Coverage Report

Created: 2024-11-21 07:03

/src/openssl/crypto/x509/pcy_tree.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 * Copyright 2004-2024 The OpenSSL Project Authors. All Rights Reserved.
3
 *
4
 * Licensed under the Apache License 2.0 (the "License").  You may not use
5
 * this file except in compliance with the License.  You can obtain a copy
6
 * in the file LICENSE in the source distribution or at
7
 * https://www.openssl.org/source/license.html
8
 */
9
10
#include "internal/cryptlib.h"
11
#include <openssl/trace.h>
12
#include <openssl/x509.h>
13
#include <openssl/x509v3.h>
14
15
#include "pcy_local.h"
16
17
/*
18
 * If the maximum number of nodes in the policy tree isn't defined, set it to
19
 * a generous default of 1000 nodes.
20
 *
21
 * Defining this to be zero means unlimited policy tree growth which opens the
22
 * door on CVE-2023-0464.
23
 */
24
#ifndef OPENSSL_POLICY_TREE_NODES_MAX
25
0
# define OPENSSL_POLICY_TREE_NODES_MAX 1000
26
#endif
27
28
static void exnode_free(X509_POLICY_NODE *node);
29
30
static void expected_print(BIO *channel,
31
                           X509_POLICY_LEVEL *lev, X509_POLICY_NODE *node,
32
                           int indent)
33
0
{
34
0
    if ((lev->flags & X509_V_FLAG_INHIBIT_MAP)
35
0
        || !(node->data->flags & POLICY_DATA_FLAG_MAP_MASK))
36
0
        BIO_puts(channel, "  Not Mapped\n");
37
0
    else {
38
0
        int i;
39
0
40
0
        STACK_OF(ASN1_OBJECT) *pset = node->data->expected_policy_set;
41
0
        ASN1_OBJECT *oid;
42
0
        BIO_puts(channel, "  Expected: ");
43
0
        for (i = 0; i < sk_ASN1_OBJECT_num(pset); i++) {
44
0
            oid = sk_ASN1_OBJECT_value(pset, i);
45
0
            if (i)
46
0
                BIO_puts(channel, ", ");
47
0
            i2a_ASN1_OBJECT(channel, oid);
48
0
        }
49
0
        BIO_puts(channel, "\n");
50
0
    }
51
0
}
52
53
static void tree_print(BIO *channel,
54
                       char *str, X509_POLICY_TREE *tree,
55
                       X509_POLICY_LEVEL *curr)
56
0
{
57
0
    X509_POLICY_LEVEL *plev;
58
0
59
0
    if (!curr)
60
0
        curr = tree->levels + tree->nlevel;
61
0
    else
62
0
        curr++;
63
0
64
0
    BIO_printf(channel, "Level print after %s\n", str);
65
0
    BIO_printf(channel, "Printing Up to Level %ld\n",
66
0
               (long)(curr - tree->levels));
67
0
    for (plev = tree->levels; plev != curr; plev++) {
68
0
        int i;
69
0
70
0
        BIO_printf(channel, "Level %ld, flags = %x\n",
71
0
                   (long)(plev - tree->levels), plev->flags);
72
0
        for (i = 0; i < sk_X509_POLICY_NODE_num(plev->nodes); i++) {
73
0
            X509_POLICY_NODE *node =
74
0
                sk_X509_POLICY_NODE_value(plev->nodes, i);
75
0
76
0
            X509_POLICY_NODE_print(channel, node, 2);
77
0
            expected_print(channel, plev, node, 2);
78
0
            BIO_printf(channel, "  Flags: %x\n", node->data->flags);
79
0
        }
80
0
        if (plev->anyPolicy)
81
0
            X509_POLICY_NODE_print(channel, plev->anyPolicy, 2);
82
0
    }
83
0
}
84
85
#define TREE_PRINT(str, tree, curr) \
86
0
    OSSL_TRACE_BEGIN(X509V3_POLICY) { \
87
0
        tree_print(trc_out, "before tree_prune()", tree, curr); \
88
0
    } OSSL_TRACE_END(X509V3_POLICY)
89
90
/*-
91
 * Return value: <= 0 on error, or positive bit mask:
92
 *
93
 * X509_PCY_TREE_VALID: valid tree
94
 * X509_PCY_TREE_EMPTY: empty tree (including bare TA case)
95
 * X509_PCY_TREE_EXPLICIT: explicit policy required
96
 */
97
static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
98
