[thirdparty/openssl.git] / crypto / x509v3 / pcy_cache.c

/* pcy_cache.c */
/*
 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
 * 2004.
 */
/* ====================================================================
 * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    licensing@OpenSSL.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */

#include "cryptlib.h"
#include <openssl/x509.h>
#include <openssl/x509v3.h>

#include "pcy_int.h"

static int policy_data_cmp(const X509_POLICY_DATA *const *a,
                           const X509_POLICY_DATA *const *b);
static int policy_cache_set_int(long *out, ASN1_INTEGER *value);

/*
 * Set cache entry according to CertificatePolicies extension. Note: this
 * destroys the passed CERTIFICATEPOLICIES structure.
 */

static int policy_cache_create(X509 *x,
                               CERTIFICATEPOLICIES *policies, int crit)
{
    int i;
    int ret = 0;
    X509_POLICY_CACHE *cache = x->policy_cache;
    X509_POLICY_DATA *data = NULL;
    POLICYINFO *policy;
    if (sk_POLICYINFO_num(policies) == 0)
        goto bad_policy;
    cache->data = sk_X509_POLICY_DATA_new(policy_data_cmp);
    if (!cache->data)
        goto bad_policy;
    for (i = 0; i < sk_POLICYINFO_num(policies); i++) {
        policy = sk_POLICYINFO_value(policies, i);
        data = policy_data_new(policy, NULL, crit);
        if (!data)
            goto bad_policy;
        /*
         * Duplicate policy OIDs are illegal: reject if matches found.
         */
        if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
            if (cache->anyPolicy) {
                ret = -1;
                goto bad_policy;
            }
            cache->anyPolicy = data;
        } else if (sk_X509_POLICY_DATA_find(cache->data, data) != -1) {
            ret = -1;
            goto bad_policy;
        } else if (!sk_X509_POLICY_DATA_push(cache->data, data))
            goto bad_policy;
        data = NULL;
    }
    ret = 1;
 bad_policy:
    if (ret == -1)
        x->ex_flags |= EXFLAG_INVALID_POLICY;
    policy_data_free(data);
    sk_POLICYINFO_pop_free(policies, POLICYINFO_free);
    if (ret <= 0) {
        sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
        cache->data = NULL;
    }
    return ret;
}

static int policy_cache_new(X509 *x)
{
    X509_POLICY_CACHE *cache;
    ASN1_INTEGER *ext_any = NULL;
    POLICY_CONSTRAINTS *ext_pcons = NULL;
    CERTIFICATEPOLICIES *ext_cpols = NULL;
    POLICY_MAPPINGS *ext_pmaps = NULL;
    int i;
    cache = OPENSSL_malloc(sizeof(X509_POLICY_CACHE));
    if (!cache)
        return 0;
    cache->anyPolicy = NULL;
    cache->data = NULL;
    cache->any_skip = -1;
    cache->explicit_skip = -1;
    cache->map_skip = -1;

    x->policy_cache = cache;

    /*
     * Handle requireExplicitPolicy *first*. Need to process this even if we
     * don't have any policies.
     */
    ext_pcons = X509_get_ext_d2i(x, NID_policy_constraints, &i, NULL);

    if (!ext_pcons) {
        if (i != -1)
            goto bad_cache;
    } else {
        if (!ext_pcons->requireExplicitPolicy
            && !ext_pcons->inhibitPolicyMapping)
            goto bad_cache;
        if (!policy_cache_set_int(&cache->explicit_skip,
                                  ext_pcons->requireExplicitPolicy))
            goto bad_cache;
        if (!policy_cache_set_int(&cache->map_skip,
                                  ext_pcons->inhibitPolicyMapping))
            goto bad_cache;
    }

    /* Process CertificatePolicies */

    ext_cpols = X509_get_ext_d2i(x, NID_certificate_policies, &i, NULL);
    /*
     * If no CertificatePolicies extension or problem decoding then there is
     * no point continuing because the valid policies will be NULL.
     */
    if (!ext_cpols) {
        /* If not absent some problem with extension */
        if (i != -1)
            goto bad_cache;
        return 1;
    }

    i = policy_cache_create(x, ext_cpols, i);

