1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/os/ossrv/ssl/libcrypto/src/crypto/x509v3/pcy_cache.c Fri Jun 15 03:10:57 2012 +0200
1.3 @@ -0,0 +1,287 @@
1.4 +/* pcy_cache.c */
1.5 +/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
1.6 + * project 2004.
1.7 + */
1.8 +/* ====================================================================
1.9 + * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
1.10 + *
1.11 + * Redistribution and use in source and binary forms, with or without
1.12 + * modification, are permitted provided that the following conditions
1.13 + * are met:
1.14 + *
1.15 + * 1. Redistributions of source code must retain the above copyright
1.16 + * notice, this list of conditions and the following disclaimer.
1.17 + *
1.18 + * 2. Redistributions in binary form must reproduce the above copyright
1.19 + * notice, this list of conditions and the following disclaimer in
1.20 + * the documentation and/or other materials provided with the
1.21 + * distribution.
1.22 + *
1.23 + * 3. All advertising materials mentioning features or use of this
1.24 + * software must display the following acknowledgment:
1.25 + * "This product includes software developed by the OpenSSL Project
1.26 + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
1.27 + *
1.28 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
1.29 + * endorse or promote products derived from this software without
1.30 + * prior written permission. For written permission, please contact
1.31 + * licensing@OpenSSL.org.
1.32 + *
1.33 + * 5. Products derived from this software may not be called "OpenSSL"
1.34 + * nor may "OpenSSL" appear in their names without prior written
1.35 + * permission of the OpenSSL Project.
1.36 + *
1.37 + * 6. Redistributions of any form whatsoever must retain the following
1.38 + * acknowledgment:
1.39 + * "This product includes software developed by the OpenSSL Project
1.40 + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
1.41 + *
1.42 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
1.43 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1.44 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
1.45 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
1.46 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
1.47 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
1.48 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
1.49 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1.50 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
1.51 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
1.52 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
1.53 + * OF THE POSSIBILITY OF SUCH DAMAGE.
1.54 + * ====================================================================
1.55 + *
1.56 + * This product includes cryptographic software written by Eric Young
1.57 + * (eay@cryptsoft.com). This product includes software written by Tim
1.58 + * Hudson (tjh@cryptsoft.com).
1.59 + *
1.60 + */
1.61 +
1.62 +#include "cryptlib.h"
1.63 +#include <openssl/x509.h>
1.64 +#include <openssl/x509v3.h>
1.65 +
1.66 +#include "pcy_int.h"
1.67 +
1.68 +static int policy_data_cmp(const X509_POLICY_DATA * const *a,
1.69 + const X509_POLICY_DATA * const *b);
1.70 +static int policy_cache_set_int(long *out, ASN1_INTEGER *value);
1.71 +
1.72 +/* Set cache entry according to CertificatePolicies extension.
1.73 + * Note: this destroys the passed CERTIFICATEPOLICIES structure.
1.74 + */
1.75 +
1.76 +static int policy_cache_create(X509 *x,
1.77 + CERTIFICATEPOLICIES *policies, int crit)
1.78 + {
1.79 + int i;
1.80 + int ret = 0;
1.81 + X509_POLICY_CACHE *cache = x->policy_cache;
1.82 + X509_POLICY_DATA *data = NULL;
1.83 + POLICYINFO *policy;
1.84 + if (sk_POLICYINFO_num(policies) == 0)
1.85 + goto bad_policy;
1.86 + cache->data = sk_X509_POLICY_DATA_new(policy_data_cmp);
1.87 + if (!cache->data)
1.88 + goto bad_policy;
1.89 + for (i = 0; i < sk_POLICYINFO_num(policies); i++)
1.90 + {
1.91 + policy = sk_POLICYINFO_value(policies, i);
1.92 + data = policy_data_new(policy, NULL, crit);
1.93 + if (!data)
1.94 + goto bad_policy;
1.95 + /* Duplicate policy OIDs are illegal: reject if matches
1.96 + * found.
1.97 + */
1.98 + if (OBJ_obj2nid(data->valid_policy) == NID_any_policy)
1.99 + {
1.100 + if (cache->anyPolicy)
1.101 + {
1.102 + ret = -1;
1.103 + goto bad_policy;
1.104 + }
1.105 + cache->anyPolicy = data;
1.106 + }
1.107 + else if (sk_X509_POLICY_DATA_find(cache->data, data) != -1)
1.108 + {
1.109 + ret = -1;
1.110 + goto bad_policy;
1.111 + }
1.112 + else if (!sk_X509_POLICY_DATA_push(cache->data, data))
1.113 + goto bad_policy;
1.114 + data = NULL;
1.115 + }
1.116 + ret = 1;
1.117 + bad_policy:
1.118 + if (ret == -1)
1.119 + x->ex_flags |= EXFLAG_INVALID_POLICY;
1.120 + if (data)
1.121 + policy_data_free(data);
1.122 + sk_POLICYINFO_pop_free(policies, POLICYINFO_free);
1.123 + if (ret <= 0)
1.124 + {
1.125 + sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
1.126 + cache->data = NULL;
1.127 + }
1.128 + return ret;
1.129 + }
1.130 +
1.131 +
1.132 +static int policy_cache_new(X509 *x)
1.133 + {
1.134 + X509_POLICY_CACHE *cache;
1.135 + ASN1_INTEGER *ext_any = NULL;
1.136 + POLICY_CONSTRAINTS *ext_pcons = NULL;
1.137 + CERTIFICATEPOLICIES *ext_cpols = NULL;
1.138 + POLICY_MAPPINGS *ext_pmaps = NULL;
1.139 + int i;
1.140 + cache = OPENSSL_malloc(sizeof(X509_POLICY_CACHE));
1.141 + if (!cache)
1.142 + return 0;
1.143 + cache->anyPolicy = NULL;
1.144 + cache->data = NULL;
1.145 + cache->maps = NULL;
1.146 + cache->any_skip = -1;
1.147 + cache->explicit_skip = -1;
1.148 + cache->map_skip = -1;
1.149 +
1.150 + x->policy_cache = cache;
1.151 +
1.152 + /* Handle requireExplicitPolicy *first*. Need to process this
1.153 + * even if we don't have any policies.
