Symaptic: os/ossrv/ssl/libcrypto/src/crypto/x509v3/pcy

     1 /* pcy_cache.c */

     2 /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL

     3  * project 2004.

     4  */

     5 /* ====================================================================

     6  * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.

     7  *

     8  * Redistribution and use in source and binary forms, with or without

     9  * modification, are permitted provided that the following conditions

    10  * are met:

    11  *

    12  * 1. Redistributions of source code must retain the above copyright

    13  *    notice, this list of conditions and the following disclaimer.

    14  *

    15  * 2. Redistributions in binary form must reproduce the above copyright

    16  *    notice, this list of conditions and the following disclaimer in

    17  *    the documentation and/or other materials provided with the

    18  *    distribution.

    19  *

    20  * 3. All advertising materials mentioning features or use of this

    21  *    software must display the following acknowledgment:

    22  *    "This product includes software developed by the OpenSSL Project

    23  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"

    24  *

    25  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

    26  *    endorse or promote products derived from this software without

    27  *    prior written permission. For written permission, please contact

    28  *    licensing@OpenSSL.org.

    29  *

    30  * 5. Products derived from this software may not be called "OpenSSL"

    31  *    nor may "OpenSSL" appear in their names without prior written

    32  *    permission of the OpenSSL Project.

    33  *

    34  * 6. Redistributions of any form whatsoever must retain the following

    35  *    acknowledgment:

    36  *    "This product includes software developed by the OpenSSL Project

    37  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"

    38  *

    39  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

    40  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

    41  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

    42  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

    43  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

    44  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

    45  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

    46  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

    47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

    48  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

    49  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

    50  * OF THE POSSIBILITY OF SUCH DAMAGE.

    51  * ====================================================================

    52  *

    53  * This product includes cryptographic software written by Eric Young

    54  * (eay@cryptsoft.com).  This product includes software written by Tim

    55  * Hudson (tjh@cryptsoft.com).

    56  *

    57  */

    59 #include "cryptlib.h"

    60 #include <openssl/x509.h>

    61 #include <openssl/x509v3.h>

    63 #include "pcy_int.h"

    65 static int policy_data_cmp(const X509_POLICY_DATA * const *a,

    66 				const X509_POLICY_DATA * const *b);

    67 static int policy_cache_set_int(long *out, ASN1_INTEGER *value);

    69 /* Set cache entry according to CertificatePolicies extension.

    70  * Note: this destroys the passed CERTIFICATEPOLICIES structure.

    71  */

    73 static int policy_cache_create(X509 *x,

    74 			CERTIFICATEPOLICIES *policies, int crit)

    75 	{

    76 	int i;

    77 	int ret = 0;

    78 	X509_POLICY_CACHE *cache = x->policy_cache;

    79 	X509_POLICY_DATA *data = NULL;

    80 	POLICYINFO *policy;

    81 	if (sk_POLICYINFO_num(policies) == 0)

    82 		goto bad_policy;

    83 	cache->data = sk_X509_POLICY_DATA_new(policy_data_cmp);

    84 	if (!cache->data)

    85 		goto bad_policy;

    86 	for (i = 0; i < sk_POLICYINFO_num(policies); i++)

    87 		{

    88 		policy = sk_POLICYINFO_value(policies, i);

    89 		data = policy_data_new(policy, NULL, crit);

    90 		if (!data)

    91 			goto bad_policy;

    92 		/* Duplicate policy OIDs are illegal: reject if matches

    93 		 * found.

    94 		 */

    95 		if (OBJ_obj2nid(data->valid_policy) == NID_any_policy)

    96 			{

    97 			if (cache->anyPolicy)

    98 				{

    99 				ret = -1;

   100 				goto bad_policy;

   101 				}

   102 			cache->anyPolicy = data;

   103 			}

   104 		else if (sk_X509_POLICY_DATA_find(cache->data, data) != -1)

   105 			{

   106 			ret = -1;

   107 			goto bad_policy;

   108 			}

   109 		else if (!sk_X509_POLICY_DATA_push(cache->data, data))

   110 			goto bad_policy;

   111 		data = NULL;

   112 		}

   113 	ret = 1;

   114 	bad_policy:

   115 	if (ret == -1)

   116 		x->ex_flags |= EXFLAG_INVALID_POLICY;

   117 	if (data)

   118 		policy_data_free(data);

   119 	sk_POLICYINFO_pop_free(policies, POLICYINFO_free);

   120 	if (ret <= 0)

   121 		{

   122 		sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);

   123 		cache->data = NULL;

   124 		}

   125 	return ret;

   126 	}

   129 static int policy_cache_new(X509 *x)

   130 	{

   131 	X509_POLICY_CACHE *cache;

   132 	ASN1_INTEGER *ext_any = NULL;

   133 	POLICY_CONSTRAINTS *ext_pcons = NULL;

   134 	CERTIFICATEPOLICIES *ext_cpols = NULL;

   135 	POLICY_MAPPINGS *ext_pmaps = NULL;

   136 	int i;

   137 	cache = OPENSSL_malloc(sizeof(X509_POLICY_CACHE));

   138 	if (!cache)

   139 		return 0;

   140 	cache->anyPolicy = NULL;

   141 	cache->data = NULL;

   142 	cache->maps = NULL;

   143 	cache->any_skip = -1;

   144 	cache->explicit_skip = -1;

   145 	cache->map_skip = -1;

   147 	x->policy_cache = cache;

   149 	/* Handle requireExplicitPolicy *first*. Need to process this

   150 	 * even if we don't have any policies.