    /* NB: ext_cpols freed by policy_cache_set_policies */

    if (i <= 0)
        return i;

    ext_pmaps = X509_get_ext_d2i(x, NID_policy_mappings, &i, NULL);

    if (!ext_pmaps) {
        /* If not absent some problem with extension */
        if (i != -1)
            goto bad_cache;
    } else {
        i = policy_cache_set_mapping(x, ext_pmaps);
        if (i <= 0)
            goto bad_cache;
    }

    ext_any = X509_get_ext_d2i(x, NID_inhibit_any_policy, &i, NULL);

    if (!ext_any) {
        if (i != -1)
            goto bad_cache;
    } else if (!policy_cache_set_int(&cache->any_skip, ext_any))
        goto bad_cache;
    goto just_cleanup;

 bad_cache:
    x->ex_flags |= EXFLAG_INVALID_POLICY;

 just_cleanup:
    POLICY_CONSTRAINTS_free(ext_pcons);
    ASN1_INTEGER_free(ext_any);
    return 1;

}

void policy_cache_free(X509_POLICY_CACHE *cache)
{
    if (!cache)
        return;
    policy_data_free(cache->anyPolicy);
    sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
    OPENSSL_free(cache);
}

const X509_POLICY_CACHE *policy_cache_set(X509 *x)
{

    if (x->policy_cache == NULL) {
        CRYPTO_w_lock(CRYPTO_LOCK_X509);
        policy_cache_new(x);
        CRYPTO_w_unlock(CRYPTO_LOCK_X509);
    }

    return x->policy_cache;

}

X509_POLICY_DATA *policy_cache_find_data(const X509_POLICY_CACHE *cache,
                                         const ASN1_OBJECT *id)
{
    int idx;
    X509_POLICY_DATA tmp;
    tmp.valid_policy = (ASN1_OBJECT *)id;
    idx = sk_X509_POLICY_DATA_find(cache->data, &tmp);
    if (idx == -1)
        return NULL;
    return sk_X509_POLICY_DATA_value(cache->data, idx);
}

static int policy_data_cmp(const X509_POLICY_DATA *const *a,
                           const X509_POLICY_DATA *const *b)
{
    return OBJ_cmp((*a)->valid_policy, (*b)->valid_policy);
}

