• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
2  * project 2004.
3  */
4 /* ====================================================================
5  * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  *
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, this list of conditions and the following disclaimer.
13  *
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in
16  *    the documentation and/or other materials provided with the
17  *    distribution.
18  *
19  * 3. All advertising materials mentioning features or use of this
20  *    software must display the following acknowledgment:
21  *    "This product includes software developed by the OpenSSL Project
22  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
23  *
24  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
25  *    endorse or promote products derived from this software without
26  *    prior written permission. For written permission, please contact
27  *    licensing@OpenSSL.org.
28  *
29  * 5. Products derived from this software may not be called "OpenSSL"
30  *    nor may "OpenSSL" appear in their names without prior written
31  *    permission of the OpenSSL Project.
32  *
33  * 6. Redistributions of any form whatsoever must retain the following
34  *    acknowledgment:
35  *    "This product includes software developed by the OpenSSL Project
36  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
37  *
38  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
39  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
40  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
41  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
42  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
43  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
44  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
45  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
46  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
47  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
48  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
49  * OF THE POSSIBILITY OF SUCH DAMAGE.
50  * ====================================================================
51  *
52  * This product includes cryptographic software written by Eric Young
53  * (eay@cryptsoft.com).  This product includes software written by Tim
54  * Hudson (tjh@cryptsoft.com).
55  *
56  */
57 
58 #include <string.h>
59 
60 #include <openssl/mem.h>
61 #include <openssl/obj.h>
62 #include <openssl/stack.h>
63 #include <openssl/thread.h>
64 #include <openssl/x509.h>
65 #include <openssl/x509v3.h>
66 
67 #include "pcy_int.h"
68 
69 
70 /* Enable this to print out the complete policy tree at various point during
71  * evaluation.
72  */
73 
74 /*#define OPENSSL_POLICY_DEBUG*/
75 
76 #ifdef OPENSSL_POLICY_DEBUG
77 
expected_print(BIO * err,X509_POLICY_LEVEL * lev,X509_POLICY_NODE * node,int indent)78 static void expected_print(BIO *err, X509_POLICY_LEVEL *lev,
79 				X509_POLICY_NODE *node, int indent)
80 	{
81 	if (	    (lev->flags & X509_V_FLAG_INHIBIT_MAP)
82 		|| !(node->data->flags & POLICY_DATA_FLAG_MAP_MASK))
83 		BIO_puts(err, "  Not Mapped\n");
84 	else
85 		{
86 		int i;
87 		STACK_OF(ASN1_OBJECT) *pset = node->data->expected_policy_set;
88 		ASN1_OBJECT *oid;
89 		BIO_puts(err, "  Expected: ");
90 		for (i = 0; i < sk_ASN1_OBJECT_num(pset); i++)
91 			{
92 			oid = sk_ASN1_OBJECT_value(pset, i);
93 			if (i)
94 				BIO_puts(err, ", ");
95 			i2a_ASN1_OBJECT(err, oid);
96 			}
97 		BIO_puts(err, "\n");
98 		}
99 	}
100 
tree_print(char * str,X509_POLICY_TREE * tree,X509_POLICY_LEVEL * curr)101 static void tree_print(char *str, X509_POLICY_TREE *tree,
102 			X509_POLICY_LEVEL *curr)
103 	{
104 	X509_POLICY_LEVEL *plev;
105 	X509_POLICY_NODE *node;
106 	int i;
107 	BIO *err;
108 	err = BIO_new_fp(stderr, BIO_NOCLOSE);
109 	if (!curr)
110 		curr = tree->levels + tree->nlevel;
111 	else
112 		curr++;
113 	BIO_printf(err, "Level print after %s\n", str);
114 	BIO_printf(err, "Printing Up to Level %ld\n", curr - tree->levels);
115 	for (plev = tree->levels; plev != curr; plev++)
116 		{
117 		BIO_printf(err, "Level %ld, flags = %x\n",
118 				plev - tree->levels, plev->flags);
119 		for (i = 0; i < sk_X509_POLICY_NODE_num(plev->nodes); i++)
120 			{
121 			node = sk_X509_POLICY_NODE_value(plev->nodes, i);
122 			X509_POLICY_NODE_print(err, node, 2);
123 			expected_print(err, plev, node, 2);
124 			BIO_printf(err, "  Flags: %x\n", node->data->flags);
125 			}
126 		if (plev->anyPolicy)
127 			X509_POLICY_NODE_print(err, plev->anyPolicy, 2);
128 		}
129 
130 	BIO_free(err);
131 
132 	}
133 #else
134 
135 #define tree_print(a,b,c) /* */
136 
137 #endif
138 
139 /* Initialize policy tree. Return values:
140  *  0 Some internal error occured.
