PKCS7: centralize memory management more

smuellerDD · smuellerDD · commit 5f3ab983e463 · 2024-12-22T22:49:14.000+01:00
Signed-off-by: Stephan Mueller &lt;smueller@chronox.de&gt;
diff --git a/apps/src/lc_x509_generator_print.c b/apps/src/lc_x509_generator_print.c
@@ -271,7 +271,7 @@ int print_x509_cert(const struct lc_x509_certificate *x509)
 int print_pkcs7_data(const struct lc_pkcs7_message *pkcs7_msg)
 {
 	struct lc_x509_certificate *cert = pkcs7_msg->certs;
-	struct lc_pkcs7_signed_info *sinfos = pkcs7_msg->signed_infos;
+	struct lc_pkcs7_signed_info *sinfos = pkcs7_msg->list_head_signed_infos;
 	const char *hash_name;
 	int ret = 0;
 
diff --git a/asn1/api/lc_pkcs7_common.h b/asn1/api/lc_pkcs7_common.h
@@ -87,7 +87,8 @@ struct lc_pkcs7_message {
 	/*
 	 * Signed information
 	 */
-	struct lc_pkcs7_signed_info *signed_infos;
+	struct lc_pkcs7_signed_info *curr_signed_infos;
+	struct lc_pkcs7_signed_info *list_head_signed_infos;
 	struct lc_pkcs7_signed_info **list_tail_signed_infos;
 	uint8_t version; /* Version of cert (1 -> PKCS#7 or CMS; 3 -> CMS) */
 
diff --git a/asn1/src/pkcs7_generator.c b/asn1/src/pkcs7_generator.c
@@ -1050,13 +1050,14 @@ static inline int pkcs7_initialize_ctx(struct pkcs7_generate_context *ctx,
 	int ret = 0;
 
 	CKNULL(pkcs7->certs, -EINVAL);
-	CKNULL(pkcs7->signed_infos, -EINVAL);
+	CKNULL(pkcs7->list_head_signed_infos, -EINVAL);
 
 	ctx->pkcs7 = pkcs7;
 	ctx->current_x509 = pkcs7->certs;
-	ctx->current_sinfo = pkcs7->signed_infos;
+	ctx->current_sinfo = pkcs7->list_head_signed_infos;
 
-	for (sinfo = pkcs7->signed_infos; sinfo; sinfo = sinfo->next) {
+	for (sinfo = pkcs7->list_head_signed_infos; sinfo;
+	     sinfo = sinfo->next) {
 		const struct lc_hash *hash;
 
 		if (!ctx->authattr_hash) {
diff --git a/asn1/src/pkcs7_generator_set_data.c b/asn1/src/pkcs7_generator_set_data.c
@@ -108,12 +108,9 @@ LC_INTERFACE_FUNCTION(int, lc_pkcs7_set_signer, struct lc_pkcs7_message *pkcs7,
 	CKINT(pkcs7_add_cert(pkcs7, sinfo->signer));
 
 	/* Now add the filled signed info to the PKCS7 */
-	CKINT(pkcs7_sinfo_add(pkcs7, sinfo));
-
-	sinfo = NULL;
+	CKINT(pkcs7_sinfo_add(pkcs7));
 
 out:
-	pkcs7_sinfo_free(pkcs7, sinfo);
 	return ret;
 }
 
diff --git a/asn1/src/pkcs7_internal.h b/asn1/src/pkcs7_internal.h
@@ -29,8 +29,8 @@ extern "C" {
 
 struct pkcs7_parse_context {
 	struct lc_pkcs7_message *msg; /* Message being constructed */
-	struct lc_pkcs7_signed_info *sinfo; /* SignedInfo being constructed */
-	struct lc_pkcs7_signed_info **ppsinfo; /* linked list of signer info */
+	//struct lc_pkcs7_signed_info *sinfo; /* SignedInfo being constructed */
+	//struct lc_pkcs7_signed_info **ppsinfo; /* linked list of signer info */
 	struct lc_x509_certificate *certs; /* Certificate cache */
 	struct lc_x509_certificate **ppcerts; /* linked list of certs */
 	const uint8_t *data; /* Start of data */
@@ -56,12 +56,10 @@ int pkcs7_find_asymmetric_key(const struct lc_x509_certificate **anchor_cert,
 			      const struct lc_asymmetric_key_id *auth0,
 			      const struct lc_asymmetric_key_id *auth1);
 