1.154 + */
1.155 + ext_pcons = X509_get_ext_d2i(x, NID_policy_constraints, &i, NULL);
1.156 +
1.157 + if (!ext_pcons)
1.158 + {
1.159 + if (i != -1)
1.160 + goto bad_cache;
1.161 + }
1.162 + else
1.163 + {
1.164 + if (!ext_pcons->requireExplicitPolicy
1.165 + && !ext_pcons->inhibitPolicyMapping)
1.166 + goto bad_cache;
1.167 + if (!policy_cache_set_int(&cache->explicit_skip,
1.168 + ext_pcons->requireExplicitPolicy))
1.169 + goto bad_cache;
1.170 + if (!policy_cache_set_int(&cache->map_skip,
1.171 + ext_pcons->inhibitPolicyMapping))
1.172 + goto bad_cache;
1.173 + }
1.174 +
1.175 + /* Process CertificatePolicies */
1.176 +
1.177 + ext_cpols = X509_get_ext_d2i(x, NID_certificate_policies, &i, NULL);
1.178 + /* If no CertificatePolicies extension or problem decoding then
1.179 + * there is no point continuing because the valid policies will be
1.180 + * NULL.
1.181 + */
1.182 + if (!ext_cpols)
1.183 + {
1.184 + /* If not absent some problem with extension */
1.185 + if (i != -1)
1.186 + goto bad_cache;
1.187 + return 1;
1.188 + }
1.189 +
1.190 + i = policy_cache_create(x, ext_cpols, i);
1.191 +
1.192 + /* NB: ext_cpols freed by policy_cache_set_policies */
1.193 +
1.194 + if (i <= 0)
1.195 + return i;
1.196 +
1.197 + ext_pmaps = X509_get_ext_d2i(x, NID_policy_mappings, &i, NULL);
1.198 +
1.199 + if (!ext_pmaps)
1.200 + {
1.201 + /* If not absent some problem with extension */
1.202 + if (i != -1)
1.203 + goto bad_cache;
1.204 + }
1.205 + else
1.206 + {
1.207 + i = policy_cache_set_mapping(x, ext_pmaps);
1.208 + if (i <= 0)
1.209 + goto bad_cache;
1.210 + }
1.211 +
1.212 + ext_any = X509_get_ext_d2i(x, NID_inhibit_any_policy, &i, NULL);
1.213 +
1.214 + if (!ext_any)
1.215 + {
1.216 + if (i != -1)
1.217 + goto bad_cache;
1.218 + }
1.219 + else if (!policy_cache_set_int(&cache->any_skip, ext_any))
1.220 + goto bad_cache;
1.221 +
1.222 + if (0)
1.223 + {
1.224 + bad_cache:
1.225 + x->ex_flags |= EXFLAG_INVALID_POLICY;
1.226 + }
1.227 +
1.228 + if(ext_pcons)
1.229 + POLICY_CONSTRAINTS_free(ext_pcons);
1.230 +
1.231 + if (ext_any)
1.232 + ASN1_INTEGER_free(ext_any);
1.233 +
1.234 + return 1;
1.235 +
1.236 +
1.237 +}
1.238 +
1.239 +EXPORT_C void policy_cache_free(X509_POLICY_CACHE *cache)
1.240 + {
1.241 + if (!cache)
1.242 + return;
1.243 + if (cache->anyPolicy)
1.244 + policy_data_free(cache->anyPolicy);
1.245 + if (cache->data)
1.246 + sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
1.247 + OPENSSL_free(cache);
1.248 + }
1.249 +
1.250 +EXPORT_C const X509_POLICY_CACHE *policy_cache_set(X509 *x)
1.251 + {
1.252 +
1.253 + if (x->policy_cache == NULL)
1.254 + {
1.255 + CRYPTO_w_lock(CRYPTO_LOCK_X509);
1.256 + policy_cache_new(x);
1.257 + CRYPTO_w_unlock(CRYPTO_LOCK_X509);
1.258 + }
1.259 +
1.260 + return x->policy_cache;
1.261 +
1.262 + }
1.263 +
1.264 +EXPORT_C X509_POLICY_DATA *policy_cache_find_data(const X509_POLICY_CACHE *cache,
1.265 + const ASN1_OBJECT *id)
1.266 + {
1.267 + int idx;
1.268 + X509_POLICY_DATA tmp;
1.269 + tmp.valid_policy = (ASN1_OBJECT *)id;
1.270 + idx = sk_X509_POLICY_DATA_find(cache->data, &tmp);
1.271 + if (idx == -1)
1.272 + return NULL;
1.273 + return sk_X509_POLICY_DATA_value(cache->data, idx);
1.274 + }
1.275 +
1.276 +static int policy_data_cmp(const X509_POLICY_DATA * const *a,
1.277 + const X509_POLICY_DATA * const *b)
1.278 + {
1.279 + return OBJ_cmp((*a)->valid_policy, (*b)->valid_policy);
1.280 + }
1.281 +
1.282 +static int policy_cache_set_int(long *out, ASN1_INTEGER *value)
1.283 + {
1.284 + if (value == NULL)
1.285 + return 1;
1.286 + if (value->type == V_ASN1_NEG_INTEGER)
1.287 + return 0;
1.288 + *out = ASN1_INTEGER_get(value);
1.289 + return 1;
1.290 + }