                     unsigned int flags)
99
0
{
100
0
    X509_POLICY_TREE *tree;
101
0
    X509_POLICY_LEVEL *level;
102
0
    const X509_POLICY_CACHE *cache;
103
0
    X509_POLICY_DATA *data = NULL;
104
0
    int ret = X509_PCY_TREE_VALID;
105
0
    int n = sk_X509_num(certs) - 1; /* RFC5280 paths omit the TA */
106
0
    int explicit_policy = (flags & X509_V_FLAG_EXPLICIT_POLICY) ? 0 : n+1;
107
0
    int any_skip = (flags & X509_V_FLAG_INHIBIT_ANY) ? 0 : n+1;
108
0
    int map_skip = (flags & X509_V_FLAG_INHIBIT_MAP) ? 0 : n+1;
109
0
    int i;
110
111
0
    *ptree = NULL;
112
113
0
    if (n < 0)
114
0
        return X509_PCY_TREE_INTERNAL;
115
    /* Can't do anything with just a trust anchor */
116
0
    if (n == 0)
117
0
        return X509_PCY_TREE_EMPTY;
118
119
    /*
120
     * First setup the policy cache in all n non-TA certificates, this will be
121
     * used in X509_verify_cert() which will invoke the verify callback for all
122
     * certificates with invalid policy extensions.
123
     */
124
0
    for (i = n - 1; i >= 0; i--) {
125
0
        X509 *x = sk_X509_value(certs, i);
126
127
        /* Call for side-effect of computing hash and caching extensions */
128
0
        X509_check_purpose(x, -1, 0);
129
130
        /* If cache is NULL, likely ENOMEM: return immediately */
131
0
        if (ossl_policy_cache_set(x) == NULL)
132
0
            return X509_PCY_TREE_INTERNAL;
133
0
    }
134
135
    /*
136
     * At this point check for invalid policies and required explicit policy.
137
     * Note that the explicit_policy counter is a count-down to zero, with the
138
     * requirement kicking in if and once it does that.  The counter is
139
     * decremented for every non-self-issued certificate in the path, but may
140
     * be further reduced by policy constraints in a non-leaf certificate.
141
     *
142
     * The ultimate policy set is the intersection of all the policies along
143
     * the path, if we hit a certificate with an empty policy set, and explicit
144
     * policy is required we're done.
145
     */
146
0
    for (i = n - 1;
147
0
         i >= 0 && (explicit_policy > 0 || (ret & X509_PCY_TREE_EMPTY) == 0);
148
0
         i--) {
149
0
        X509 *x = sk_X509_value(certs, i);
150
0
        uint32_t ex_flags = X509_get_extension_flags(x);
151
152
        /* All the policies are already cached, we can return early */
153
0
        if (ex_flags & EXFLAG_INVALID_POLICY)
154
0
            return X509_PCY_TREE_INVALID;
155
156
        /* Access the cache which we now know exists */
157
0
        cache = ossl_policy_cache_set(x);
158
159
0
        if ((ret & X509_PCY_TREE_VALID) && cache->data == NULL)
160
0
            ret = X509_PCY_TREE_EMPTY;
161
0
        if (explicit_policy > 0) {
162
0
            if (!(ex_flags & EXFLAG_SI))
163
0
                explicit_policy--;
164
0
            if ((cache->explicit_skip >= 0)
165
0
                && (cache->explicit_skip < explicit_policy))
166
0
                explicit_policy = cache->explicit_skip;
167
0
        }
168
0
    }
169
170
0
    if (explicit_policy == 0)
171
0
        ret |= X509_PCY_TREE_EXPLICIT;
172
0
    if ((ret & X509_PCY_TREE_VALID) == 0)
173
0
        return ret;
174
175
    /* If we get this far initialize the tree */
176
0
    if ((tree = OPENSSL_zalloc(sizeof(*tree))) == NULL)
177
0
        return X509_PCY_TREE_INTERNAL;
178
179
    /* Limit the growth of the tree to mitigate CVE-2023-0464 */
180
0
    tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX;
181
182
    /*
183
     * http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3.
