[thirdparty/openssl.git] / crypto / x509v3 / pcy_cache.c

/* pcy_cache.c */
/*
 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
 * 2004.
 */
/* ====================================================================
 * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    licensing@OpenSSL.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */

#include "internal/cryptlib.h"
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include "internal/x509_int.h"

#include "pcy_int.h"

static int policy_data_cmp(const X509_POLICY_DATA *const *a,
                           const X509_POLICY_DATA *const *b);
static int policy_cache_set_int(long *out, ASN1_INTEGER *value);

/*
 * Set cache entry according to CertificatePolicies extension. Note: this
 * destroys the passed CERTIFICATEPOLICIES structure.
 */

static int policy_cache_create(X509 *x,
                               CERTIFICATEPOLICIES *policies, int crit)
{
    int i;
    int ret = 0;
    X509_POLICY_CACHE *cache = x->policy_cache;
    X509_POLICY_DATA *data = NULL;
    POLICYINFO *policy;
    if (sk_POLICYINFO_num(policies) == 0)
        goto bad_policy;
    cache->data = sk_X509_POLICY_DATA_new(policy_data_cmp);
    if (cache->data == NULL)
        goto bad_policy;
    for (i = 0; i < sk_POLICYINFO_num(policies); i++) {
        policy = sk_POLICYINFO_value(policies, i);
        data = policy_data_new(policy, NULL, crit);
        if (data == NULL)
            goto bad_policy;
        /*
         * Duplicate policy OIDs are illegal: reject if matches found.
         */
        if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
            if (cache->anyPolicy) {
                ret = -1;
                goto bad_policy;
            }
            cache->anyPolicy = data;
        } else if (sk_X509_POLICY_DATA_find(cache->data, data) != -1) {
            ret = -1;
            goto bad_policy;
        } else if (!sk_X509_POLICY_DATA_push(cache->data, data))
            goto bad_policy;
        data = NULL;
    }
    ret = 1;
 bad_policy:
    if (ret == -1)
        x->ex_flags |= EXFLAG_INVALID_POLICY;
    policy_data_free(data);
    sk_POLICYINFO_pop_free(policies, POLICYINFO_free);
    if (ret <= 0) {
        sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
        cache->data = NULL;
    }
    return ret;
}

static int policy_cache_new(X509 *x)
{
    X509_POLICY_CACHE *cache;
    ASN1_INTEGER *ext_any = NULL;
    POLICY_CONSTRAINTS *ext_pcons = NULL;
    CERTIFICATEPOLICIES *ext_cpols = NULL;
    POLICY_MAPPINGS *ext_pmaps = NULL;
    int i;
    cache = OPENSSL_malloc(sizeof(*cache));
    if (cache == NULL)
        return 0;
    cache->anyPolicy = NULL;
    cache->data = NULL;
    cache->any_skip = -1;
    cache->explicit_skip = -1;
    cache->map_skip = -1;

    x->policy_cache = cache;

    /*
     * Handle requireExplicitPolicy *first*. Need to process this even if we
     * don't have any policies.
     */
    ext_pcons = X509_get_ext_d2i(x, NID_policy_constraints, &i, NULL);

    if (!ext_pcons) {
        if (i != -1)
            goto bad_cache;
    } else {
        if (!ext_pcons->requireExplicitPolicy
            && !ext_pcons->inhibitPolicyMapping)
            goto bad_cache;
        if (!policy_cache_set_int(&cache->explicit_skip,
                                  ext_pcons->requireExplicitPolicy))
            goto bad_cache;
        if (!policy_cache_set_int(&cache->map_skip,
                                  ext_pcons->inhibitPolicyMapping))
            goto bad_cache;
    }

    /* Process CertificatePolicies */

    ext_cpols = X509_get_ext_d2i(x, NID_certificate_policies, &i, NULL);
    /*
     * If no CertificatePolicies extension or problem decoding then there is
     * no point continuing because the valid policies will be NULL.
     */
    if (!ext_cpols) {
        /* If not absent some problem with extension */
        if (i != -1)
            goto bad_cache;
        return 1;
    }

    i = policy_cache_create(x, ext_cpols, i);

