crypto/x509/pcy_cache.c

   1 /*
   2  * Copyright 2004-2018 The OpenSSL Project Authors. All Rights Reserved.
   3  *
   4  * Licensed under the Apache License 2.0 (the "License").  You may not use
   5  * this file except in compliance with the License.  You can obtain a copy
   6  * in the file LICENSE in the source distribution or at
   7  * https://www.openssl.org/source/license.html
   8  */
   9
  10 #include "internal/cryptlib.h"
  11 #include <openssl/x509.h>
  12 #include <openssl/x509v3.h>
  13 #include "crypto/x509.h"
  14
  15 #include "pcy_int.h"
  16
  17 static int policy_data_cmp(const X509_POLICY_DATA *const *a,
  18                            const X509_POLICY_DATA *const *b);
  19 static int policy_cache_set_int(long *out, ASN1_INTEGER *value);
  20
  21 /*
  22  * Set cache entry according to CertificatePolicies extension. Note: this
  23  * destroys the passed CERTIFICATEPOLICIES structure.
  24  */
  25
  26 static int policy_cache_create(X509 *x,
  27                                CERTIFICATEPOLICIES *policies, int crit)
  28 {
  29     int i, num, ret = 0;
  30     X509_POLICY_CACHE *cache = x->policy_cache;
  31     X509_POLICY_DATA *data = NULL;
  32     POLICYINFO *policy;
  33
  34     if ((num = sk_POLICYINFO_num(policies)) <= 0)
  35         goto bad_policy;
  36     cache->data = sk_X509_POLICY_DATA_new(policy_data_cmp);
  37     if (cache->data == NULL) {
  38         X509V3err(X509V3_F_POLICY_CACHE_CREATE, ERR_R_MALLOC_FAILURE);
  39         goto just_cleanup;
  40     }
  41     for (i = 0; i < num; i++) {
  42         policy = sk_POLICYINFO_value(policies, i);
  43         data = policy_data_new(policy, NULL, crit);
  44         if (data == NULL) {
  45             X509V3err(X509V3_F_POLICY_CACHE_CREATE, ERR_R_MALLOC_FAILURE);
  46             goto just_cleanup;
  47         }
  48         /*
  49          * Duplicate policy OIDs are illegal: reject if matches found.
  50          */
  51         if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
  52             if (cache->anyPolicy) {
  53                 ret = -1;
  54                 goto bad_policy;
  55             }
  56             cache->anyPolicy = data;
  57         } else if (sk_X509_POLICY_DATA_find(cache->data, data) >=0 ) {
  58             ret = -1;
  59             goto bad_policy;
  60         } else if (!sk_X509_POLICY_DATA_push(cache->data, data)) {
  61             X509V3err(X509V3_F_POLICY_CACHE_CREATE, ERR_R_MALLOC_FAILURE);
  62             goto bad_policy;
  63         }
  64         data = NULL;
  65     }
  66     ret = 1;
  67
  68  bad_policy:
  69     if (ret == -1)
  70         x->ex_flags |= EXFLAG_INVALID_POLICY;
  71     policy_data_free(data);
  72  just_cleanup:
  73     sk_POLICYINFO_pop_free(policies, POLICYINFO_free);
  74     if (ret <= 0) {
  75         sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
  76         cache->data = NULL;
  77     }
  78     return ret;
  79 }
  80
  81 static int policy_cache_new(X509 *x)
  82 {
  83     X509_POLICY_CACHE *cache;
  84     ASN1_INTEGER *ext_any = NULL;
  85     POLICY_CONSTRAINTS *ext_pcons = NULL;
  86     CERTIFICATEPOLICIES *ext_cpols = NULL;
  87     POLICY_MAPPINGS *ext_pmaps = NULL;
  88     int i;
  89
  90     if (x->policy_cache != NULL)
  91         return 1;
  92     cache = OPENSSL_malloc(sizeof(*cache));
  93     if (cache == NULL) {
  94         X509V3err(X509V3_F_POLICY_CACHE_NEW, ERR_R_MALLOC_FAILURE);
  95         return 0;
  96     }
  97     cache->anyPolicy = NULL;
  98     cache->data = NULL;
  99     cache->any_skip = -1;
 100     cache->explicit_skip = -1;
 101     cache->map_skip = -1;
 102
 103     x->policy_cache = cache;
 104
 105     /*
 106      * Handle requireExplicitPolicy *first*. Need to process this even if we
 107      * don't have any policies.
