[331] | 1 | /*
|
---|
| 2 | * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
|
---|
| 3 | *
|
---|
| 4 | * Licensed under the OpenSSL license (the "License"). You may not use
|
---|
| 5 | * this file except in compliance with the License. You can obtain a copy
|
---|
| 6 | * in the file LICENSE in the source distribution or at
|
---|
| 7 | * https://www.openssl.org/source/license.html
|
---|
| 8 | */
|
---|
| 9 |
|
---|
| 10 | #include "internal/cryptlib.h"
|
---|
| 11 | #include <openssl/x509.h>
|
---|
| 12 | #include <openssl/x509v3.h>
|
---|
| 13 | #include "internal/x509_int.h"
|
---|
| 14 |
|
---|
| 15 | #include "pcy_int.h"
|
---|
| 16 |
|
---|
| 17 | static int policy_data_cmp(const X509_POLICY_DATA *const *a,
|
---|
| 18 | const X509_POLICY_DATA *const *b);
|
---|
| 19 | static int policy_cache_set_int(long *out, ASN1_INTEGER *value);
|
---|
| 20 |
|
---|
| 21 | /*
|
---|
| 22 | * Set cache entry according to CertificatePolicies extension. Note: this
|
---|
| 23 | * destroys the passed CERTIFICATEPOLICIES structure.
|
---|
| 24 | */
|
---|
| 25 |
|
---|
| 26 | static int policy_cache_create(X509 *x,
|
---|
| 27 | CERTIFICATEPOLICIES *policies, int crit)
|
---|
| 28 | {
|
---|
| 29 | int i;
|
---|
| 30 | int ret = 0;
|
---|
| 31 | X509_POLICY_CACHE *cache = x->policy_cache;
|
---|
| 32 | X509_POLICY_DATA *data = NULL;
|
---|
| 33 | POLICYINFO *policy;
|
---|
| 34 | if (sk_POLICYINFO_num(policies) == 0)
|
---|
| 35 | goto bad_policy;
|
---|
| 36 | cache->data = sk_X509_POLICY_DATA_new(policy_data_cmp);
|
---|
| 37 | if (cache->data == NULL)
|
---|
| 38 | goto bad_policy;
|
---|
| 39 | for (i = 0; i < sk_POLICYINFO_num(policies); i++) {
|
---|
| 40 | policy = sk_POLICYINFO_value(policies, i);
|
---|
| 41 | data = policy_data_new(policy, NULL, crit);
|
---|
| 42 | if (data == NULL)
|
---|
| 43 | goto bad_policy;
|
---|
| 44 | /*
|
---|
| 45 | * Duplicate policy OIDs are illegal: reject if matches found.
|
---|
| 46 | */
|
---|
| 47 | if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
|
---|
| 48 | if (cache->anyPolicy) {
|
---|
| 49 | ret = -1;
|
---|
| 50 | goto bad_policy;
|
---|
| 51 | }
|
---|
| 52 | cache->anyPolicy = data;
|
---|
| 53 | } else if (sk_X509_POLICY_DATA_find(cache->data, data) != -1) {
|
---|
| 54 | ret = -1;
|
---|
| 55 | goto bad_policy;
|
---|
| 56 | } else if (!sk_X509_POLICY_DATA_push(cache->data, data))
|
---|
| 57 | goto bad_policy;