-int pkcs7_sinfo_add(struct lc_pkcs7_message *pkcs7,
-		    struct lc_pkcs7_signed_info *sinfo);
+int pkcs7_sinfo_add(struct lc_pkcs7_message *pkcs7);
 int pkcs7_sinfo_get(struct lc_pkcs7_signed_info **sinfo,
 		    struct lc_pkcs7_message *pkcs7);
-void pkcs7_sinfo_free(struct lc_pkcs7_message *pkcs7,
-		      struct lc_pkcs7_signed_info *sinfo);
+void pkcs7_sinfo_free(struct lc_pkcs7_message *pkcs7);
 
 #ifdef __cplusplus
 }
diff --git a/asn1/src/pkcs7_memory.c b/asn1/src/pkcs7_memory.c
@@ -21,49 +21,52 @@
 #include "lc_memory_support.h"
 #include "pkcs7_internal.h"
 
-void pkcs7_sinfo_free(struct lc_pkcs7_message *pkcs7,
-		      struct lc_pkcs7_signed_info *sinfo)
+void pkcs7_sinfo_free(struct lc_pkcs7_message *pkcs7)
 {
-	(void)pkcs7;
-	if (!sinfo)
-		return;
-	public_key_signature_clear(&sinfo->sig);
-	lc_free(sinfo);
+	struct lc_pkcs7_signed_info *sinfo;
+
+	while (pkcs7->list_head_signed_infos) {
+		sinfo = pkcs7->list_head_signed_infos;
+		pkcs7->list_head_signed_infos = sinfo->next;
+		public_key_signature_clear(&sinfo->sig);
+		lc_free(sinfo);
+	}
+
+	if (pkcs7->curr_signed_infos) {
+		sinfo = pkcs7->curr_signed_infos;
+		public_key_signature_clear(&sinfo->sig);
+		lc_free(sinfo);
+	}
 }
 
-int pkcs7_sinfo_add(struct lc_pkcs7_message *pkcs7,
-		    struct lc_pkcs7_signed_info *sinfo)
+int pkcs7_sinfo_add(struct lc_pkcs7_message *pkcs7)
 {
-	if (!pkcs7->signed_infos) {
-		pkcs7->signed_infos = sinfo;
+	if (!pkcs7->list_head_signed_infos) {
+		pkcs7->list_head_signed_infos = pkcs7->curr_signed_infos;
 	} else {
-		*pkcs7->list_tail_signed_infos = sinfo;
+		*pkcs7->list_tail_signed_infos = pkcs7->curr_signed_infos;
 	}
 
-	pkcs7->list_tail_signed_infos = &sinfo->next;
+	pkcs7->list_tail_signed_infos = &pkcs7->curr_signed_infos->next;
+	pkcs7->curr_signed_infos = NULL;
 
 	return 0;
 }
 
 int pkcs7_sinfo_get(struct lc_pkcs7_signed_info **sinfo,
 		    struct lc_pkcs7_message *pkcs7)
 {
-	struct lc_pkcs7_signed_info *sinfo_tmp = NULL;
-	int ret;
-
-	(void)pkcs7;
+	int ret = 0;
 
 	CKNULL(sinfo, -EINVAL);
 
-	CKINT(lc_alloc_aligned((void **)&sinfo_tmp, 8,
-			       sizeof(struct lc_pkcs7_signed_info)));
-
-	/* Return the signer info */
-	*sinfo = sinfo_tmp;
+	if (!pkcs7->curr_signed_infos) {
+		CKINT(lc_alloc_aligned((void **)&pkcs7->curr_signed_infos, 8,
+				       sizeof(struct lc_pkcs7_signed_info)));
+	}
 
