From 9c6118c498c13be6a2fadd7f79ec2b577fb5450f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Thu, 29 Jun 2017 12:38:42 +0200
Subject: [PATCH] Factor one more occurrence of code into function
This may look like a behaviour change because one check has been added to the function that was previously done in only one of the 3 call sites. However it is not, because: - for the 2 call sites in verify(), the test always succeeds as path_cnt is 0. - for the call site in verify_child(), the same test was done later anyway in verify_top()
---
 library/x509_crt.c | 29 ++++++++++-------------------
 1 file changed, 10 insertions(+), 19 deletions(-)
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 1913dd987f..ee79e893c3 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -1904,13 +1904,18 @@ static mbedtls_x509_crt *x509_crt_find_parent( mbedtls_x509_crt *child,
 {
 mbedtls_x509_crt *parent;
- (void) self_cnt;
-
 for( parent = candidates; parent != NULL; parent = parent->next )
 {
 if( x509_crt_check_parent( child, parent, top, path_cnt == 0 ) != 0 )
 continue;
+ /* +1 because stored max_pathlen is 1 higher that the actual value */
+ if( parent->max_pathlen > 0 &&
+ parent->max_pathlen < 1 + path_cnt - self_cnt )
+ {
+ continue;
+ }
+
 break;
 }
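Review bot: The added max_pathlen test runs only after x509_crt_check_parent() has already accepted the candidate, whereas the loop this replaces in x509_crt_verify_child() (second hunk) applied the same test before calling x509_crt_check_parent(). If that function performs the signature verification, which this hunk does not show, the cheap comparison of two fields should come first so that candidates that cannot satisfy the path-length constraint are rejected before any signature is checked; moving the added `if( parent->max_pathlen > 0 && ... ) { continue; }` block above the `x509_crt_check_parent` call keeps the previous cheap-before-expensive order. The new comment also loses the rationale the removed comment gave for the `- self_cnt` term and has a typo ("that" for "than"); suggest `/* +1 because stored max_pathlen is 1 higher than the actual value; self-signed certificates do not count towards the limit, hence - self_cnt */`. x509_crt_find_parent() continues past the end of the hunk.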
@@ -2158,23 +2163,9 @@ static int x509_crt_verify_child(
 else
 {
 /* Look for a grandparent upwards the chain */
- for( grandparent = parent->next;
- grandparent != NULL;
- grandparent = grandparent->next )
- {
- /* +2 because the current step is not yet accounted for
- * and because max_pathlen is one higher than it should be.
- * Also self signed certificates do not count to the limit. */
- if( grandparent->max_pathlen > 0 &&
- grandparent->max_pathlen < 2 + path_cnt - self_cnt )
- {
- continue;
- }
-
- if( x509_crt_check_parent( parent, grandparent,
- 0, path_cnt == 0 ) == 0 )
- break;
- }
+ /* path_cnt +1 because current step is not yet accounted for */
+ grandparent = x509_crt_find_parent( parent, parent->next, 0,
+ path_cnt + 1, self_cnt );
 /* Is our parent part of the chain or at the top? */
 if( grandparent != NULL )
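Review bot: The only comment left at the new call site explains the `path_cnt + 1` argument, while the removed loop's max_pathlen check and its explanation of the self_cnt adjustment disappear from x509_crt_verify_child() without a trace; a reader comparing against the previous version may conclude the path-length check was dropped here rather than moved. Suggest extending the comment to `/* path_cnt +1 because current step is not yet accounted for; the max_pathlen check is now done inside x509_crt_find_parent() */`. x509_crt_verify_child() begins and ends outside the hunk.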