184
     *
185
     * The top level is implicitly for the trust anchor with valid expected
186
     * policies of anyPolicy.  (RFC 5280 has the TA at depth 0 and the leaf at
187
     * depth n, we have the leaf at depth 0 and the TA at depth n).
188
     */
189
0
    if ((tree->levels = OPENSSL_zalloc(sizeof(*tree->levels)*(n+1))) == NULL) {
190
0
        OPENSSL_free(tree);
191
0
        return X509_PCY_TREE_INTERNAL;
192
0
    }
193
0
    tree->nlevel = n+1;
194
0
    level = tree->levels;
195
0
    if ((data = ossl_policy_data_new(NULL,
196
0
                                     OBJ_nid2obj(NID_any_policy), 0)) == NULL)
197
0
        goto bad_tree;
198
0
    if (ossl_policy_level_add_node(level, data, NULL, tree, 1) == NULL) {
199
0
        ossl_policy_data_free(data);
200
0
        goto bad_tree;
201
0
    }
202
203
    /*
204
     * In this pass initialize all the tree levels and whether anyPolicy and
205
     * policy mapping are inhibited at each level.
206
     */
207
0
    for (i = n - 1; i >= 0; i--) {
208
0
        X509 *x = sk_X509_value(certs, i);
209
0
        uint32_t ex_flags = X509_get_extension_flags(x);
210
211
        /* Access the cache which we now know exists */
212
0
        cache = ossl_policy_cache_set(x);
213
214
0
        X509_up_ref(x);
215
0
        (++level)->cert = x;
216
217
0
        if (!cache->anyPolicy)
218
0
            level->flags |= X509_V_FLAG_INHIBIT_ANY;
219
220
        /* Determine inhibit any and inhibit map flags */
221
0
        if (any_skip == 0) {
222
            /*
223
             * Any matching allowed only if certificate is self issued and not
224
             * the last in the chain.
225
             */
226
0
            if (!(ex_flags & EXFLAG_SI) || (i == 0))
227
0
                level->flags |= X509_V_FLAG_INHIBIT_ANY;
228
0
        } else {
229
0
            if (!(ex_flags & EXFLAG_SI))
230
0
                any_skip--;
231
0
            if ((cache->any_skip >= 0) && (cache->any_skip < any_skip))
232
0
                any_skip = cache->any_skip;
233
0
        }
234
235
0
        if (map_skip == 0)
236
0
            level->flags |= X509_V_FLAG_INHIBIT_MAP;
237
0
        else {
238
0
            if (!(ex_flags & EXFLAG_SI))
239
0
                map_skip--;
240
0
            if ((cache->map_skip >= 0) && (cache->map_skip < map_skip))
241
0
                map_skip = cache->map_skip;
242
0
        }
243
0
    }
244
245
0
    *ptree = tree;
246
0
    return ret;
247
248
0
 bad_tree:
249
0
    X509_policy_tree_free(tree);
250
0
    return X509_PCY_TREE_INTERNAL;
251
0
}
252
253
/*
254
 * Return value: 1 on success, 0 otherwise
255
 */
256
static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
257
                                    X509_POLICY_DATA *data,
258
                                    X509_POLICY_TREE *tree)
259
0
{
260
0
    X509_POLICY_LEVEL *last = curr - 1;
261
0
    int i, matched = 0;
262
263
    /* Iterate through all in nodes linking matches */
264
0
    for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++) {
265
0
        X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i);
266
267
0
        if (ossl_policy_node_match(last, node, data->valid_policy)) {
268
0
            if (ossl_policy_level_add_node(curr, data, node, tree, 0) == NULL)
269
0
                return 0;
270
0
            matched = 1;
271
0
        }
272
0
    }
273
0
    if (!matched && last->anyPolicy) {
274
0
        if (ossl_policy_level_add_node(curr, data, last->anyPolicy, tree, 0) == NULL)
275
0
            return 0;
276
0
    }
277
0
    return 1;
278
0
}
279
280
/*
281
 * This corresponds to RFC3280 6.1.3(d)(1): link any data from
282
 * CertificatePolicies onto matching parent or anyPolicy if no match.
