/src/openssl/crypto/x509/pcy_node.c
Line | Count | Source |
1 | | /* |
2 | | * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * |
4 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | | * this file except in compliance with the License. You can obtain a copy |
6 | | * in the file LICENSE in the source distribution or at |
7 | | * https://www.openssl.org/source/license.html |
8 | | */ |
9 | | |
10 | | #include <openssl/asn1.h> |
11 | | #include <openssl/x509.h> |
12 | | #include <openssl/x509v3.h> |
13 | | #include <openssl/err.h> |
14 | | |
15 | | #include "pcy_local.h" |
16 | | |
17 | | static int node_cmp(const X509_POLICY_NODE *const *a, |
18 | | const X509_POLICY_NODE *const *b) |
19 | 0 | { |
20 | 0 | return OBJ_cmp((*a)->data->valid_policy, (*b)->data->valid_policy); |
21 | 0 | } |
22 | | |
23 | | STACK_OF(X509_POLICY_NODE) *ossl_policy_node_cmp_new(void) |
24 | 0 | { |
25 | 0 | return sk_X509_POLICY_NODE_new(node_cmp); |
26 | 0 | } |
27 | | |
28 | | X509_POLICY_NODE *ossl_policy_tree_find_sk(STACK_OF(X509_POLICY_NODE) *nodes, |
29 | | const ASN1_OBJECT *id) |
30 | 0 | { |
31 | 0 | X509_POLICY_DATA n; |
32 | 0 | X509_POLICY_NODE l; |
33 | 0 | int idx; |
34 | |
|
35 | 0 | n.valid_policy = (ASN1_OBJECT *)id; |
36 | 0 | l.data = &n; |
37 | |
|
38 | 0 | idx = sk_X509_POLICY_NODE_find(nodes, &l); |
39 | 0 | return sk_X509_POLICY_NODE_value(nodes, idx); |
40 | 0 | } |
41 | | |
42 | | X509_POLICY_NODE *ossl_policy_level_find_node(const X509_POLICY_LEVEL *level, |
43 | | const X509_POLICY_NODE *parent, |
44 | | const ASN1_OBJECT *id) |
45 | 0 | { |
46 | 0 | X509_POLICY_NODE *node; |
47 | 0 | int i; |
48 | 0 | for (i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++) { |
49 | 0 | node = sk_X509_POLICY_NODE_value(level->nodes, i); |
50 | 0 | if (node->parent == parent) { |
51 | 0 | if (!OBJ_cmp(node->data->valid_policy, id)) |
52 | 0 | return node; |
53 | 0 | } |
54 | 0 | } |
55 | 0 | return NULL; |
56 | 0 | } |
57 | | |
58 | | X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, |
59 | | X509_POLICY_DATA *data, |
60 | | X509_POLICY_NODE *parent, |
61 | | X509_POLICY_TREE *tree, |
62 | | int extra_data) |
63 | 0 | { |
64 | 0 | X509_POLICY_NODE *node; |
65 | | |
66 | | /* Verify that the tree isn't too large. This mitigates CVE-2023-0464 */ |
67 | 0 | if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum) |
68 | 0 | return NULL; |
69 | | |
70 | 0 | node = OPENSSL_zalloc(sizeof(*node)); |
71 | 0 | if (node == NULL) |
72 | 0 | return NULL; |
73 | 0 | node->data = data; |
74 | 0 | node->parent = parent; |
75 | 0 | if (level != NULL) { |
76 | 0 | if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) { |
77 | 0 | if (level->anyPolicy) |
78 | 0 | goto node_error; |
79 | 0 | level->anyPolicy = node; |
80 | 0 | } else { |
81 | |
|
82 | 0 | if (level->nodes == NULL) |
83 | 0 | level->nodes = ossl_policy_node_cmp_new(); |
84 | 0 | if (level->nodes == NULL) { |
85 | 0 | ERR_raise(ERR_LIB_X509V3, ERR_R_X509_LIB); |
86 | 0 | goto node_error; |
87 | 0 | } |
88 | 0 | if (!sk_X509_POLICY_NODE_push(level->nodes, node)) { |
89 | 0 | ERR_raise(ERR_LIB_X509V3, ERR_R_CRYPTO_LIB); |
90 | 0 | goto node_error; |
91 | 0 | } |
92 | 0 | } |
93 | 0 | } |
94 | | |
95 | 0 | if (extra_data) { |
96 | 0 | if (tree->extra_data == NULL) |
97 | 0 | tree->extra_data = sk_X509_POLICY_DATA_new_null(); |
98 | 0 | if (tree->extra_data == NULL) { |
99 | 0 | ERR_raise(ERR_LIB_X509V3, ERR_R_CRYPTO_LIB); |
100 | 0 | goto extra_data_error; |
101 | 0 | } |
102 | 0 | if (!sk_X509_POLICY_DATA_push(tree->extra_data, data)) { |
103 | 0 | ERR_raise(ERR_LIB_X509V3, ERR_R_CRYPTO_LIB); |
104 | 0 | goto extra_data_error; |
105 | 0 | } |
106 | 0 | } |
107 | | |
108 | 0 | tree->node_count++; |
109 | 0 | if (parent) |
110 | 0 | parent->nchild++; |
111 | |
|
112 | 0 | return node; |
113 | | |
114 | 0 | extra_data_error: |
115 | 0 | if (level != NULL) { |
116 | 0 | if (level->anyPolicy == node) |
117 | 0 | level->anyPolicy = NULL; |
118 | 0 | else |
119 | 0 | (void)sk_X509_POLICY_NODE_pop(level->nodes); |
120 | 0 | } |
121 | |
|
122 | 0 | node_error: |
123 | 0 | ossl_policy_node_free(node); |
124 | 0 | return NULL; |
125 | 0 | } |
126 | | |
127 | | void ossl_policy_node_free(X509_POLICY_NODE *node) |
128 | 0 | { |
129 | 0 | OPENSSL_free(node); |
130 | 0 | } |
131 | | |
132 | | /* |
133 | | * See if a policy node matches a policy OID. If mapping enabled look through |
134 | | * expected policy set otherwise just valid policy. |
135 | | */ |
136 | | |
137 | | int ossl_policy_node_match(const X509_POLICY_LEVEL *lvl, |
138 | | const X509_POLICY_NODE *node, const ASN1_OBJECT *oid) |
139 | 0 | { |
140 | 0 | int i; |
141 | 0 | ASN1_OBJECT *policy_oid; |
142 | 0 | const X509_POLICY_DATA *x = node->data; |
143 | |
|
144 | 0 | if ((lvl->flags & X509_V_FLAG_INHIBIT_MAP) |
145 | 0 | || !(x->flags & POLICY_DATA_FLAG_MAP_MASK)) { |
146 | 0 | if (!OBJ_cmp(x->valid_policy, oid)) |
147 | 0 | return 1; |
148 | 0 | return 0; |
149 | 0 | } |
150 | | |
151 | 0 | for (i = 0; i < sk_ASN1_OBJECT_num(x->expected_policy_set); i++) { |
152 | 0 | policy_oid = sk_ASN1_OBJECT_value(x->expected_policy_set, i); |
153 | 0 | if (!OBJ_cmp(policy_oid, oid)) |
154 | 0 | return 1; |
155 | 0 | } |
156 | 0 | return 0; |
157 | 0 | } |