    /* NB: ext_cpols freed by policy_cache_set_policies */

    if (i <= 0)
        return i;

    ext_pmaps = X509_get_ext_d2i(x, NID_policy_mappings, &i, NULL);

    if (!ext_pmaps) {
        /* If not absent some problem with extension */
        if (i != -1)
            goto bad_cache;
    } else {
        i = policy_cache_set_mapping(x, ext_pmaps);
        if (i <= 0)
            goto bad_cache;
    }

    ext_any = X509_get_ext_d2i(x, NID_inhibit_any_policy, &i, NULL);

    if (!ext_any) {
        if (i != -1)
            goto bad_cache;
    } else if (!policy_cache_set_int(&cache->any_skip, ext_any))
        goto bad_cache;
    goto just_cleanup;

 bad_cache:
    x->ex_flags |= EXFLAG_INVALID_POLICY;

 just_cleanup:
    POLICY_CONSTRAINTS_free(ext_pcons);
    ASN1_INTEGER_free(ext_any);
    return 1;

}

void policy_cache_free(X509_POLICY_CACHE *cache)
{
    if (!cache)
        return;
    policy_data_free(cache->anyPolicy);
    sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
    OPENSSL_free(cache);
}

const X509_POLICY_CACHE *policy_cache_set(X509 *x)
{

    if (x->policy_cache == NULL) {
        CRYPTO_w_lock(CRYPTO_LOCK_X509);
        policy_cache_new(x);
        CRYPTO_w_unlock(CRYPTO_LOCK_X509);
    }

    return x->policy_cache;

}

X509_POLICY_DATA *policy_cache_find_data(const X509_POLICY_CACHE *cache,
                                         const ASN1_OBJECT *id)
{
    int idx;
    X509_POLICY_DATA tmp;
    tmp.valid_policy = (ASN1_OBJECT *)id;
    idx = sk_X509_POLICY_DATA_find(cache->data, &tmp);
    if (idx == -1)
        return NULL;
    return sk_X509_POLICY_DATA_value(cache->data, idx);
}

static int policy_data_cmp(const X509_POLICY_DATA *const *a,
                           const X509_POLICY_DATA *const *b)
{
    return OBJ_cmp((*a)->valid_policy, (*b)->valid_policy);
}

