pcy_node.c 4.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159
  1. /*
  2. * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <openssl/asn1.h>
  10. #include <openssl/x509.h>
  11. #include <openssl/x509v3.h>
  12. #include <openssl/err.h>
  13. #include "pcy_local.h"
  14. static int node_cmp(const X509_POLICY_NODE *const *a,
  15. const X509_POLICY_NODE *const *b)
  16. {
  17. return OBJ_cmp((*a)->data->valid_policy, (*b)->data->valid_policy);
  18. }
  19. STACK_OF(X509_POLICY_NODE) *ossl_policy_node_cmp_new(void)
  20. {
  21. return sk_X509_POLICY_NODE_new(node_cmp);
  22. }
  23. X509_POLICY_NODE *ossl_policy_tree_find_sk(STACK_OF(X509_POLICY_NODE) *nodes,
  24. const ASN1_OBJECT *id)
  25. {
  26. X509_POLICY_DATA n;
  27. X509_POLICY_NODE l;
  28. int idx;
  29. n.valid_policy = (ASN1_OBJECT *)id;
  30. l.data = &n;
  31. idx = sk_X509_POLICY_NODE_find(nodes, &l);
  32. return sk_X509_POLICY_NODE_value(nodes, idx);
  33. }
  34. X509_POLICY_NODE *ossl_policy_level_find_node(const X509_POLICY_LEVEL *level,
  35. const X509_POLICY_NODE *parent,
  36. const ASN1_OBJECT *id)
  37. {
  38. X509_POLICY_NODE *node;
  39. int i;
  40. for (i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++) {
  41. node = sk_X509_POLICY_NODE_value(level->nodes, i);
  42. if (node->parent == parent) {
  43. if (!OBJ_cmp(node->data->valid_policy, id))
  44. return node;
  45. }
  46. }
  47. return NULL;
  48. }
  49. X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
  50. X509_POLICY_DATA *data,
  51. X509_POLICY_NODE *parent,
  52. X509_POLICY_TREE *tree,
  53. int extra_data)
  54. {
  55. X509_POLICY_NODE *node;
  56. /* Verify that the tree isn't too large. This mitigates CVE-2023-0464 */
  57. if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum)
  58. return NULL;
  59. node = OPENSSL_zalloc(sizeof(*node));
  60. if (node == NULL)
  61. return NULL;
  62. node->data = data;
  63. node->parent = parent;
  64. if (level != NULL) {
  65. if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
  66. if (level->anyPolicy)
  67. goto node_error;
  68. level->anyPolicy = node;
  69. } else {
  70. if (level->nodes == NULL)
  71. level->nodes = ossl_policy_node_cmp_new();
  72. if (level->nodes == NULL) {
  73. ERR_raise(ERR_LIB_X509V3, ERR_R_X509_LIB);
  74. goto node_error;
  75. }
  76. if (!sk_X509_POLICY_NODE_push(level->nodes, node)) {
  77. ERR_raise(ERR_LIB_X509V3, ERR_R_CRYPTO_LIB);
  78. goto node_error;
  79. }
  80. }
  81. }
  82. if (extra_data) {
  83. if (tree->extra_data == NULL)
  84. tree->extra_data = sk_X509_POLICY_DATA_new_null();
  85. if (tree->extra_data == NULL) {
  86. ERR_raise(ERR_LIB_X509V3, ERR_R_CRYPTO_LIB);
  87. goto extra_data_error;
  88. }
  89. if (!sk_X509_POLICY_DATA_push(tree->extra_data, data)) {
  90. ERR_raise(ERR_LIB_X509V3, ERR_R_CRYPTO_LIB);
  91. goto extra_data_error;
  92. }
  93. }
  94. tree->node_count++;
  95. if (parent)
  96. parent->nchild++;
  97. return node;
  98. extra_data_error:
  99. if (level != NULL) {
  100. if (level->anyPolicy == node)
  101. level->anyPolicy = NULL;
  102. else
  103. (void) sk_X509_POLICY_NODE_pop(level->nodes);
  104. }
  105. node_error:
  106. ossl_policy_node_free(node);
  107. return NULL;
  108. }
  109. void ossl_policy_node_free(X509_POLICY_NODE *node)
  110. {
  111. OPENSSL_free(node);
  112. }
  113. /*
  114. * See if a policy node matches a policy OID. If mapping enabled look through
  115. * expected policy set otherwise just valid policy.
  116. */
  117. int ossl_policy_node_match(const X509_POLICY_LEVEL *lvl,
  118. const X509_POLICY_NODE *node, const ASN1_OBJECT *oid)
  119. {
  120. int i;
  121. ASN1_OBJECT *policy_oid;
  122. const X509_POLICY_DATA *x = node->data;
  123. if ((lvl->flags & X509_V_FLAG_INHIBIT_MAP)
  124. || !(x->flags & POLICY_DATA_FLAG_MAP_MASK)) {
  125. if (!OBJ_cmp(x->valid_policy, oid))
  126. return 1;
  127. return 0;
  128. }
  129. for (i = 0; i < sk_ASN1_OBJECT_num(x->expected_policy_set); i++) {
  130. policy_oid = sk_ASN1_OBJECT_value(x->expected_policy_set, i);
  131. if (!OBJ_cmp(policy_oid, oid))
  132. return 1;
  133. }
  134. return 0;
  135. }