141  * -1 Inconsistent or invalid extensions in certificates.
142  *  1 Tree initialized OK.
143  *  2 Policy tree is empty.
144  *  5 Tree OK and requireExplicitPolicy true.
145  *  6 Tree empty and requireExplicitPolicy true.
146  */
147 
tree_init(X509_POLICY_TREE ** ptree,STACK_OF (X509)* certs,unsigned int flags)148 static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
149 			unsigned int flags)
150 	{
151 	X509_POLICY_TREE *tree;
152 	X509_POLICY_LEVEL *level;
153 	const X509_POLICY_CACHE *cache;
154 	X509_POLICY_DATA *data = NULL;
155 	X509 *x;
156 	int ret = 1;
157 	int i, n;
158 	int explicit_policy;
159 	int any_skip;
160 	int map_skip;
161 	*ptree = NULL;
162 	n = sk_X509_num(certs);
163 
164 #if 0
165 	/* Disable policy mapping for now... */
166 	flags |= X509_V_FLAG_INHIBIT_MAP;
167 #endif
168 
169 	if (flags & X509_V_FLAG_EXPLICIT_POLICY)
170 		explicit_policy = 0;
171 	else
172 		explicit_policy = n + 1;
173 
174 	if (flags & X509_V_FLAG_INHIBIT_ANY)
175 		any_skip = 0;
176 	else
177 		any_skip = n + 1;
178 
179 	if (flags & X509_V_FLAG_INHIBIT_MAP)
180 		map_skip = 0;
181 	else
182 		map_skip = n + 1;
183 
184 	/* Can't do anything with just a trust anchor */
185 	if (n == 1)
186 		return 1;
187 	/* First setup policy cache in all certificates apart from the
188 	 * trust anchor. Note any bad cache results on the way. Also can
189 	 * calculate explicit_policy value at this point.
190 	 */
191 	for (i = n - 2; i >= 0; i--)
192 		{
193 		x = sk_X509_value(certs, i);
194 		X509_check_purpose(x, -1, -1);
195 		cache = policy_cache_set(x);
196 		/* If cache NULL something bad happened: return immediately */
197 		if (cache == NULL)
198 			return 0;
199 		/* If inconsistent extensions keep a note of it but continue */
200 		if (x->ex_flags & EXFLAG_INVALID_POLICY)
201 			ret = -1;
202 		/* Otherwise if we have no data (hence no CertificatePolicies)
203 		 * and haven't already set an inconsistent code note it.
