[thirdparty/openssl.git] / crypto / x509 / pcy_cache.c

/*
 * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include "internal/cryptlib.h"
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include "crypto/x509.h"

#include "pcy_local.h"

static int policy_data_cmp(const X509_POLICY_DATA *const *a,
                           const X509_POLICY_DATA *const *b);
static int policy_cache_set_int(long *out, ASN1_INTEGER *value);

/*
 * Set cache entry according to CertificatePolicies extension. Note: this
 * destroys the passed CERTIFICATEPOLICIES structure.
 */

static int policy_cache_create(X509 *x,
                               CERTIFICATEPOLICIES *policies, int crit)
{
    int i, num, ret = 0;
    X509_POLICY_CACHE *cache = x->policy_cache;
    X509_POLICY_DATA *data = NULL;
    POLICYINFO *policy;

    if ((num = sk_POLICYINFO_num(policies)) <= 0)
        goto bad_policy;
    cache->data = sk_X509_POLICY_DATA_new(policy_data_cmp);
    if (cache->data == NULL) {
        ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
        goto just_cleanup;
    }
    for (i = 0; i < num; i++) {
        policy = sk_POLICYINFO_value(policies, i);
        data = ossl_policy_data_new(policy, NULL, crit);
        if (data == NULL) {
            ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
            goto just_cleanup;
        }
        /*
         * Duplicate policy OIDs are illegal: reject if matches found.
         */
        if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
            if (cache->anyPolicy) {
                ret = -1;
                goto bad_policy;
            }
            cache->anyPolicy = data;
        } else if (sk_X509_POLICY_DATA_find(cache->data, data) >=0 ) {
            ret = -1;
            goto bad_policy;
        } else if (!sk_X509_POLICY_DATA_push(cache->data, data)) {
            ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
            goto bad_policy;
        }
        data = NULL;
    }
    ret = 1;

 bad_policy:
    if (ret == -1)
        x->ex_flags |= EXFLAG_INVALID_POLICY;
    ossl_policy_data_free(data);
 just_cleanup:
    sk_POLICYINFO_pop_free(policies, POLICYINFO_free);
    if (ret <= 0) {
        sk_X509_POLICY_DATA_pop_free(cache->data, ossl_policy_data_free);
        cache->data = NULL;
    }
    return ret;
}

static int policy_cache_new(X509 *x)
{
    X509_POLICY_CACHE *cache;
    ASN1_INTEGER *ext_any = NULL;
    POLICY_CONSTRAINTS *ext_pcons = NULL;
    CERTIFICATEPOLICIES *ext_cpols = NULL;
    POLICY_MAPPINGS *ext_pmaps = NULL;
    int i;

    if (x->policy_cache != NULL)
        return 1;
    cache = OPENSSL_malloc(sizeof(*cache));
    if (cache == NULL) {
        ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
        return 0;
    }
    cache->anyPolicy = NULL;
    cache->data = NULL;
    cache->any_skip = -1;
    cache->explicit_skip = -1;
    cache->map_skip = -1;

    x->policy_cache = cache;

    /*
     * Handle requireExplicitPolicy *first*. Need to process this even if we
     * don't have any policies.
     */
    ext_pcons = X509_get_ext_d2i(x, NID_policy_constraints, &i, NULL);

    if (!ext_pcons) {
        if (i != -1)
            goto bad_cache;
    } else {
        if (!ext_pcons->requireExplicitPolicy
            && !ext_pcons->inhibitPolicyMapping)
            goto bad_cache;
        if (!policy_cache_set_int(&cache->explicit_skip,
                                  ext_pcons->requireExplicitPolicy))
            goto bad_cache;
        if (!policy_cache_set_int(&cache->map_skip,
                                  ext_pcons->inhibitPolicyMapping))
            goto bad_cache;
    }

    /* Process CertificatePolicies */

    ext_cpols = X509_get_ext_d2i(x, NID_certificate_policies, &i, NULL);
    /*
     * If no CertificatePolicies extension or problem decoding then there is
     * no point continuing because the valid policies will be NULL.
     */
    if (!ext_cpols) {
        /* If not absent some problem with extension */
        if (i != -1)
            goto bad_cache;
        return 1;
    }

    i = policy_cache_create(x, ext_cpols, i);