   151 	 */

   152 	ext_pcons = X509_get_ext_d2i(x, NID_policy_constraints, &i, NULL);

   154 	if (!ext_pcons)

   155 		{

   156 		if (i != -1)

   157 			goto bad_cache;

   158 		}

   159 	else

   160 		{

   161 		if (!ext_pcons->requireExplicitPolicy

   162 			&& !ext_pcons->inhibitPolicyMapping)

   163 			goto bad_cache;

   164 		if (!policy_cache_set_int(&cache->explicit_skip,

   165 			ext_pcons->requireExplicitPolicy))

   166 			goto bad_cache;

   167 		if (!policy_cache_set_int(&cache->map_skip,

   168 			ext_pcons->inhibitPolicyMapping))

   169 			goto bad_cache;

   170 		}

   172 	/* Process CertificatePolicies */

   174 	ext_cpols = X509_get_ext_d2i(x, NID_certificate_policies, &i, NULL);

   175 	/* If no CertificatePolicies extension or problem decoding then

   176 	 * there is no point continuing because the valid policies will be

   177 	 * NULL.

   178 	 */

   179 	if (!ext_cpols)

   180 		{

   181 		/* If not absent some problem with extension */

   182 		if (i != -1)

   183 			goto bad_cache;

   184 		return 1;

   185 		}

   187 	i = policy_cache_create(x, ext_cpols, i);

   189 	/* NB: ext_cpols freed by policy_cache_set_policies */

   191 	if (i <= 0)

   192 		return i;

   194 	ext_pmaps = X509_get_ext_d2i(x, NID_policy_mappings, &i, NULL);

   196 	if (!ext_pmaps)

   197 		{

   198 		/* If not absent some problem with extension */

   199 		if (i != -1)

   200 			goto bad_cache;

   201 		}

   202 	else

   203 		{

   204 		i = policy_cache_set_mapping(x, ext_pmaps);

   205 		if (i <= 0)

   206 			goto bad_cache;

   207 		}

   209 	ext_any = X509_get_ext_d2i(x, NID_inhibit_any_policy, &i, NULL);

   211 	if (!ext_any)

   212 		{

   213 		if (i != -1)

   214 			goto bad_cache;

   215 		}

   216 	else if (!policy_cache_set_int(&cache->any_skip, ext_any))

   217 			goto bad_cache;

   219 	if (0)

   220 		{

   221 		bad_cache:

   222 		x->ex_flags |= EXFLAG_INVALID_POLICY;

   223 		}

   225 	if(ext_pcons)

   226 		POLICY_CONSTRAINTS_free(ext_pcons);

   228 	if (ext_any)

   229 		ASN1_INTEGER_free(ext_any);

   231 	return 1;

   234 }

   236 EXPORT_C void policy_cache_free(X509_POLICY_CACHE *cache)

   237 	{

   238 	if (!cache)

   239 		return;

   240 	if (cache->anyPolicy)

   241 		policy_data_free(cache->anyPolicy);

   242 	if (cache->data)

   243 		sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);

   244 	OPENSSL_free(cache);

   245 	}

   247 EXPORT_C const X509_POLICY_CACHE *policy_cache_set(X509 *x)

   248 	{

   250 	if (x->policy_cache == NULL)

   251 		{

   252 		CRYPTO_w_lock(CRYPTO_LOCK_X509);

   253 			policy_cache_new(x);

   254 		CRYPTO_w_unlock(CRYPTO_LOCK_X509);

   255 		}

   257 	return x->policy_cache;

   259 	}

   261 EXPORT_C X509_POLICY_DATA *policy_cache_find_data(const X509_POLICY_CACHE *cache,

   262 						const ASN1_OBJECT *id)

   263 	{

   264 	int idx;

   265 	X509_POLICY_DATA tmp;

   266 	tmp.valid_policy = (ASN1_OBJECT *)id;

   267 	idx = sk_X509_POLICY_DATA_find(cache->data, &tmp);

   268 	if (idx == -1)

   269 		return NULL;

   270 	return sk_X509_POLICY_DATA_value(cache->data, idx);

   271 	}

   273 static int policy_data_cmp(const X509_POLICY_DATA * const *a,

   274 				const X509_POLICY_DATA * const *b)

   275 	{

   276 	return OBJ_cmp((*a)->valid_policy, (*b)->valid_policy);

   277 	}

   279 static int policy_cache_set_int(long *out, ASN1_INTEGER *value)

   280 	{

   281 	if (value == NULL)

   282 		return 1;

   283 	if (value->type == V_ASN1_NEG_INTEGER)

   284 		return 0;

   285 	*out = ASN1_INTEGER_get(value);

   286 	return 1;

   287 	}

author	sl
	Tue, 10 Jun 2014 14:32:02 +0200
changeset 1	260cb5ec6c19
permissions	-rw-r--r--