204 		 */
205 		else if ((ret == 1) && !cache->data)
206 			ret = 2;
207 		if (explicit_policy > 0)
208 			{
209 			if (!(x->ex_flags & EXFLAG_SI))
210 				explicit_policy--;
211 			if ((cache->explicit_skip != -1)
212 				&& (cache->explicit_skip < explicit_policy))
213 				explicit_policy = cache->explicit_skip;
214 			}
215 		}
216 
217 	if (ret != 1)
218 		{
219 		if (ret == 2 && !explicit_policy)
220 			return 6;
221 		return ret;
222 		}
223 
224 
225 	/* If we get this far initialize the tree */
226 
227 	tree = OPENSSL_malloc(sizeof(X509_POLICY_TREE));
228 
229 	if (!tree)
230 		return 0;
231 
232 	tree->flags = 0;
233 	tree->levels = OPENSSL_malloc(sizeof(X509_POLICY_LEVEL) * n);
234 	tree->nlevel = 0;
235 	tree->extra_data = NULL;
236 	tree->auth_policies = NULL;
237 	tree->user_policies = NULL;
238 
239 	if (!tree->levels)
240 		{
241 		OPENSSL_free(tree);
242 		return 0;
243 		}
244 
245 	memset(tree->levels, 0, n * sizeof(X509_POLICY_LEVEL));
246 
247 	tree->nlevel = n;
248 
249 	level = tree->levels;
250 
251 	/* Root data: initialize to anyPolicy */
252 
253 	data = policy_data_new(NULL, OBJ_nid2obj(NID_any_policy), 0);
254 
255 	if (!data || !level_add_node(level, data, NULL, tree))
256 		goto bad_tree;
257 
258 	for (i = n - 2; i >= 0; i--)
259 		{
260 		level++;
261 		x = sk_X509_value(certs, i);
262 		cache = policy_cache_set(x);
263 		level->cert = X509_up_ref(x);
264 
265 		if (!cache->anyPolicy)
266 				level->flags |= X509_V_FLAG_INHIBIT_ANY;
267 
268 		/* Determine inhibit any and inhibit map flags */
269 		if (any_skip == 0)
270 			{
271 			/* Any matching allowed if certificate is self
272 			 * issued and not the last in the chain.
273 			 */
274 			if (!(x->ex_flags & EXFLAG_SI) || (i == 0))
275 				level->flags |= X509_V_FLAG_INHIBIT_ANY;
276 			}
277 		else
278 			{
279 			if (!(x->ex_flags & EXFLAG_SI))
280 				any_skip--;
281 			if ((cache->any_skip >= 0)
282 				&& (cache->any_skip < any_skip))
283 				any_skip = cache->any_skip;
284 			}
285 
286 		if (map_skip == 0)
287 			level->flags |= X509_V_FLAG_INHIBIT_MAP;
288 		else
289 			{
290 			if (!(x->ex_flags & EXFLAG_SI))
291 				map_skip--;
292 			if ((cache->map_skip >= 0)
293 				&& (cache->map_skip < map_skip))
294 				map_skip = cache->map_skip;
295 			}
296 
297 		}
298 
299 	*ptree = tree;
300 
301 	if (explicit_policy)
302 		return 1;
303 	else
304 		return 5;
305 
306 	bad_tree:
307 
308 	X509_policy_tree_free(tree);
309 
310 	return 0;
311 
312 	}
313 
tree_link_matching_nodes(X509_POLICY_LEVEL * curr,const X509_POLICY_DATA * data)314 static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
315 				const X509_POLICY_DATA *data)
316 	{
317 	X509_POLICY_LEVEL *last = curr - 1;
318 	X509_POLICY_NODE *node;
319 	int matched = 0;
320 	size_t i;
321 	/* Iterate through all in nodes linking matches */
322 	for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++)
323 		{
324 		node = sk_X509_POLICY_NODE_value(last->nodes, i);
325 		if (policy_node_match(last, node, data->valid_policy))
326 			{
327 			if (!level_add_node(curr, data, node, NULL))
328 				return 0;
329 			matched = 1;
330 			}
331 		}
332 	if (!matched && last->anyPolicy)
333 		{
334 		if (!level_add_node(curr, data, last->anyPolicy, NULL))
335 			return 0;
336 		}
337 	return 1;
338 	}
339 
340 /* This corresponds to RFC3280 6.1.3(d)(1):
341  * link any data from CertificatePolicies onto matching parent
342  * or anyPolicy if no match.