static int policy_cache_set_int(long *out, ASN1_INTEGER *value)
{
    if (value == NULL)
        return 1;
    if (value->type == V_ASN1_NEG_INTEGER)
        return 0;
    *out = ASN1_INTEGER_get(value);
    return 1;
}
Commit	Line	Data
4acc3e90	1	/* pcy_cache.c */
0f113f3e MC	2	/*
	3	* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
	4	* 2004.
4acc3e90 DSH	5	*/
	6	/* ====================================================================
	7	* Copyright (c) 2004 The OpenSSL Project. All rights reserved.
	8	*
	9	* Redistribution and use in source and binary forms, with or without
	10	* modification, are permitted provided that the following conditions
	11	* are met:
	12	*
	13	* 1. Redistributions of source code must retain the above copyright
0f113f3e	14	* notice, this list of conditions and the following disclaimer.
4acc3e90 DSH	15	*
	16	* 2. Redistributions in binary form must reproduce the above copyright
	17	* notice, this list of conditions and the following disclaimer in
	18	* the documentation and/or other materials provided with the
	19	* distribution.
	20	*
	21	* 3. All advertising materials mentioning features or use of this
	22	* software must display the following acknowledgment:
	23	* "This product includes software developed by the OpenSSL Project
	24	* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
	25	*
	26	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
	27	* endorse or promote products derived from this software without
	28	* prior written permission. For written permission, please contact
	29	* licensing@OpenSSL.org.
	30	*
	31	* 5. Products derived from this software may not be called "OpenSSL"
	32	* nor may "OpenSSL" appear in their names without prior written
	33	* permission of the OpenSSL Project.
	34	*
	35	* 6. Redistributions of any form whatsoever must retain the following
	36	* acknowledgment:
	37	* "This product includes software developed by the OpenSSL Project
	38	* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
	39	*
	40	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
	41	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	42	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
	43	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
	44	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
	45	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	46	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
	47	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	48	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
	49	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	50	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
	51	* OF THE POSSIBILITY OF SUCH DAMAGE.
	52	* ====================================================================
	53	*
	54	* This product includes cryptographic software written by Eric Young
	55	* (eay@cryptsoft.com). This product includes software written by Tim
	56	* Hudson (tjh@cryptsoft.com).
	57	*
	58	*/
	59
	60	#include "cryptlib.h"
	61	#include <openssl/x509.h>
	62	#include <openssl/x509v3.h>
	63
	64	#include "pcy_int.h"
	65
0f113f3e MC	66	static int policy_data_cmp(const X509_POLICY_DATA const a,
0f113f3e MC	67	const X509_POLICY_DATA const b);
4acc3e90 DSH	68	static int policy_cache_set_int(long out, ASN1_INTEGER value);
4acc3e90 DSH	69
0f113f3e MC	70	/*
	71	* Set cache entry according to CertificatePolicies extension. Note: this
	72	* destroys the passed CERTIFICATEPOLICIES structure.
4acc3e90 DSH	73	*/
	74
	75	static int policy_cache_create(X509 *x,
0f113f3e MC	76	CERTIFICATEPOLICIES *policies, int crit)
	77	{
	78	int i;
	79	int ret = 0;
	80	X509_POLICY_CACHE *cache = x->policy_cache;
	81	X509_POLICY_DATA *data = NULL;
	82	POLICYINFO *policy;
	83	if (sk_POLICYINFO_num(policies) == 0)
	84	goto bad_policy;
	85	cache->data = sk_X509_POLICY_DATA_new(policy_data_cmp);
	86	if (!cache->data)
	87	goto bad_policy;
	88	for (i = 0; i < sk_POLICYINFO_num(policies); i++) {
	89	policy = sk_POLICYINFO_value(policies, i);
	90	data = policy_data_new(policy, NULL, crit);
	91	if (!data)
	92	goto bad_policy;
	93	/*
	94	* Duplicate policy OIDs are illegal: reject if matches found.
	95	*/
	96	if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
	97	if (cache->anyPolicy) {
	98	ret = -1;
	99	goto bad_policy;
	100	}
	101	cache->anyPolicy = data;
	102	} else if (sk_X509_POLICY_DATA_find(cache->data, data) != -1) {
	103	ret = -1;
	104	goto bad_policy;
	105	} else if (!sk_X509_POLICY_DATA_push(cache->data, data))
	106	goto bad_policy;
	107	data = NULL;
	108	}
	109	ret = 1;
	110	bad_policy:
	111	if (ret == -1)