283
 *
284
 * Return value: 1 on success, 0 otherwise.
285
 */
286
static int tree_link_nodes(X509_POLICY_LEVEL *curr,
287
                           const X509_POLICY_CACHE *cache,
288
                           X509_POLICY_TREE *tree)
289
0
{
290
0
    int i;
291
292
0
    for (i = 0; i < sk_X509_POLICY_DATA_num(cache->data); i++) {
293
0
        X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i);
294
295
        /* Look for matching nodes in previous level */
296
0
        if (!tree_link_matching_nodes(curr, data, tree))
297
0
            return 0;
298
0
    }
299
0
    return 1;
300
0
}
301
302
/*
303
 * This corresponds to RFC3280 6.1.3(d)(2): Create new data for any unmatched
304
 * policies in the parent and link to anyPolicy.
305
 *
306
 * Return value: 1 on success, 0 otherwise.
307
 */
308
static int tree_add_unmatched(X509_POLICY_LEVEL *curr,
309
                              const X509_POLICY_CACHE *cache,
310
                              const ASN1_OBJECT *id,
311
                              X509_POLICY_NODE *node, X509_POLICY_TREE *tree)
312
0
{
313
0
    X509_POLICY_DATA *data;
314
315
0
    if (id == NULL)
316
0
        id = node->data->valid_policy;
317
    /*
318
     * Create a new node with qualifiers from anyPolicy and id from unmatched
319
     * node.
320
     */
321
0
    if ((data = ossl_policy_data_new(NULL, id, node_critical(node))) == NULL)
322
0
        return 0;
323
324
    /* Curr may not have anyPolicy */
325
0
    data->qualifier_set = cache->anyPolicy->qualifier_set;
326
0
    data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
327
0
    if (ossl_policy_level_add_node(curr, data, node, tree, 1) == NULL) {
328
0
        ossl_policy_data_free(data);
329
0
        return 0;
330
0
    }
331
0
    return 1;
332
0
}
333
334
/*
335
 * Return value: 1 on success, 0 otherwise.
336
 */
337
static int tree_link_unmatched(X509_POLICY_LEVEL *curr,
338
                               const X509_POLICY_CACHE *cache,
339
                               X509_POLICY_NODE *node, X509_POLICY_TREE *tree)
340
0
{
341
0
    const X509_POLICY_LEVEL *last = curr - 1;
342
0
    int i;
343
344
0
    if ((last->flags & X509_V_FLAG_INHIBIT_MAP)
345
0
        || !(node->data->flags & POLICY_DATA_FLAG_MAPPED)) {
346
        /* If no policy mapping: matched if one child present */
347
0
        if (node->nchild)
348
0
            return 1;
349
0
        if (!tree_add_unmatched(curr, cache, NULL, node, tree))
350
0
            return 0;
351
        /* Add it */
352
0
    } else {
353
        /* If mapping: matched if one child per expected policy set */
354
0
        STACK_OF(ASN1_OBJECT) *expset = node->data->expected_policy_set;
355
0
        if (node->nchild == sk_ASN1_OBJECT_num(expset))
356
0
            return 1;
357
        /* Locate unmatched nodes */
358
0
        for (i = 0; i < sk_ASN1_OBJECT_num(expset); i++) {
359
0
            ASN1_OBJECT *oid = sk_ASN1_OBJECT_value(expset, i);
360
0
            if (ossl_policy_level_find_node(curr, node, oid))
361
0
                continue;
362
0
            if (!tree_add_unmatched(curr, cache, oid, node, tree))
363
0
                return 0;
