1/* 2 * Copyright 2004-2018 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10#include <openssl/asn1.h> 11#include <openssl/x509.h> 12#include <openssl/x509v3.h> 13#include <openssl/err.h> 14 15#include "pcy_local.h" 16 17static int node_cmp(const X509_POLICY_NODE *const *a, 18 const X509_POLICY_NODE *const *b) 19{ 20 return OBJ_cmp((*a)->data->valid_policy, (*b)->data->valid_policy); 21} 22 23STACK_OF(X509_POLICY_NODE) *policy_node_cmp_new(void) 24{ 25 return sk_X509_POLICY_NODE_new(node_cmp); 26} 27 28X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *nodes, 29 const ASN1_OBJECT *id) 30{ 31 X509_POLICY_DATA n; 32 X509_POLICY_NODE l; 33 int idx; 34 35 n.valid_policy = (ASN1_OBJECT *)id; 36 l.data = &n; 37 38 idx = sk_X509_POLICY_NODE_find(nodes, &l); 39 return sk_X509_POLICY_NODE_value(nodes, idx); 40 41} 42 43X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level, 44 const X509_POLICY_NODE *parent, 45 const ASN1_OBJECT *id) 46{ 47 X509_POLICY_NODE *node; 48 int i; 49 for (i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++) { 50 node = sk_X509_POLICY_NODE_value(level->nodes, i); 51 if (node->parent == parent) { 52 if (!OBJ_cmp(node->data->valid_policy, id)) 53 return node; 54 } 55 } 56 return NULL; 57} 58 59X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, 60 X509_POLICY_DATA *data, 61 X509_POLICY_NODE *parent, 62 X509_POLICY_TREE *tree) 63{ 64 X509_POLICY_NODE *node; 65 66 node = OPENSSL_zalloc(sizeof(*node)); 67 if (node == NULL) { 68 X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE); 69 return NULL; 70 } 71 node->data = data; 72 node->parent = parent; 73 if (level) { 74 if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) { 75 if (level->anyPolicy) 76 goto node_error; 77 level->anyPolicy = node; 78 } else { 79 80 if (level->nodes == NULL) 81 level->nodes = policy_node_cmp_new(); 82 if (level->nodes == NULL) { 83 X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE); 84 goto node_error; 85 } 86 if (!sk_X509_POLICY_NODE_push(level->nodes, node)) { 87 X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE); 88 goto node_error; 89 } 90 } 91 } 92 93 if (tree) { 94 if (tree->extra_data == NULL) 95 tree->extra_data = sk_X509_POLICY_DATA_new_null(); 96 if (tree->extra_data == NULL){ 97 X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE); 98 goto node_error; 99 } 100 if (!sk_X509_POLICY_DATA_push(tree->extra_data, data)) { 101 X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE); 102 goto node_error; 103 } 104 } 105 106 if (parent) 107 parent->nchild++; 108 109 return node; 110 111 node_error: 112 policy_node_free(node); 113 return NULL; 114} 115 116void policy_node_free(X509_POLICY_NODE *node) 117{ 118 OPENSSL_free(node); 119} 120 121/* 122 * See if a policy node matches a policy OID. If mapping enabled look through 123 * expected policy set otherwise just valid policy. 124 */ 125 126int policy_node_match(const X509_POLICY_LEVEL *lvl, 127 const X509_POLICY_NODE *node, const ASN1_OBJECT *oid) 128{ 129 int i; 130 ASN1_OBJECT *policy_oid; 131 const X509_POLICY_DATA *x = node->data; 132 133 if ((lvl->flags & X509_V_FLAG_INHIBIT_MAP) 134 || !(x->flags & POLICY_DATA_FLAG_MAP_MASK)) { 135 if (!OBJ_cmp(x->valid_policy, oid)) 136 return 1; 137 return 0; 138 } 139 140 for (i = 0; i < sk_ASN1_OBJECT_num(x->expected_policy_set); i++) { 141 policy_oid = sk_ASN1_OBJECT_value(x->expected_policy_set, i); 142 if (!OBJ_cmp(policy_oid, oid)) 143 return 1; 144 } 145 return 0; 146 147} 148