From 5f268b3cf672648d423d40e6588bb3dfe1a3d3f4 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 20 May 2019 16:26:34 +0100 Subject: [PATCH] Don't allow change of CRT frame returned by x509_crt_frame_acquire() --- include/mbedtls/x509_crt.h | 2 +- library/ssl_srv.c | 4 ++-- library/x509_crt.c | 24 +++++++++++----------- tests/suites/test_suite_x509parse.function | 2 +- 4 files changed, 16 insertions(+), 16 deletions(-) diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index 2fb26fda6..62429836f 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -792,7 +792,7 @@ int mbedtls_x509_crt_get_ext_key_usage( mbedtls_x509_crt const *crt, int mbedtls_x509_crt_flush_cache( mbedtls_x509_crt const *crt ); static inline int mbedtls_x509_crt_frame_acquire( mbedtls_x509_crt const *crt, - mbedtls_x509_crt_frame **frame_ptr ) + mbedtls_x509_crt_frame const **frame_ptr ) { int ret; #if defined(MBEDTLS_THREADING_C) diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 1fd1d310a..1e3c6fa5c 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -874,7 +874,7 @@ static int ssl_pick_cert( mbedtls_ssl_context *ssl, mbedtls_md_type_t sig_md; { int ret; - mbedtls_x509_crt_frame *frame; + mbedtls_x509_crt_frame const *frame; ret = mbedtls_x509_crt_frame_acquire( cur->cert, &frame ); if( ret != 0 ) return( ret ); @@ -2996,7 +2996,7 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl ) while( crt != NULL && crt->raw.p != NULL ) { - mbedtls_x509_crt_frame *frame; + mbedtls_x509_crt_frame const *frame; ret = mbedtls_x509_crt_frame_acquire( crt, &frame ); if( ret != 0 ) return( ret ); diff --git a/library/x509_crt.c b/library/x509_crt.c index 29b304a6e..04e812556 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -288,7 +288,7 @@ int mbedtls_x509_crt_get_subject_alt_names( mbedtls_x509_crt const *crt, mbedtls_x509_sequence **subj_alt ) { int ret; - mbedtls_x509_crt_frame *frame; + mbedtls_x509_crt_frame const *frame; mbedtls_x509_sequence *seq; ret = mbedtls_x509_crt_frame_acquire( crt, &frame ); @@ -311,7 +311,7 @@ int mbedtls_x509_crt_get_ext_key_usage( mbedtls_x509_crt const *crt, mbedtls_x509_sequence **ext_key_usage ) { int ret; - mbedtls_x509_crt_frame *frame; + mbedtls_x509_crt_frame const *frame; mbedtls_x509_sequence *seq; ret = mbedtls_x509_crt_frame_acquire( crt, &frame ); @@ -334,7 +334,7 @@ int mbedtls_x509_crt_get_subject( mbedtls_x509_crt const *crt, mbedtls_x509_name **subject ) { int ret; - mbedtls_x509_crt_frame *frame; + mbedtls_x509_crt_frame const *frame; mbedtls_x509_name *name; ret = mbedtls_x509_crt_frame_acquire( crt, &frame ); @@ -357,7 +357,7 @@ int mbedtls_x509_crt_get_issuer( mbedtls_x509_crt const *crt, mbedtls_x509_name **issuer ) { int ret; - mbedtls_x509_crt_frame *frame; + mbedtls_x509_crt_frame const *frame; mbedtls_x509_name *name; ret = mbedtls_x509_crt_frame_acquire( crt, &frame ); @@ -380,7 +380,7 @@ int mbedtls_x509_crt_get_frame( mbedtls_x509_crt const *crt, mbedtls_x509_crt_frame *dst ) { int ret; - mbedtls_x509_crt_frame *frame; + mbedtls_x509_crt_frame const *frame; ret = mbedtls_x509_crt_frame_acquire( crt, &frame ); if( ret != 0 ) return( ret ); @@ -2426,7 +2426,7 @@ int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt, unsigned int usage ) { int ret; - mbedtls_x509_crt_frame *frame; + mbedtls_x509_crt_frame const *frame; ret = mbedtls_x509_crt_frame_acquire( crt, &frame ); if( ret != 0 ) return( MBEDTLS_ERR_X509_FATAL_ERROR ); @@ -2474,7 +2474,7 @@ int mbedtls_x509_crt_check_extended_key_usage( const mbedtls_x509_crt *crt, size_t usage_len ) { int ret; - mbedtls_x509_crt_frame *frame; + mbedtls_x509_crt_frame const *frame; unsigned ext_types; unsigned char *p, *end; x509_crt_check_ext_key_usage_cb_ctx_t cb_ctx = { usage_oid, usage_len }; @@ -2534,7 +2534,7 @@ int mbedtls_x509_crt_is_revoked( const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl ) { int ret; - mbedtls_x509_crt_frame *frame; + mbedtls_x509_crt_frame const *frame; ret = mbedtls_x509_crt_frame_acquire( crt, &frame ); if( ret != 0 ) @@ -2569,7 +2569,7 @@ static int x509_crt_verifycrl( unsigned char *crt_serial, return( flags ); { - mbedtls_x509_crt_frame *ca; + mbedtls_x509_crt_frame const *ca; ret = mbedtls_x509_crt_frame_acquire( ca_crt, &ca ); if( ret != 0 ) return( MBEDTLS_X509_BADCRL_NOT_TRUSTED ); @@ -2846,7 +2846,7 @@ check_signature: parent_valid = parent_match = path_len_ok = 0; { - mbedtls_x509_crt_frame *parent; + mbedtls_x509_crt_frame const *parent; ret = mbedtls_x509_crt_frame_acquire( parent_crt, &parent ); if( ret != 0 ) @@ -3139,7 +3139,7 @@ find_parent: { mbedtls_x509_crt_sig_info child_sig; { - mbedtls_x509_crt_frame *child; + mbedtls_x509_crt_frame const *child; ret = mbedtls_x509_crt_frame_acquire( child_crt, &child ); if( ret != 0 ) @@ -3340,7 +3340,7 @@ static int x509_crt_verify_name( const mbedtls_x509_crt *crt, uint32_t *flags ) { int ret; - mbedtls_x509_crt_frame *frame; + mbedtls_x509_crt_frame const *frame; ret = mbedtls_x509_crt_frame_acquire( crt, &frame ); if( ret != 0 ) diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function index 87b8b7804..2df187de0 100644 --- a/tests/suites/test_suite_x509parse.function +++ b/tests/suites/test_suite_x509parse.function @@ -143,7 +143,7 @@ int verify_print( void *data, mbedtls_x509_crt *crt, int certificate_depth, uint verify_print_context *ctx = (verify_print_context *) data; char *p = ctx->p; size_t n = ctx->buf + sizeof( ctx->buf ) - ctx->p; - mbedtls_x509_crt_frame *frame; + mbedtls_x509_crt_frame const *frame; mbedtls_x509_name *subject; ((void) flags);