static int policy_cache_set_int(long *out, ASN1_INTEGER *value)
{
    if (value == NULL)
        return 1;
    if (value->type == V_ASN1_NEG_INTEGER)
        return 0;
    *out = ASN1_INTEGER_get(value);
    return 1;
}
Commit	Line	Data
4acc3e90	1	/* pcy_cache.c */
0f113f3e MC	2	/*
	3	* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
	4	* 2004.
4acc3e90 DSH	5	*/
	6	/* ====================================================================
	7	* Copyright (c) 2004 The OpenSSL Project. All rights reserved.
	8	*
	9	* Redistribution and use in source and binary forms, with or without
	10	* modification, are permitted provided that the following conditions
	11	* are met:
	12	*
	13	* 1. Redistributions of source code must retain the above copyright
0f113f3e	14	* notice, this list of conditions and the following disclaimer.
4acc3e90 DSH	15	*
	16	* 2. Redistributions in binary form must reproduce the above copyright
	17	* notice, this list of conditions and the following disclaimer in
	18	* the documentation and/or other materials provided with the
	19	* distribution.
	20	*
	21	* 3. All advertising materials mentioning features or use of this
	22	* software must display the following acknowledgment:
	23	* "This product includes software developed by the OpenSSL Project
	24	* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
	25	*
	26	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
	27	* endorse or promote products derived from this software without
	28	* prior written permission. For written permission, please contact
	29	* licensing@OpenSSL.org.
	30	*
	31	* 5. Products derived from this software may not be called "OpenSSL"
	32	* nor may "OpenSSL" appear in their names without prior written
	33	* permission of the OpenSSL Project.
	34	*
	35	* 6. Redistributions of any form whatsoever must retain the following
	36	* acknowledgment:
	37	* "This product includes software developed by the OpenSSL Project
	38	* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
	39	*
	40	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
	41	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	42	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
	43	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
	44	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
	45	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	46	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
	47	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	48	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
	49	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	50	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
	51	* OF THE POSSIBILITY OF SUCH DAMAGE.
	52	* ====================================================================
	53	*
	54	* This product includes cryptographic software written by Eric Young
	55	* (eay@cryptsoft.com). This product includes software written by Tim
	56	* Hudson (tjh@cryptsoft.com).
	57	*
	58	*/
	59
b39fc560	60	#include "internal/cryptlib.h"
4acc3e90 DSH	61	#include <openssl/x509.h>
4acc3e90 DSH	62	#include <openssl/x509v3.h>
94e84f5e	63	#include "internal/x509_int.h"
4acc3e90 DSH	64
	65	#include "pcy_int.h"
	66
0f113f3e MC	67	static int policy_data_cmp(const X509_POLICY_DATA const a,
0f113f3e MC	68	const X509_POLICY_DATA const b);
4acc3e90 DSH	69	static int policy_cache_set_int(long out, ASN1_INTEGER value);
4acc3e90 DSH	70
0f113f3e MC	71	/*
	72	* Set cache entry according to CertificatePolicies extension. Note: this
	73	* destroys the passed CERTIFICATEPOLICIES structure.
4acc3e90 DSH	74	*/
	75
	76	static int policy_cache_create(X509 *x,
0f113f3e MC	77	CERTIFICATEPOLICIES *policies, int crit)
	78	{
	79	int i;
	80	int ret = 0;
	81	X509_POLICY_CACHE *cache = x->policy_cache;
	82	X509_POLICY_DATA *data = NULL;
	83	POLICYINFO *policy;
	84	if (sk_POLICYINFO_num(policies) == 0)
	85	goto bad_policy;
	86	cache->data = sk_X509_POLICY_DATA_new(policy_data_cmp);
90945fa3	87	if (cache->data == NULL)
0f113f3e MC	88	goto bad_policy;
	89	for (i = 0; i < sk_POLICYINFO_num(policies); i++) {
	90	policy = sk_POLICYINFO_value(policies, i);
	91	data = policy_data_new(policy, NULL, crit);
90945fa3	92	if (data == NULL)
0f113f3e MC	93	goto bad_policy;
	94	/*
	95	* Duplicate policy OIDs are illegal: reject if matches found.
	96	*/
	97	if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
	98	if (cache->anyPolicy) {
	99	ret = -1;
	100	goto bad_policy;
	101	}
	102	cache->anyPolicy = data;
	103	} else if (sk_X509_POLICY_DATA_find(cache->data, data) != -1) {
	104	ret = -1;
	105	goto bad_policy;
	106	} else if (!sk_X509_POLICY_DATA_push(cache->data, data))
	107	goto bad_policy;
	108	data = NULL;