364
0
        }
365
366
0
    }
367
0
    return 1;
368
0
}
369
370
/*
371
 * Return value: 1 on success, 0 otherwise
372
 */
373
static int tree_link_any(X509_POLICY_LEVEL *curr,
374
                         const X509_POLICY_CACHE *cache,
375
                         X509_POLICY_TREE *tree)
376
0
{
377
0
    int i;
378
0
    X509_POLICY_NODE *node;
379
0
    X509_POLICY_LEVEL *last = curr - 1;
380
381
0
    for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++) {
382
0
        node = sk_X509_POLICY_NODE_value(last->nodes, i);
383
384
0
        if (!tree_link_unmatched(curr, cache, node, tree))
385
0
            return 0;
386
0
    }
387
    /* Finally add link to anyPolicy */
388
0
    if (last->anyPolicy &&
389
0
            ossl_policy_level_add_node(curr, cache->anyPolicy,
390
0
                                       last->anyPolicy, tree, 0) == NULL)
391
0
        return 0;
392
0
    return 1;
393
0
}
394
395
/*-
396
 * Prune the tree: delete any child mapped child data on the current level then
397
 * proceed up the tree deleting any data with no children. If we ever have no
398
 * data on a level we can halt because the tree will be empty.
399
 *
400
 * Return value: <= 0 error, otherwise one of:
401
 *
402
 * X509_PCY_TREE_VALID: valid tree
403
 * X509_PCY_TREE_EMPTY: empty tree
404
 */
405
static int tree_prune(X509_POLICY_TREE *tree, X509_POLICY_LEVEL *curr)
406
0
{
407
0
    STACK_OF(X509_POLICY_NODE) *nodes;
408
0
    X509_POLICY_NODE *node;
409
0
    int i;
410
0
    nodes = curr->nodes;
411
0
    if (curr->flags & X509_V_FLAG_INHIBIT_MAP) {
412
0
        for (i = sk_X509_POLICY_NODE_num(nodes) - 1; i >= 0; i--) {
413
0
            node = sk_X509_POLICY_NODE_value(nodes, i);
414
            /* Delete any mapped data: see RFC3280 XXXX */
415
0
            if (node->data->flags & POLICY_DATA_FLAG_MAP_MASK) {
416
0
                node->parent->nchild--;
417
0
                OPENSSL_free(node);
418
0
                (void)sk_X509_POLICY_NODE_delete(nodes, i);
419
0
            }
420
0
        }
421
0
    }
422
423
0
    for (;;) {
424
0
        --curr;
425
0
        nodes = curr->nodes;
426
0
        for (i = sk_X509_POLICY_NODE_num(nodes) - 1; i >= 0; i--) {
427
0
            node = sk_X509_POLICY_NODE_value(nodes, i);
428
0
            if (node->nchild == 0) {
429
0
                node->parent->nchild--;
430
0
                OPENSSL_free(node);
431
0
                (void)sk_X509_POLICY_NODE_delete(nodes, i);
432
0
            }
433
0
        }
434
0
        if (curr->anyPolicy && !curr->anyPolicy->nchild) {
435
0
            if (curr->anyPolicy->parent)
436
0
                curr->anyPolicy->parent->nchild--;
437
0
            OPENSSL_free(curr->anyPolicy);
438
0
            curr->anyPolicy = NULL;
439
0
        }
440
0
        if (curr == tree->levels) {
441
            /* If we zapped anyPolicy at top then tree is empty */
442
0
            if (!curr->anyPolicy)
443
0
                return X509_PCY_TREE_EMPTY;
444
0
            break;
445
0
        }
446
0
    }
447
0
    return X509_PCY_TREE_VALID;
448
0
}
449
450
/*
451
 * Return value: 1 on success, 0 otherwise.
