/src/openssl31/crypto/x509/pcy_node.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * |
4 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | | * this file except in compliance with the License. You can obtain a copy |
6 | | * in the file LICENSE in the source distribution or at |
7 | | * https://www.openssl.org/source/license.html |
8 | | */ |
9 | | |
10 | | #include <openssl/asn1.h> |
11 | | #include <openssl/x509.h> |
12 | | #include <openssl/x509v3.h> |
13 | | #include <openssl/err.h> |
14 | | |
15 | | #include "pcy_local.h" |
16 | | |
17 | | static int node_cmp(const X509_POLICY_NODE *const *a, |
18 | | const X509_POLICY_NODE *const *b) |
19 | 0 | { |
20 | 0 | return OBJ_cmp((*a)->data->valid_policy, (*b)->data->valid_policy); |
21 | 0 | } |
22 | | |
23 | | STACK_OF(X509_POLICY_NODE) *ossl_policy_node_cmp_new(void) |
24 | 0 | { |
25 | 0 | return sk_X509_POLICY_NODE_new(node_cmp); |
26 | 0 | } |
27 | | |
28 | | X509_POLICY_NODE *ossl_policy_tree_find_sk(STACK_OF(X509_POLICY_NODE) *nodes, |
29 | | const ASN1_OBJECT *id) |
30 | 0 | { |
31 | 0 | X509_POLICY_DATA n; |
32 | 0 | X509_POLICY_NODE l; |
33 | 0 | int idx; |
34 | |
|
35 | 0 | n.valid_policy = (ASN1_OBJECT *)id; |
36 | 0 | l.data = &n; |
37 | |
|
38 | 0 | idx = sk_X509_POLICY_NODE_find(nodes, &l); |
39 | 0 | return sk_X509_POLICY_NODE_value(nodes, idx); |
40 | |
|
41 | 0 | } |
42 | | |
43 | | X509_POLICY_NODE *ossl_policy_level_find_node(const X509_POLICY_LEVEL *level, |
44 | | const X509_POLICY_NODE *parent, |
45 | | const ASN1_OBJECT *id) |
46 | 0 | { |
47 | 0 | X509_POLICY_NODE *node; |
48 | 0 | int i; |
49 | 0 | for (i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++) { |
50 | 0 | node = sk_X509_POLICY_NODE_value(level->nodes, i); |
51 | 0 | if (node->parent == parent) { |
52 | 0 | if (!OBJ_cmp(node->data->valid_policy, id)) |
53 | 0 | return node; |
54 | 0 | } |
55 | 0 | } |
56 | 0 | return NULL; |
57 | 0 | } |
58 | | |
59 | | X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, |
60 | | X509_POLICY_DATA *data, |
61 | | X509_POLICY_NODE *parent, |
62 | | X509_POLICY_TREE *tree, |
63 | | int extra_data) |
64 | 0 | { |
65 | 0 | X509_POLICY_NODE *node; |
66 | | |
67 | | /* Verify that the tree isn't too large. This mitigates CVE-2023-0464 */ |
68 | 0 | if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum) |
69 | 0 | return NULL; |
70 | | |
71 | 0 | node = OPENSSL_zalloc(sizeof(*node)); |
72 | 0 | if (node == NULL) { |
73 | 0 | ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE); |
74 | 0 | return NULL; |
75 | 0 | } |
76 | 0 | node->data = data; |
77 | 0 | node->parent = parent; |
78 | 0 | if (level != NULL) { |
79 | 0 | if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) { |
80 | 0 | if (level->anyPolicy) |
81 | 0 | goto node_error; |
82 | 0 | level->anyPolicy = node; |
83 | 0 | } else { |
84 | |
|
85 | 0 | if (level->nodes == NULL) |
86 | 0 | level->nodes = ossl_policy_node_cmp_new(); |
87 | 0 | if (level->nodes == NULL) { |
88 | 0 | ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE); |
89 | 0 | goto node_error; |
90 | 0 | } |
91 | 0 | if (!sk_X509_POLICY_NODE_push(level->nodes, node)) { |
92 | 0 | ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE); |
93 | 0 | goto node_error; |
94 | 0 | } |
95 | 0 | } |
96 | 0 | } |
97 | | |
98 | 0 | if (extra_data) { |
99 | 0 | if (tree->extra_data == NULL) |
100 | 0 | tree->extra_data = sk_X509_POLICY_DATA_new_null(); |
101 | 0 | if (tree->extra_data == NULL){ |
102 | 0 | ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE); |
103 | 0 | goto extra_data_error; |
104 | 0 | } |
105 | 0 | if (!sk_X509_POLICY_DATA_push(tree->extra_data, data)) { |
106 | 0 | ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE); |
107 | 0 | goto extra_data_error; |
108 | 0 | } |
109 | 0 | } |
110 | | |
111 | 0 | tree->node_count++; |
112 | 0 | if (parent) |
113 | 0 | parent->nchild++; |
114 | |
|
115 | 0 | return node; |
116 | | |
117 | 0 | extra_data_error: |
118 | 0 | if (level != NULL) { |
119 | 0 | if (level->anyPolicy == node) |
120 | 0 | level->anyPolicy = NULL; |
121 | 0 | else |
122 | 0 | (void) sk_X509_POLICY_NODE_pop(level->nodes); |
123 | 0 | } |
124 | |
|
125 | 0 | node_error: |
126 | 0 | ossl_policy_node_free(node); |
127 | 0 | return NULL; |
128 | 0 | } |
129 | | |
130 | | void ossl_policy_node_free(X509_POLICY_NODE *node) |
131 | 0 | { |
132 | 0 | OPENSSL_free(node); |
133 | 0 | } |
134 | | |
135 | | /* |
136 | | * See if a policy node matches a policy OID. If mapping enabled look through |
137 | | * expected policy set otherwise just valid policy. |
138 | | */ |
139 | | |
140 | | int ossl_policy_node_match(const X509_POLICY_LEVEL *lvl, |
141 | | const X509_POLICY_NODE *node, const ASN1_OBJECT *oid) |
142 | 0 | { |
143 | 0 | int i; |
144 | 0 | ASN1_OBJECT *policy_oid; |
145 | 0 | const X509_POLICY_DATA *x = node->data; |
146 | |
|
147 | 0 | if ((lvl->flags & X509_V_FLAG_INHIBIT_MAP) |
148 | 0 | || !(x->flags & POLICY_DATA_FLAG_MAP_MASK)) { |
149 | 0 | if (!OBJ_cmp(x->valid_policy, oid)) |
150 | 0 | return 1; |
151 | 0 | return 0; |
152 | 0 | } |
153 | | |
154 | 0 | for (i = 0; i < sk_ASN1_OBJECT_num(x->expected_policy_set); i++) { |
155 | 0 | policy_oid = sk_ASN1_OBJECT_value(x->expected_policy_set, i); |
156 | 0 | if (!OBJ_cmp(policy_oid, oid)) |
157 | 0 | return 1; |
158 | 0 | } |
159 | 0 | return 0; |
160 | |
|
161 | 0 | } |