-	sinfo_tmp = NULL;
+	*sinfo = pkcs7->curr_signed_infos;
 
 out:
-	lc_free(sinfo_tmp);
 	return ret;
 }
diff --git a/asn1/src/pkcs7_parser.c b/asn1/src/pkcs7_parser.c
@@ -94,7 +94,7 @@ static int pkcs7_check_authattrs(struct lc_pkcs7_message *msg)
 	struct lc_pkcs7_signed_info *sinfo;
 	unsigned int want = 0;
 
-	sinfo = msg->signed_infos;
+	sinfo = msg->list_head_signed_infos;
 	if (!sinfo)
 		goto inconsistent;
 
@@ -208,15 +208,23 @@ int pkcs7_sig_note_digest_algo(void *context, size_t hdrlen, unsigned char tag,
 			       const uint8_t *value, size_t vlen)
 {
 	struct pkcs7_parse_context *ctx = context;
-	struct lc_pkcs7_signed_info *sinfo = ctx->sinfo;
-	struct lc_public_key_signature *sig = &sinfo->sig;
+	struct lc_pkcs7_message *pkcs7 = ctx->msg;
+	struct lc_pkcs7_signed_info *sinfo;
+	struct lc_public_key_signature *sig;
+	int ret;
 
 	(void)hdrlen;
 	(void)tag;
 	(void)value;
 	(void)vlen;
 
-	return lc_x509_oid_to_hash(ctx->last_oid, &sig->hash_algo);
+	CKINT(pkcs7_sinfo_get(&sinfo, pkcs7));
+
+	sig = &sinfo->sig;
+	CKINT(lc_x509_oid_to_hash(ctx->last_oid, &sig->hash_algo));
+
+out:
+	return ret;
 }
 
 /*
@@ -226,15 +234,23 @@ int pkcs7_sig_note_pkey_algo(void *context, size_t hdrlen, unsigned char tag,
 			     const uint8_t *value, size_t vlen)
 {
 	struct pkcs7_parse_context *ctx = context;
-	struct lc_pkcs7_signed_info *sinfo = ctx->sinfo;
-	struct lc_public_key_signature *sig = &sinfo->sig;
+	struct lc_pkcs7_message *pkcs7 = ctx->msg;
+	struct lc_pkcs7_signed_info *sinfo;
+	struct lc_public_key_signature *sig;
+	int ret;
 
 	(void)hdrlen;
 	(void)tag;
 	(void)value;
 	(void)vlen;
 
-	return lc_x509_oid_to_sig_type(ctx->last_oid, &sig->pkey_algo);
+	CKINT(pkcs7_sinfo_get(&sinfo, pkcs7));
+
+	sig = &sinfo->sig;
+	CKINT(lc_x509_oid_to_sig_type(ctx->last_oid, &sig->pkey_algo));
+
+out:
+	return ret;
 }
 
 /*
@@ -483,12 +499,16 @@ int pkcs7_sig_note_authenticated_attr(void *context, size_t hdrlen,
 				      size_t vlen)
 {
 	struct pkcs7_parse_context *ctx = context;
-	struct lc_pkcs7_signed_info *sinfo = ctx->sinfo;
+	struct lc_pkcs7_message *pkcs7 = ctx->msg;
+	struct lc_pkcs7_signed_info *sinfo;
 	enum OID content_type;
+	int ret;
 
 	printf_debug("AuthAttr: %02x %zu", tag, vlen);
 	bin2print_debug(value, vlen, stdout, "");
 
+	CKINT(pkcs7_sinfo_get(&sinfo, pkcs7));
+
 #pragma GCC diagnostic push
 #pragma GCC diagnostic ignored "-Wswitch-enum"
 	switch (ctx->last_oid) {
@@ -565,6 +585,9 @@ int pkcs7_sig_note_authenticated_attr(void *context, size_t hdrlen,
 	/* We permit max one item per AuthenticatedAttribute and no repeats */
 	printf_debug("Repeated/multivalue AuthAttrs not permitted\n");
 	return -EKEYREJECTED;
+
+out:
+	return ret;
 }
 