343  */
344 
tree_link_nodes(X509_POLICY_LEVEL * curr,const X509_POLICY_CACHE * cache)345 static int tree_link_nodes(X509_POLICY_LEVEL *curr,
346 				const X509_POLICY_CACHE *cache)
347 	{
348 	size_t i;
349 	X509_POLICY_DATA *data;
350 
351 	for (i = 0; i < sk_X509_POLICY_DATA_num(cache->data); i++)
352 		{
353 		data = sk_X509_POLICY_DATA_value(cache->data, i);
354 		/* If a node is mapped any it doesn't have a corresponding
355 		 * CertificatePolicies entry.
356 		 * However such an identical node would be created
357 		 * if anyPolicy matching is enabled because there would be
358 		 * no match with the parent valid_policy_set. So we create
359 		 * link because then it will have the mapping flags
360 		 * right and we can prune it later.
361 		 */
362 #if 0
363 		if ((data->flags & POLICY_DATA_FLAG_MAPPED_ANY)
364 			&& !(curr->flags & X509_V_FLAG_INHIBIT_ANY))
365 			continue;
366 #endif
367 		/* Look for matching nodes in previous level */
368 		if (!tree_link_matching_nodes(curr, data))
369 				return 0;
370 		}
371 	return 1;
372 	}
373 
374 /* This corresponds to RFC3280 6.1.3(d)(2):
375  * Create new data for any unmatched policies in the parent and link
376  * to anyPolicy.
377  */
378 
tree_add_unmatched(X509_POLICY_LEVEL * curr,const X509_POLICY_CACHE * cache,const ASN1_OBJECT * id,X509_POLICY_NODE * node,X509_POLICY_TREE * tree)379 static int tree_add_unmatched(X509_POLICY_LEVEL *curr,
380 			const X509_POLICY_CACHE *cache,
381 			const ASN1_OBJECT *id,
382 			X509_POLICY_NODE *node,
383 			X509_POLICY_TREE *tree)
384 	{
385 	X509_POLICY_DATA *data;
386 	if (id == NULL)
387 		id = node->data->valid_policy;
388 	/* Create a new node with qualifiers from anyPolicy and
389 	 * id from unmatched node.
390 	 */
391 	data = policy_data_new(NULL, id, node_critical(node));
392 
393 	if (data == NULL)
394 		return 0;
395 	/* Curr may not have anyPolicy */
396 	data->qualifier_set = cache->anyPolicy->qualifier_set;
397 	data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
398 	if (!level_add_node(curr, data, node, tree))
399 		{
400 		policy_data_free(data);
401 		return 0;
402 		}
403 
404 	return 1;
405 	}
406 
tree_link_unmatched(X509_POLICY_LEVEL * curr,const X509_POLICY_CACHE * cache,X509_POLICY_NODE * node,X509_POLICY_TREE * tree)407 static int tree_link_unmatched(X509_POLICY_LEVEL *curr,
408 			const X509_POLICY_CACHE *cache,
409 			X509_POLICY_NODE *node,
410 			X509_POLICY_TREE *tree)
411 	{
412 	const X509_POLICY_LEVEL *last = curr - 1;
413 	size_t i;
414 
415 	if (	    (last->flags & X509_V_FLAG_INHIBIT_MAP)
416 		|| !(node->data->flags & POLICY_DATA_FLAG_MAPPED))
417 		{
418 		/* If no policy mapping: matched if one child present */
419 		if (node->nchild)
420 			return 1;
421 		if (!tree_add_unmatched(curr, cache, NULL, node, tree))
422 			return 0;
423 		/* Add it */
424 		}
425 	else
426 		{
427 		/* If mapping: matched if one child per expected policy set */
428 		STACK_OF(ASN1_OBJECT) *expset = node->data->expected_policy_set;
429 		if ((size_t) node->nchild == sk_ASN1_OBJECT_num(expset))
430 			return 1;
431 		/* Locate unmatched nodes */
432 		for (i = 0; i < sk_ASN1_OBJECT_num(expset); i++)
433 			{
434 			ASN1_OBJECT *oid = sk_ASN1_OBJECT_value(expset, i);
435 			if (level_find_node(curr, node, oid))
436 				continue;
437 			if (!tree_add_unmatched(curr, cache, oid, node, tree))
438 				return 0;
439 			}
440 
441 		}
442 
443 	return 1;
444 
445 	}
446 
tree_link_any(X509_POLICY_LEVEL * curr,const X509_POLICY_CACHE * cache,X509_POLICY_TREE * tree)447 static int tree_link_any(X509_POLICY_LEVEL *curr,
448 			const X509_POLICY_CACHE *cache,
449 			X509_POLICY_TREE *tree)
450 	{
451 	size_t i;
452 	/*X509_POLICY_DATA *data;*/
453 	X509_POLICY_NODE *node;
454 	X509_POLICY_LEVEL *last = curr - 1;
455 
456 	for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++)
457 		{
458 		node = sk_X509_POLICY_NODE_value(last->nodes, i);
459 
460 		if (!tree_link_unmatched(curr, cache, node, tree))
461 			return 0;
462 
463 #if 0
464 
465 		/* Skip any node with any children: we only want unmathced
466 		 * nodes.
