Add internal API for acquire/release of CRT frames and PKs

The goal of the subsequent commits is to remove all direct uses of the existing `mbedtls_x509_crt` apart from the `raw` buffer and the linked list `next` pointer. The approach is the following: Whenever a code-path needs to inspect a CRT, it can request a frame for the CRT through the API `x509_crt_frame_acquire()`. On success, this function returns a pointer to a frame structure for the CRT (the origin of which is flexible and need not concern the caller) that can be used to inspect the desired fields. Once done, the caller hands back the frame through an explicit call to `x509_crt_frame_release()`. This commit also adds an inefficient dummy implementation for `x509_crt_frame_acquire()` which always allocates a new `mbedtls_x509_crt_frame` structure on the heap and parses it from the raw data underlying the CRT. This will change in subsequent commits, but it constitutes a valid implementation to test against. Ultimately, `x509_crt_frame_acquire()` is to compute a frame for the given CRT only once, and cache it for subsequent calls. The need for `x509_crt_frame_release()` is the following: When implementing `x509_crt_frame_acquire()` through a flushable cache as indicated above, it must be ensured that no thread destroys a cached frame structure for the time it is needed by another thread. The `acquire/release` pair allows to explicitly delimit the lifetime requirements for the returned frame structure. The frame pointer must not be used after the `release` call anymore; and in fact, the dummy implementation shows that it would immediately lead to a memory failure. Analogously to `x509_crt_frame_{acquire|release}()`, there's also `x509_crt_pk_{acquire|release}()` which allows to acquire/release a PK context setup from the public key contained within the CRT.
2025-01-23 17:41:03 +00:00 · 2019-02-25 14:53:14 +00:00 · 2019-02-25 14:53:14 +00:00 · 337088aa2d
parent 21f5567571
commit 337088aa2d
1 changed files with 45 additions and 0 deletions
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@ -90,6 +90,51 @@ static int x509_crt_subject_alt_from_frame( mbedtls_x509_crt_frame *frame,
 static int x509_crt_ext_key_usage_from_frame( mbedtls_x509_crt_frame *frame,
                                        mbedtls_x509_sequence *ext_key_usage );

+static void x509_free_sequence( mbedtls_x509_sequence *seq );
+static void x509_free_name( mbedtls_x509_name *name );
+
+static int x509_crt_frame_acquire( mbedtls_x509_crt const *crt,
+                                   mbedtls_x509_crt_frame **frame_ptr )
+{
+    int ret;
+    mbedtls_x509_crt_frame *frame;
+
+    frame = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt_frame ) );
+    if( frame == NULL )
+        return( MBEDTLS_ERR_X509_ALLOC_FAILED );
+
+    ret = x509_crt_parse_frame( crt->raw.p, crt->raw.p + crt->raw.len,
+                                frame );
+    if( ret != 0 )
+        return( ret );
+
+    *frame_ptr = frame;
+    return( 0 );
+}
+
+static void x509_crt_frame_release( mbedtls_x509_crt const *crt,
+                                    mbedtls_x509_crt_frame *frame )
+{
+    ((void) crt);
+    if( frame == NULL )
+        return;
+    mbedtls_free( frame );
+}
+static int x509_crt_pk_acquire( mbedtls_x509_crt *crt,
+                                mbedtls_pk_context **pk )
+{
+    *pk = &crt->pk;
+    return( 0 );
+}
+
+static void x509_crt_pk_release( mbedtls_x509_crt *crt,
+                                 mbedtls_pk_context *pk )
+{
+    ((void) crt);
+    ((void) pk);
+    return;
+}
+
 /*
 * Item in a verification chain: cert and flags for it
 */