Add internal API for acquire/release of CRT frames and PKs

The goal of the subsequent commits is to remove all direct uses
of the existing `mbedtls_x509_crt` apart from the `raw` buffer
and the linked list `next` pointer.

The approach is the following: Whenever a code-path needs to inspect
a CRT, it can request a frame for the CRT through the API
`x509_crt_frame_acquire()`. On success, this function returns a pointer
to a frame structure for the CRT (the origin of which is flexible and
need not concern the caller) that can be used to inspect the desired
fields. Once done, the caller hands back the frame through an explicit
call to `x509_crt_frame_release()`.

This commit also adds an inefficient dummy implementation for
`x509_crt_frame_acquire()` which always allocates a new
`mbedtls_x509_crt_frame` structure on the heap and parses it
from the raw data underlying the CRT. This will change in subsequent
commits, but it constitutes a valid implementation to test against.

Ultimately, `x509_crt_frame_acquire()` is to compute a frame for the
given CRT only once, and cache it for subsequent calls.

The need for `x509_crt_frame_release()` is the following: When
implementing `x509_crt_frame_acquire()` through a flushable cache
as indicated above, it must be ensured that no thread destroys
a cached frame structure for the time it is needed by another
thread. The `acquire/release` pair allows to explicitly delimit
the lifetime requirements for the returned frame structure.
The frame pointer must not be used after the `release` call anymore;
and in fact, the dummy implementation shows that it would
immediately lead to a memory failure.

Analogously to `x509_crt_frame_{acquire|release}()`, there's also
`x509_crt_pk_{acquire|release}()` which allows to acquire/release
a PK context setup from the public key contained within the CRT.
This commit is contained in:
Hanno Becker 2019-02-25 14:53:14 +00:00
parent 21f5567571
commit 337088aa2d

View file

@ -90,6 +90,51 @@ static int x509_crt_subject_alt_from_frame( mbedtls_x509_crt_frame *frame,
static int x509_crt_ext_key_usage_from_frame( mbedtls_x509_crt_frame *frame,
mbedtls_x509_sequence *ext_key_usage );
static void x509_free_sequence( mbedtls_x509_sequence *seq );
static void x509_free_name( mbedtls_x509_name *name );
static int x509_crt_frame_acquire( mbedtls_x509_crt const *crt,
mbedtls_x509_crt_frame **frame_ptr )
{
int ret;
mbedtls_x509_crt_frame *frame;
frame = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt_frame ) );
if( frame == NULL )
return( MBEDTLS_ERR_X509_ALLOC_FAILED );
ret = x509_crt_parse_frame( crt->raw.p, crt->raw.p + crt->raw.len,
frame );
if( ret != 0 )
return( ret );
*frame_ptr = frame;
return( 0 );
}
static void x509_crt_frame_release( mbedtls_x509_crt const *crt,
mbedtls_x509_crt_frame *frame )
{
((void) crt);
if( frame == NULL )
return;
mbedtls_free( frame );
}
static int x509_crt_pk_acquire( mbedtls_x509_crt *crt,
mbedtls_pk_context **pk )
{
*pk = &crt->pk;
return( 0 );
}
static void x509_crt_pk_release( mbedtls_x509_crt *crt,
mbedtls_pk_context *pk )
{
((void) crt);
((void) pk);
return;
}
/*
* Item in a verification chain: cert and flags for it
*/