/src/openssl/crypto/x509v3/v3_pci.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* v3_pci.c */ |
2 | | /* |
3 | | * Contributed to the OpenSSL Project 2004 by Richard Levitte |
4 | | * (richard@levitte.org) |
5 | | */ |
6 | | /* Copyright (c) 2004 Kungliga Tekniska Högskolan |
7 | | * (Royal Institute of Technology, Stockholm, Sweden). |
8 | | * All rights reserved. |
9 | | * |
10 | | * Redistribution and use in source and binary forms, with or without |
11 | | * modification, are permitted provided that the following conditions |
12 | | * are met: |
13 | | * |
14 | | * 1. Redistributions of source code must retain the above copyright |
15 | | * notice, this list of conditions and the following disclaimer. |
16 | | * |
17 | | * 2. Redistributions in binary form must reproduce the above copyright |
18 | | * notice, this list of conditions and the following disclaimer in the |
19 | | * documentation and/or other materials provided with the distribution. |
20 | | * |
21 | | * 3. Neither the name of the Institute nor the names of its contributors |
22 | | * may be used to endorse or promote products derived from this software |
23 | | * without specific prior written permission. |
24 | | * |
25 | | * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND |
26 | | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
27 | | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
28 | | * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE |
29 | | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
30 | | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
31 | | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
32 | | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
33 | | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
34 | | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
35 | | * SUCH DAMAGE. |
36 | | */ |
37 | | |
38 | | #include <stdio.h> |
39 | | #include "cryptlib.h" |
40 | | #include <openssl/conf.h> |
41 | | #include <openssl/x509v3.h> |
42 | | |
43 | | static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *ext, |
44 | | BIO *out, int indent); |
45 | | static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method, |
46 | | X509V3_CTX *ctx, char *str); |
47 | | |
48 | | const X509V3_EXT_METHOD v3_pci = |
49 | | { NID_proxyCertInfo, 0, ASN1_ITEM_ref(PROXY_CERT_INFO_EXTENSION), |
50 | | 0, 0, 0, 0, |
51 | | 0, 0, |
52 | | NULL, NULL, |
53 | | (X509V3_EXT_I2R)i2r_pci, |
54 | | (X509V3_EXT_R2I)r2i_pci, |
55 | | NULL, |
56 | | }; |
57 | | |
58 | | static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *pci, |
59 | | BIO *out, int indent) |
60 | 0 | { |
61 | 0 | BIO_printf(out, "%*sPath Length Constraint: ", indent, ""); |
62 | 0 | if (pci->pcPathLengthConstraint) |
63 | 0 | i2a_ASN1_INTEGER(out, pci->pcPathLengthConstraint); |
64 | 0 | else |
65 | 0 | BIO_printf(out, "infinite"); |
66 | 0 | BIO_puts(out, "\n"); |