    /* NB: ext_cpols freed by policy_cache_set_policies */

    if (i <= 0)
        return i;

    ext_pmaps = X509_get_ext_d2i(x, NID_policy_mappings, &i, NULL);

    if (!ext_pmaps) {
        /* If not absent some problem with extension */
        if (i != -1)
            goto bad_cache;
    } else {
        i = ossl_policy_cache_set_mapping(x, ext_pmaps);
        if (i <= 0)
            goto bad_cache;
    }

    ext_any = X509_get_ext_d2i(x, NID_inhibit_any_policy, &i, NULL);

    if (!ext_any) {
        if (i != -1)
            goto bad_cache;
    } else if (!policy_cache_set_int(&cache->any_skip, ext_any))
        goto bad_cache;
    goto just_cleanup;

 bad_cache:
    x->ex_flags |= EXFLAG_INVALID_POLICY;

 just_cleanup:
    POLICY_CONSTRAINTS_free(ext_pcons);
    ASN1_INTEGER_free(ext_any);
    return 1;

}

void ossl_policy_cache_free(X509_POLICY_CACHE *cache)
{
    if (!cache)
        return;
    ossl_policy_data_free(cache->anyPolicy);
    sk_X509_POLICY_DATA_pop_free(cache->data, ossl_policy_data_free);
    OPENSSL_free(cache);
}

const X509_POLICY_CACHE *ossl_policy_cache_set(X509 *x)
{

    if (x->policy_cache == NULL) {
        if (!CRYPTO_THREAD_write_lock(x->lock))
            return NULL;
        policy_cache_new(x);
        CRYPTO_THREAD_unlock(x->lock);
    }

    return x->policy_cache;

}

X509_POLICY_DATA *ossl_policy_cache_find_data(const X509_POLICY_CACHE *cache,
                                              const ASN1_OBJECT *id)
{
    int idx;
    X509_POLICY_DATA tmp;
    tmp.valid_policy = (ASN1_OBJECT *)id;
    idx = sk_X509_POLICY_DATA_find(cache->data, &tmp);
    return sk_X509_POLICY_DATA_value(cache->data, idx);
}

static int policy_data_cmp(const X509_POLICY_DATA *const *a,
                           const X509_POLICY_DATA *const *b)
{
    return OBJ_cmp((*a)->valid_policy, (*b)->valid_policy);
}