 /*
@@ -575,10 +598,14 @@ int pkcs7_sig_note_set_of_authattrs(void *context, size_t hdrlen,
 				    size_t vlen)
 {
 	struct pkcs7_parse_context *ctx = context;
-	struct lc_pkcs7_signed_info *sinfo = ctx->sinfo;
+	struct lc_pkcs7_message *pkcs7 = ctx->msg;
+	struct lc_pkcs7_signed_info *sinfo;
+	int ret;
 
 	(void)tag;
 
+	CKINT(pkcs7_sinfo_get(&sinfo, pkcs7));
+
 	if (!(sinfo->aa_set & sinfo_has_content_type) ||
 	    !(sinfo->aa_set & sinfo_has_message_digest)) {
 		printf_debug("Missing required AuthAttr\n");
@@ -595,7 +622,8 @@ int pkcs7_sig_note_set_of_authattrs(void *context, size_t hdrlen,
 	sinfo->authattrs = value - (hdrlen - 1);
 	sinfo->authattrs_len = vlen + (hdrlen - 1);
 
-	return 0;
+out:
+	return ret;
 }
 
 /*
@@ -655,18 +683,24 @@ int pkcs7_sig_note_signature(void *context, size_t hdrlen, unsigned char tag,
 			     const uint8_t *value, size_t vlen)
 {
 	struct pkcs7_parse_context *ctx = context;
+	struct lc_pkcs7_message *pkcs7 = ctx->msg;
+	struct lc_pkcs7_signed_info *sinfo;
+	int ret;
 
 	(void)hdrlen;
 	(void)tag;
 
+	CKINT(pkcs7_sinfo_get(&sinfo, pkcs7));
+
 	/* Do not allocate twice */
-	if (ctx->sinfo->sig.s)
+	if (sinfo->sig.s)
 		return -EOVERFLOW;
 
-	ctx->sinfo->sig.s = value;
-	ctx->sinfo->sig.s_size = vlen;
+	sinfo->sig.s = value;
+	sinfo->sig.s_size = vlen;
 
-	return 0;
+out:
+	return ret;
 }
 
 /*
@@ -677,19 +711,23 @@ int pkcs7_note_signed_info(void *context, size_t hdrlen, unsigned char tag,
 {
 	struct pkcs7_parse_context *ctx = context;
 	struct lc_pkcs7_message *pkcs7 = ctx->msg;
-	struct lc_pkcs7_signed_info *sinfo = ctx->sinfo;
+	struct lc_pkcs7_signed_info *sinfo;
 	int ret;
 
 	(void)hdrlen;
 	(void)tag;
 	(void)value;
 	(void)vlen;
 
+	CKINT(pkcs7_sinfo_get(&sinfo, pkcs7));
+
 	if (ctx->msg->data_type == OID_msIndirectData && !sinfo->authattrs) {
 		printf_debug("Authenticode requires AuthAttrs\n");
 		return -EBADMSG;
 	}
 
+	CKINT(pkcs7_sinfo_get(&sinfo, pkcs7));
+
 	/* Generate cert issuer + serial number key ID */
 	if (!ctx->expect_skid) {
 		CKINT(asymmetric_key_generate_id(
@@ -708,10 +746,7 @@ int pkcs7_note_signed_info(void *context, size_t hdrlen, unsigned char tag,
 	sinfo->index = ++ctx->sinfo_index;
 