	112	x->ex_flags \|= EXFLAG_INVALID_POLICY;
25aaa98a	113	policy_data_free(data);
0f113f3e MC	114	sk_POLICYINFO_pop_free(policies, POLICYINFO_free);
	115	if (ret <= 0) {
	116	sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
	117	cache->data = NULL;
	118	}
	119	return ret;
	120	}
4acc3e90	121
4acc3e90	122	static int policy_cache_new(X509 *x)
0f113f3e MC	123	{
	124	X509_POLICY_CACHE *cache;
	125	ASN1_INTEGER *ext_any = NULL;
	126	POLICY_CONSTRAINTS *ext_pcons = NULL;
	127	CERTIFICATEPOLICIES *ext_cpols = NULL;
	128	POLICY_MAPPINGS *ext_pmaps = NULL;
	129	int i;
	130	cache = OPENSSL_malloc(sizeof(X509_POLICY_CACHE));
	131	if (!cache)
	132	return 0;
	133	cache->anyPolicy = NULL;
	134	cache->data = NULL;
	135	cache->any_skip = -1;
	136	cache->explicit_skip = -1;
	137	cache->map_skip = -1;
4acc3e90	138
0f113f3e	139	x->policy_cache = cache;
4acc3e90	140
0f113f3e MC	141	/*
	142	* Handle requireExplicitPolicy first. Need to process this even if we
	143	* don't have any policies.
	144	*/
	145	ext_pcons = X509_get_ext_d2i(x, NID_policy_constraints, &i, NULL);
4acc3e90	146
0f113f3e MC	147	if (!ext_pcons) {
	148	if (i != -1)
	149	goto bad_cache;
	150	} else {
	151	if (!ext_pcons->requireExplicitPolicy
	152	&& !ext_pcons->inhibitPolicyMapping)
	153	goto bad_cache;
	154	if (!policy_cache_set_int(&cache->explicit_skip,
	155	ext_pcons->requireExplicitPolicy))
	156	goto bad_cache;
	157	if (!policy_cache_set_int(&cache->map_skip,
	158	ext_pcons->inhibitPolicyMapping))
	159	goto bad_cache;
	160	}
4acc3e90	161
0f113f3e	162	/* Process CertificatePolicies */
4acc3e90	163
0f113f3e MC	164	ext_cpols = X509_get_ext_d2i(x, NID_certificate_policies, &i, NULL);
	165	/*
	166	* If no CertificatePolicies extension or problem decoding then there is
	167	* no point continuing because the valid policies will be NULL.
	168	*/
	169	if (!ext_cpols) {
	170	/* If not absent some problem with extension */
	171	if (i != -1)
	172	goto bad_cache;
	173	return 1;
	174	}
4acc3e90	175
0f113f3e	176	i = policy_cache_create(x, ext_cpols, i);
4acc3e90	177
0f113f3e	178	/* NB: ext_cpols freed by policy_cache_set_policies */
4acc3e90	179
0f113f3e MC	180	if (i <= 0)
0f113f3e MC	181	return i;
4acc3e90	182
0f113f3e	183	ext_pmaps = X509_get_ext_d2i(x, NID_policy_mappings, &i, NULL);
4acc3e90	184
0f113f3e MC	185	if (!ext_pmaps) {
	186	/* If not absent some problem with extension */
	187	if (i != -1)
	188	goto bad_cache;
	189	} else {
	190	i = policy_cache_set_mapping(x, ext_pmaps);
	191	if (i <= 0)
	192	goto bad_cache;
	193	}
4acc3e90	194
0f113f3e	195	ext_any = X509_get_ext_d2i(x, NID_inhibit_any_policy, &i, NULL);
4acc3e90	196
0f113f3e MC	197	if (!ext_any) {
	198	if (i != -1)
	199	goto bad_cache;
	200	} else if (!policy_cache_set_int(&cache->any_skip, ext_any))
	201	goto bad_cache;
66696478	202	goto just_cleanup;
4acc3e90	203
0f113f3e	204	bad_cache:
66696478	205	x->ex_flags \|= EXFLAG_INVALID_POLICY;
4acc3e90	206
66696478	207	just_cleanup:
25aaa98a	208	POLICY_CONSTRAINTS_free(ext_pcons);
2ace7450	209	ASN1_INTEGER_free(ext_any);
0f113f3e	210	return 1;
4acc3e90	211
4acc3e90 DSH	212	}
	213
	214	void policy_cache_free(X509_POLICY_CACHE *cache)
0f113f3e MC	215	{
	216	if (!cache)
	217	return;
25aaa98a	218	policy_data_free(cache->anyPolicy);
222561fe	219	sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
0f113f3e MC	220	OPENSSL_free(cache);
0f113f3e MC	221	}
4acc3e90 DSH	222
4acc3e90 DSH	223	const X509_POLICY_CACHE policy_cache_set(X509 x)
0f113f3e	224	{
4acc3e90	225
0f113f3e MC	226	if (x->policy_cache == NULL) {
	227	CRYPTO_w_lock(CRYPTO_LOCK_X509);
	228	policy_cache_new(x);
	229	CRYPTO_w_unlock(CRYPTO_LOCK_X509);
	230	}
4acc3e90	231
0f113f3e	232	return x->policy_cache;
4acc3e90	233
0f113f3e	234	}
4acc3e90 DSH	235
4acc3e90 DSH	236	X509_POLICY_DATA policy_cache_find_data(const X509_POLICY_CACHE cache,
0f113f3e MC	237	const ASN1_OBJECT *id)
	238	{
	239	int idx;
	240	X509_POLICY_DATA tmp;
	241	tmp.valid_policy = (ASN1_OBJECT *)id;
	242	idx = sk_X509_POLICY_DATA_find(cache->data, &tmp);
	243	if (idx == -1)
	244	return NULL;
	245	return sk_X509_POLICY_DATA_value(cache->data, idx);
	246	}
4acc3e90	247
0f113f3e MC	248	static int policy_data_cmp(const X509_POLICY_DATA const a,
	249	const X509_POLICY_DATA const b)
	250	{
	251	return OBJ_cmp((a)->valid_policy, (b)->valid_policy);
	252	}
4acc3e90 DSH	253
4acc3e90 DSH	254	static int policy_cache_set_int(long out, ASN1_INTEGER value)
0f113f3e MC	255	{
	256	if (value == NULL)
	257	return 1;
	258	if (value->type == V_ASN1_NEG_INTEGER)
	259	return 0;
	260	*out = ASN1_INTEGER_get(value);
	261	return 1;
	262	}