452
 */
453
static int tree_add_auth_node(STACK_OF(X509_POLICY_NODE) **pnodes,
454
                              X509_POLICY_NODE *pcy)
455
0
{
456
0
    if (*pnodes == NULL &&
457
0
        (*pnodes = ossl_policy_node_cmp_new()) == NULL)
458
0
        return 0;
459
0
    if (sk_X509_POLICY_NODE_find(*pnodes, pcy) >= 0)
460
0
        return 1;
461
0
    return sk_X509_POLICY_NODE_push(*pnodes, pcy) != 0;
462
0
}
463
464
0
#define TREE_CALC_FAILURE 0
465
0
#define TREE_CALC_OK_NOFREE 1
466
0
#define TREE_CALC_OK_DOFREE 2
467
468
/*-
469
 * Calculate the authority set based on policy tree. The 'pnodes' parameter is
470
 * used as a store for the set of policy nodes used to calculate the user set.
471
 * If the authority set is not anyPolicy then pnodes will just point to the
472
 * authority set. If however the authority set is anyPolicy then the set of
473
 * valid policies (other than anyPolicy) is store in pnodes.
474
 *
475
 * Return value:
476
 *  TREE_CALC_FAILURE on failure,
477
 *  TREE_CALC_OK_NOFREE on success and pnodes need not be freed,
478
 *  TREE_CALC_OK_DOFREE on success and pnodes needs to be freed
479
 */
480
static int tree_calculate_authority_set(X509_POLICY_TREE *tree,
481
                                        STACK_OF(X509_POLICY_NODE) **pnodes)
482
0
{
483
0
    X509_POLICY_LEVEL *curr;
484
0
    X509_POLICY_NODE *node, *anyptr;
485
0
    STACK_OF(X509_POLICY_NODE) **addnodes;
486
0
    int i, j;
487
0
    curr = tree->levels + tree->nlevel - 1;
488
489
    /* If last level contains anyPolicy set is anyPolicy */
490
0
    if (curr->anyPolicy) {
491
0
        if (!tree_add_auth_node(&tree->auth_policies, curr->anyPolicy))
492
0
            return TREE_CALC_FAILURE;
493
0
        addnodes = pnodes;
494
0
    } else
495
        /* Add policies to authority set */
496
0
        addnodes = &tree->auth_policies;
497
498
0
    curr = tree->levels;
499
0
    for (i = 1; i < tree->nlevel; i++) {
500
        /*
501
         * If no anyPolicy node on this level it can't appear on lower
502
         * levels so end search.
503
         */
504
0
        if ((anyptr = curr->anyPolicy) == NULL)
505
0
            break;
506
0
        curr++;
507
0
        for (j = 0; j < sk_X509_POLICY_NODE_num(curr->nodes); j++) {
508
0
            node = sk_X509_POLICY_NODE_value(curr->nodes, j);
509
0
            if ((node->parent == anyptr)
510
0
                && !tree_add_auth_node(addnodes, node)) {
511
0
                if (addnodes == pnodes) {
512
0
                    sk_X509_POLICY_NODE_free(*pnodes);
513
0
                    *pnodes = NULL;
514
0
                }
515
0
                return TREE_CALC_FAILURE;
516
0
            }
517
0
        }
518
0
    }
519
0
    if (addnodes == pnodes)
520
0
        return TREE_CALC_OK_DOFREE;
521
522
0
    *pnodes = tree->auth_policies;
523
0
    return TREE_CALC_OK_NOFREE;
524
0
}
525
526
/*
527
 * Return value: 1 on success, 0 otherwise.
528
 */
529
static int tree_calculate_user_set(X509_POLICY_TREE *tree,
530
                                   STACK_OF(ASN1_OBJECT) *policy_oids,
531
                                   STACK_OF(X509_POLICY_NODE) *auth_nodes)
532
0
{
533
0
    int i;
534
0
    X509_POLICY_NODE *node;
535
0
    ASN1_OBJECT *oid;
536
0
    X509_POLICY_NODE *anyPolicy;
537
0
    X509_POLICY_DATA *extra;
538
539
    /*
540
     * Check if anyPolicy present in authority constrained policy set: this
541
     * will happen if it is a leaf node.