|
---|
| 58 | data = NULL;
|
---|
| 59 | }
|
---|
| 60 | ret = 1;
|
---|
| 61 | bad_policy:
|
---|
| 62 | if (ret == -1)
|
---|
| 63 | x->ex_flags |= EXFLAG_INVALID_POLICY;
|
---|
| 64 | policy_data_free(data);
|
---|
| 65 | sk_POLICYINFO_pop_free(policies, POLICYINFO_free);
|
---|
| 66 | if (ret <= 0) {
|
---|
| 67 | sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
|
---|
| 68 | cache->data = NULL;
|
---|
| 69 | }
|
---|
| 70 | return ret;
|
---|
| 71 | }
|
---|
| 72 |
|
---|
| 73 | static int policy_cache_new(X509 *x)
|
---|
| 74 | {
|
---|
| 75 | X509_POLICY_CACHE *cache;
|
---|
| 76 | ASN1_INTEGER *ext_any = NULL;
|
---|
| 77 | POLICY_CONSTRAINTS *ext_pcons = NULL;
|
---|
| 78 | CERTIFICATEPOLICIES *ext_cpols = NULL;
|
---|
| 79 | POLICY_MAPPINGS *ext_pmaps = NULL;
|
---|
| 80 | int i;
|
---|
| 81 |
|
---|
| 82 | if (x->policy_cache != NULL)
|
---|
| 83 | return 1;
|
---|
| 84 | cache = OPENSSL_malloc(sizeof(*cache));
|
---|
| 85 | if (cache == NULL)
|
---|
| 86 | return 0;
|
---|
| 87 | cache->anyPolicy = NULL;
|
---|
| 88 | cache->data = NULL;
|
---|
| 89 | cache->any_skip = -1;
|
---|
| 90 | cache->explicit_skip = -1;
|
---|
| 91 | cache->map_skip = -1;
|
---|
| 92 |
|
---|
| 93 | x->policy_cache = cache;
|
---|
| 94 |
|
---|
| 95 | /*
|
---|
| 96 | * Handle requireExplicitPolicy *first*. Need to process this even if we
|
---|
| 97 | * don't have any policies.
|
---|
| 98 | */
|
---|
| 99 | ext_pcons = X509_get_ext_d2i(x, NID_policy_constraints, &i, NULL);
|
---|
| 100 |
|
---|
| 101 | if (!ext_pcons) {
|
---|
| 102 | if (i != -1)
|
---|
| 103 | goto bad_cache;
|
---|
| 104 | } else {
|
---|
| 105 | if (!ext_pcons->requireExplicitPolicy
|
---|
| 106 | && !ext_pcons->inhibitPolicyMapping)
|
---|
| 107 | goto bad_cache;
|
---|
| 108 | if (!policy_cache_set_int(&cache->explicit_skip,
|
---|
| 109 | ext_pcons->requireExplicitPolicy))
|
---|
| 110 | goto bad_cache;
|
---|
| 111 | if (!policy_cache_set_int(&cache->map_skip,
|
---|
| 112 | ext_pcons->inhibitPolicyMapping))
|
---|
| 113 | goto bad_cache;
|
---|
| 114 | }
|
---|
| 115 |
|
---|
| 116 | /* Process CertificatePolicies */
|
---|
| 117 |
|
---|
| 118 | ext_cpols = X509_get_ext_d2i(x, NID_certificate_policies, &i, NULL);
|
---|
| 119 | /*
|
---|
| 120 | * If no CertificatePolicies extension or problem decoding then there is
|
---|
| 121 | * no point continuing because the valid policies will be NULL.
