2802 if (nonzero_groups > 6) { in x509_inet_pton_ipv6()
2809 if (groups_after_zero) { in x509_inet_pton_ipv6()
2816 if (nonzero_groups != 8) { in x509_inet_pton_ipv6()
2836 if (digit > 9) { in x509_inet_pton_ipv4()
2842 if (octet == 0 && num_digits > 0) { in x509_inet_pton_ipv4()
2851 if (octet >= 256 || num_digits > 3 || num_digits == 0) { in x509_inet_pton_ipv4()
2888 if (name->len == cn_len && in x509_crt_check_cn()
2894 if (x509_check_wildcard(cn, name) == 0) { in x509_crt_check_cn()
2906 if (cn_len == 0) { in x509_crt_check_san_ip()
2913 if (san_type == MBEDTLS_X509_SAN_IP_ADDRESS && in x509_crt_check_san_ip()
2928 if (san_type == MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER && in x509_crt_check_san_uri()
2949 if (x509_crt_check_cn(&cur->buf, cn, cn_len) == 0) { in x509_crt_check_san()
2964 if (san_ip) { in x509_crt_check_san()
2965 if (x509_crt_check_san_ip(san, cn, cn_len) == 0) { in x509_crt_check_san()
2969 if (san_uri) { in x509_crt_check_san()
2970 if (x509_crt_check_san_uri(san, cn, cn_len) == 0) { in x509_crt_check_san()
2979 * Verify the requested CN - only call this if cn is not NULL!
2988 if (crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME) { in x509_crt_verify_name()
2989 if (x509_crt_check_san(&crt->subject_alt_names, cn, cn_len) == 0) { in x509_crt_verify_name()
2994 if (MBEDTLS_OID_CMP(MBEDTLS_OID_AT_CN, &name->oid) == 0 && in x509_crt_verify_name()
3023 if (NULL != f_vrfy) { in x509_crt_merge_flags_with_cb()
3024 if ((ret = f_vrfy(p_vrfy, cur->crt, (int) i-1, &cur_flags)) != 0) { in x509_crt_merge_flags_with_cb()
3039 * - checks the requested CN (if any)
3046 * are mutually exclusive: If `f_ca_cb != NULL`, it will be used by the
3075 if (profile == NULL) { in x509_crt_verify_restartable_ca_cb()
3080 /* check name if requested */ in x509_crt_verify_restartable_ca_cb()
3081 if (cn != NULL) { in x509_crt_verify_restartable_ca_cb()
3088 if (x509_profile_check_pk_alg(profile, pk_type) != 0) { in x509_crt_verify_restartable_ca_cb()
3092 if (x509_profile_check_key(profile, &crt->pk) != 0) { in x509_crt_verify_restartable_ca_cb()
3101 if (ret != 0) { in x509_crt_verify_restartable_ca_cb()
3108 /* Build final flags, calling callback on the way if any */ in x509_crt_verify_restartable_ca_cb()
3113 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) in x509_crt_verify_restartable_ca_cb()
3119 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) in x509_crt_verify_restartable_ca_cb()
3120 if (rs_ctx != NULL && ret != MBEDTLS_ERR_ECP_IN_PROGRESS) { in x509_crt_verify_restartable_ca_cb()
3128 if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) { in x509_crt_verify_restartable_ca_cb()
3132 if (ret != 0) { in x509_crt_verify_restartable_ca_cb()
3137 if (*flags != 0) { in x509_crt_verify_restartable_ca_cb()
3179 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
3234 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) in mbedtls_x509_crt_free()
3245 if (cert_cur->raw.p != NULL && cert_cur->own_buffer) { in mbedtls_x509_crt_free()
3253 if (cert_prv != crt) { in mbedtls_x509_crt_free()
3259 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
3283 if (ctx == NULL) { in mbedtls_x509_crt_restart_free()