542
     */
543
0
    if (sk_ASN1_OBJECT_num(policy_oids) <= 0)
544
0
        return 1;
545
546
0
    anyPolicy = tree->levels[tree->nlevel - 1].anyPolicy;
547
548
0
    for (i = 0; i < sk_ASN1_OBJECT_num(policy_oids); i++) {
549
0
        oid = sk_ASN1_OBJECT_value(policy_oids, i);
550
0
        if (OBJ_obj2nid(oid) == NID_any_policy) {
551
0
            tree->flags |= POLICY_FLAG_ANY_POLICY;
552
0
            return 1;
553
0
        }
554
0
    }
555
556
0
    for (i = 0; i < sk_ASN1_OBJECT_num(policy_oids); i++) {
557
0
        oid = sk_ASN1_OBJECT_value(policy_oids, i);
558
0
        node = ossl_policy_tree_find_sk(auth_nodes, oid);
559
0
        if (!node) {
560
0
            if (!anyPolicy)
561
0
                continue;
562
            /*
563
             * Create a new node with policy ID from user set and qualifiers
564
             * from anyPolicy.
565
             */
566
0
            extra = ossl_policy_data_new(NULL, oid, node_critical(anyPolicy));
567
0
            if (extra == NULL)
568
0
                return 0;
569
0
            extra->qualifier_set = anyPolicy->data->qualifier_set;
570
0
            extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS
571
0
                | POLICY_DATA_FLAG_EXTRA_NODE;
572
0
            node = ossl_policy_level_add_node(NULL, extra, anyPolicy->parent,
573
0
                                              tree, 1);
574
0
            if (node == NULL) {
575
0
                ossl_policy_data_free(extra);
576
0
                return 0;
577
0
            }
578
0
        }
579
0
        if (!tree->user_policies) {
580
0
            tree->user_policies = sk_X509_POLICY_NODE_new_null();
581
0
            if (!tree->user_policies) {
582
0
                exnode_free(node);
583
0
                return 0;
584
0
            }
585
0
        }
586
0
        if (!sk_X509_POLICY_NODE_push(tree->user_policies, node)) {
587
0
            exnode_free(node);
588
0
            return 0;
589
0
        }
590
0
    }
591
0
    return 1;
592
0
}
593
594
/*-
595
 * Return value: <= 0 error, otherwise one of:
596
 *  X509_PCY_TREE_VALID: valid tree
597
 *  X509_PCY_TREE_EMPTY: empty tree
598
 * (see tree_prune()).
599
 */
600
static int tree_evaluate(X509_POLICY_TREE *tree)
601
0
{
602
0
    int ret, i;
603
0
    X509_POLICY_LEVEL *curr = tree->levels + 1;
604
0
    const X509_POLICY_CACHE *cache;
605
606
0
    for (i = 1; i < tree->nlevel; i++, curr++) {
607
0
        cache = ossl_policy_cache_set(curr->cert);
608
0
        if (!tree_link_nodes(curr, cache, tree))
609
0
            return X509_PCY_TREE_INTERNAL;
610
611
0
        if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY)
612
0
            && !tree_link_any(curr, cache, tree))
613
0
            return X509_PCY_TREE_INTERNAL;
614
0
        TREE_PRINT("before tree_prune()", tree, curr);
615
0
        ret = tree_prune(tree, curr);
616
0
        if (ret != X509_PCY_TREE_VALID)
617
0
            return ret;
618
0
    }
619
0
    return X509_PCY_TREE_VALID;
620
0
}
621
622
static void exnode_free(X509_POLICY_NODE *node)
623
0
{
624
0
    if (node->data && (node->data->flags & POLICY_DATA_FLAG_EXTRA_NODE))
625
0
        OPENSSL_free(node);
626
0
}
627
628
void X509_policy_tree_free(X509_POLICY_TREE *tree)
629
0
{
630
0
    X509_POLICY_LEVEL *curr;
631
0
    int i;
632
633
0
    if (!tree)
634
0
        return;
635
636
0
    sk_X509_POLICY_NODE_free(tree->auth_policies);
637
0
    sk_X509_POLICY_NODE_pop_free(tree->user_policies, exnode_free);
638
639
0
    for (i = 0, curr = tree->levels; i < tree->nlevel; i++, curr++) {
640
0
        X509_free(curr->cert);
641
0
        sk_X509_POLICY_NODE_pop_free(curr->nodes, ossl_policy_node_free);
642
0
        ossl_policy_node_free(curr->anyPolicy);
643
0
    }
644
645
0
    sk_X509_POLICY_DATA_pop_free(tree->extra_data, ossl_policy_data_free);
646
0
    OPENSSL_free(tree->levels);
647
0
    OPENSSL_free(tree);
648
649
0
}
650
651
/*-
652
 * Application policy checking function.
