Don't allow change of CRT frame returned by x509_crt_frame_acquire()
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index 2fb26fd..6242983 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -792,7 +792,7 @@
int mbedtls_x509_crt_flush_cache( mbedtls_x509_crt const *crt );
static inline int mbedtls_x509_crt_frame_acquire( mbedtls_x509_crt const *crt,
- mbedtls_x509_crt_frame **frame_ptr )
+ mbedtls_x509_crt_frame const **frame_ptr )
{
int ret;
#if defined(MBEDTLS_THREADING_C)
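Review bot: Changing `frame_ptr` to `mbedtls_x509_crt_frame const **` alters the signature of a `static inline` function in a public header, and C has no implicit conversion from `T **` to `T const **`. Any caller not updated by this patch that still declares `mbedtls_x509_crt_frame *frame` will therefore get an incompatible-pointer-type diagnostic, which is worth an API-change note in the changelog. The contract should also be stated on the declaration, for example `/* The acquired frame is owned by the CRT and is read-only; callers must not modify it or cast away const. */`. The function body continues outside this hunk, so how the pointer is populated is not visible here.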
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 1fd1d31..1e3c6fa 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -874,7 +874,7 @@
mbedtls_md_type_t sig_md;
{
int ret;
- mbedtls_x509_crt_frame *frame;
+ mbedtls_x509_crt_frame const *frame;
ret = mbedtls_x509_crt_frame_acquire( cur->cert, &frame );
if( ret != 0 )
return( ret );
@@ -2996,7 +2996,7 @@
while( crt != NULL && crt->raw.p != NULL )
{
- mbedtls_x509_crt_frame *frame;
+ mbedtls_x509_crt_frame const *frame;
ret = mbedtls_x509_crt_frame_acquire( crt, &frame );
if( ret != 0 )
return( ret );
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 29b304a..04e8125 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -288,7 +288,7 @@
mbedtls_x509_sequence **subj_alt )
{
int ret;
- mbedtls_x509_crt_frame *frame;
+ mbedtls_x509_crt_frame const *frame;
mbedtls_x509_sequence *seq;
ret = mbedtls_x509_crt_frame_acquire( crt, &frame );
@@ -311,7 +311,7 @@
mbedtls_x509_sequence **ext_key_usage )
{
int ret;
- mbedtls_x509_crt_frame *frame;
+ mbedtls_x509_crt_frame const *frame;
mbedtls_x509_sequence *seq;
ret = mbedtls_x509_crt_frame_acquire( crt, &frame );
@@ -334,7 +334,7 @@
mbedtls_x509_name **subject )
{
int ret;
- mbedtls_x509_crt_frame *frame;
+ mbedtls_x509_crt_frame const *frame;
mbedtls_x509_name *name;
ret = mbedtls_x509_crt_frame_acquire( crt, &frame );
@@ -357,7 +357,7 @@
mbedtls_x509_name **issuer )
{
int ret;
- mbedtls_x509_crt_frame *frame;
+ mbedtls_x509_crt_frame const *frame;
mbedtls_x509_name *name;
ret = mbedtls_x509_crt_frame_acquire( crt, &frame );
@@ -380,7 +380,7 @@
mbedtls_x509_crt_frame *dst )
{
int ret;
- mbedtls_x509_crt_frame *frame;
+ mbedtls_x509_crt_frame const *frame;
ret = mbedtls_x509_crt_frame_acquire( crt, &frame );
if( ret != 0 )
return( ret );
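Review bot: `dst` stays a non-const `mbedtls_x509_crt_frame *`, so the const added on `frame` does not carry over to whatever this function hands back. If the body (outside this hunk) fills `dst` by struct assignment from the acquired frame, the caller receives a writable copy whose pointer members presumably still refer to buffers owned by `crt`. I would document that on the function, e.g. `/* dst is a shallow copy: buffer pointers inside it refer to data owned by crt and must not be written through. */`.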
@@ -2426,7 +2426,7 @@
unsigned int usage )
{
int ret;
- mbedtls_x509_crt_frame *frame;
+ mbedtls_x509_crt_frame const *frame;
ret = mbedtls_x509_crt_frame_acquire( crt, &frame );
if( ret != 0 )
return( MBEDTLS_ERR_X509_FATAL_ERROR );
@@ -2474,7 +2474,7 @@
size_t usage_len )
{
int ret;
- mbedtls_x509_crt_frame *frame;
+ mbedtls_x509_crt_frame const *frame;
unsigned ext_types;
unsigned char *p, *end;
x509_crt_check_ext_key_usage_cb_ctx_t cb_ctx = { usage_oid, usage_len };
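Review bot: `unsigned char *p, *end;` is left non-const right below the new `mbedtls_x509_crt_frame const *frame`, and the added const is shallow: it protects the frame's own fields, not the bytes reached through its pointer members. If `p` and `end` are later assigned from the frame's buffer fields (the body is outside this hunk), the certificate data remains writable through them without any cast. Consider `const unsigned char *p, *end;` if the parsing helper they are passed to accepts const pointers. Otherwise add a comment such as `/* p/end alias read-only frame data; the ASN.1 traversal must not write through them */`.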
@@ -2534,7 +2534,7 @@
const mbedtls_x509_crl *crl )
{
int ret;
- mbedtls_x509_crt_frame *frame;
+ mbedtls_x509_crt_frame const *frame;
ret = mbedtls_x509_crt_frame_acquire( crt, &frame );
if( ret != 0 )
@@ -2569,7 +2569,7 @@
return( flags );
{
- mbedtls_x509_crt_frame *ca;
+ mbedtls_x509_crt_frame const *ca;
ret = mbedtls_x509_crt_frame_acquire( ca_crt, &ca );
if( ret != 0 )
return( MBEDTLS_X509_BADCRL_NOT_TRUSTED );
@@ -2846,7 +2846,7 @@
parent_valid = parent_match = path_len_ok = 0;
{
- mbedtls_x509_crt_frame *parent;
+ mbedtls_x509_crt_frame const *parent;
ret = mbedtls_x509_crt_frame_acquire( parent_crt, &parent );
if( ret != 0 )
@@ -3139,7 +3139,7 @@
{
mbedtls_x509_crt_sig_info child_sig;
{
- mbedtls_x509_crt_frame *child;
+ mbedtls_x509_crt_frame const *child;
ret = mbedtls_x509_crt_frame_acquire( child_crt, &child );
if( ret != 0 )
@@ -3340,7 +3340,7 @@
uint32_t *flags )
{
int ret;
- mbedtls_x509_crt_frame *frame;
+ mbedtls_x509_crt_frame const *frame;
ret = mbedtls_x509_crt_frame_acquire( crt, &frame );
if( ret != 0 )
diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function
index 87b8b78..2df187d 100644
--- a/tests/suites/test_suite_x509parse.function
+++ b/tests/suites/test_suite_x509parse.function
@@ -143,7 +143,7 @@
verify_print_context *ctx = (verify_print_context *) data;
char *p = ctx->p;
size_t n = ctx->buf + sizeof( ctx->buf ) - ctx->p;
- mbedtls_x509_crt_frame *frame;
+ mbedtls_x509_crt_frame const *frame;
mbedtls_x509_name *subject;
((void) flags);