|
---|
| 122 | */
|
---|
| 123 | if (!ext_cpols) {
|
---|
| 124 | /* If not absent some problem with extension */
|
---|
| 125 | if (i != -1)
|
---|
| 126 | goto bad_cache;
|
---|
| 127 | return 1;
|
---|
| 128 | }
|
---|
| 129 |
|
---|
| 130 | i = policy_cache_create(x, ext_cpols, i);
|
---|
| 131 |
|
---|
| 132 | /* NB: ext_cpols freed by policy_cache_set_policies */
|
---|
| 133 |
|
---|
| 134 | if (i <= 0)
|
---|
| 135 | return i;
|
---|
| 136 |
|
---|
| 137 | ext_pmaps = X509_get_ext_d2i(x, NID_policy_mappings, &i, NULL);
|
---|
| 138 |
|
---|
| 139 | if (!ext_pmaps) {
|
---|
| 140 | /* If not absent some problem with extension */
|
---|
| 141 | if (i != -1)
|
---|
| 142 | goto bad_cache;
|
---|
| 143 | } else {
|
---|
| 144 | i = policy_cache_set_mapping(x, ext_pmaps);
|
---|
| 145 | if (i <= 0)
|
---|
| 146 | goto bad_cache;
|
---|
| 147 | }
|
---|
| 148 |
|
---|
| 149 | ext_any = X509_get_ext_d2i(x, NID_inhibit_any_policy, &i, NULL);
|
---|
| 150 |
|
---|
| 151 | if (!ext_any) {
|
---|
| 152 | if (i != -1)
|
---|
| 153 | goto bad_cache;
|
---|
| 154 | } else if (!policy_cache_set_int(&cache->any_skip, ext_any))
|
---|
| 155 | goto bad_cache;
|
---|
| 156 | goto just_cleanup;
|
---|
| 157 |
|
---|
| 158 | bad_cache:
|
---|
| 159 | x->ex_flags |= EXFLAG_INVALID_POLICY;
|
---|
| 160 |
|
---|
| 161 | just_cleanup:
|
---|
| 162 | POLICY_CONSTRAINTS_free(ext_pcons);
|
---|
| 163 | ASN1_INTEGER_free(ext_any);
|
---|
| 164 | return 1;
|
---|
| 165 |
|
---|
| 166 | }
|
---|
| 167 |
|
---|
| 168 | void policy_cache_free(X509_POLICY_CACHE *cache)
|
---|
| 169 | {
|
---|
| 170 | if (!cache)
|
---|
| 171 | return;
|
---|
| 172 | policy_data_free(cache->anyPolicy);
|
---|
| 173 | sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
|
---|
| 174 | OPENSSL_free(cache);
|
---|
| 175 | }
|
---|
| 176 |
|
---|
| 177 | const X509_POLICY_CACHE *policy_cache_set(X509 *x)
|
---|
| 178 | {
|
---|
| 179 |
|
---|
| 180 | if (x->policy_cache == NULL) {
|
---|
| 181 | CRYPTO_THREAD_write_lock(x->lock);
|
---|
| 182 | policy_cache_new(x);
|
---|
| 183 | CRYPTO_THREAD_unlock(x->lock);
|
---|
| 184 | }
|
---|
| 185 |
|
---|
| 186 | return x->policy_cache;
|
---|
| 187 |
|
---|
| 188 | }
|
---|
| 189 |
|
---|
| 190 | X509_POLICY_DATA *policy_cache_find_data(const X509_POLICY_CACHE *cache,
|
---|
| 191 | const ASN1_OBJECT *id)
|
---|
| 192 | {
|
---|
| 193 | int idx;
|
---|
| 194 | X509_POLICY_DATA tmp;
|
---|
| 195 | tmp.valid_policy = (ASN1_OBJECT *)id;
|
---|
| 196 | idx = sk_X509_POLICY_DATA_find(cache->data, &tmp);
|
---|
| 197 | if (idx == -1)
|
---|
| 198 | return NULL;
|
---|
| 199 | return sk_X509_POLICY_DATA_value(cache->data, idx);
|
---|
| 200 | }
|
---|
| 201 |
|
---|
| 202 | static int policy_data_cmp(const X509_POLICY_DATA *const *a,
|
---|
| 203 | const X509_POLICY_DATA *const *b)
|
---|
| 204 | {
|
---|
| 205 | return OBJ_cmp((*a)->valid_policy, (*b)->valid_policy);
|
---|
| 206 | }
|
---|
| 207 |
|
---|
| 208 | static int policy_cache_set_int(long *out, ASN1_INTEGER *value)
|
---|
| 209 | {
|
---|
| 210 | if (value == NULL)
|
---|
| 211 | return 1;
|
---|
| 212 | if (value->type == V_ASN1_NEG_INTEGER)
|
---|
| 213 | return 0;
|
---|
| 214 | *out = ASN1_INTEGER_get(value);
|
---|
| 215 | return 1;
|
---|
| 216 | }
|
---|