653
 * Return codes:
654
 *  X509_PCY_TREE_FAILURE:  Failure to satisfy explicit policy
655
 *  X509_PCY_TREE_INVALID:  Inconsistent or invalid extensions
656
 *  X509_PCY_TREE_INTERNAL: Internal error, most likely malloc
657
 *  X509_PCY_TREE_VALID:    Success (null tree if empty or bare TA)
658
 */
659
int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
660
                      STACK_OF(X509) *certs,
661
                      STACK_OF(ASN1_OBJECT) *policy_oids, unsigned int flags)
662
0
{
663
0
    int init_ret;
664
0
    int ret;
665
0
    int calc_ret;
666
0
    X509_POLICY_TREE *tree = NULL;
667
0
    STACK_OF(X509_POLICY_NODE) *nodes, *auth_nodes = NULL;
668
669
0
    *ptree = NULL;
670
0
    *pexplicit_policy = 0;
671
0
    init_ret = tree_init(&tree, certs, flags);
672
673
0
    if (init_ret <= 0)
674
0
        return init_ret;
675
676
0
    if ((init_ret & X509_PCY_TREE_EXPLICIT) == 0) {
677
0
        if (init_ret & X509_PCY_TREE_EMPTY) {
678
0
            X509_policy_tree_free(tree);
679
0
            return X509_PCY_TREE_VALID;
680
0
        }
681
0
    } else {
682
0
        *pexplicit_policy = 1;
683
        /* Tree empty and requireExplicit True: Error */
684
0
        if (init_ret & X509_PCY_TREE_EMPTY)
685
0
            return X509_PCY_TREE_FAILURE;
686
0
    }
687
688
0
    ret = tree_evaluate(tree);
689
0
    TREE_PRINT("tree_evaluate()", tree, NULL);
690
0
    if (ret <= 0)
691
0
        goto error;
692
693
0
    if (ret == X509_PCY_TREE_EMPTY) {
694
0
        X509_policy_tree_free(tree);
695
0
        if (init_ret & X509_PCY_TREE_EXPLICIT)
696
0
            return X509_PCY_TREE_FAILURE;
697
0
        return X509_PCY_TREE_VALID;
698
0
    }
699
700
    /* Tree is not empty: continue */
701
702
0
    if ((calc_ret = tree_calculate_authority_set(tree, &auth_nodes)) == 0)
703
0
        goto error;
704
0
    sk_X509_POLICY_NODE_sort(auth_nodes);
705
0
    ret = tree_calculate_user_set(tree, policy_oids, auth_nodes);
706
0
    if (calc_ret == TREE_CALC_OK_DOFREE)
707
0
        sk_X509_POLICY_NODE_free(auth_nodes);
708
0
    if (!ret)
709
0
        goto error;
710
711
0
    *ptree = tree;
712
713
0
    if (init_ret & X509_PCY_TREE_EXPLICIT) {
714
0
        nodes = X509_policy_tree_get0_user_policies(tree);
715
0
        if (sk_X509_POLICY_NODE_num(nodes) <= 0)
716
0
            return X509_PCY_TREE_FAILURE;
717
0
    }
718
0
    return X509_PCY_TREE_VALID;
719
720
0
 error:
721
0
    X509_policy_tree_free(tree);
722
0
    return X509_PCY_TREE_INTERNAL;
723
0
}