 108      */
 109     ext_pcons = X509_get_ext_d2i(x, NID_policy_constraints, &i, NULL);
 110
 111     if (!ext_pcons) {
 112         if (i != -1)
 113             goto bad_cache;
 114     } else {
 115         if (!ext_pcons->requireExplicitPolicy
 116             && !ext_pcons->inhibitPolicyMapping)
 117             goto bad_cache;
 118         if (!policy_cache_set_int(&cache->explicit_skip,
 119                                   ext_pcons->requireExplicitPolicy))
 120             goto bad_cache;
 121         if (!policy_cache_set_int(&cache->map_skip,
 122                                   ext_pcons->inhibitPolicyMapping))
 123             goto bad_cache;
 124     }
 125
 126     /* Process CertificatePolicies */
 127
 128     ext_cpols = X509_get_ext_d2i(x, NID_certificate_policies, &i, NULL);
 129     /*
 130      * If no CertificatePolicies extension or problem decoding then there is
 131      * no point continuing because the valid policies will be NULL.
 132      */
 133     if (!ext_cpols) {
 134         /* If not absent some problem with extension */
 135         if (i != -1)
 136             goto bad_cache;
 137         return 1;
 138     }
 139
 140     i = policy_cache_create(x, ext_cpols, i);
 141
 142     /* NB: ext_cpols freed by policy_cache_set_policies */
 143
 144     if (i <= 0)
 145         return i;
 146
 147     ext_pmaps = X509_get_ext_d2i(x, NID_policy_mappings, &i, NULL);
 148
 149     if (!ext_pmaps) {
 150         /* If not absent some problem with extension */
 151         if (i != -1)
 152             goto bad_cache;
 153     } else {
 154         i = policy_cache_set_mapping(x, ext_pmaps);
 155         if (i <= 0)
 156             goto bad_cache;
 157     }
 158
 159     ext_any = X509_get_ext_d2i(x, NID_inhibit_any_policy, &i, NULL);
 160
 161     if (!ext_any) {
 162         if (i != -1)
 163             goto bad_cache;
 164     } else if (!policy_cache_set_int(&cache->any_skip, ext_any))
 165         goto bad_cache;
 166     goto just_cleanup;
 167
 168  bad_cache:
 169     x->ex_flags |= EXFLAG_INVALID_POLICY;
 170
 171  just_cleanup:
 172     POLICY_CONSTRAINTS_free(ext_pcons);
 173     ASN1_INTEGER_free(ext_any);
 174     return 1;
 175
 176 }
 177
 178 void policy_cache_free(X509_POLICY_CACHE *cache)
 179 {
 180     if (!cache)
 181         return;
 182     policy_data_free(cache->anyPolicy);
 183     sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
 184     OPENSSL_free(cache);
 185 }
 186
 187 const X509_POLICY_CACHE *policy_cache_set(X509 *x)
 188 {
 189
 190     if (x->policy_cache == NULL) {
 191         CRYPTO_THREAD_write_lock(x->lock);
 192         policy_cache_new(x);
 193         CRYPTO_THREAD_unlock(x->lock);
 194     }
 195
 196     return x->policy_cache;
 197
 198 }
 199
 200 X509_POLICY_DATA *policy_cache_find_data(const X509_POLICY_CACHE *cache,
 201                                          const ASN1_OBJECT *id)
 202 {
 203     int idx;
 204     X509_POLICY_DATA tmp;
 205     tmp.valid_policy = (ASN1_OBJECT *)id;
 206     idx = sk_X509_POLICY_DATA_find(cache->data, &tmp);
 207     return sk_X509_POLICY_DATA_value(cache->data, idx);
 208 }
 209
 210 static int policy_data_cmp(const X509_POLICY_DATA *const *a,
 211                            const X509_POLICY_DATA *const *b)
 212 {
 213     return OBJ_cmp((*a)->valid_policy, (*b)->valid_policy);
 214 }
 215
 216 static int policy_cache_set_int(long *out, ASN1_INTEGER *value)
 217 {
 218     if (value == NULL)
 219         return 1;
 220     if (value->type == V_ASN1_NEG_INTEGER)
 221         return 0;
 222     *out = ASN1_INTEGER_get(value);
 223     return 1;
 224 }