67 | 0 | BIO_printf(out, "%*sPolicy Language: ", indent, ""); |
68 | 0 | i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage); |
69 | 0 | BIO_puts(out, "\n"); |
70 | 0 | if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data) |
71 | 0 | BIO_printf(out, "%*sPolicy Text: %s\n", indent, "", |
72 | 0 | pci->proxyPolicy->policy->data); |
73 | 0 | return 1; |
74 | 0 | } |
75 | | |
76 | | static int process_pci_value(CONF_VALUE *val, |
77 | | ASN1_OBJECT **language, ASN1_INTEGER **pathlen, |
78 | | ASN1_OCTET_STRING **policy) |
79 | 0 | { |
80 | 0 | int free_policy = 0; |
81 | |
|
82 | 0 | if (strcmp(val->name, "language") == 0) { |
83 | 0 | if (*language) { |
84 | 0 | X509V3err(X509V3_F_PROCESS_PCI_VALUE, |
85 | 0 | X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED); |
86 | 0 | X509V3_conf_err(val); |
87 | 0 | return 0; |
88 | 0 | } |
89 | 0 | if (!(*language = OBJ_txt2obj(val->value, 0))) { |
90 | 0 | X509V3err(X509V3_F_PROCESS_PCI_VALUE, |
91 | 0 | X509V3_R_INVALID_OBJECT_IDENTIFIER); |
92 | 0 | X509V3_conf_err(val); |
93 | 0 | return 0; |
94 | 0 | } |
95 | 0 | } else if (strcmp(val->name, "pathlen") == 0) { |
96 | 0 | if (*pathlen) { |
97 | 0 | X509V3err(X509V3_F_PROCESS_PCI_VALUE, |
98 | 0 | X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED); |
99 | 0 | X509V3_conf_err(val); |
100 | 0 | return 0; |
101 | 0 | } |
102 | 0 | if (!X509V3_get_value_int(val, pathlen)) { |
103 | 0 | X509V3err(X509V3_F_PROCESS_PCI_VALUE, |
104 | 0 | X509V3_R_POLICY_PATH_LENGTH); |
105 | 0 | X509V3_conf_err(val); |
106 | 0 | return 0; |
107 | 0 | } |
108 | 0 | } else if (strcmp(val->name, "policy") == 0) { |
109 | 0 | unsigned char *tmp_data = NULL; |
110 | 0 | long val_len; |
111 | 0 | if (!*policy) { |
112 | 0 | *policy = ASN1_OCTET_STRING_new(); |
113 | 0 | if (!*policy) { |
114 | 0 | X509V3err(X509V3_F_PROCESS_PCI_VALUE, ERR_R_MALLOC_FAILURE); |
115 | 0 | X509V3_conf_err(val); |
116 | 0 | return 0; |
117 | 0 | } |
118 | 0 | free_policy = 1; |
119 | 0 | } |
120 | 0 | if (strncmp(val->value, "hex:", 4) == 0) { |
121 | 0 | unsigned char *tmp_data2 = |
122 | 0 | string_to_hex(val->value + 4, &val_len); |
123 | |
|
124 | 0 | if (!tmp_data2) { |
125 | 0 | X509V3err(X509V3_F_PROCESS_PCI_VALUE, |
126 | 0 | X509V3_R_ILLEGAL_HEX_DIGIT); |
127 | 0 | X509V3_conf_err(val); |
128 | 0 | goto err; |
129 | 0 | } |
130 | | |
131 | 0 | tmp_data = OPENSSL_realloc((*policy)->data, |
132 | 0 | (*policy)->length + val_len + 1); |
133 | 0 | if (tmp_data) { |
134 | 0 | (*policy)->data = tmp_data; |
135 | 0 | memcpy(&(*policy)->data[(*policy)->length], |
136 | 0 | tmp_data2, val_len); |
137 | 0 | (*policy)->length += val_len; |
138 | 0 | (*policy)->data[(*policy)->length] = '\0'; |
139 | 0 | } else { |
140 | 0 | OPENSSL_free(tmp_data2); |
141 | | /* |
142 | | * realloc failure implies the original data space is b0rked |
143 | | * too! |
144 | | */ |
145 | 0 | (*policy)->data = NULL; |