 	/* Now add the filled signed info to the PKCS7 */
-	CKINT(pkcs7_sinfo_add(pkcs7, sinfo));
-
-	CKINT(pkcs7_sinfo_get(&ctx->sinfo, pkcs7));
-
+	CKINT(pkcs7_sinfo_add(pkcs7));
 
 out:
 	return ret;
@@ -741,7 +776,6 @@ LC_INTERFACE_FUNCTION(void, lc_pkcs7_message_clear,
 		      struct lc_pkcs7_message *pkcs7)
 {
 	struct lc_x509_certificate *cert;
-	struct lc_pkcs7_signed_info *sinfo;
 
 	if (pkcs7) {
 		while (pkcs7->certs) {
@@ -755,11 +789,7 @@ LC_INTERFACE_FUNCTION(void, lc_pkcs7_message_clear,
 			pkcs7->crl = cert->next;
 			lc_x509_cert_clear(cert);
 		}
-		while (pkcs7->signed_infos) {
-			sinfo = pkcs7->signed_infos;
-			pkcs7->signed_infos = sinfo->next;
-			pkcs7_sinfo_free(pkcs7, sinfo);
-		}
+		pkcs7_sinfo_free(pkcs7);
 
 		lc_memset_secure(pkcs7, 0, sizeof(struct lc_pkcs7_message));
 	}
@@ -777,13 +807,10 @@ LC_INTERFACE_FUNCTION(int, lc_pkcs7_message_parse,
 
 	lc_memset_secure(pkcs7, 0, sizeof(struct lc_pkcs7_message));
 
-	CKINT(pkcs7_sinfo_get(&ctx.sinfo, pkcs7));
-
 	ctx.msg = pkcs7;
 
 	ctx.data = data;
 	ctx.ppcerts = &ctx.certs;
-	ctx.ppsinfo = &ctx.msg->signed_infos;
 
 	/* Attempt to decode the signature */
 	CKINT(asn1_ber_decoder(&pkcs7_decoder, &ctx, data, datalen));
@@ -799,7 +826,6 @@ LC_INTERFACE_FUNCTION(int, lc_pkcs7_message_parse,
 		lc_free(cert);
 	}
 
-	pkcs7_sinfo_free(pkcs7, ctx.sinfo);
 	if (ret)
 		lc_pkcs7_message_clear(ctx.msg);
 
diff --git a/asn1/src/pkcs7_verify.c b/asn1/src/pkcs7_verify.c
@@ -438,7 +438,7 @@ LC_INTERFACE_FUNCTION(int, lc_pkcs7_get_digest, struct lc_pkcs7_message *pkcs7,
 		      size_t *message_digest_len,
 		      const struct lc_hash **hash_algo)
 {
-	struct lc_pkcs7_signed_info *sinfo = pkcs7->signed_infos;
+	struct lc_pkcs7_signed_info *sinfo = pkcs7->list_head_signed_infos;
 	int ret;
 
 	CKNULL(message_digest, -EBADMSG);
@@ -485,7 +485,8 @@ LC_INTERFACE_FUNCTION(int, lc_pkcs7_verify, struct lc_pkcs7_message *pkcs7,
 		return -ENODATA;
 	}
 
-	for (sinfo = pkcs7->signed_infos; sinfo; sinfo = sinfo->next) {
+	for (sinfo = pkcs7->list_head_signed_infos; sinfo;
+	     sinfo = sinfo->next) {
 		ret = pkcs7_verify_one(pkcs7, trust_store, sinfo, verify_rules);
 		switch (ret) {
 		case -ENOKEY:

Original file line number	Diff line number	Diff line change
`@@ -271,7 +271,7 @@ int print_x509_cert(const struct lc_x509_certificate *x509)`
`271`	`271`	`int print_pkcs7_data(const struct lc_pkcs7_message *pkcs7_msg)`
`272`	`272`	`{`
`273`	`273`	`struct lc_x509_certificate *cert = pkcs7_msg->certs;`
`274`		`- struct lc_pkcs7_signed_info *sinfos = pkcs7_msg->signed_infos;`
	`274`	`+ struct lc_pkcs7_signed_info *sinfos = pkcs7_msg->list_head_signed_infos;`
`275`	`275`	`const char *hash_name;`
`276`	`276`	`int ret = 0;`
`277`	`277`