	109	}
	110	ret = 1;
	111	bad_policy:
	112	if (ret == -1)
	113	x->ex_flags \|= EXFLAG_INVALID_POLICY;
25aaa98a	114	policy_data_free(data);
0f113f3e MC	115	sk_POLICYINFO_pop_free(policies, POLICYINFO_free);
	116	if (ret <= 0) {
	117	sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
	118	cache->data = NULL;
	119	}
	120	return ret;
	121	}
4acc3e90	122
4acc3e90	123	static int policy_cache_new(X509 *x)
0f113f3e MC	124	{
	125	X509_POLICY_CACHE *cache;
	126	ASN1_INTEGER *ext_any = NULL;
	127	POLICY_CONSTRAINTS *ext_pcons = NULL;
	128	CERTIFICATEPOLICIES *ext_cpols = NULL;
	129	POLICY_MAPPINGS *ext_pmaps = NULL;
	130	int i;
b4faea50	131	cache = OPENSSL_malloc(sizeof(*cache));
90945fa3	132	if (cache == NULL)
0f113f3e MC	133	return 0;
	134	cache->anyPolicy = NULL;
	135	cache->data = NULL;
	136	cache->any_skip = -1;
	137	cache->explicit_skip = -1;
	138	cache->map_skip = -1;
4acc3e90	139
0f113f3e	140	x->policy_cache = cache;
4acc3e90	141
0f113f3e MC	142	/*
	143	* Handle requireExplicitPolicy first. Need to process this even if we
	144	* don't have any policies.
	145	*/
	146	ext_pcons = X509_get_ext_d2i(x, NID_policy_constraints, &i, NULL);
4acc3e90	147
0f113f3e MC	148	if (!ext_pcons) {
	149	if (i != -1)
	150	goto bad_cache;
	151	} else {
	152	if (!ext_pcons->requireExplicitPolicy
	153	&& !ext_pcons->inhibitPolicyMapping)
	154	goto bad_cache;
	155	if (!policy_cache_set_int(&cache->explicit_skip,
	156	ext_pcons->requireExplicitPolicy))
	157	goto bad_cache;
	158	if (!policy_cache_set_int(&cache->map_skip,
	159	ext_pcons->inhibitPolicyMapping))
	160	goto bad_cache;
	161	}
4acc3e90	162
0f113f3e	163	/* Process CertificatePolicies */
4acc3e90	164
0f113f3e MC	165	ext_cpols = X509_get_ext_d2i(x, NID_certificate_policies, &i, NULL);
	166	/*
	167	* If no CertificatePolicies extension or problem decoding then there is
	168	* no point continuing because the valid policies will be NULL.
	169	*/
	170	if (!ext_cpols) {
	171	/* If not absent some problem with extension */
	172	if (i != -1)
	173	goto bad_cache;
	174	return 1;
	175	}
4acc3e90	176
0f113f3e	177	i = policy_cache_create(x, ext_cpols, i);
4acc3e90	178
0f113f3e	179	/* NB: ext_cpols freed by policy_cache_set_policies */
4acc3e90	180
0f113f3e MC	181	if (i <= 0)
0f113f3e MC	182	return i;
4acc3e90	183
0f113f3e	184	ext_pmaps = X509_get_ext_d2i(x, NID_policy_mappings, &i, NULL);
4acc3e90	185
0f113f3e MC	186	if (!ext_pmaps) {
	187	/* If not absent some problem with extension */
	188	if (i != -1)
	189	goto bad_cache;
	190	} else {
	191	i = policy_cache_set_mapping(x, ext_pmaps);
	192	if (i <= 0)
	193	goto bad_cache;
	194	}
4acc3e90	195
0f113f3e	196	ext_any = X509_get_ext_d2i(x, NID_inhibit_any_policy, &i, NULL);
4acc3e90	197
0f113f3e MC	198	if (!ext_any) {
	199	if (i != -1)
	200	goto bad_cache;
	201	} else if (!policy_cache_set_int(&cache->any_skip, ext_any))
	202	goto bad_cache;
66696478	203	goto just_cleanup;
4acc3e90	204
0f113f3e	205	bad_cache:
66696478	206	x->ex_flags \|= EXFLAG_INVALID_POLICY;
4acc3e90	207
66696478	208	just_cleanup:
25aaa98a	209	POLICY_CONSTRAINTS_free(ext_pcons);
2ace7450	210	ASN1_INTEGER_free(ext_any);
0f113f3e	211	return 1;
4acc3e90	212
4acc3e90 DSH	213	}
	214
	215	void policy_cache_free(X509_POLICY_CACHE *cache)
0f113f3e MC	216	{
	217	if (!cache)
	218	return;
25aaa98a	219	policy_data_free(cache->anyPolicy);
222561fe	220	sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
0f113f3e MC	221	OPENSSL_free(cache);
0f113f3e MC	222	}
4acc3e90 DSH	223
4acc3e90 DSH	224	const X509_POLICY_CACHE policy_cache_set(X509 x)
0f113f3e	225	{
4acc3e90	226
0f113f3e MC	227	if (x->policy_cache == NULL) {
	228	CRYPTO_w_lock(CRYPTO_LOCK_X509);
	229	policy_cache_new(x);
	230	CRYPTO_w_unlock(CRYPTO_LOCK_X509);
	231	}
4acc3e90	232
0f113f3e	233	return x->policy_cache;
4acc3e90	234
0f113f3e	235	}
4acc3e90 DSH	236
4acc3e90 DSH	237	X509_POLICY_DATA policy_cache_find_data(const X509_POLICY_CACHE cache,
0f113f3e MC	238	const ASN1_OBJECT *id)
	239	{
	240	int idx;
	241	X509_POLICY_DATA tmp;
	242	tmp.valid_policy = (ASN1_OBJECT *)id;
	243	idx = sk_X509_POLICY_DATA_find(cache->data, &tmp);
	244	if (idx == -1)
	245	return NULL;
	246	return sk_X509_POLICY_DATA_value(cache->data, idx);
	247	}
4acc3e90	248
0f113f3e MC	249	static int policy_data_cmp(const X509_POLICY_DATA const a,
	250	const X509_POLICY_DATA const b)
	251	{
	252	return OBJ_cmp((a)->valid_policy, (b)->valid_policy);
	253	}
4acc3e90 DSH	254
4acc3e90 DSH	255	static int policy_cache_set_int(long out, ASN1_INTEGER value)
0f113f3e MC	256	{
	257	if (value == NULL)
	258	return 1;
	259	if (value->type == V_ASN1_NEG_INTEGER)
	260	return 0;
	261	*out = ASN1_INTEGER_get(value);
	262	return 1;
	263	}