146 | 0 | (*policy)->length = 0; |
147 | 0 | X509V3err(X509V3_F_PROCESS_PCI_VALUE, ERR_R_MALLOC_FAILURE); |
148 | 0 | X509V3_conf_err(val); |
149 | 0 | goto err; |
150 | 0 | } |
151 | 0 | OPENSSL_free(tmp_data2); |
152 | 0 | } else if (strncmp(val->value, "file:", 5) == 0) { |
153 | 0 | unsigned char buf[2048]; |
154 | 0 | int n; |
155 | 0 | BIO *b = BIO_new_file(val->value + 5, "r"); |
156 | 0 | if (!b) { |
157 | 0 | X509V3err(X509V3_F_PROCESS_PCI_VALUE, ERR_R_BIO_LIB); |
158 | 0 | X509V3_conf_err(val); |
159 | 0 | goto err; |
160 | 0 | } |
161 | 0 | while ((n = BIO_read(b, buf, sizeof(buf))) > 0 |
162 | 0 | || (n == 0 && BIO_should_retry(b))) { |
163 | 0 | if (!n) |
164 | 0 | continue; |
165 | | |
166 | 0 | tmp_data = OPENSSL_realloc((*policy)->data, |
167 | 0 | (*policy)->length + n + 1); |
168 | |
|
169 | 0 | if (!tmp_data) |
170 | 0 | break; |
171 | | |
172 | 0 | (*policy)->data = tmp_data; |
173 | 0 | memcpy(&(*policy)->data[(*policy)->length], buf, n); |
174 | 0 | (*policy)->length += n; |
175 | 0 | (*policy)->data[(*policy)->length] = '\0'; |
176 | 0 | } |
177 | 0 | BIO_free_all(b); |
178 | |
|
179 | 0 | if (n < 0) { |
180 | 0 | X509V3err(X509V3_F_PROCESS_PCI_VALUE, ERR_R_BIO_LIB); |
181 | 0 | X509V3_conf_err(val); |
182 | 0 | goto err; |
183 | 0 | } |
184 | 0 | } else if (strncmp(val->value, "text:", 5) == 0) { |
185 | 0 | val_len = strlen(val->value + 5); |
186 | 0 | tmp_data = OPENSSL_realloc((*policy)->data, |
187 | 0 | (*policy)->length + val_len + 1); |
188 | 0 | if (tmp_data) { |
189 | 0 | (*policy)->data = tmp_data; |
190 | 0 | memcpy(&(*policy)->data[(*policy)->length], |
191 | 0 | val->value + 5, val_len); |
192 | 0 | (*policy)->length += val_len; |
193 | 0 | (*policy)->data[(*policy)->length] = '\0'; |
194 | 0 | } else { |
195 | | /* |
196 | | * realloc failure implies the original data space is b0rked |
197 | | * too! |
198 | | */ |
199 | 0 | (*policy)->data = NULL; |
200 | 0 | (*policy)->length = 0; |
201 | 0 | X509V3err(X509V3_F_PROCESS_PCI_VALUE, ERR_R_MALLOC_FAILURE); |
202 | 0 | X509V3_conf_err(val); |
203 | 0 | goto err; |
204 | 0 | } |
205 | 0 | } else { |
206 | 0 | X509V3err(X509V3_F_PROCESS_PCI_VALUE, |
207 | 0 | X509V3_R_INCORRECT_POLICY_SYNTAX_TAG); |
208 | 0 | X509V3_conf_err(val); |
209 | 0 | goto err; |
210 | 0 | } |
211 | 0 | if (!tmp_data) { |
212 | 0 | X509V3err(X509V3_F_PROCESS_PCI_VALUE, ERR_R_MALLOC_FAILURE); |
213 | 0 | X509V3_conf_err(val); |
214 | 0 | goto err; |
215 | 0 | } |
216 | 0 | } |
217 | 0 | return 1; |
218 | 0 | err: |
219 | 0 | if (free_policy) { |
220 | 0 | ASN1_OCTET_STRING_free(*policy); |
221 | 0 | *policy = NULL; |
222 | 0 | } |
223 | 0 | return 0; |
224 | 0 | } |
225 | | |
226 | | static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method, |
227 | | X509V3_CTX *ctx, char *value) |
228 | 0 | { |
229 | 0 | PROXY_CERT_INFO_EXTENSION *pci = NULL; |
230 | 0 | STACK_OF(CONF_VALUE) *vals; |