467 		 *
468 		 * Note: need something better for policy mapping
469 		 * because each node may have multiple children
470 		 */
471 		if (node->nchild)
472 			continue;
473 
474 		/* Create a new node with qualifiers from anyPolicy and
475 		 * id from unmatched node.
476 		 */
477 		data = policy_data_new(NULL, node->data->valid_policy,
478 						node_critical(node));
479 
480 		if (data == NULL)
481 			return 0;
482 		/* Curr may not have anyPolicy */
483 		data->qualifier_set = cache->anyPolicy->qualifier_set;
484 		data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
485 		if (!level_add_node(curr, data, node, tree))
486 			{
487 			policy_data_free(data);
488 			return 0;
489 			}
490 
491 #endif
492 
493 		}
494 	/* Finally add link to anyPolicy */
495 	if (last->anyPolicy)
496 		{
497 		if (!level_add_node(curr, cache->anyPolicy,
498 						last->anyPolicy, NULL))
499 			return 0;
500 		}
501 	return 1;
502 	}
503 
504 /* Prune the tree: delete any child mapped child data on the current level
505  * then proceed up the tree deleting any data with no children. If we ever
506  * have no data on a level we can halt because the tree will be empty.
507  */
508 
tree_prune(X509_POLICY_TREE * tree,X509_POLICY_LEVEL * curr)509 static int tree_prune(X509_POLICY_TREE *tree, X509_POLICY_LEVEL *curr)
510 	{
511 	STACK_OF(X509_POLICY_NODE) *nodes;
512 	X509_POLICY_NODE *node;
513 	int i;
514 	nodes = curr->nodes;
515 	if (curr->flags & X509_V_FLAG_INHIBIT_MAP)
516 		{
517 		for (i = sk_X509_POLICY_NODE_num(nodes) - 1; i >= 0; i--)
518 			{
519 			node = sk_X509_POLICY_NODE_value(nodes, i);
520 			/* Delete any mapped data: see RFC3280 XXXX */
521 			if (node->data->flags & POLICY_DATA_FLAG_MAP_MASK)
522 				{
523 				node->parent->nchild--;
524 				OPENSSL_free(node);
525 				(void)sk_X509_POLICY_NODE_delete(nodes,i);
526 				}
527 			}
528 		}
529 
530 	for(;;)	{
531 		--curr;
532 		nodes = curr->nodes;
533 		for (i = sk_X509_POLICY_NODE_num(nodes) - 1; i >= 0; i--)
534 			{
535 			node = sk_X509_POLICY_NODE_value(nodes, i);
536 			if (node->nchild == 0)
537 				{
538 				node->parent->nchild--;
539 				OPENSSL_free(node);
540 				(void)sk_X509_POLICY_NODE_delete(nodes, i);
541 				}
542 			}
543 		if (curr->anyPolicy && !curr->anyPolicy->nchild)
544 			{
545 			if (curr->anyPolicy->parent)
546 				curr->anyPolicy->parent->nchild--;
547 			OPENSSL_free(curr->anyPolicy);
548 			curr->anyPolicy = NULL;
549 			}
550 		if (curr == tree->levels)
551 			{
552 			/* If we zapped anyPolicy at top then tree is empty */
553 			if (!curr->anyPolicy)
554 					return 2;
555 			return 1;
556 			}
557 		}
558 
559 	}
560 
tree_add_auth_node(STACK_OF (X509_POLICY_NODE)** pnodes,X509_POLICY_NODE * pcy)561 static int tree_add_auth_node(STACK_OF(X509_POLICY_NODE) **pnodes,