static int policy_cache_set_int(long *out, ASN1_INTEGER *value)
{
    if (value == NULL)
        return 1;
    if (value->type == V_ASN1_NEG_INTEGER)
        return 0;
    *out = ASN1_INTEGER_get(value);
    return 1;
}
Commit	Line	Data
0f113f3e	1	/*
3c2bdd7d	2	* Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
4acc3e90	3	*
4286ca47	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
d2e9e320 RS	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
4acc3e90 DSH	8	*/
4acc3e90 DSH	9
b39fc560	10	#include "internal/cryptlib.h"
4acc3e90 DSH	11	#include <openssl/x509.h>
4acc3e90 DSH	12	#include <openssl/x509v3.h>
25f2138b	13	#include "crypto/x509.h"
4acc3e90	14
706457b7	15	#include "pcy_local.h"
4acc3e90	16
0f113f3e MC	17	static int policy_data_cmp(const X509_POLICY_DATA const a,
0f113f3e MC	18	const X509_POLICY_DATA const b);
4acc3e90 DSH	19	static int policy_cache_set_int(long out, ASN1_INTEGER value);
4acc3e90 DSH	20
0f113f3e MC	21	/*
	22	* Set cache entry according to CertificatePolicies extension. Note: this
	23	* destroys the passed CERTIFICATEPOLICIES structure.
4acc3e90 DSH	24	*/
	25
	26	static int policy_cache_create(X509 *x,
0f113f3e MC	27	CERTIFICATEPOLICIES *policies, int crit)
0f113f3e MC	28	{
5b37fef0	29	int i, num, ret = 0;
0f113f3e MC	30	X509_POLICY_CACHE *cache = x->policy_cache;
	31	X509_POLICY_DATA *data = NULL;
	32	POLICYINFO *policy;
7fcdbd83	33
5b37fef0	34	if ((num = sk_POLICYINFO_num(policies)) <= 0)
0f113f3e MC	35	goto bad_policy;
0f113f3e MC	36	cache->data = sk_X509_POLICY_DATA_new(policy_data_cmp);
7fcdbd83	37	if (cache->data == NULL) {
9311d0c4	38	ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
7fcdbd83 F	39	goto just_cleanup;
7fcdbd83 F	40	}
5b37fef0	41	for (i = 0; i < num; i++) {
0f113f3e	42	policy = sk_POLICYINFO_value(policies, i);
b54cab31	43	data = ossl_policy_data_new(policy, NULL, crit);
7fcdbd83	44	if (data == NULL) {
9311d0c4	45	ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
7fcdbd83 F	46	goto just_cleanup;
7fcdbd83 F	47	}
0f113f3e MC	48	/*
	49	* Duplicate policy OIDs are illegal: reject if matches found.
	50	*/
	51	if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
	52	if (cache->anyPolicy) {
	53	ret = -1;
	54	goto bad_policy;
	55	}
	56	cache->anyPolicy = data;
5b37fef0	57	} else if (sk_X509_POLICY_DATA_find(cache->data, data) >=0 ) {
0f113f3e MC	58	ret = -1;
0f113f3e MC	59	goto bad_policy;
7fcdbd83	60	} else if (!sk_X509_POLICY_DATA_push(cache->data, data)) {
9311d0c4	61	ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
0f113f3e	62	goto bad_policy;
7fcdbd83	63	}
0f113f3e MC	64	data = NULL;
	65	}
	66	ret = 1;
7fcdbd83	67
0f113f3e MC	68	bad_policy:
	69	if (ret == -1)
	70	x->ex_flags \|= EXFLAG_INVALID_POLICY;
b54cab31	71	ossl_policy_data_free(data);
7fcdbd83	72	just_cleanup:
0f113f3e MC	73	sk_POLICYINFO_pop_free(policies, POLICYINFO_free);
0f113f3e MC	74	if (ret <= 0) {
b54cab31	75	sk_X509_POLICY_DATA_pop_free(cache->data, ossl_policy_data_free);
0f113f3e MC	76	cache->data = NULL;
	77	}
	78	return ret;
	79	}
4acc3e90	80
4acc3e90	81	static int policy_cache_new(X509 *x)
0f113f3e MC	82	{
	83	X509_POLICY_CACHE *cache;
	84	ASN1_INTEGER *ext_any = NULL;
	85	POLICY_CONSTRAINTS *ext_pcons = NULL;
	86	CERTIFICATEPOLICIES *ext_cpols = NULL;
	87	POLICY_MAPPINGS *ext_pmaps = NULL;
	88	int i;
7d6df9e9 P	89
	90	if (x->policy_cache != NULL)
	91	return 1;
b4faea50	92	cache = OPENSSL_malloc(sizeof(*cache));
7fcdbd83	93	if (cache == NULL) {
9311d0c4	94	ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
0f113f3e	95	return 0;
7fcdbd83	96	}
0f113f3e MC	97	cache->anyPolicy = NULL;
	98	cache->data = NULL;
	99	cache->any_skip = -1;
	100	cache->explicit_skip = -1;
	101	cache->map_skip = -1;
4acc3e90	102
0f113f3e	103	x->policy_cache = cache;
4acc3e90	104
0f113f3e MC	105	/*