231 | 0 | ASN1_OBJECT *language = NULL; |
232 | 0 | ASN1_INTEGER *pathlen = NULL; |
233 | 0 | ASN1_OCTET_STRING *policy = NULL; |
234 | 0 | int i, j; |
235 | |
|
236 | 0 | vals = X509V3_parse_list(value); |
237 | 0 | for (i = 0; i < sk_CONF_VALUE_num(vals); i++) { |
238 | 0 | CONF_VALUE *cnf = sk_CONF_VALUE_value(vals, i); |
239 | 0 | if (!cnf->name || (*cnf->name != '@' && !cnf->value)) { |
240 | 0 | X509V3err(X509V3_F_R2I_PCI, |
241 | 0 | X509V3_R_INVALID_PROXY_POLICY_SETTING); |
242 | 0 | X509V3_conf_err(cnf); |
243 | 0 | goto err; |
244 | 0 | } |
245 | 0 | if (*cnf->name == '@') { |
246 | 0 | STACK_OF(CONF_VALUE) *sect; |
247 | 0 | int success_p = 1; |
248 | |
|
249 | 0 | sect = X509V3_get_section(ctx, cnf->name + 1); |
250 | 0 | if (!sect) { |
251 | 0 | X509V3err(X509V3_F_R2I_PCI, X509V3_R_INVALID_SECTION); |
252 | 0 | X509V3_conf_err(cnf); |
253 | 0 | goto err; |
254 | 0 | } |
255 | 0 | for (j = 0; success_p && j < sk_CONF_VALUE_num(sect); j++) { |
256 | 0 | success_p = |
257 | 0 | process_pci_value(sk_CONF_VALUE_value(sect, j), |
258 | 0 | &language, &pathlen, &policy); |
259 | 0 | } |
260 | 0 | X509V3_section_free(ctx, sect); |
261 | 0 | if (!success_p) |
262 | 0 | goto err; |
263 | 0 | } else { |
264 | 0 | if (!process_pci_value(cnf, &language, &pathlen, &policy)) { |
265 | 0 | X509V3_conf_err(cnf); |
266 | 0 | goto err; |
267 | 0 | } |
268 | 0 | } |
269 | 0 | } |
270 | | |
271 | | /* Language is mandatory */ |
272 | 0 | if (!language) { |
273 | 0 | X509V3err(X509V3_F_R2I_PCI, |
274 | 0 | X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED); |
275 | 0 | goto err; |
276 | 0 | } |
277 | 0 | i = OBJ_obj2nid(language); |
278 | 0 | if ((i == NID_Independent || i == NID_id_ppl_inheritAll) && policy) { |
279 | 0 | X509V3err(X509V3_F_R2I_PCI, |
280 | 0 | X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY); |
281 | 0 | goto err; |
282 | 0 | } |
283 | | |
284 | 0 | pci = PROXY_CERT_INFO_EXTENSION_new(); |
285 | 0 | if (!pci) { |
286 | 0 | X509V3err(X509V3_F_R2I_PCI, ERR_R_MALLOC_FAILURE); |
287 | 0 | goto err; |
288 | 0 | } |
289 | | |
290 | 0 | pci->proxyPolicy->policyLanguage = language; |
291 | 0 | language = NULL; |
292 | 0 | pci->proxyPolicy->policy = policy; |
293 | 0 | policy = NULL; |
294 | 0 | pci->pcPathLengthConstraint = pathlen; |
295 | 0 | pathlen = NULL; |
296 | 0 | goto end; |
297 | 0 | err: |
298 | 0 | if (language) { |
299 | 0 | ASN1_OBJECT_free(language); |
300 | 0 | language = NULL; |
301 | 0 | } |
302 | 0 | if (pathlen) { |
303 | 0 | ASN1_INTEGER_free(pathlen); |
304 | 0 | pathlen = NULL; |
305 | 0 | } |
306 | 0 | if (policy) { |
307 | 0 | ASN1_OCTET_STRING_free(policy); |
308 | 0 | policy = NULL; |
309 | 0 | } |
310 | 0 | if (pci) { |
311 | 0 | PROXY_CERT_INFO_EXTENSION_free(pci); |
312 | 0 | pci = NULL; |
313 | 0 | } |
314 | 0 | end: |
315 | 0 | sk_CONF_VALUE_pop_free(vals, X509V3_conf_free); |
316 | 0 | return pci; |
317 | 0 | } |