562 						 X509_POLICY_NODE *pcy)
563 	{
564 	if (!*pnodes)
565 		{
566 		*pnodes = policy_node_cmp_new();
567 		if (!*pnodes)
568 			return 0;
569 		}
570 	else if (sk_X509_POLICY_NODE_find(*pnodes, NULL, pcy))
571 		return 1;
572 
573 	if (!sk_X509_POLICY_NODE_push(*pnodes, pcy))
574 		return 0;
575 
576 	return 1;
577 
578 	}
579 
580 /* Calculate the authority set based on policy tree.
581  * The 'pnodes' parameter is used as a store for the set of policy nodes
582  * used to calculate the user set. If the authority set is not anyPolicy
583  * then pnodes will just point to the authority set. If however the authority
584  * set is anyPolicy then the set of valid policies (other than anyPolicy)
585  * is store in pnodes. The return value of '2' is used in this case to indicate
586  * that pnodes should be freed.
587  */
588 
tree_calculate_authority_set(X509_POLICY_TREE * tree,STACK_OF (X509_POLICY_NODE)** pnodes)589 static int tree_calculate_authority_set(X509_POLICY_TREE *tree,
590 					STACK_OF(X509_POLICY_NODE) **pnodes)
591 	{
592 	X509_POLICY_LEVEL *curr;
593 	X509_POLICY_NODE *node, *anyptr;
594 	STACK_OF(X509_POLICY_NODE) **addnodes;
595 	int i;
596 	size_t j;
597 	curr = tree->levels + tree->nlevel - 1;
598 
599 	/* If last level contains anyPolicy set is anyPolicy */
600 	if (curr->anyPolicy)
601 		{
602 		if (!tree_add_auth_node(&tree->auth_policies, curr->anyPolicy))
603 			return 0;
604 		addnodes = pnodes;
605 		}
606 	else
607 		/* Add policies to authority set */
608 		addnodes = &tree->auth_policies;
609 
610 	curr = tree->levels;
611 	for (i = 1; i < tree->nlevel; i++)
612 		{
613 		/* If no anyPolicy node on this this level it can't
614 		 * appear on lower levels so end search.
615 		 */
616 		if (!(anyptr = curr->anyPolicy))
617 			break;
618 		curr++;
619 		for (j = 0; j < sk_X509_POLICY_NODE_num(curr->nodes); j++)
620 			{
621 			node = sk_X509_POLICY_NODE_value(curr->nodes, j);
622 			if ((node->parent == anyptr)
623 				&& !tree_add_auth_node(addnodes, node))
624 					return 0;
625 			}
626 		}
627 
628 	if (addnodes == pnodes)
629 		return 2;
630 
631 	*pnodes = tree->auth_policies;
632 
633 	return 1;
634 	}
635 
tree_calculate_user_set(X509_POLICY_TREE * tree,STACK_OF (ASN1_OBJECT)* policy_oids,STACK_OF (X509_POLICY_NODE)* auth_nodes)636 static int tree_calculate_user_set(X509_POLICY_TREE *tree,
637 				STACK_OF(ASN1_OBJECT) *policy_oids,
638 				STACK_OF(X509_POLICY_NODE) *auth_nodes)
639 	{
640 	size_t i;
641 	X509_POLICY_NODE *node;
642 	ASN1_OBJECT *oid;
643 
644 	X509_POLICY_NODE *anyPolicy;
645 	X509_POLICY_DATA *extra;
646 
647 	/* Check if anyPolicy present in authority constrained policy set:
648 	 * this will happen if it is a leaf node.