	106	* Handle requireExplicitPolicy first. Need to process this even if we
	107	* don't have any policies.
	108	*/
	109	ext_pcons = X509_get_ext_d2i(x, NID_policy_constraints, &i, NULL);
4acc3e90	110
0f113f3e MC	111	if (!ext_pcons) {
	112	if (i != -1)
	113	goto bad_cache;
	114	} else {
	115	if (!ext_pcons->requireExplicitPolicy
	116	&& !ext_pcons->inhibitPolicyMapping)
	117	goto bad_cache;
	118	if (!policy_cache_set_int(&cache->explicit_skip,
	119	ext_pcons->requireExplicitPolicy))
	120	goto bad_cache;
	121	if (!policy_cache_set_int(&cache->map_skip,
	122	ext_pcons->inhibitPolicyMapping))
	123	goto bad_cache;
	124	}
4acc3e90	125
0f113f3e	126	/* Process CertificatePolicies */
4acc3e90	127
0f113f3e MC	128	ext_cpols = X509_get_ext_d2i(x, NID_certificate_policies, &i, NULL);
	129	/*
	130	* If no CertificatePolicies extension or problem decoding then there is
	131	* no point continuing because the valid policies will be NULL.
	132	*/
	133	if (!ext_cpols) {
	134	/* If not absent some problem with extension */
	135	if (i != -1)
	136	goto bad_cache;
	137	return 1;
	138	}
4acc3e90	139
0f113f3e	140	i = policy_cache_create(x, ext_cpols, i);
4acc3e90	141
0f113f3e	142	/* NB: ext_cpols freed by policy_cache_set_policies */
4acc3e90	143
0f113f3e MC	144	if (i <= 0)
0f113f3e MC	145	return i;
4acc3e90	146
0f113f3e	147	ext_pmaps = X509_get_ext_d2i(x, NID_policy_mappings, &i, NULL);
4acc3e90	148
0f113f3e MC	149	if (!ext_pmaps) {
	150	/* If not absent some problem with extension */
	151	if (i != -1)
	152	goto bad_cache;
	153	} else {
b54cab31	154	i = ossl_policy_cache_set_mapping(x, ext_pmaps);
0f113f3e MC	155	if (i <= 0)
	156	goto bad_cache;
	157	}
4acc3e90	158
0f113f3e	159	ext_any = X509_get_ext_d2i(x, NID_inhibit_any_policy, &i, NULL);
4acc3e90	160
0f113f3e MC	161	if (!ext_any) {
	162	if (i != -1)
	163	goto bad_cache;
	164	} else if (!policy_cache_set_int(&cache->any_skip, ext_any))
	165	goto bad_cache;
66696478	166	goto just_cleanup;
4acc3e90	167
0f113f3e	168	bad_cache:
66696478	169	x->ex_flags \|= EXFLAG_INVALID_POLICY;
4acc3e90	170
66696478	171	just_cleanup:
25aaa98a	172	POLICY_CONSTRAINTS_free(ext_pcons);
2ace7450	173	ASN1_INTEGER_free(ext_any);
0f113f3e	174	return 1;
4acc3e90	175
4acc3e90 DSH	176	}
4acc3e90 DSH	177
b54cab31	178	void ossl_policy_cache_free(X509_POLICY_CACHE *cache)
0f113f3e MC	179	{
	180	if (!cache)
	181	return;
b54cab31 SL	182	ossl_policy_data_free(cache->anyPolicy);
b54cab31 SL	183	sk_X509_POLICY_DATA_pop_free(cache->data, ossl_policy_data_free);
0f113f3e MC	184	OPENSSL_free(cache);
0f113f3e MC	185	}
4acc3e90	186
b54cab31	187	const X509_POLICY_CACHE ossl_policy_cache_set(X509 x)
0f113f3e	188	{
4acc3e90	189
0f113f3e	190	if (x->policy_cache == NULL) {
cd3f8c1b RS	191	if (!CRYPTO_THREAD_write_lock(x->lock))
cd3f8c1b RS	192	return NULL;
0f113f3e	193	policy_cache_new(x);
c001ce33	194	CRYPTO_THREAD_unlock(x->lock);
0f113f3e	195	}
4acc3e90	196
0f113f3e	197	return x->policy_cache;
4acc3e90	198
0f113f3e	199	}
4acc3e90	200
b54cab31 SL	201	X509_POLICY_DATA ossl_policy_cache_find_data(const X509_POLICY_CACHE cache,
b54cab31 SL	202	const ASN1_OBJECT *id)
0f113f3e MC	203	{
	204	int idx;
	205	X509_POLICY_DATA tmp;
	206	tmp.valid_policy = (ASN1_OBJECT *)id;
	207	idx = sk_X509_POLICY_DATA_find(cache->data, &tmp);
0f113f3e MC	208	return sk_X509_POLICY_DATA_value(cache->data, idx);
0f113f3e MC	209	}
4acc3e90	210
0f113f3e MC	211	static int policy_data_cmp(const X509_POLICY_DATA const a,
	212	const X509_POLICY_DATA const b)
	213	{
	214	return OBJ_cmp((a)->valid_policy, (b)->valid_policy);
	215	}
4acc3e90 DSH	216
4acc3e90 DSH	217	static int policy_cache_set_int(long out, ASN1_INTEGER value)
0f113f3e MC	218	{
	219	if (value == NULL)
	220	return 1;
	221	if (value->type == V_ASN1_NEG_INTEGER)
	222	return 0;
	223	*out = ASN1_INTEGER_get(value);
	224	return 1;
	225	}