1/*
2 * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License").  You may not use
5 * this file except in compliance with the License.  You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <openssl/asn1.h>
11#include <openssl/x509.h>
12#include <openssl/x509v3.h>
13#include <openssl/err.h>
14
15#include "pcy_local.h"
16
17static int node_cmp(const X509_POLICY_NODE *const *a,
18                    const X509_POLICY_NODE *const *b)
19{
20    return OBJ_cmp((*a)->data->valid_policy, (*b)->data->valid_policy);
21}
22
23STACK_OF(X509_POLICY_NODE) *ossl_policy_node_cmp_new(void)
24{
25    return sk_X509_POLICY_NODE_new(node_cmp);
26}
27
28X509_POLICY_NODE *ossl_policy_tree_find_sk(STACK_OF(X509_POLICY_NODE) *nodes,
29                                           const ASN1_OBJECT *id)
30{
31    X509_POLICY_DATA n;
32    X509_POLICY_NODE l;
33    int idx;
34
35    n.valid_policy = (ASN1_OBJECT *)id;
36    l.data = &n;
37
38    idx = sk_X509_POLICY_NODE_find(nodes, &l);
39    return sk_X509_POLICY_NODE_value(nodes, idx);
40
41}
42
43X509_POLICY_NODE *ossl_policy_level_find_node(const X509_POLICY_LEVEL *level,
44                                              const X509_POLICY_NODE *parent,
45                                              const ASN1_OBJECT *id)
46{
47    X509_POLICY_NODE *node;
48    int i;
49    for (i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++) {
50        node = sk_X509_POLICY_NODE_value(level->nodes, i);
51        if (node->parent == parent) {
52            if (!OBJ_cmp(node->data->valid_policy, id))
53                return node;
54        }
55    }
56    return NULL;
57}
58
59X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
60                                             X509_POLICY_DATA *data,
61                                             X509_POLICY_NODE *parent,
62                                             X509_POLICY_TREE *tree,
63                                             int extra_data)
64{
65    X509_POLICY_NODE *node;
66
67    /* Verify that the tree isn't too large.  This mitigates CVE-2023-0464 */
68    if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum)
69        return NULL;
70
71    node = OPENSSL_zalloc(sizeof(*node));
72    if (node == NULL) {
73        ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
74        return NULL;
75    }
76    node->data = data;
77    node->parent = parent;
78    if (level != NULL) {
79        if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
80            if (level->anyPolicy)
81                goto node_error;
82            level->anyPolicy = node;
83        } else {
84
85            if (level->nodes == NULL)
86                level->nodes = ossl_policy_node_cmp_new();
87            if (level->nodes == NULL) {
88                ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
89                goto node_error;
90            }
91            if (!sk_X509_POLICY_NODE_push(level->nodes, node)) {
92                ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
93                goto node_error;
94            }
95        }
96    }
97
98    if (extra_data) {
99        if (tree->extra_data == NULL)
100            tree->extra_data = sk_X509_POLICY_DATA_new_null();
101        if (tree->extra_data == NULL){
102            ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
103            goto extra_data_error;
104        }
105        if (!sk_X509_POLICY_DATA_push(tree->extra_data, data)) {
106            ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
107            goto extra_data_error;
108        }
109    }
110
111    tree->node_count++;
112    if (parent)
113        parent->nchild++;
114
115    return node;
116
117 extra_data_error:
118    if (level != NULL) {
119        if (level->anyPolicy == node)
120            level->anyPolicy = NULL;
121        else
122            (void) sk_X509_POLICY_NODE_pop(level->nodes);
123    }
124
125 node_error:
126    ossl_policy_node_free(node);
127    return NULL;
128}
129
130void ossl_policy_node_free(X509_POLICY_NODE *node)
131{
132    OPENSSL_free(node);
133}
134
135/*
136 * See if a policy node matches a policy OID. If mapping enabled look through
137 * expected policy set otherwise just valid policy.
138 */
139
140int ossl_policy_node_match(const X509_POLICY_LEVEL *lvl,
141                           const X509_POLICY_NODE *node, const ASN1_OBJECT *oid)
142{
143    int i;
144    ASN1_OBJECT *policy_oid;
145    const X509_POLICY_DATA *x = node->data;
146
147    if ((lvl->flags & X509_V_FLAG_INHIBIT_MAP)
148        || !(x->flags & POLICY_DATA_FLAG_MAP_MASK)) {
149        if (!OBJ_cmp(x->valid_policy, oid))
150            return 1;
151        return 0;
152    }
153
154    for (i = 0; i < sk_ASN1_OBJECT_num(x->expected_policy_set); i++) {
155        policy_oid = sk_ASN1_OBJECT_value(x->expected_policy_set, i);
156        if (!OBJ_cmp(policy_oid, oid))
157            return 1;
158    }
159    return 0;
160
161}
162