649 	 */
650 
651 	if (sk_ASN1_OBJECT_num(policy_oids) <= 0)
652 		return 1;
653 
654 	anyPolicy = tree->levels[tree->nlevel - 1].anyPolicy;
655 
656 	for (i = 0; i < sk_ASN1_OBJECT_num(policy_oids); i++)
657 		{
658 		oid = sk_ASN1_OBJECT_value(policy_oids, i);
659 		if (OBJ_obj2nid(oid) == NID_any_policy)
660 			{
661 			tree->flags |= POLICY_FLAG_ANY_POLICY;
662 			return 1;
663 			}
664 		}
665 
666 	for (i = 0; i < sk_ASN1_OBJECT_num(policy_oids); i++)
667 		{
668 		oid = sk_ASN1_OBJECT_value(policy_oids, i);
669 		node = tree_find_sk(auth_nodes, oid);
670 		if (!node)
671 			{
672 			if (!anyPolicy)
673 				continue;
674 			/* Create a new node with policy ID from user set
675 			 * and qualifiers from anyPolicy.
676 			 */
677 			extra = policy_data_new(NULL, oid,
678 						node_critical(anyPolicy));
679 			if (!extra)
680 				return 0;
681 			extra->qualifier_set = anyPolicy->data->qualifier_set;
682 			extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS
683 						| POLICY_DATA_FLAG_EXTRA_NODE;
684 			node = level_add_node(NULL, extra, anyPolicy->parent,
685 						tree);
686 			}
687 		if (!tree->user_policies)
688 			{
689 			tree->user_policies = sk_X509_POLICY_NODE_new_null();
690 			if (!tree->user_policies)
691 				return 1;
692 			}
693 		if (!sk_X509_POLICY_NODE_push(tree->user_policies, node))
694 			return 0;
695 		}
696 	return 1;
697 
698 	}
699 
tree_evaluate(X509_POLICY_TREE * tree)700 static int tree_evaluate(X509_POLICY_TREE *tree)
701 	{
702 	int ret, i;
703 	X509_POLICY_LEVEL *curr = tree->levels + 1;
704 	const X509_POLICY_CACHE *cache;
705 
706 	for(i = 1; i < tree->nlevel; i++, curr++)
707 		{
708 		cache = policy_cache_set(curr->cert);
709 		if (!tree_link_nodes(curr, cache))
710 			return 0;
711 
712 		if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY)
713 			&& !tree_link_any(curr, cache, tree))
714 			return 0;
715 	tree_print("before tree_prune()", tree, curr);
716 		ret = tree_prune(tree, curr);
717 		if (ret != 1)
718 			return ret;
719 		}
720 
721 	return 1;
722 
723 	}
724 
exnode_free(X509_POLICY_NODE * node)725 static void exnode_free(X509_POLICY_NODE *node)
726 	{
727 	if (node->data && (node->data->flags & POLICY_DATA_FLAG_EXTRA_NODE))
728 		OPENSSL_free(node);
729 	}
730 
731 
X509_policy_tree_free(X509_POLICY_TREE * tree)732 void X509_policy_tree_free(X509_POLICY_TREE *tree)
733 	{
734 	X509_POLICY_LEVEL *curr;
735 	int i;
736 
737 	if (!tree)
738 		return;
739 
740 	sk_X509_POLICY_NODE_free(tree->auth_policies);
741 	sk_X509_POLICY_NODE_pop_free(tree->user_policies, exnode_free);
742 
743 	for(i = 0, curr = tree->levels; i < tree->nlevel; i++, curr++)
744 		{
745 		if (curr->cert)
746 			X509_free(curr->cert);
747 		if (curr->nodes)
748 			sk_X509_POLICY_NODE_pop_free(curr->nodes,
749 						policy_node_free);
750 		if (curr->anyPolicy)
751 			policy_node_free(curr->anyPolicy);
752 		}
753 
754 	if (tree->extra_data)
755 		sk_X509_POLICY_DATA_pop_free(tree->extra_data,
756 						policy_data_free);
757 
758 	OPENSSL_free(tree->levels);
759 	OPENSSL_free(tree);
760 
761 	}
762 
763 /* Application policy checking function.
764  * Return codes:
765  *  0 	Internal Error.
766  *  1   Successful.
767  * -1   One or more certificates contain invalid or inconsistent extensions
768  * -2	User constrained policy set empty and requireExplicit true.
769  */
770 
X509_policy_check(X509_POLICY_TREE ** ptree,int * pexplicit_policy,STACK_OF (X509)* certs,STACK_OF (ASN1_OBJECT)* policy_oids,unsigned int flags)771 int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
772 			STACK_OF(X509) *certs,
773 			STACK_OF(ASN1_OBJECT) *policy_oids,
774 			unsigned int flags)
775 	{
776 	int ret;
777 	X509_POLICY_TREE *tree = NULL;
778 	STACK_OF(X509_POLICY_NODE) *nodes, *auth_nodes = NULL;
779 	*ptree = NULL;
780 
781 	*pexplicit_policy = 0;
782 	ret = tree_init(&tree, certs, flags);
783 
784 	switch (ret)
785 		{
786 
787 		/* Tree empty requireExplicit False: OK */
788 		case 2:
789 		return 1;
790 
791 		/* Some internal error */
792 		case -1:
793 		return -1;
794 
795 		/* Some internal error */
796 		case 0:
797 		return 0;
798 
799 		/* Tree empty requireExplicit True: Error */
800 
801 		case 6:
802 		*pexplicit_policy = 1;
803 		return -2;
804 
805 		/* Tree OK requireExplicit True: OK and continue */
806 		case 5:
807 		*pexplicit_policy = 1;
808 		break;
809 
810 		/* Tree OK: continue */
811 
812 		case 1:
813 		if (!tree)
814 			/*
815 			 * tree_init() returns success and a null tree
816 			 * if it's just looking at a trust anchor.
817 			 * I'm not sure that returning success here is
818 			 * correct, but I'm sure that reporting this
819 			 * as an internal error which our caller
820 			 * interprets as a malloc failure is wrong.
821 			 */
822 			return 1;
823 		break;
824 		}
825 
826 	if (!tree) goto error;
827 	ret = tree_evaluate(tree);
828 
829 	tree_print("tree_evaluate()", tree, NULL);
830 
831 	if (ret <= 0)
832 		goto error;
833 
834 	/* Return value 2 means tree empty */
835 	if (ret == 2)
836 		{
837 		X509_policy_tree_free(tree);
838 		if (*pexplicit_policy)
839 			return -2;
840 		else
841 			return 1;
842 		}
843 
844 	/* Tree is not empty: continue */
845 
846 	ret = tree_calculate_authority_set(tree, &auth_nodes);
847 
848 	if (!ret)
849 		goto error;
850 
851 	if (!tree_calculate_user_set(tree, policy_oids, auth_nodes))
852 		goto error;
853 
854 	if (ret == 2)
855 		sk_X509_POLICY_NODE_free(auth_nodes);
856 
857 	if (tree)
858 		*ptree = tree;
859 
860 	if (*pexplicit_policy)
861 		{
862 		nodes = X509_policy_tree_get0_user_policies(tree);
863 		if (sk_X509_POLICY_NODE_num(nodes) <= 0)
864 			return -2;
865 		}
866 
867 	return 1;
868 
869 	error:
870 
871 	X509_policy_tree_free(tree);
872 
873 	return 0;
874 
875 	}
876 
877