authorjsing <>2014-04-21 08:41:26 +0000
committerjsing <>2014-04-21 08:41:26 +0000
commitaf50ddfc8cd7409b6577826223496779c69cd1e0 (patch)
treef2f8e8a8d38afa820e7b749c66023be793b9ca3c
parentf46c697a11680ae5d3ab06393f0bfe2ed1841168 (diff)
KNF.
-rw-r--r--src/lib/libcrypto/x509v3/ext_dat.h88
-rw-r--r--src/lib/libcrypto/x509v3/pcy_cache.c146
-rw-r--r--src/lib/libcrypto/x509v3/pcy_data.c43
-rw-r--r--src/lib/libcrypto/x509v3/pcy_int.h42
-rw-r--r--src/lib/libcrypto/x509v3/pcy_lib.c74
-rw-r--r--src/lib/libcrypto/x509v3/pcy_map.c49
-rw-r--r--src/lib/libcrypto/x509v3/pcy_node.c105
-rw-r--r--src/lib/libcrypto/x509v3/pcy_tree.c457
-rw-r--r--src/lib/libssl/src/crypto/x509v3/ext_dat.h88
-rw-r--r--src/lib/libssl/src/crypto/x509v3/pcy_cache.c146
-rw-r--r--src/lib/libssl/src/crypto/x509v3/pcy_data.c43
-rw-r--r--src/lib/libssl/src/crypto/x509v3/pcy_int.h42
-rw-r--r--src/lib/libssl/src/crypto/x509v3/pcy_lib.c74
-rw-r--r--src/lib/libssl/src/crypto/x509v3/pcy_map.c49
-rw-r--r--src/lib/libssl/src/crypto/x509v3/pcy_node.c105
-rw-r--r--src/lib/libssl/src/crypto/x509v3/pcy_tree.c457
16 files changed, 912 insertions, 1096 deletions
diff --git a/src/lib/libcrypto/x509v3/ext_dat.h b/src/lib/libcrypto/x509v3/ext_dat.h
index 76daee6fcd..d90d2e7f8e 100644
--- a/src/lib/libcrypto/x509v3/ext_dat.h
+++ b/src/lib/libcrypto/x509v3/ext_dat.h
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -74,59 +74,57 @@ extern X509V3_EXT_METHOD v3_addr, v3_asid;
74 */ 74 */
75 75
76static const X509V3_EXT_METHOD *standard_exts[] = { 76static const X509V3_EXT_METHOD *standard_exts[] = {
77&v3_nscert, 77 &v3_nscert,
78&v3_ns_ia5_list[0], 78 &v3_ns_ia5_list[0],
79&v3_ns_ia5_list[1], 79 &v3_ns_ia5_list[1],
80&v3_ns_ia5_list[2], 80 &v3_ns_ia5_list[2],
81&v3_ns_ia5_list[3], 81 &v3_ns_ia5_list[3],
82&v3_ns_ia5_list[4], 82 &v3_ns_ia5_list[4],
83&v3_ns_ia5_list[5], 83 &v3_ns_ia5_list[5],
84&v3_ns_ia5_list[6], 84 &v3_ns_ia5_list[6],
85&v3_skey_id, 85 &v3_skey_id,
86&v3_key_usage, 86 &v3_key_usage,
87&v3_pkey_usage_period, 87 &v3_pkey_usage_period,
88&v3_alt[0], 88 &v3_alt[0],
89&v3_alt[1], 89 &v3_alt[1],
90&v3_bcons, 90 &v3_bcons,
91&v3_crl_num, 91 &v3_crl_num,
92&v3_cpols, 92 &v3_cpols,
93&v3_akey_id, 93 &v3_akey_id,
94&v3_crld, 94 &v3_crld,
95&v3_ext_ku, 95 &v3_ext_ku,
96&v3_delta_crl, 96 &v3_delta_crl,
97&v3_crl_reason, 97 &v3_crl_reason,
98#ifndef OPENSSL_NO_OCSP 98#ifndef OPENSSL_NO_OCSP
99&v3_crl_invdate, 99 &v3_crl_invdate,
100#endif 100#endif
101&v3_sxnet, 101 &v3_sxnet,
102&v3_info, 102 &v3_info,
103#ifndef OPENSSL_NO_RFC3779 103#ifndef OPENSSL_NO_RFC3779
104&v3_addr, 104 &v3_addr,
105&v3_asid, 105 &v3_asid,
106#endif 106#endif
107#ifndef OPENSSL_NO_OCSP 107#ifndef OPENSSL_NO_OCSP
108&v3_ocsp_nonce, 108 &v3_ocsp_nonce,
109&v3_ocsp_crlid, 109 &v3_ocsp_crlid,
110&v3_ocsp_accresp, 110 &v3_ocsp_accresp,
111&v3_ocsp_nocheck, 111 &v3_ocsp_nocheck,
112&v3_ocsp_acutoff, 112 &v3_ocsp_acutoff,
113&v3_ocsp_serviceloc, 113 &v3_ocsp_serviceloc,
114#endif 114#endif
115&v3_sinfo, 115 &v3_sinfo,
116&v3_policy_constraints, 116 &v3_policy_constraints,
117#ifndef OPENSSL_NO_OCSP 117#ifndef OPENSSL_NO_OCSP
118&v3_crl_hold, 118 &v3_crl_hold,
119#endif 119#endif
120&v3_pci, 120 &v3_pci,
121&v3_name_constraints, 121 &v3_name_constraints,
122&v3_policy_mappings, 122 &v3_policy_mappings,
123&v3_inhibit_anyp, 123 &v3_inhibit_anyp,
124&v3_idp, 124 &v3_idp,
125&v3_alt[2], 125 &v3_alt[2],
126&v3_freshest_crl, 126 &v3_freshest_crl,
127}; 127};
128 128
129/* Number of standard extensions */ 129/* Number of standard extensions */
130
131#define STANDARD_EXTENSION_COUNT (sizeof(standard_exts)/sizeof(X509V3_EXT_METHOD *)) 130#define STANDARD_EXTENSION_COUNT (sizeof(standard_exts)/sizeof(X509V3_EXT_METHOD *))
132
diff --git a/src/lib/libcrypto/x509v3/pcy_cache.c b/src/lib/libcrypto/x509v3/pcy_cache.c
index 24c79b4a80..cc990670d7 100644
--- a/src/lib/libcrypto/x509v3/pcy_cache.c
+++ b/src/lib/libcrypto/x509v3/pcy_cache.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -63,28 +63,28 @@
63#include "pcy_int.h" 63#include "pcy_int.h"
64 64
65static int policy_data_cmp(const X509_POLICY_DATA * const *a, 65static int policy_data_cmp(const X509_POLICY_DATA * const *a,
66 const X509_POLICY_DATA * const *b); 66 const X509_POLICY_DATA * const *b);
67static int policy_cache_set_int(long *out, ASN1_INTEGER *value); 67static int policy_cache_set_int(long *out, ASN1_INTEGER *value);
68 68
69/* Set cache entry according to CertificatePolicies extension. 69/* Set cache entry according to CertificatePolicies extension.
70 * Note: this destroys the passed CERTIFICATEPOLICIES structure. 70 * Note: this destroys the passed CERTIFICATEPOLICIES structure.
71 */ 71 */
72 72
73static int policy_cache_create(X509 *x, 73static int
74 CERTIFICATEPOLICIES *policies, int crit) 74policy_cache_create(X509 *x, CERTIFICATEPOLICIES *policies, int crit)
75 { 75{
76 int i; 76 int i;
77 int ret = 0; 77 int ret = 0;
78 X509_POLICY_CACHE *cache = x->policy_cache; 78 X509_POLICY_CACHE *cache = x->policy_cache;
79 X509_POLICY_DATA *data = NULL; 79 X509_POLICY_DATA *data = NULL;
80 POLICYINFO *policy; 80 POLICYINFO *policy;
81
81 if (sk_POLICYINFO_num(policies) == 0) 82 if (sk_POLICYINFO_num(policies) == 0)
82 goto bad_policy; 83 goto bad_policy;
83 cache->data = sk_X509_POLICY_DATA_new(policy_data_cmp); 84 cache->data = sk_X509_POLICY_DATA_new(policy_data_cmp);
84 if (!cache->data) 85 if (!cache->data)
85 goto bad_policy; 86 goto bad_policy;
86 for (i = 0; i < sk_POLICYINFO_num(policies); i++) 87 for (i = 0; i < sk_POLICYINFO_num(policies); i++) {
87 {
88 policy = sk_POLICYINFO_value(policies, i); 88 policy = sk_POLICYINFO_value(policies, i);
89 data = policy_data_new(policy, NULL, crit); 89 data = policy_data_new(policy, NULL, crit);
90 if (!data) 90 if (!data)
@@ -92,48 +92,44 @@ static int policy_cache_create(X509 *x,
92 /* Duplicate policy OIDs are illegal: reject if matches 92 /* Duplicate policy OIDs are illegal: reject if matches
93 * found. 93 * found.
94 */ 94 */
95 if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) 95 if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
96 { 96 if (cache->anyPolicy) {
97 if (cache->anyPolicy)
98 {
99 ret = -1; 97 ret = -1;
100 goto bad_policy; 98 goto bad_policy;
101 }
102 cache->anyPolicy = data;
103 } 99 }
104 else if (sk_X509_POLICY_DATA_find(cache->data, data) != -1) 100 cache->anyPolicy = data;
105 { 101 } else if (sk_X509_POLICY_DATA_find(cache->data, data) != -1) {
106 ret = -1; 102 ret = -1;
107 goto bad_policy; 103 goto bad_policy;
108 } 104 } else if (!sk_X509_POLICY_DATA_push(cache->data, data))
109 else if (!sk_X509_POLICY_DATA_push(cache->data, data))
110 goto bad_policy; 105 goto bad_policy;
111 data = NULL; 106 data = NULL;
112 } 107 }
113 ret = 1; 108 ret = 1;
114 bad_policy: 109
110bad_policy:
115 if (ret == -1) 111 if (ret == -1)
116 x->ex_flags |= EXFLAG_INVALID_POLICY; 112 x->ex_flags |= EXFLAG_INVALID_POLICY;
117 if (data) 113 if (data)
118 policy_data_free(data); 114 policy_data_free(data);
119 sk_POLICYINFO_pop_free(policies, POLICYINFO_free); 115 sk_POLICYINFO_pop_free(policies, POLICYINFO_free);
120 if (ret <= 0) 116 if (ret <= 0) {
121 {
122 sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free); 117 sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
123 cache->data = NULL; 118 cache->data = NULL;
124 }
125 return ret;
126 } 119 }
120 return ret;
121}
127 122
128 123static int
129static int policy_cache_new(X509 *x) 124policy_cache_new(X509 *x)
130 { 125{
131 X509_POLICY_CACHE *cache; 126 X509_POLICY_CACHE *cache;
132 ASN1_INTEGER *ext_any = NULL; 127 ASN1_INTEGER *ext_any = NULL;
133 POLICY_CONSTRAINTS *ext_pcons = NULL; 128 POLICY_CONSTRAINTS *ext_pcons = NULL;
134 CERTIFICATEPOLICIES *ext_cpols = NULL; 129 CERTIFICATEPOLICIES *ext_cpols = NULL;
135 POLICY_MAPPINGS *ext_pmaps = NULL; 130 POLICY_MAPPINGS *ext_pmaps = NULL;
136 int i; 131 int i;
132
137 cache = malloc(sizeof(X509_POLICY_CACHE)); 133 cache = malloc(sizeof(X509_POLICY_CACHE));
138 if (!cache) 134 if (!cache)
139 return 0; 135 return 0;
@@ -150,23 +146,20 @@ static int policy_cache_new(X509 *x)
150 */ 146 */
151 ext_pcons = X509_get_ext_d2i(x, NID_policy_constraints, &i, NULL); 147 ext_pcons = X509_get_ext_d2i(x, NID_policy_constraints, &i, NULL);
152 148
153 if (!ext_pcons) 149 if (!ext_pcons) {
154 {
155 if (i != -1) 150 if (i != -1)
156 goto bad_cache; 151 goto bad_cache;
157 } 152 } else {
158 else 153 if (!ext_pcons->requireExplicitPolicy &&
159 { 154 !ext_pcons->inhibitPolicyMapping)
160 if (!ext_pcons->requireExplicitPolicy
161 && !ext_pcons->inhibitPolicyMapping)
162 goto bad_cache; 155 goto bad_cache;
163 if (!policy_cache_set_int(&cache->explicit_skip, 156 if (!policy_cache_set_int(&cache->explicit_skip,
164 ext_pcons->requireExplicitPolicy)) 157 ext_pcons->requireExplicitPolicy))
165 goto bad_cache; 158 goto bad_cache;
166 if (!policy_cache_set_int(&cache->map_skip, 159 if (!policy_cache_set_int(&cache->map_skip,
167 ext_pcons->inhibitPolicyMapping)) 160 ext_pcons->inhibitPolicyMapping))
168 goto bad_cache; 161 goto bad_cache;
169 } 162 }
170 163
171 /* Process CertificatePolicies */ 164 /* Process CertificatePolicies */
172 165
@@ -175,13 +168,12 @@ static int policy_cache_new(X509 *x)
175 * there is no point continuing because the valid policies will be 168 * there is no point continuing because the valid policies will be
176 * NULL. 169 * NULL.
177 */ 170 */
178 if (!ext_cpols) 171 if (!ext_cpols) {
179 {
180 /* If not absent some problem with extension */ 172 /* If not absent some problem with extension */
181 if (i != -1) 173 if (i != -1)
182 goto bad_cache; 174 goto bad_cache;
183 return 1; 175 return 1;
184 } 176 }
185 177
186 i = policy_cache_create(x, ext_cpols, i); 178 i = policy_cache_create(x, ext_cpols, i);
187 179
@@ -192,48 +184,41 @@ static int policy_cache_new(X509 *x)
192 184
193 ext_pmaps = X509_get_ext_d2i(x, NID_policy_mappings, &i, NULL); 185 ext_pmaps = X509_get_ext_d2i(x, NID_policy_mappings, &i, NULL);
194 186
195 if (!ext_pmaps) 187 if (!ext_pmaps) {
196 {
197 /* If not absent some problem with extension */ 188 /* If not absent some problem with extension */
198 if (i != -1) 189 if (i != -1)
199 goto bad_cache; 190 goto bad_cache;
200 } 191 } else {
201 else
202 {
203 i = policy_cache_set_mapping(x, ext_pmaps); 192 i = policy_cache_set_mapping(x, ext_pmaps);
204 if (i <= 0) 193 if (i <= 0)
205 goto bad_cache; 194 goto bad_cache;
206 } 195 }
207 196
208 ext_any = X509_get_ext_d2i(x, NID_inhibit_any_policy, &i, NULL); 197 ext_any = X509_get_ext_d2i(x, NID_inhibit_any_policy, &i, NULL);
209 198
210 if (!ext_any) 199 if (!ext_any) {
211 {
212 if (i != -1) 200 if (i != -1)
213 goto bad_cache; 201 goto bad_cache;
214 } 202 } else if (!policy_cache_set_int(&cache->any_skip, ext_any))
215 else if (!policy_cache_set_int(&cache->any_skip, ext_any)) 203 goto bad_cache;
216 goto bad_cache;
217 204
218 if (0) 205 if (0) {
219 { 206bad_cache:
220 bad_cache:
221 x->ex_flags |= EXFLAG_INVALID_POLICY; 207 x->ex_flags |= EXFLAG_INVALID_POLICY;
222 } 208 }
223 209
224 if(ext_pcons) 210 if (ext_pcons)
225 POLICY_CONSTRAINTS_free(ext_pcons); 211 POLICY_CONSTRAINTS_free(ext_pcons);
226 212
227 if (ext_any) 213 if (ext_any)
228 ASN1_INTEGER_free(ext_any); 214 ASN1_INTEGER_free(ext_any);
229 215
230 return 1; 216 return 1;
231
232
233} 217}
234 218
235void policy_cache_free(X509_POLICY_CACHE *cache) 219void
236 { 220policy_cache_free(X509_POLICY_CACHE *cache)
221{
237 if (!cache) 222 if (!cache)
238 return; 223 return;
239 if (cache->anyPolicy) 224 if (cache->anyPolicy)
@@ -241,46 +226,47 @@ void policy_cache_free(X509_POLICY_CACHE *cache)
241 if (cache->data) 226 if (cache->data)
242 sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free); 227 sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
243 free(cache); 228 free(cache);
244 } 229}
245
246const X509_POLICY_CACHE *policy_cache_set(X509 *x)
247 {
248 230
249 if (x->policy_cache == NULL) 231const X509_POLICY_CACHE *
250 { 232policy_cache_set(X509 *x)
233{
234 if (x->policy_cache == NULL) {
251 CRYPTO_w_lock(CRYPTO_LOCK_X509); 235 CRYPTO_w_lock(CRYPTO_LOCK_X509);
252 policy_cache_new(x); 236 policy_cache_new(x);
253 CRYPTO_w_unlock(CRYPTO_LOCK_X509); 237 CRYPTO_w_unlock(CRYPTO_LOCK_X509);
254 } 238 }
255 239
256 return x->policy_cache; 240 return x->policy_cache;
241}
257 242
258 } 243X509_POLICY_DATA *
259 244policy_cache_find_data(const X509_POLICY_CACHE *cache, const ASN1_OBJECT *id)
260X509_POLICY_DATA *policy_cache_find_data(const X509_POLICY_CACHE *cache, 245{
261 const ASN1_OBJECT *id)
262 {
263 int idx; 246 int idx;
264 X509_POLICY_DATA tmp; 247 X509_POLICY_DATA tmp;
248
265 tmp.valid_policy = (ASN1_OBJECT *)id; 249 tmp.valid_policy = (ASN1_OBJECT *)id;
266 idx = sk_X509_POLICY_DATA_find(cache->data, &tmp); 250 idx = sk_X509_POLICY_DATA_find(cache->data, &tmp);
267 if (idx == -1) 251 if (idx == -1)
268 return NULL; 252 return NULL;
269 return sk_X509_POLICY_DATA_value(cache->data, idx); 253 return sk_X509_POLICY_DATA_value(cache->data, idx);
270 } 254}
271 255
272static int policy_data_cmp(const X509_POLICY_DATA * const *a, 256static int
273 const X509_POLICY_DATA * const *b) 257policy_data_cmp(const X509_POLICY_DATA * const *a,
274 { 258 const X509_POLICY_DATA * const *b)
259{
275 return OBJ_cmp((*a)->valid_policy, (*b)->valid_policy); 260 return OBJ_cmp((*a)->valid_policy, (*b)->valid_policy);
276 } 261}
277 262
278static int policy_cache_set_int(long *out, ASN1_INTEGER *value) 263static int
279 { 264policy_cache_set_int(long *out, ASN1_INTEGER *value)
265{
280 if (value == NULL) 266 if (value == NULL)
281 return 1; 267 return 1;
282 if (value->type == V_ASN1_NEG_INTEGER) 268 if (value->type == V_ASN1_NEG_INTEGER)
283 return 0; 269 return 0;
284 *out = ASN1_INTEGER_get(value); 270 *out = ASN1_INTEGER_get(value);
285 return 1; 271 return 1;
286 } 272}
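Review bot: policy_cache_set tests `x->policy_cache == NULL` before taking CRYPTO_LOCK_X509 and does not test it again once the lock is held, so two threads working on the same X509 can both pass the check and both call policy_cache_new(). policy_cache_new() allocates a fresh cache with malloc() (visible in the earlier hunk); whether it re-checks the field lies in lines this page does not show, so treat the race as likely rather than proven. Repeating the test under the lock would close it: `if (x->policy_cache == NULL) policy_cache_new(x);` placed between the lock and unlock calls. The return value of policy_cache_new() is also discarded here, so callers have to cope with a NULL result from this function.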
diff --git a/src/lib/libcrypto/x509v3/pcy_data.c b/src/lib/libcrypto/x509v3/pcy_data.c
index 7c80915f5b..bf33bdd5d0 100644
--- a/src/lib/libcrypto/x509v3/pcy_data.c
+++ b/src/lib/libcrypto/x509v3/pcy_data.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -64,16 +64,17 @@
64 64
65/* Policy Node routines */ 65/* Policy Node routines */
66 66
67void policy_data_free(X509_POLICY_DATA *data) 67void
68 { 68policy_data_free(X509_POLICY_DATA *data)
69{
69 ASN1_OBJECT_free(data->valid_policy); 70 ASN1_OBJECT_free(data->valid_policy);
70 /* Don't free qualifiers if shared */ 71 /* Don't free qualifiers if shared */
71 if (!(data->flags & POLICY_DATA_FLAG_SHARED_QUALIFIERS)) 72 if (!(data->flags & POLICY_DATA_FLAG_SHARED_QUALIFIERS))
72 sk_POLICYQUALINFO_pop_free(data->qualifier_set, 73 sk_POLICYQUALINFO_pop_free(data->qualifier_set,
73 POLICYQUALINFO_free); 74 POLICYQUALINFO_free);
74 sk_ASN1_OBJECT_pop_free(data->expected_policy_set, ASN1_OBJECT_free); 75 sk_ASN1_OBJECT_pop_free(data->expected_policy_set, ASN1_OBJECT_free);
75 free(data); 76 free(data);
76 } 77}
77 78
78/* Create a data based on an existing policy. If 'id' is NULL use the 79/* Create a data based on an existing policy. If 'id' is NULL use the
79 * oid in the policy, otherwise use 'id'. This behaviour covers the two 80 * oid in the policy, otherwise use 'id'. This behaviour covers the two
@@ -82,32 +83,30 @@ void policy_data_free(X509_POLICY_DATA *data)
82 * another source. 83 * another source.
83 */ 84 */
84 85
85X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, 86X509_POLICY_DATA *
86 const ASN1_OBJECT *cid, int crit) 87policy_data_new(POLICYINFO *policy, const ASN1_OBJECT *cid, int crit)
87 { 88{
88 X509_POLICY_DATA *ret; 89 X509_POLICY_DATA *ret;
89 ASN1_OBJECT *id; 90 ASN1_OBJECT *id;
91
90 if (!policy && !cid) 92 if (!policy && !cid)
91 return NULL; 93 return NULL;
92 if (cid) 94 if (cid) {
93 {
94 id = OBJ_dup(cid); 95 id = OBJ_dup(cid);
95 if (!id) 96 if (!id)
96 return NULL; 97 return NULL;
97 } 98 } else
98 else
99 id = NULL; 99 id = NULL;
100 ret = malloc(sizeof(X509_POLICY_DATA)); 100 ret = malloc(sizeof(X509_POLICY_DATA));
101 if (!ret) 101 if (!ret)
102 return NULL; 102 return NULL;
103 ret->expected_policy_set = sk_ASN1_OBJECT_new_null(); 103 ret->expected_policy_set = sk_ASN1_OBJECT_new_null();
104 if (!ret->expected_policy_set) 104 if (!ret->expected_policy_set) {
105 {
106 free(ret); 105 free(ret);
107 if (id) 106 if (id)
108 ASN1_OBJECT_free(id); 107 ASN1_OBJECT_free(id);
109 return NULL; 108 return NULL;
110 } 109 }
111 110
112 if (crit) 111 if (crit)
113 ret->flags = POLICY_DATA_FLAG_CRITICAL; 112 ret->flags = POLICY_DATA_FLAG_CRITICAL;
@@ -116,20 +115,16 @@ X509_POLICY_DATA *policy_data_new(POLICYINFO *policy,
116 115
117 if (id) 116 if (id)
118 ret->valid_policy = id; 117 ret->valid_policy = id;
119 else 118 else {
120 {
121 ret->valid_policy = policy->policyid; 119 ret->valid_policy = policy->policyid;
122 policy->policyid = NULL; 120 policy->policyid = NULL;
123 } 121 }
124 122
125 if (policy) 123 if (policy) {
126 {
127 ret->qualifier_set = policy->qualifiers; 124 ret->qualifier_set = policy->qualifiers;
128 policy->qualifiers = NULL; 125 policy->qualifiers = NULL;
129 } 126 } else
130 else
131 ret->qualifier_set = NULL; 127 ret->qualifier_set = NULL;
132 128
133 return ret; 129 return ret;
134 } 130}
135
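Review bot: In policy_data_new the `if (!ret) return NULL;` after `malloc(sizeof(X509_POLICY_DATA))` leaks `id` whenever `cid` was passed, because `OBJ_dup(cid)` has already succeeded at that point. The very next failure path (the `expected_policy_set` check) does release it, so the two exits are inconsistent; the first should read `if (!ret) { if (id) ASN1_OBJECT_free(id); return NULL; }`. The `cid` path is the one policy_cache_set_mapping uses when it builds an entry from a policy mappings extension, so the input that reaches it is certificate-controlled and the out-of-memory exit is worth closing. The function spans two hunks and the lines between them are not shown.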
diff --git a/src/lib/libcrypto/x509v3/pcy_int.h b/src/lib/libcrypto/x509v3/pcy_int.h
index ccff92846e..4798a23853 100644
--- a/src/lib/libcrypto/x509v3/pcy_int.h
+++ b/src/lib/libcrypto/x509v3/pcy_int.h
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -69,19 +69,18 @@ DECLARE_STACK_OF(X509_POLICY_DATA)
69 * can be kept static and cached with the certificate. 69 * can be kept static and cached with the certificate.
70 */ 70 */
71 71
72struct X509_POLICY_DATA_st 72struct X509_POLICY_DATA_st {
73 {
74 unsigned int flags; 73 unsigned int flags;
75 /* Policy OID and qualifiers for this data */ 74 /* Policy OID and qualifiers for this data */
76 ASN1_OBJECT *valid_policy; 75 ASN1_OBJECT *valid_policy;
77 STACK_OF(POLICYQUALINFO) *qualifier_set; 76 STACK_OF(POLICYQUALINFO) *qualifier_set;
78 STACK_OF(ASN1_OBJECT) *expected_policy_set; 77 STACK_OF(ASN1_OBJECT) *expected_policy_set;
79 }; 78};
80 79
81/* X509_POLICY_DATA flags values */ 80/* X509_POLICY_DATA flags values */
82 81
83/* This flag indicates the structure has been mapped using a policy mapping 82/* This flag indicates the structure has been mapped using a policy mapping
84 * extension. If policy mapping is not active its references get deleted. 83 * extension. If policy mapping is not active its references get deleted.
85 */ 84 */
86 85
87#define POLICY_DATA_FLAG_MAPPED 0x1 86#define POLICY_DATA_FLAG_MAPPED 0x1
@@ -125,24 +124,22 @@ struct X509_POLICY_CACHE_st {
125 * value or -1 if absent. 124 * value or -1 if absent.
126 */ 125 */
127 long map_skip; 126 long map_skip;
128 }; 127};
129 128
130/*#define POLICY_CACHE_FLAG_CRITICAL POLICY_DATA_FLAG_CRITICAL*/ 129/*#define POLICY_CACHE_FLAG_CRITICAL POLICY_DATA_FLAG_CRITICAL*/
131 130
132/* This structure represents the relationship between nodes */ 131/* This structure represents the relationship between nodes */
133 132
134struct X509_POLICY_NODE_st 133struct X509_POLICY_NODE_st {
135 {
136 /* node data this refers to */ 134 /* node data this refers to */
137 const X509_POLICY_DATA *data; 135 const X509_POLICY_DATA *data;
138 /* Parent node */ 136 /* Parent node */
139 X509_POLICY_NODE *parent; 137 X509_POLICY_NODE *parent;
140 /* Number of child nodes */ 138 /* Number of child nodes */
141 int nchild; 139 int nchild;
142 }; 140};
143 141
144struct X509_POLICY_LEVEL_st 142struct X509_POLICY_LEVEL_st {
145 {
146 /* Cert for this level */ 143 /* Cert for this level */
147 X509 *cert; 144 X509 *cert;
148 /* nodes at this level */ 145 /* nodes at this level */
@@ -152,10 +149,9 @@ struct X509_POLICY_LEVEL_st
152 /* Extra data */ 149 /* Extra data */
153 /*STACK_OF(X509_POLICY_DATA) *extra_data;*/ 150 /*STACK_OF(X509_POLICY_DATA) *extra_data;*/
154 unsigned int flags; 151 unsigned int flags;
155 }; 152};
156 153
157struct X509_POLICY_TREE_st 154struct X509_POLICY_TREE_st {
158 {
159 /* This is the tree 'level' data */ 155 /* This is the tree 'level' data */
160 X509_POLICY_LEVEL *levels; 156 X509_POLICY_LEVEL *levels;
161 int nlevel; 157 int nlevel;
@@ -167,7 +163,7 @@ struct X509_POLICY_TREE_st
167 STACK_OF(X509_POLICY_NODE) *auth_policies; 163 STACK_OF(X509_POLICY_NODE) *auth_policies;
168 STACK_OF(X509_POLICY_NODE) *user_policies; 164 STACK_OF(X509_POLICY_NODE) *user_policies;
169 unsigned int flags; 165 unsigned int flags;
170 }; 166};
171 167
172/* Set if anyPolicy present in user policies */ 168/* Set if anyPolicy present in user policies */
173#define POLICY_FLAG_ANY_POLICY 0x2 169#define POLICY_FLAG_ANY_POLICY 0x2
@@ -180,11 +176,11 @@ struct X509_POLICY_TREE_st
180/* Internal functions */ 176/* Internal functions */
181 177
182X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, const ASN1_OBJECT *id, 178X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, const ASN1_OBJECT *id,
183 int crit); 179 int crit);
184void policy_data_free(X509_POLICY_DATA *data); 180void policy_data_free(X509_POLICY_DATA *data);
185 181
186X509_POLICY_DATA *policy_cache_find_data(const X509_POLICY_CACHE *cache, 182X509_POLICY_DATA *policy_cache_find_data(const X509_POLICY_CACHE *cache,
187 const ASN1_OBJECT *id); 183 const ASN1_OBJECT *id);
188int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps); 184int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps);
189 185
190 186
@@ -195,18 +191,16 @@ void policy_cache_init(void);
195void policy_cache_free(X509_POLICY_CACHE *cache); 191void policy_cache_free(X509_POLICY_CACHE *cache);
196 192
197X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level, 193X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level,
198 const X509_POLICY_NODE *parent, 194 const X509_POLICY_NODE *parent, const ASN1_OBJECT *id);
199 const ASN1_OBJECT *id);
200 195
201X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk, 196X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk,
202 const ASN1_OBJECT *id); 197 const ASN1_OBJECT *id);
203 198
204X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, 199X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
205 const X509_POLICY_DATA *data, 200 const X509_POLICY_DATA *data, X509_POLICY_NODE *parent,
206 X509_POLICY_NODE *parent, 201 X509_POLICY_TREE *tree);
207 X509_POLICY_TREE *tree);
208void policy_node_free(X509_POLICY_NODE *node); 202void policy_node_free(X509_POLICY_NODE *node);
209int policy_node_match(const X509_POLICY_LEVEL *lvl, 203int policy_node_match(const X509_POLICY_LEVEL *lvl,
210 const X509_POLICY_NODE *node, const ASN1_OBJECT *oid); 204 const X509_POLICY_NODE *node, const ASN1_OBJECT *oid);
211 205
212const X509_POLICY_CACHE *policy_cache_set(X509 *x); 206const X509_POLICY_CACHE *policy_cache_set(X509 *x);
diff --git a/src/lib/libcrypto/x509v3/pcy_lib.c b/src/lib/libcrypto/x509v3/pcy_lib.c
index 93bfd92703..de26a8f7e4 100644
--- a/src/lib/libcrypto/x509v3/pcy_lib.c
+++ b/src/lib/libcrypto/x509v3/pcy_lib.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -67,44 +67,46 @@
67 67
68/* X509_POLICY_TREE stuff */ 68/* X509_POLICY_TREE stuff */
69 69
70int X509_policy_tree_level_count(const X509_POLICY_TREE *tree) 70int
71 { 71X509_policy_tree_level_count(const X509_POLICY_TREE *tree)
72{
72 if (!tree) 73 if (!tree)
73 return 0; 74 return 0;
74 return tree->nlevel; 75 return tree->nlevel;
75 } 76}
76 77
77X509_POLICY_LEVEL * 78X509_POLICY_LEVEL *
78 X509_policy_tree_get0_level(const X509_POLICY_TREE *tree, int i) 79X509_policy_tree_get0_level(const X509_POLICY_TREE *tree, int i)
79 { 80{
80 if (!tree || (i < 0) || (i >= tree->nlevel)) 81 if (!tree || (i < 0) || (i >= tree->nlevel))
81 return NULL; 82 return NULL;
82 return tree->levels + i; 83 return tree->levels + i;
83 } 84}
84 85
85STACK_OF(X509_POLICY_NODE) * 86STACK_OF(X509_POLICY_NODE) *
86 X509_policy_tree_get0_policies(const X509_POLICY_TREE *tree) 87X509_policy_tree_get0_policies(const X509_POLICY_TREE *tree)
87 { 88{
88 if (!tree) 89 if (!tree)
89 return NULL; 90 return NULL;
90 return tree->auth_policies; 91 return tree->auth_policies;
91 } 92}
92 93
93STACK_OF(X509_POLICY_NODE) * 94STACK_OF(X509_POLICY_NODE) *
94 X509_policy_tree_get0_user_policies(const X509_POLICY_TREE *tree) 95X509_policy_tree_get0_user_policies(const X509_POLICY_TREE *tree)
95 { 96{
96 if (!tree) 97 if (!tree)
97 return NULL; 98 return NULL;
98 if (tree->flags & POLICY_FLAG_ANY_POLICY) 99 if (tree->flags & POLICY_FLAG_ANY_POLICY)
99 return tree->auth_policies; 100 return tree->auth_policies;
100 else 101 else
101 return tree->user_policies; 102 return tree->user_policies;
102 } 103}
103 104
104/* X509_POLICY_LEVEL stuff */ 105/* X509_POLICY_LEVEL stuff */
105 106
106int X509_policy_level_node_count(X509_POLICY_LEVEL *level) 107int
107 { 108X509_policy_level_node_count(X509_POLICY_LEVEL *level)
109{
108 int n; 110 int n;
109 if (!level) 111 if (!level)
110 return 0; 112 return 0;
@@ -115,53 +117,53 @@ int X509_policy_level_node_count(X509_POLICY_LEVEL *level)
115 if (level->nodes) 117 if (level->nodes)
116 n += sk_X509_POLICY_NODE_num(level->nodes); 118 n += sk_X509_POLICY_NODE_num(level->nodes);
117 return n; 119 return n;
118 } 120}
119 121
120X509_POLICY_NODE *X509_policy_level_get0_node(X509_POLICY_LEVEL *level, int i) 122X509_POLICY_NODE *
121 { 123X509_policy_level_get0_node(X509_POLICY_LEVEL *level, int i)
124{
122 if (!level) 125 if (!level)
123 return NULL; 126 return NULL;
124 if (level->anyPolicy) 127 if (level->anyPolicy) {
125 {
126 if (i == 0) 128 if (i == 0)
127 return level->anyPolicy; 129 return level->anyPolicy;
128 i--; 130 i--;
129 }
130 return sk_X509_POLICY_NODE_value(level->nodes, i);
131 } 131 }
132 return sk_X509_POLICY_NODE_value(level->nodes, i);
133}
132 134
133/* X509_POLICY_NODE stuff */ 135/* X509_POLICY_NODE stuff */
134 136
135const ASN1_OBJECT *X509_policy_node_get0_policy(const X509_POLICY_NODE *node) 137const ASN1_OBJECT *
136 { 138X509_policy_node_get0_policy(const X509_POLICY_NODE *node)
139{
137 if (!node) 140 if (!node)
138 return NULL; 141 return NULL;
139 return node->data->valid_policy; 142 return node->data->valid_policy;
140 } 143}
141 144
142#if 0 145#if 0
143int X509_policy_node_get_critical(const X509_POLICY_NODE *node) 146int
144 { 147X509_policy_node_get_critical(const X509_POLICY_NODE *node)
148{
145 if (node_critical(node)) 149 if (node_critical(node))
146 return 1; 150 return 1;
147 return 0; 151 return 0;
148 } 152}
149#endif 153#endif
150 154
151STACK_OF(POLICYQUALINFO) * 155STACK_OF(POLICYQUALINFO) *
152 X509_policy_node_get0_qualifiers(const X509_POLICY_NODE *node) 156X509_policy_node_get0_qualifiers(const X509_POLICY_NODE *node)
153 { 157{
154 if (!node) 158 if (!node)
155 return NULL; 159 return NULL;
156 return node->data->qualifier_set; 160 return node->data->qualifier_set;
157 } 161}
158 162
159const X509_POLICY_NODE * 163const X509_POLICY_NODE *
160 X509_policy_node_get0_parent(const X509_POLICY_NODE *node) 164X509_policy_node_get0_parent(const X509_POLICY_NODE *node)
161 { 165{
162 if (!node) 166 if (!node)
163 return NULL; 167 return NULL;
164 return node->parent; 168 return node->parent;
165 } 169}
166
167
diff --git a/src/lib/libcrypto/x509v3/pcy_map.c b/src/lib/libcrypto/x509v3/pcy_map.c
index 21163b529d..295988a411 100644
--- a/src/lib/libcrypto/x509v3/pcy_map.c
+++ b/src/lib/libcrypto/x509v3/pcy_map.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -66,28 +66,27 @@
66 * Note: this modifies the passed POLICY_MAPPINGS structure 66 * Note: this modifies the passed POLICY_MAPPINGS structure
67 */ 67 */
68 68
69int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps) 69int
70 { 70policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
71{
71 POLICY_MAPPING *map; 72 POLICY_MAPPING *map;
72 X509_POLICY_DATA *data; 73 X509_POLICY_DATA *data;
73 X509_POLICY_CACHE *cache = x->policy_cache; 74 X509_POLICY_CACHE *cache = x->policy_cache;
74 int i; 75 int i;
75 int ret = 0; 76 int ret = 0;
76 if (sk_POLICY_MAPPING_num(maps) == 0) 77
77 { 78 if (sk_POLICY_MAPPING_num(maps) == 0) {
78 ret = -1; 79 ret = -1;
79 goto bad_mapping; 80 goto bad_mapping;
80 } 81 }
81 for (i = 0; i < sk_POLICY_MAPPING_num(maps); i++) 82 for (i = 0; i < sk_POLICY_MAPPING_num(maps); i++) {
82 {
83 map = sk_POLICY_MAPPING_value(maps, i); 83 map = sk_POLICY_MAPPING_value(maps, i);
84 /* Reject if map to or from anyPolicy */ 84 /* Reject if map to or from anyPolicy */
85 if ((OBJ_obj2nid(map->subjectDomainPolicy) == NID_any_policy) 85 if ((OBJ_obj2nid(map->subjectDomainPolicy) == NID_any_policy) ||
86 || (OBJ_obj2nid(map->issuerDomainPolicy) == NID_any_policy)) 86 (OBJ_obj2nid(map->issuerDomainPolicy) == NID_any_policy)) {
87 {
88 ret = -1; 87 ret = -1;
89 goto bad_mapping; 88 goto bad_mapping;
90 } 89 }
91 90
92 /* Attempt to find matching policy data */ 91 /* Attempt to find matching policy data */
93 data = policy_cache_find_data(cache, map->issuerDomainPolicy); 92 data = policy_cache_find_data(cache, map->issuerDomainPolicy);
@@ -96,37 +95,33 @@ int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
96 continue; 95 continue;
97 96
98 /* Create a NODE from anyPolicy */ 97 /* Create a NODE from anyPolicy */
99 if (!data) 98 if (!data) {
100 {
101 data = policy_data_new(NULL, map->issuerDomainPolicy, 99 data = policy_data_new(NULL, map->issuerDomainPolicy,
102 cache->anyPolicy->flags 100 cache->anyPolicy->flags &
103 & POLICY_DATA_FLAG_CRITICAL); 101 POLICY_DATA_FLAG_CRITICAL);
104 if (!data) 102 if (!data)
105 goto bad_mapping; 103 goto bad_mapping;
106 data->qualifier_set = cache->anyPolicy->qualifier_set; 104 data->qualifier_set = cache->anyPolicy->qualifier_set;
107 /*map->issuerDomainPolicy = NULL;*/ 105 /*map->issuerDomainPolicy = NULL;*/
108 data->flags |= POLICY_DATA_FLAG_MAPPED_ANY; 106 data->flags |= POLICY_DATA_FLAG_MAPPED_ANY;
109 data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS; 107 data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
110 if (!sk_X509_POLICY_DATA_push(cache->data, data)) 108 if (!sk_X509_POLICY_DATA_push(cache->data, data)) {
111 {
112 policy_data_free(data); 109 policy_data_free(data);
113 goto bad_mapping; 110 goto bad_mapping;
114 }
115 } 111 }
116 else 112 } else
117 data->flags |= POLICY_DATA_FLAG_MAPPED; 113 data->flags |= POLICY_DATA_FLAG_MAPPED;
118 if (!sk_ASN1_OBJECT_push(data->expected_policy_set, 114 if (!sk_ASN1_OBJECT_push(data->expected_policy_set,
119 map->subjectDomainPolicy)) 115 map->subjectDomainPolicy))
120 goto bad_mapping; 116 goto bad_mapping;
121 map->subjectDomainPolicy = NULL; 117 map->subjectDomainPolicy = NULL;
122 118 }
123 }
124 119
125 ret = 1; 120 ret = 1;
126 bad_mapping: 121
122bad_mapping:
127 if (ret == -1) 123 if (ret == -1)
128 x->ex_flags |= EXFLAG_INVALID_POLICY; 124 x->ex_flags |= EXFLAG_INVALID_POLICY;
129 sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free); 125 sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free);
130 return ret; 126 return ret;
131 127}
132 }
diff --git a/src/lib/libcrypto/x509v3/pcy_node.c b/src/lib/libcrypto/x509v3/pcy_node.c
index 8c2124a7f6..1742ab0d05 100644
--- a/src/lib/libcrypto/x509v3/pcy_node.c
+++ b/src/lib/libcrypto/x509v3/pcy_node.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -62,20 +62,20 @@
62 62
63#include "pcy_int.h" 63#include "pcy_int.h"
64 64
65static int node_cmp(const X509_POLICY_NODE * const *a, 65static int
66 const X509_POLICY_NODE * const *b) 66node_cmp(const X509_POLICY_NODE * const *a, const X509_POLICY_NODE * const *b)
67 { 67{
68 return OBJ_cmp((*a)->data->valid_policy, (*b)->data->valid_policy); 68 return OBJ_cmp((*a)->data->valid_policy, (*b)->data->valid_policy);
69 } 69}
70 70
71STACK_OF(X509_POLICY_NODE) *policy_node_cmp_new(void) 71STACK_OF(X509_POLICY_NODE) *policy_node_cmp_new(void)
72 { 72{
73 return sk_X509_POLICY_NODE_new(node_cmp); 73 return sk_X509_POLICY_NODE_new(node_cmp);
74 } 74}
75 75
76X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *nodes, 76X509_POLICY_NODE *
77 const ASN1_OBJECT *id) 77tree_find_sk(STACK_OF(X509_POLICY_NODE) *nodes, const ASN1_OBJECT *id)
78 { 78{
79 X509_POLICY_DATA n; 79 X509_POLICY_DATA n;
80 X509_POLICY_NODE l; 80 X509_POLICY_NODE l;
81 int idx; 81 int idx;
@@ -88,49 +88,43 @@ X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *nodes,
88 return NULL; 88 return NULL;
89 89
90 return sk_X509_POLICY_NODE_value(nodes, idx); 90 return sk_X509_POLICY_NODE_value(nodes, idx);
91}
91 92
92 } 93X509_POLICY_NODE *
93 94level_find_node(const X509_POLICY_LEVEL *level, const X509_POLICY_NODE *parent,
94X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level, 95 const ASN1_OBJECT *id)
95 const X509_POLICY_NODE *parent, 96{
96 const ASN1_OBJECT *id)
97 {
98 X509_POLICY_NODE *node; 97 X509_POLICY_NODE *node;
99 int i; 98 int i;
100 for (i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++) 99
101 { 100 for (i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++) {
102 node = sk_X509_POLICY_NODE_value(level->nodes, i); 101 node = sk_X509_POLICY_NODE_value(level->nodes, i);
103 if (node->parent == parent) 102 if (node->parent == parent) {
104 {
105 if (!OBJ_cmp(node->data->valid_policy, id)) 103 if (!OBJ_cmp(node->data->valid_policy, id))
106 return node; 104 return node;
107 }
108 } 105 }
109 return NULL;
110 } 106 }
107 return NULL;
108}
111 109
112X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, 110X509_POLICY_NODE *
113 const X509_POLICY_DATA *data, 111level_add_node(X509_POLICY_LEVEL *level, const X509_POLICY_DATA *data,
114 X509_POLICY_NODE *parent, 112 X509_POLICY_NODE *parent, X509_POLICY_TREE *tree)
115 X509_POLICY_TREE *tree) 113{
116 {
117 X509_POLICY_NODE *node; 114 X509_POLICY_NODE *node;
115
118 node = malloc(sizeof(X509_POLICY_NODE)); 116 node = malloc(sizeof(X509_POLICY_NODE));
119 if (!node) 117 if (!node)
120 return NULL; 118 return NULL;
121 node->data = data; 119 node->data = data;
122 node->parent = parent; 120 node->parent = parent;
123 node->nchild = 0; 121 node->nchild = 0;
124 if (level) 122 if (level) {
125 { 123 if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
126 if (OBJ_obj2nid(data->valid_policy) == NID_any_policy)
127 {
128 if (level->anyPolicy) 124 if (level->anyPolicy)
129 goto node_error; 125 goto node_error;
130 level->anyPolicy = node; 126 level->anyPolicy = node;
131 } 127 } else {
132 else
133 {
134 128
135 if (!level->nodes) 129 if (!level->nodes)
136 level->nodes = policy_node_cmp_new(); 130 level->nodes = policy_node_cmp_new();
@@ -138,60 +132,57 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
138 goto node_error; 132 goto node_error;
139 if (!sk_X509_POLICY_NODE_push(level->nodes, node)) 133 if (!sk_X509_POLICY_NODE_push(level->nodes, node))
140 goto node_error; 134 goto node_error;
141 }
142 } 135 }
136 }
143 137
144 if (tree) 138 if (tree) {
145 {
146 if (!tree->extra_data) 139 if (!tree->extra_data)
147 tree->extra_data = sk_X509_POLICY_DATA_new_null(); 140 tree->extra_data = sk_X509_POLICY_DATA_new_null();
148 if (!tree->extra_data) 141 if (!tree->extra_data)
149 goto node_error; 142 goto node_error;
150 if (!sk_X509_POLICY_DATA_push(tree->extra_data, data)) 143 if (!sk_X509_POLICY_DATA_push(tree->extra_data, data))
151 goto node_error; 144 goto node_error;
152 } 145 }
153 146
154 if (parent) 147 if (parent)
155 parent->nchild++; 148 parent->nchild++;
156 149
157 return node; 150 return node;
158 151
159 node_error: 152node_error:
160 policy_node_free(node); 153 policy_node_free(node);
161 return 0; 154 return 0;
155}
162 156
163 } 157void
164 158policy_node_free(X509_POLICY_NODE *node)
165void policy_node_free(X509_POLICY_NODE *node) 159{
166 {
167 free(node); 160 free(node);
168 } 161}
169 162
170/* See if a policy node matches a policy OID. If mapping enabled look through 163/* See if a policy node matches a policy OID. If mapping enabled look through
171 * expected policy set otherwise just valid policy. 164 * expected policy set otherwise just valid policy.
172 */ 165 */
173 166
174int policy_node_match(const X509_POLICY_LEVEL *lvl, 167int
175 const X509_POLICY_NODE *node, const ASN1_OBJECT *oid) 168policy_node_match(const X509_POLICY_LEVEL *lvl, const X509_POLICY_NODE *node,
176 { 169 const ASN1_OBJECT *oid)
170{
177 int i; 171 int i;
178 ASN1_OBJECT *policy_oid; 172 ASN1_OBJECT *policy_oid;
179 const X509_POLICY_DATA *x = node->data; 173 const X509_POLICY_DATA *x = node->data;
180 174
181 if ( (lvl->flags & X509_V_FLAG_INHIBIT_MAP) 175 if ((lvl->flags & X509_V_FLAG_INHIBIT_MAP) ||
182 || !(x->flags & POLICY_DATA_FLAG_MAP_MASK)) 176 !(x->flags & POLICY_DATA_FLAG_MAP_MASK)) {
183 {
184 if (!OBJ_cmp(x->valid_policy, oid)) 177 if (!OBJ_cmp(x->valid_policy, oid))
185 return 1; 178 return 1;
186 return 0; 179 return 0;
187 } 180 }
188 181
189 for (i = 0; i < sk_ASN1_OBJECT_num(x->expected_policy_set); i++) 182 for (i = 0; i < sk_ASN1_OBJECT_num(x->expected_policy_set); i++) {
190 {
191 policy_oid = sk_ASN1_OBJECT_value(x->expected_policy_set, i); 183 policy_oid = sk_ASN1_OBJECT_value(x->expected_policy_set, i);
192 if (!OBJ_cmp(policy_oid, oid)) 184 if (!OBJ_cmp(policy_oid, oid))
193 return 1; 185 return 1;
194 }
195 return 0;
196
197 } 186 }
187 return 0;
188}
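Review bot: In `level_add_node`, the `node_error` exit frees `node` even after it has been stored in `level->anyPolicy` or pushed onto `level->nodes`, so a failed `tree->extra_data` allocation or push leaves the level holding a freed pointer. The reformat carries this over unchanged; any later walk or free over that level would then touch or double-free the node (inferred, since the callers' cleanup is not part of this section). The `tree` branch should jump to a separate label that unlinks the node from the level before freeing it, as sketched below. The same exit returns `0` from a pointer-returning function where `NULL` is clearer, and `policy_node_cmp_new` still has its return type on the signature line, unlike the rest of this KNF pass. One line of the function body falls between two hunks and is not shown.

```c
	/* … unchanged: node allocation and the if (level) registration … */
		if (!tree->extra_data)
			goto extra_data_error;
		if (!sk_X509_POLICY_DATA_push(tree->extra_data, data))
			goto extra_data_error;
	/* … unchanged: parent->nchild++ and return node … */

extra_data_error:
	/* node is already linked into level: unlink it before it is freed */
	if (level) {
		if (level->anyPolicy == node)
			level->anyPolicy = NULL;
		else
			(void)sk_X509_POLICY_NODE_pop(level->nodes);
	}
node_error:
	policy_node_free(node);
	return NULL;
```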
diff --git a/src/lib/libcrypto/x509v3/pcy_tree.c b/src/lib/libcrypto/x509v3/pcy_tree.c
index c4239b1fd9..ebc4809371 100644
--- a/src/lib/libcrypto/x509v3/pcy_tree.c
+++ b/src/lib/libcrypto/x509v3/pcy_tree.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -70,36 +70,36 @@
70 70
71#ifdef OPENSSL_POLICY_DEBUG 71#ifdef OPENSSL_POLICY_DEBUG
72 72
73static void expected_print(BIO *err, X509_POLICY_LEVEL *lev, 73static void
74 X509_POLICY_NODE *node, int indent) 74expected_print(BIO *err, X509_POLICY_LEVEL *lev, X509_POLICY_NODE *node,
75 { 75 int indent)
76 if ( (lev->flags & X509_V_FLAG_INHIBIT_MAP) 76{
77 || !(node->data->flags & POLICY_DATA_FLAG_MAP_MASK)) 77 if ((lev->flags & X509_V_FLAG_INHIBIT_MAP) ||
78 !(node->data->flags & POLICY_DATA_FLAG_MAP_MASK))
78 BIO_puts(err, " Not Mapped\n"); 79 BIO_puts(err, " Not Mapped\n");
79 else 80 else {
80 {
81 int i; 81 int i;
82 STACK_OF(ASN1_OBJECT) *pset = node->data->expected_policy_set; 82 STACK_OF(ASN1_OBJECT) *pset = node->data->expected_policy_set;
83 ASN1_OBJECT *oid; 83 ASN1_OBJECT *oid;
84 BIO_puts(err, " Expected: "); 84 BIO_puts(err, " Expected: ");
85 for (i = 0; i < sk_ASN1_OBJECT_num(pset); i++) 85 for (i = 0; i < sk_ASN1_OBJECT_num(pset); i++) {
86 {
87 oid = sk_ASN1_OBJECT_value(pset, i); 86 oid = sk_ASN1_OBJECT_value(pset, i);
88 if (i) 87 if (i)
89 BIO_puts(err, ", "); 88 BIO_puts(err, ", ");
90 i2a_ASN1_OBJECT(err, oid); 89 i2a_ASN1_OBJECT(err, oid);
91 }
92 BIO_puts(err, "\n");
93 } 90 }
91 BIO_puts(err, "\n");
94 } 92 }
93}
95 94
96static void tree_print(char *str, X509_POLICY_TREE *tree, 95static void
97 X509_POLICY_LEVEL *curr) 96tree_print(char *str, X509_POLICY_TREE *tree, X509_POLICY_LEVEL *curr)
98 { 97{
99 X509_POLICY_LEVEL *plev; 98 X509_POLICY_LEVEL *plev;
100 X509_POLICY_NODE *node; 99 X509_POLICY_NODE *node;
101 int i; 100 int i;
102 BIO *err; 101 BIO *err;
102
103 err = BIO_new_fp(stderr, BIO_NOCLOSE); 103 err = BIO_new_fp(stderr, BIO_NOCLOSE);
104 if (!curr) 104 if (!curr)
105 curr = tree->levels + tree->nlevel; 105 curr = tree->levels + tree->nlevel;
@@ -107,24 +107,21 @@ static void tree_print(char *str, X509_POLICY_TREE *tree,
107 curr++; 107 curr++;
108 BIO_printf(err, "Level print after %s\n", str); 108 BIO_printf(err, "Level print after %s\n", str);
109 BIO_printf(err, "Printing Up to Level %ld\n", curr - tree->levels); 109 BIO_printf(err, "Printing Up to Level %ld\n", curr - tree->levels);
110 for (plev = tree->levels; plev != curr; plev++) 110 for (plev = tree->levels; plev != curr; plev++) {
111 {
112 BIO_printf(err, "Level %ld, flags = %x\n", 111 BIO_printf(err, "Level %ld, flags = %x\n",
113 plev - tree->levels, plev->flags); 112 plev - tree->levels, plev->flags);
114 for (i = 0; i < sk_X509_POLICY_NODE_num(plev->nodes); i++) 113 for (i = 0; i < sk_X509_POLICY_NODE_num(plev->nodes); i++) {
115 {
116 node = sk_X509_POLICY_NODE_value(plev->nodes, i); 114 node = sk_X509_POLICY_NODE_value(plev->nodes, i);
117 X509_POLICY_NODE_print(err, node, 2); 115 X509_POLICY_NODE_print(err, node, 2);
118 expected_print(err, plev, node, 2); 116 expected_print(err, plev, node, 2);
119 BIO_printf(err, " Flags: %x\n", node->data->flags); 117 BIO_printf(err, " Flags: %x\n", node->data->flags);
120 } 118 }
121 if (plev->anyPolicy) 119 if (plev->anyPolicy)
122 X509_POLICY_NODE_print(err, plev->anyPolicy, 2); 120 X509_POLICY_NODE_print(err, plev->anyPolicy, 2);
123 } 121 }
124 122
125 BIO_free(err); 123 BIO_free(err);
126 124}
127 }
128#else 125#else
129 126
130#define tree_print(a,b,c) /* */ 127#define tree_print(a,b,c) /* */
@@ -140,9 +137,9 @@ static void tree_print(char *str, X509_POLICY_TREE *tree,
140 * 6 Tree empty and requireExplicitPolicy true. 137 * 6 Tree empty and requireExplicitPolicy true.
141 */ 138 */
142 139
143static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, 140static int
144 unsigned int flags) 141tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, unsigned int flags)
145 { 142{
146 X509_POLICY_TREE *tree; 143 X509_POLICY_TREE *tree;
147 X509_POLICY_LEVEL *level; 144 X509_POLICY_LEVEL *level;
148 const X509_POLICY_CACHE *cache; 145 const X509_POLICY_CACHE *cache;
@@ -153,6 +150,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
153 int explicit_policy; 150 int explicit_policy;
154 int any_skip; 151 int any_skip;
155 int map_skip; 152 int map_skip;
153
156 *ptree = NULL; 154 *ptree = NULL;
157 n = sk_X509_num(certs); 155 n = sk_X509_num(certs);
158 156
@@ -183,8 +181,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
183 * trust anchor. Note any bad cache results on the way. Also can 181 * trust anchor. Note any bad cache results on the way. Also can
184 * calculate explicit_policy value at this point. 182 * calculate explicit_policy value at this point.
185 */ 183 */
186 for (i = n - 2; i >= 0; i--) 184 for (i = n - 2; i >= 0; i--) {
187 {
188 x = sk_X509_value(certs, i); 185 x = sk_X509_value(certs, i);
189 X509_check_purpose(x, -1, -1); 186 X509_check_purpose(x, -1, -1);
190 cache = policy_cache_set(x); 187 cache = policy_cache_set(x);
@@ -199,22 +196,20 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
199 */ 196 */
200 else if ((ret == 1) && !cache->data) 197 else if ((ret == 1) && !cache->data)
201 ret = 2; 198 ret = 2;
202 if (explicit_policy > 0) 199 if (explicit_policy > 0) {
203 {
204 if (!(x->ex_flags & EXFLAG_SI)) 200 if (!(x->ex_flags & EXFLAG_SI))
205 explicit_policy--; 201 explicit_policy--;
206 if ((cache->explicit_skip != -1) 202 if ((cache->explicit_skip != -1) &&
207 && (cache->explicit_skip < explicit_policy)) 203 (cache->explicit_skip < explicit_policy))
208 explicit_policy = cache->explicit_skip; 204 explicit_policy = cache->explicit_skip;
209 }
210 } 205 }
206 }
211 207
212 if (ret != 1) 208 if (ret != 1) {
213 {
214 if (ret == 2 && !explicit_policy) 209 if (ret == 2 && !explicit_policy)
215 return 6; 210 return 6;
216 return ret; 211 return ret;
217 } 212 }
218 213
219 214
220 /* If we get this far initialize the tree */ 215 /* If we get this far initialize the tree */
@@ -231,11 +226,10 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
231 tree->auth_policies = NULL; 226 tree->auth_policies = NULL;
232 tree->user_policies = NULL; 227 tree->user_policies = NULL;
233 228
234 if (!tree->levels) 229 if (!tree->levels) {
235 {
236 free(tree); 230 free(tree);
237 return 0; 231 return 0;
238 } 232 }
239 233
240 memset(tree->levels, 0, n * sizeof(X509_POLICY_LEVEL)); 234 memset(tree->levels, 0, n * sizeof(X509_POLICY_LEVEL));
241 235
@@ -250,8 +244,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
250 if (!data || !level_add_node(level, data, NULL, tree)) 244 if (!data || !level_add_node(level, data, NULL, tree))
251 goto bad_tree; 245 goto bad_tree;
252 246
253 for (i = n - 2; i >= 0; i--) 247 for (i = n - 2; i >= 0; i--) {
254 {
255 level++; 248 level++;
256 x = sk_X509_value(certs, i); 249 x = sk_X509_value(certs, i);
257 cache = policy_cache_set(x); 250 cache = policy_cache_set(x);
@@ -259,39 +252,35 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
259 level->cert = x; 252 level->cert = x;
260 253
261 if (!cache->anyPolicy) 254 if (!cache->anyPolicy)
262 level->flags |= X509_V_FLAG_INHIBIT_ANY; 255 level->flags |= X509_V_FLAG_INHIBIT_ANY;
263 256
264 /* Determine inhibit any and inhibit map flags */ 257 /* Determine inhibit any and inhibit map flags */
265 if (any_skip == 0) 258 if (any_skip == 0) {
266 {
267 /* Any matching allowed if certificate is self 259 /* Any matching allowed if certificate is self
268 * issued and not the last in the chain. 260 * issued and not the last in the chain.
269 */ 261 */
270 if (!(x->ex_flags & EXFLAG_SI) || (i == 0)) 262 if (!(x->ex_flags & EXFLAG_SI) || (i == 0))
271 level->flags |= X509_V_FLAG_INHIBIT_ANY; 263 level->flags |= X509_V_FLAG_INHIBIT_ANY;
272 } 264 } else {
273 else
274 {
275 if (!(x->ex_flags & EXFLAG_SI)) 265 if (!(x->ex_flags & EXFLAG_SI))
276 any_skip--; 266 any_skip--;
277 if ((cache->any_skip >= 0) 267 if ((cache->any_skip >= 0) &&
278 && (cache->any_skip < any_skip)) 268 (cache->any_skip < any_skip))
279 any_skip = cache->any_skip; 269 any_skip = cache->any_skip;
280 } 270 }
281 271
282 if (map_skip == 0) 272 if (map_skip == 0)
283 level->flags |= X509_V_FLAG_INHIBIT_MAP; 273 level->flags |= X509_V_FLAG_INHIBIT_MAP;
284 else 274 else {
285 {
286 if (!(x->ex_flags & EXFLAG_SI)) 275 if (!(x->ex_flags & EXFLAG_SI))
287 map_skip--; 276 map_skip--;
288 if ((cache->map_skip >= 0) 277 if ((cache->map_skip >= 0) &&
289 && (cache->map_skip < map_skip)) 278 (cache->map_skip < map_skip))
290 map_skip = cache->map_skip; 279 map_skip = cache->map_skip;
291 }
292
293 } 280 }
294 281
282 }
283
295 *ptree = tree; 284 *ptree = tree;
296 285
297 if (explicit_policy) 286 if (explicit_policy)
@@ -299,55 +288,50 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
299 else 288 else
300 return 5; 289 return 5;
301 290
302 bad_tree: 291bad_tree:
303
304 X509_policy_tree_free(tree); 292 X509_policy_tree_free(tree);
305 293
306 return 0; 294 return 0;
295}
307 296
308 } 297static int
309 298tree_link_matching_nodes(X509_POLICY_LEVEL *curr, const X509_POLICY_DATA *data)
310static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, 299{
311 const X509_POLICY_DATA *data)
312 {
313 X509_POLICY_LEVEL *last = curr - 1; 300 X509_POLICY_LEVEL *last = curr - 1;
314 X509_POLICY_NODE *node; 301 X509_POLICY_NODE *node;
315 int i, matched = 0; 302 int i, matched = 0;
303
316 /* Iterate through all in nodes linking matches */ 304 /* Iterate through all in nodes linking matches */
317 for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++) 305 for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++) {
318 {
319 node = sk_X509_POLICY_NODE_value(last->nodes, i); 306 node = sk_X509_POLICY_NODE_value(last->nodes, i);
320 if (policy_node_match(last, node, data->valid_policy)) 307 if (policy_node_match(last, node, data->valid_policy)) {
321 {
322 if (!level_add_node(curr, data, node, NULL)) 308 if (!level_add_node(curr, data, node, NULL))
323 return 0; 309 return 0;
324 matched = 1; 310 matched = 1;
325 }
326 } 311 }
327 if (!matched && last->anyPolicy) 312 }
328 { 313 if (!matched && last->anyPolicy) {
329 if (!level_add_node(curr, data, last->anyPolicy, NULL)) 314 if (!level_add_node(curr, data, last->anyPolicy, NULL))
330 return 0; 315 return 0;
331 }
332 return 1;
333 } 316 }
317 return 1;
318}
334 319
335/* This corresponds to RFC3280 6.1.3(d)(1): 320/* This corresponds to RFC3280 6.1.3(d)(1):
336 * link any data from CertificatePolicies onto matching parent 321 * link any data from CertificatePolicies onto matching parent
337 * or anyPolicy if no match. 322 * or anyPolicy if no match.
338 */ 323 */
339 324
340static int tree_link_nodes(X509_POLICY_LEVEL *curr, 325static int
341 const X509_POLICY_CACHE *cache) 326tree_link_nodes(X509_POLICY_LEVEL *curr, const X509_POLICY_CACHE *cache)
342 { 327{
343 int i; 328 int i;
344 X509_POLICY_DATA *data; 329 X509_POLICY_DATA *data;
345 330
346 for (i = 0; i < sk_X509_POLICY_DATA_num(cache->data); i++) 331 for (i = 0; i < sk_X509_POLICY_DATA_num(cache->data); i++) {
347 {
348 data = sk_X509_POLICY_DATA_value(cache->data, i); 332 data = sk_X509_POLICY_DATA_value(cache->data, i);
349 /* If a node is mapped any it doesn't have a corresponding 333 /* If a node is mapped any it doesn't have a corresponding
350 * CertificatePolicies entry. 334 * CertificatePolicies entry.
351 * However such an identical node would be created 335 * However such an identical node would be created
352 * if anyPolicy matching is enabled because there would be 336 * if anyPolicy matching is enabled because there would be
353 * no match with the parent valid_policy_set. So we create 337 * no match with the parent valid_policy_set. So we create
@@ -355,29 +339,28 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr,
355 * right and we can prune it later. 339 * right and we can prune it later.
356 */ 340 */
357#if 0 341#if 0
358 if ((data->flags & POLICY_DATA_FLAG_MAPPED_ANY) 342 if ((data->flags & POLICY_DATA_FLAG_MAPPED_ANY) &&
359 && !(curr->flags & X509_V_FLAG_INHIBIT_ANY)) 343 !(curr->flags & X509_V_FLAG_INHIBIT_ANY))
360 continue; 344 continue;
361#endif 345#endif
362 /* Look for matching nodes in previous level */ 346 /* Look for matching nodes in previous level */
363 if (!tree_link_matching_nodes(curr, data)) 347 if (!tree_link_matching_nodes(curr, data))
364 return 0; 348 return 0;
365 }
366 return 1;
367 } 349 }
350 return 1;
351}
368 352
369/* This corresponds to RFC3280 6.1.3(d)(2): 353/* This corresponds to RFC3280 6.1.3(d)(2):
370 * Create new data for any unmatched policies in the parent and link 354 * Create new data for any unmatched policies in the parent and link
371 * to anyPolicy. 355 * to anyPolicy.
372 */ 356 */
373 357
374static int tree_add_unmatched(X509_POLICY_LEVEL *curr, 358static int
375 const X509_POLICY_CACHE *cache, 359tree_add_unmatched(X509_POLICY_LEVEL *curr, const X509_POLICY_CACHE *cache,
376 const ASN1_OBJECT *id, 360 const ASN1_OBJECT *id, X509_POLICY_NODE *node, X509_POLICY_TREE *tree)
377 X509_POLICY_NODE *node, 361{
378 X509_POLICY_TREE *tree)
379 {
380 X509_POLICY_DATA *data; 362 X509_POLICY_DATA *data;
363
381 if (id == NULL) 364 if (id == NULL)
382 id = node->data->valid_policy; 365 id = node->data->valid_policy;
383 /* Create a new node with qualifiers from anyPolicy and 366 /* Create a new node with qualifiers from anyPolicy and
@@ -390,66 +373,57 @@ static int tree_add_unmatched(X509_POLICY_LEVEL *curr,
390 /* Curr may not have anyPolicy */ 373 /* Curr may not have anyPolicy */
391 data->qualifier_set = cache->anyPolicy->qualifier_set; 374 data->qualifier_set = cache->anyPolicy->qualifier_set;
392 data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS; 375 data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
393 if (!level_add_node(curr, data, node, tree)) 376 if (!level_add_node(curr, data, node, tree)) {
394 {
395 policy_data_free(data); 377 policy_data_free(data);
396 return 0; 378 return 0;
397 } 379 }
398 380
399 return 1; 381 return 1;
400 } 382}
401 383
402static int tree_link_unmatched(X509_POLICY_LEVEL *curr, 384static int
403 const X509_POLICY_CACHE *cache, 385tree_link_unmatched(X509_POLICY_LEVEL *curr, const X509_POLICY_CACHE *cache,
404 X509_POLICY_NODE *node, 386 X509_POLICY_NODE *node, X509_POLICY_TREE *tree)
405 X509_POLICY_TREE *tree) 387{
406 {
407 const X509_POLICY_LEVEL *last = curr - 1; 388 const X509_POLICY_LEVEL *last = curr - 1;
408 int i; 389 int i;
409 390
410 if ( (last->flags & X509_V_FLAG_INHIBIT_MAP) 391 if ((last->flags & X509_V_FLAG_INHIBIT_MAP) ||
411 || !(node->data->flags & POLICY_DATA_FLAG_MAPPED)) 392 !(node->data->flags & POLICY_DATA_FLAG_MAPPED)) {
412 {
413 /* If no policy mapping: matched if one child present */ 393 /* If no policy mapping: matched if one child present */
414 if (node->nchild) 394 if (node->nchild)
415 return 1; 395 return 1;
416 if (!tree_add_unmatched(curr, cache, NULL, node, tree)) 396 if (!tree_add_unmatched(curr, cache, NULL, node, tree))
417 return 0; 397 return 0;
418 /* Add it */ 398 /* Add it */
419 } 399 } else {
420 else
421 {
422 /* If mapping: matched if one child per expected policy set */ 400 /* If mapping: matched if one child per expected policy set */
423 STACK_OF(ASN1_OBJECT) *expset = node->data->expected_policy_set; 401 STACK_OF(ASN1_OBJECT) *expset = node->data->expected_policy_set;
424 if (node->nchild == sk_ASN1_OBJECT_num(expset)) 402 if (node->nchild == sk_ASN1_OBJECT_num(expset))
425 return 1; 403 return 1;
426 /* Locate unmatched nodes */ 404 /* Locate unmatched nodes */
427 for (i = 0; i < sk_ASN1_OBJECT_num(expset); i++) 405 for (i = 0; i < sk_ASN1_OBJECT_num(expset); i++) {
428 {
429 ASN1_OBJECT *oid = sk_ASN1_OBJECT_value(expset, i); 406 ASN1_OBJECT *oid = sk_ASN1_OBJECT_value(expset, i);
430 if (level_find_node(curr, node, oid)) 407 if (level_find_node(curr, node, oid))
431 continue; 408 continue;
432 if (!tree_add_unmatched(curr, cache, oid, node, tree)) 409 if (!tree_add_unmatched(curr, cache, oid, node, tree))
433 return 0; 410 return 0;
434 }
435
436 } 411 }
412 }
437 413
438 return 1; 414 return 1;
415}
439 416
440 } 417static int
441 418tree_link_any(X509_POLICY_LEVEL *curr, const X509_POLICY_CACHE *cache,
442static int tree_link_any(X509_POLICY_LEVEL *curr, 419 X509_POLICY_TREE *tree)
443 const X509_POLICY_CACHE *cache, 420{
444 X509_POLICY_TREE *tree)
445 {
446 int i; 421 int i;
447 /*X509_POLICY_DATA *data;*/ 422 /*X509_POLICY_DATA *data;*/
448 X509_POLICY_NODE *node; 423 X509_POLICY_NODE *node;
449 X509_POLICY_LEVEL *last = curr - 1; 424 X509_POLICY_LEVEL *last = curr - 1;
450 425
451 for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++) 426 for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++) {
452 {
453 node = sk_X509_POLICY_NODE_value(last->nodes, i); 427 node = sk_X509_POLICY_NODE_value(last->nodes, i);
454 428
455 if (!tree_link_unmatched(curr, cache, node, tree)) 429 if (!tree_link_unmatched(curr, cache, node, tree))
@@ -461,7 +435,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
461 * nodes. 435 * nodes.
462 * 436 *
463 * Note: need something better for policy mapping 437 * Note: need something better for policy mapping
464 * because each node may have multiple children 438 * because each node may have multiple children
465 */ 439 */
466 if (node->nchild) 440 if (node->nchild)
467 continue; 441 continue;
@@ -469,110 +443,99 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
469 /* Create a new node with qualifiers from anyPolicy and 443 /* Create a new node with qualifiers from anyPolicy and
470 * id from unmatched node. 444 * id from unmatched node.
471 */ 445 */
472 data = policy_data_new(NULL, node->data->valid_policy, 446 data = policy_data_new(NULL, node->data->valid_policy,
473 node_critical(node)); 447 node_critical(node));
474 448
475 if (data == NULL) 449 if (data == NULL)
476 return 0; 450 return 0;
477 /* Curr may not have anyPolicy */ 451 /* Curr may not have anyPolicy */
478 data->qualifier_set = cache->anyPolicy->qualifier_set; 452 data->qualifier_set = cache->anyPolicy->qualifier_set;
479 data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS; 453 data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
480 if (!level_add_node(curr, data, node, tree)) 454 if (!level_add_node(curr, data, node, tree)) {
481 {
482 policy_data_free(data); 455 policy_data_free(data);
483 return 0; 456 return 0;
484 } 457 }
485 458
486#endif 459#endif
487 460
488 } 461 }
489 /* Finally add link to anyPolicy */ 462 /* Finally add link to anyPolicy */
490 if (last->anyPolicy) 463 if (last->anyPolicy) {
491 {
492 if (!level_add_node(curr, cache->anyPolicy, 464 if (!level_add_node(curr, cache->anyPolicy,
493 last->anyPolicy, NULL)) 465 last->anyPolicy, NULL))
494 return 0; 466 return 0;
495 }
496 return 1;
497 } 467 }
468 return 1;
469}
498 470
499/* Prune the tree: delete any child mapped child data on the current level 471/* Prune the tree: delete any child mapped child data on the current level
500 * then proceed up the tree deleting any data with no children. If we ever 472 * then proceed up the tree deleting any data with no children. If we ever
501 * have no data on a level we can halt because the tree will be empty. 473 * have no data on a level we can halt because the tree will be empty.
502 */ 474 */
503 475
504static int tree_prune(X509_POLICY_TREE *tree, X509_POLICY_LEVEL *curr) 476static int
505 { 477tree_prune(X509_POLICY_TREE *tree, X509_POLICY_LEVEL *curr)
478{
506 STACK_OF(X509_POLICY_NODE) *nodes; 479 STACK_OF(X509_POLICY_NODE) *nodes;
507 X509_POLICY_NODE *node; 480 X509_POLICY_NODE *node;
508 int i; 481 int i;
482
509 nodes = curr->nodes; 483 nodes = curr->nodes;
510 if (curr->flags & X509_V_FLAG_INHIBIT_MAP) 484 if (curr->flags & X509_V_FLAG_INHIBIT_MAP) {
511 { 485 for (i = sk_X509_POLICY_NODE_num(nodes) - 1; i >= 0; i--) {
512 for (i = sk_X509_POLICY_NODE_num(nodes) - 1; i >= 0; i--)
513 {
514 node = sk_X509_POLICY_NODE_value(nodes, i); 486 node = sk_X509_POLICY_NODE_value(nodes, i);
515 /* Delete any mapped data: see RFC3280 XXXX */ 487 /* Delete any mapped data: see RFC3280 XXXX */
516 if (node->data->flags & POLICY_DATA_FLAG_MAP_MASK) 488 if (node->data->flags & POLICY_DATA_FLAG_MAP_MASK) {
517 {
518 node->parent->nchild--; 489 node->parent->nchild--;
519 free(node); 490 free(node);
520 (void)sk_X509_POLICY_NODE_delete(nodes,i); 491 (void)sk_X509_POLICY_NODE_delete(nodes, i);
521 }
522 } 492 }
523 } 493 }
494 }
524 495
525 for(;;) { 496 for (;;) {
526 --curr; 497 --curr;
527 nodes = curr->nodes; 498 nodes = curr->nodes;
528 for (i = sk_X509_POLICY_NODE_num(nodes) - 1; i >= 0; i--) 499 for (i = sk_X509_POLICY_NODE_num(nodes) - 1; i >= 0; i--) {
529 {
530 node = sk_X509_POLICY_NODE_value(nodes, i); 500 node = sk_X509_POLICY_NODE_value(nodes, i);
531 if (node->nchild == 0) 501 if (node->nchild == 0) {
532 {
533 node->parent->nchild--; 502 node->parent->nchild--;
534 free(node); 503 free(node);
535 (void)sk_X509_POLICY_NODE_delete(nodes, i); 504 (void)sk_X509_POLICY_NODE_delete(nodes, i);
536 }
537 } 505 }
538 if (curr->anyPolicy && !curr->anyPolicy->nchild) 506 }
539 { 507 if (curr->anyPolicy && !curr->anyPolicy->nchild) {
540 if (curr->anyPolicy->parent) 508 if (curr->anyPolicy->parent)
541 curr->anyPolicy->parent->nchild--; 509 curr->anyPolicy->parent->nchild--;
542 free(curr->anyPolicy); 510 free(curr->anyPolicy);
543 curr->anyPolicy = NULL; 511 curr->anyPolicy = NULL;
544 } 512 }
545 if (curr == tree->levels) 513 if (curr == tree->levels) {
546 {
547 /* If we zapped anyPolicy at top then tree is empty */ 514 /* If we zapped anyPolicy at top then tree is empty */
548 if (!curr->anyPolicy) 515 if (!curr->anyPolicy)
549 return 2; 516 return 2;
550 return 1; 517 return 1;
551 }
552 } 518 }
519 }
553 520
554 return 1; 521 return 1;
522}
555 523
556 } 524static int
557 525tree_add_auth_node(STACK_OF(X509_POLICY_NODE) **pnodes, X509_POLICY_NODE *pcy)
558static int tree_add_auth_node(STACK_OF(X509_POLICY_NODE) **pnodes, 526{
559 X509_POLICY_NODE *pcy) 527 if (!*pnodes) {
560 {
561 if (!*pnodes)
562 {
563 *pnodes = policy_node_cmp_new(); 528 *pnodes = policy_node_cmp_new();
564 if (!*pnodes) 529 if (!*pnodes)
565 return 0; 530 return 0;
566 } 531 } else if (sk_X509_POLICY_NODE_find(*pnodes, pcy) != -1)
567 else if (sk_X509_POLICY_NODE_find(*pnodes, pcy) != -1)
568 return 1; 532 return 1;
569 533
570 if (!sk_X509_POLICY_NODE_push(*pnodes, pcy)) 534 if (!sk_X509_POLICY_NODE_push(*pnodes, pcy))
571 return 0; 535 return 0;
572 536
573 return 1; 537 return 1;
574 538}
575 }
576 539
577/* Calculate the authority set based on policy tree. 540/* Calculate the authority set based on policy tree.
578 * The 'pnodes' parameter is used as a store for the set of policy nodes 541 * The 'pnodes' parameter is used as a store for the set of policy nodes
@@ -583,43 +546,41 @@ static int tree_add_auth_node(STACK_OF(X509_POLICY_NODE) **pnodes,
583 * that pnodes should be freed. 546 * that pnodes should be freed.
584 */ 547 */
585 548
586static int tree_calculate_authority_set(X509_POLICY_TREE *tree, 549static int
587 STACK_OF(X509_POLICY_NODE) **pnodes) 550tree_calculate_authority_set(X509_POLICY_TREE *tree,
588 { 551 STACK_OF(X509_POLICY_NODE) **pnodes)
552{
589 X509_POLICY_LEVEL *curr; 553 X509_POLICY_LEVEL *curr;
590 X509_POLICY_NODE *node, *anyptr; 554 X509_POLICY_NODE *node, *anyptr;
591 STACK_OF(X509_POLICY_NODE) **addnodes; 555 STACK_OF(X509_POLICY_NODE) **addnodes;
592 int i, j; 556 int i, j;
557
593 curr = tree->levels + tree->nlevel - 1; 558 curr = tree->levels + tree->nlevel - 1;
594 559
595 /* If last level contains anyPolicy set is anyPolicy */ 560 /* If last level contains anyPolicy set is anyPolicy */
596 if (curr->anyPolicy) 561 if (curr->anyPolicy) {
597 {
598 if (!tree_add_auth_node(&tree->auth_policies, curr->anyPolicy)) 562 if (!tree_add_auth_node(&tree->auth_policies, curr->anyPolicy))
599 return 0; 563 return 0;
600 addnodes = pnodes; 564 addnodes = pnodes;
601 } 565 } else
602 else
603 /* Add policies to authority set */ 566 /* Add policies to authority set */
604 addnodes = &tree->auth_policies; 567 addnodes = &tree->auth_policies;
605 568
606 curr = tree->levels; 569 curr = tree->levels;
607 for (i = 1; i < tree->nlevel; i++) 570 for (i = 1; i < tree->nlevel; i++) {
608 {
609 /* If no anyPolicy node on this this level it can't 571 /* If no anyPolicy node on this this level it can't
610 * appear on lower levels so end search. 572 * appear on lower levels so end search.
611 */ 573 */
612 if (!(anyptr = curr->anyPolicy)) 574 if (!(anyptr = curr->anyPolicy))
613 break; 575 break;
614 curr++; 576 curr++;
615 for (j = 0; j < sk_X509_POLICY_NODE_num(curr->nodes); j++) 577 for (j = 0; j < sk_X509_POLICY_NODE_num(curr->nodes); j++) {
616 {
617 node = sk_X509_POLICY_NODE_value(curr->nodes, j); 578 node = sk_X509_POLICY_NODE_value(curr->nodes, j);
618 if ((node->parent == anyptr) 579 if ((node->parent == anyptr) &&
619 && !tree_add_auth_node(addnodes, node)) 580 !tree_add_auth_node(addnodes, node))
620 return 0; 581 return 0;
621 }
622 } 582 }
583 }
623 584
624 if (addnodes == pnodes) 585 if (addnodes == pnodes)
625 return 2; 586 return 2;
@@ -627,16 +588,15 @@ static int tree_calculate_authority_set(X509_POLICY_TREE *tree,
627 *pnodes = tree->auth_policies; 588 *pnodes = tree->auth_policies;
628 589
629 return 1; 590 return 1;
630 } 591}
631 592
632static int tree_calculate_user_set(X509_POLICY_TREE *tree, 593static int
633 STACK_OF(ASN1_OBJECT) *policy_oids, 594tree_calculate_user_set(X509_POLICY_TREE *tree,
634 STACK_OF(X509_POLICY_NODE) *auth_nodes) 595 STACK_OF(ASN1_OBJECT) *policy_oids, STACK_OF(X509_POLICY_NODE) *auth_nodes)
635 { 596{
636 int i; 597 int i;
637 X509_POLICY_NODE *node; 598 X509_POLICY_NODE *node;
638 ASN1_OBJECT *oid; 599 ASN1_OBJECT *oid;
639
640 X509_POLICY_NODE *anyPolicy; 600 X509_POLICY_NODE *anyPolicy;
641 X509_POLICY_DATA *extra; 601 X509_POLICY_DATA *extra;
642 602
@@ -649,84 +609,78 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree,
649 609
650 anyPolicy = tree->levels[tree->nlevel - 1].anyPolicy; 610 anyPolicy = tree->levels[tree->nlevel - 1].anyPolicy;
651 611
652 for (i = 0; i < sk_ASN1_OBJECT_num(policy_oids); i++) 612 for (i = 0; i < sk_ASN1_OBJECT_num(policy_oids); i++) {
653 {
654 oid = sk_ASN1_OBJECT_value(policy_oids, i); 613 oid = sk_ASN1_OBJECT_value(policy_oids, i);
655 if (OBJ_obj2nid(oid) == NID_any_policy) 614 if (OBJ_obj2nid(oid) == NID_any_policy) {
656 {
657 tree->flags |= POLICY_FLAG_ANY_POLICY; 615 tree->flags |= POLICY_FLAG_ANY_POLICY;
658 return 1; 616 return 1;
659 }
660 } 617 }
618 }
661 619
662 for (i = 0; i < sk_ASN1_OBJECT_num(policy_oids); i++) 620 for (i = 0; i < sk_ASN1_OBJECT_num(policy_oids); i++) {
663 {
664 oid = sk_ASN1_OBJECT_value(policy_oids, i); 621 oid = sk_ASN1_OBJECT_value(policy_oids, i);
665 node = tree_find_sk(auth_nodes, oid); 622 node = tree_find_sk(auth_nodes, oid);
666 if (!node) 623 if (!node) {
667 {
668 if (!anyPolicy) 624 if (!anyPolicy)
669 continue; 625 continue;
670 /* Create a new node with policy ID from user set 626 /* Create a new node with policy ID from user set
671 * and qualifiers from anyPolicy. 627 * and qualifiers from anyPolicy.
672 */ 628 */
673 extra = policy_data_new(NULL, oid, 629 extra = policy_data_new(NULL, oid,
674 node_critical(anyPolicy)); 630 node_critical(anyPolicy));
675 if (!extra) 631 if (!extra)
676 return 0; 632 return 0;
677 extra->qualifier_set = anyPolicy->data->qualifier_set; 633 extra->qualifier_set = anyPolicy->data->qualifier_set;
678 extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS 634 extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS |
679 | POLICY_DATA_FLAG_EXTRA_NODE; 635 POLICY_DATA_FLAG_EXTRA_NODE;
680 node = level_add_node(NULL, extra, anyPolicy->parent, 636 node = level_add_node(NULL, extra, anyPolicy->parent,
681 tree); 637 tree);
682 } 638 }
683 if (!tree->user_policies) 639 if (!tree->user_policies) {
684 {
685 tree->user_policies = sk_X509_POLICY_NODE_new_null(); 640 tree->user_policies = sk_X509_POLICY_NODE_new_null();
686 if (!tree->user_policies) 641 if (!tree->user_policies)
687 return 1; 642 return 1;
688 } 643 }
689 if (!sk_X509_POLICY_NODE_push(tree->user_policies, node)) 644 if (!sk_X509_POLICY_NODE_push(tree->user_policies, node))
690 return 0; 645 return 0;
691 }
692 return 1;
693
694 } 646 }
647 return 1;
648}
695 649
696static int tree_evaluate(X509_POLICY_TREE *tree) 650static int
697 { 651tree_evaluate(X509_POLICY_TREE *tree)
652{
698 int ret, i; 653 int ret, i;
699 X509_POLICY_LEVEL *curr = tree->levels + 1; 654 X509_POLICY_LEVEL *curr = tree->levels + 1;
700 const X509_POLICY_CACHE *cache; 655 const X509_POLICY_CACHE *cache;
701 656
702 for(i = 1; i < tree->nlevel; i++, curr++) 657 for (i = 1; i < tree->nlevel; i++, curr++) {
703 {
704 cache = policy_cache_set(curr->cert); 658 cache = policy_cache_set(curr->cert);
705 if (!tree_link_nodes(curr, cache)) 659 if (!tree_link_nodes(curr, cache))
706 return 0; 660 return 0;
707 661
708 if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY) 662 if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY) &&
709 && !tree_link_any(curr, cache, tree)) 663 !tree_link_any(curr, cache, tree))
710 return 0; 664 return 0;
711 tree_print("before tree_prune()", tree, curr); 665 tree_print("before tree_prune()", tree, curr);
712 ret = tree_prune(tree, curr); 666 ret = tree_prune(tree, curr);
713 if (ret != 1) 667 if (ret != 1)
714 return ret; 668 return ret;
715 } 669 }
716 670
717 return 1; 671 return 1;
672}
718 673
719 } 674static void
720 675exnode_free(X509_POLICY_NODE *node)
721static void exnode_free(X509_POLICY_NODE *node) 676{
722 {
723 if (node->data && (node->data->flags & POLICY_DATA_FLAG_EXTRA_NODE)) 677 if (node->data && (node->data->flags & POLICY_DATA_FLAG_EXTRA_NODE))
724 free(node); 678 free(node);
725 } 679}
726 680
727 681void
728void X509_policy_tree_free(X509_POLICY_TREE *tree) 682X509_policy_tree_free(X509_POLICY_TREE *tree)
729 { 683{
730 X509_POLICY_LEVEL *curr; 684 X509_POLICY_LEVEL *curr;
731 int i; 685 int i;
732 686
@@ -736,25 +690,23 @@ void X509_policy_tree_free(X509_POLICY_TREE *tree)
736 sk_X509_POLICY_NODE_free(tree->auth_policies); 690 sk_X509_POLICY_NODE_free(tree->auth_policies);
737 sk_X509_POLICY_NODE_pop_free(tree->user_policies, exnode_free); 691 sk_X509_POLICY_NODE_pop_free(tree->user_policies, exnode_free);
738 692
739 for(i = 0, curr = tree->levels; i < tree->nlevel; i++, curr++) 693 for (i = 0, curr = tree->levels; i < tree->nlevel; i++, curr++) {
740 {
741 if (curr->cert) 694 if (curr->cert)
742 X509_free(curr->cert); 695 X509_free(curr->cert);
743 if (curr->nodes) 696 if (curr->nodes)
744 sk_X509_POLICY_NODE_pop_free(curr->nodes, 697 sk_X509_POLICY_NODE_pop_free(curr->nodes,
745 policy_node_free); 698 policy_node_free);
746 if (curr->anyPolicy) 699 if (curr->anyPolicy)
747 policy_node_free(curr->anyPolicy); 700 policy_node_free(curr->anyPolicy);
748 } 701 }
749 702
750 if (tree->extra_data) 703 if (tree->extra_data)
751 sk_X509_POLICY_DATA_pop_free(tree->extra_data, 704 sk_X509_POLICY_DATA_pop_free(tree->extra_data,
752 policy_data_free); 705 policy_data_free);
753 706
754 free(tree->levels); 707 free(tree->levels);
755 free(tree); 708 free(tree);
756 709}
757 }
758 710
759/* Application policy checking function. 711/* Application policy checking function.
760 * Return codes: 712 * Return codes:
@@ -764,48 +716,47 @@ void X509_policy_tree_free(X509_POLICY_TREE *tree)
764 * -2 User constrained policy set empty and requireExplicit true. 716 * -2 User constrained policy set empty and requireExplicit true.
765 */ 717 */
766 718
767int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy, 719int
768 STACK_OF(X509) *certs, 720X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
769 STACK_OF(ASN1_OBJECT) *policy_oids, 721 STACK_OF(X509) *certs, STACK_OF(ASN1_OBJECT) *policy_oids,
770 unsigned int flags) 722 unsigned int flags)
771 { 723{
772 int ret; 724 int ret;
773 X509_POLICY_TREE *tree = NULL; 725 X509_POLICY_TREE *tree = NULL;
774 STACK_OF(X509_POLICY_NODE) *nodes, *auth_nodes = NULL; 726 STACK_OF(X509_POLICY_NODE) *nodes, *auth_nodes = NULL;
775 *ptree = NULL;
776 727
728 *ptree = NULL;
777 *pexplicit_policy = 0; 729 *pexplicit_policy = 0;
778 ret = tree_init(&tree, certs, flags); 730 ret = tree_init(&tree, certs, flags);
779 731
780 switch (ret) 732 switch (ret) {
781 {
782 733
783 /* Tree empty requireExplicit False: OK */ 734 /* Tree empty requireExplicit False: OK */
784 case 2: 735 case 2:
785 return 1; 736 return 1;
786 737
787 /* Some internal error */ 738 /* Some internal error */
788 case -1: 739 case -1:
789 return -1; 740 return -1;
790 741
791 /* Some internal error */ 742 /* Some internal error */
792 case 0: 743 case 0:
793 return 0; 744 return 0;
794 745
795 /* Tree empty requireExplicit True: Error */ 746 /* Tree empty requireExplicit True: Error */
796 747
797 case 6: 748 case 6:
798 *pexplicit_policy = 1; 749 *pexplicit_policy = 1;
799 return -2; 750 return -2;
800 751
801 /* Tree OK requireExplicit True: OK and continue */ 752 /* Tree OK requireExplicit True: OK and continue */
802 case 5: 753 case 5:
803 *pexplicit_policy = 1; 754 *pexplicit_policy = 1;
804 break; 755 break;
805 756
806 /* Tree OK: continue */ 757 /* Tree OK: continue */
807 758
808 case 1: 759 case 1:
809 if (!tree) 760 if (!tree)
810 /* 761 /*
811 * tree_init() returns success and a null tree 762 * tree_init() returns success and a null tree
@@ -817,9 +768,10 @@ int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
817 */ 768 */
818 return 1; 769 return 1;
819 break; 770 break;
820 } 771 }
821 772
822 if (!tree) goto error; 773 if (!tree)
774 goto error;
823 ret = tree_evaluate(tree); 775 ret = tree_evaluate(tree);
824 776
825 tree_print("tree_evaluate()", tree, NULL); 777 tree_print("tree_evaluate()", tree, NULL);
@@ -828,14 +780,13 @@ int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
828 goto error; 780 goto error;
829 781
830 /* Return value 2 means tree empty */ 782 /* Return value 2 means tree empty */
831 if (ret == 2) 783 if (ret == 2) {
832 {
833 X509_policy_tree_free(tree); 784 X509_policy_tree_free(tree);
834 if (*pexplicit_policy) 785 if (*pexplicit_policy)
835 return -2; 786 return -2;
836 else 787 else
837 return 1; 788 return 1;
838 } 789 }
839 790
840 /* Tree is not empty: continue */ 791 /* Tree is not empty: continue */
841 792
@@ -846,27 +797,23 @@ int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
846 797
847 if (!tree_calculate_user_set(tree, policy_oids, auth_nodes)) 798 if (!tree_calculate_user_set(tree, policy_oids, auth_nodes))
848 goto error; 799 goto error;
849 800
850 if (ret == 2) 801 if (ret == 2)
851 sk_X509_POLICY_NODE_free(auth_nodes); 802 sk_X509_POLICY_NODE_free(auth_nodes);
852 803
853 if (tree) 804 if (tree)
854 *ptree = tree; 805 *ptree = tree;
855 806
856 if (*pexplicit_policy) 807 if (*pexplicit_policy) {
857 {
858 nodes = X509_policy_tree_get0_user_policies(tree); 808 nodes = X509_policy_tree_get0_user_policies(tree);
859 if (sk_X509_POLICY_NODE_num(nodes) <= 0) 809 if (sk_X509_POLICY_NODE_num(nodes) <= 0)
860 return -2; 810 return -2;
861 } 811 }
862 812
863 return 1; 813 return 1;
864 814
865 error: 815error:
866
867 X509_policy_tree_free(tree); 816 X509_policy_tree_free(tree);
868 817
869 return 0; 818 return 0;
870 819}
871 }
872
diff --git a/src/lib/libssl/src/crypto/x509v3/ext_dat.h b/src/lib/libssl/src/crypto/x509v3/ext_dat.h
index 76daee6fcd..d90d2e7f8e 100644
--- a/src/lib/libssl/src/crypto/x509v3/ext_dat.h
+++ b/src/lib/libssl/src/crypto/x509v3/ext_dat.h
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -74,59 +74,57 @@ extern X509V3_EXT_METHOD v3_addr, v3_asid;
74 */ 74 */
75 75
76static const X509V3_EXT_METHOD *standard_exts[] = { 76static const X509V3_EXT_METHOD *standard_exts[] = {
77&v3_nscert, 77 &v3_nscert,
78&v3_ns_ia5_list[0], 78 &v3_ns_ia5_list[0],
79&v3_ns_ia5_list[1], 79 &v3_ns_ia5_list[1],
80&v3_ns_ia5_list[2], 80 &v3_ns_ia5_list[2],
81&v3_ns_ia5_list[3], 81 &v3_ns_ia5_list[3],
82&v3_ns_ia5_list[4], 82 &v3_ns_ia5_list[4],
83&v3_ns_ia5_list[5], 83 &v3_ns_ia5_list[5],
84&v3_ns_ia5_list[6], 84 &v3_ns_ia5_list[6],
85&v3_skey_id, 85 &v3_skey_id,
86&v3_key_usage, 86 &v3_key_usage,
87&v3_pkey_usage_period, 87 &v3_pkey_usage_period,
88&v3_alt[0], 88 &v3_alt[0],
89&v3_alt[1], 89 &v3_alt[1],
90&v3_bcons, 90 &v3_bcons,
91&v3_crl_num, 91 &v3_crl_num,
92&v3_cpols, 92 &v3_cpols,
93&v3_akey_id, 93 &v3_akey_id,
94&v3_crld, 94 &v3_crld,
95&v3_ext_ku, 95 &v3_ext_ku,
96&v3_delta_crl, 96 &v3_delta_crl,
97&v3_crl_reason, 97 &v3_crl_reason,
98#ifndef OPENSSL_NO_OCSP 98#ifndef OPENSSL_NO_OCSP
99&v3_crl_invdate, 99 &v3_crl_invdate,
100#endif 100#endif
101&v3_sxnet, 101 &v3_sxnet,
102&v3_info, 102 &v3_info,
103#ifndef OPENSSL_NO_RFC3779 103#ifndef OPENSSL_NO_RFC3779
104&v3_addr, 104 &v3_addr,
105&v3_asid, 105 &v3_asid,
106#endif 106#endif
107#ifndef OPENSSL_NO_OCSP 107#ifndef OPENSSL_NO_OCSP
108&v3_ocsp_nonce, 108 &v3_ocsp_nonce,
109&v3_ocsp_crlid, 109 &v3_ocsp_crlid,
110&v3_ocsp_accresp, 110 &v3_ocsp_accresp,
111&v3_ocsp_nocheck, 111 &v3_ocsp_nocheck,
112&v3_ocsp_acutoff, 112 &v3_ocsp_acutoff,
113&v3_ocsp_serviceloc, 113 &v3_ocsp_serviceloc,
114#endif 114#endif
115&v3_sinfo, 115 &v3_sinfo,
116&v3_policy_constraints, 116 &v3_policy_constraints,
117#ifndef OPENSSL_NO_OCSP 117#ifndef OPENSSL_NO_OCSP
118&v3_crl_hold, 118 &v3_crl_hold,
119#endif 119#endif
120&v3_pci, 120 &v3_pci,
121&v3_name_constraints, 121 &v3_name_constraints,
122&v3_policy_mappings, 122 &v3_policy_mappings,
123&v3_inhibit_anyp, 123 &v3_inhibit_anyp,
124&v3_idp, 124 &v3_idp,
125&v3_alt[2], 125 &v3_alt[2],
126&v3_freshest_crl, 126 &v3_freshest_crl,
127}; 127};
128 128
129/* Number of standard extensions */ 129/* Number of standard extensions */
130
131#define STANDARD_EXTENSION_COUNT (sizeof(standard_exts)/sizeof(X509V3_EXT_METHOD *)) 130#define STANDARD_EXTENSION_COUNT (sizeof(standard_exts)/sizeof(X509V3_EXT_METHOD *))
132
diff --git a/src/lib/libssl/src/crypto/x509v3/pcy_cache.c b/src/lib/libssl/src/crypto/x509v3/pcy_cache.c
index 24c79b4a80..cc990670d7 100644
--- a/src/lib/libssl/src/crypto/x509v3/pcy_cache.c
+++ b/src/lib/libssl/src/crypto/x509v3/pcy_cache.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -63,28 +63,28 @@
63#include "pcy_int.h" 63#include "pcy_int.h"
64 64
65static int policy_data_cmp(const X509_POLICY_DATA * const *a, 65static int policy_data_cmp(const X509_POLICY_DATA * const *a,
66 const X509_POLICY_DATA * const *b); 66 const X509_POLICY_DATA * const *b);
67static int policy_cache_set_int(long *out, ASN1_INTEGER *value); 67static int policy_cache_set_int(long *out, ASN1_INTEGER *value);
68 68
69/* Set cache entry according to CertificatePolicies extension. 69/* Set cache entry according to CertificatePolicies extension.
70 * Note: this destroys the passed CERTIFICATEPOLICIES structure. 70 * Note: this destroys the passed CERTIFICATEPOLICIES structure.
71 */ 71 */
72 72
73static int policy_cache_create(X509 *x, 73static int
74 CERTIFICATEPOLICIES *policies, int crit) 74policy_cache_create(X509 *x, CERTIFICATEPOLICIES *policies, int crit)
75 { 75{
76 int i; 76 int i;
77 int ret = 0; 77 int ret = 0;
78 X509_POLICY_CACHE *cache = x->policy_cache; 78 X509_POLICY_CACHE *cache = x->policy_cache;
79 X509_POLICY_DATA *data = NULL; 79 X509_POLICY_DATA *data = NULL;
80 POLICYINFO *policy; 80 POLICYINFO *policy;
81
81 if (sk_POLICYINFO_num(policies) == 0) 82 if (sk_POLICYINFO_num(policies) == 0)
82 goto bad_policy; 83 goto bad_policy;
83 cache->data = sk_X509_POLICY_DATA_new(policy_data_cmp); 84 cache->data = sk_X509_POLICY_DATA_new(policy_data_cmp);
84 if (!cache->data) 85 if (!cache->data)
85 goto bad_policy; 86 goto bad_policy;
86 for (i = 0; i < sk_POLICYINFO_num(policies); i++) 87 for (i = 0; i < sk_POLICYINFO_num(policies); i++) {
87 {
88 policy = sk_POLICYINFO_value(policies, i); 88 policy = sk_POLICYINFO_value(policies, i);
89 data = policy_data_new(policy, NULL, crit); 89 data = policy_data_new(policy, NULL, crit);
90 if (!data) 90 if (!data)
@@ -92,48 +92,44 @@ static int policy_cache_create(X509 *x,
92 /* Duplicate policy OIDs are illegal: reject if matches 92 /* Duplicate policy OIDs are illegal: reject if matches
93 * found. 93 * found.
94 */ 94 */
95 if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) 95 if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
96 { 96 if (cache->anyPolicy) {
97 if (cache->anyPolicy)
98 {
99 ret = -1; 97 ret = -1;
100 goto bad_policy; 98 goto bad_policy;
101 }
102 cache->anyPolicy = data;
103 } 99 }
104 else if (sk_X509_POLICY_DATA_find(cache->data, data) != -1) 100 cache->anyPolicy = data;
105 { 101 } else if (sk_X509_POLICY_DATA_find(cache->data, data) != -1) {
106 ret = -1; 102 ret = -1;
107 goto bad_policy; 103 goto bad_policy;
108 } 104 } else if (!sk_X509_POLICY_DATA_push(cache->data, data))
109 else if (!sk_X509_POLICY_DATA_push(cache->data, data))
110 goto bad_policy; 105 goto bad_policy;
111 data = NULL; 106 data = NULL;
112 } 107 }
113 ret = 1; 108 ret = 1;
114 bad_policy: 109
110bad_policy:
115 if (ret == -1) 111 if (ret == -1)
116 x->ex_flags |= EXFLAG_INVALID_POLICY; 112 x->ex_flags |= EXFLAG_INVALID_POLICY;
117 if (data) 113 if (data)
118 policy_data_free(data); 114 policy_data_free(data);
119 sk_POLICYINFO_pop_free(policies, POLICYINFO_free); 115 sk_POLICYINFO_pop_free(policies, POLICYINFO_free);
120 if (ret <= 0) 116 if (ret <= 0) {
121 {
122 sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free); 117 sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
123 cache->data = NULL; 118 cache->data = NULL;
124 }
125 return ret;
126 } 119 }
120 return ret;
121}
127 122
128 123static int
129static int policy_cache_new(X509 *x) 124policy_cache_new(X509 *x)
130 { 125{
131 X509_POLICY_CACHE *cache; 126 X509_POLICY_CACHE *cache;
132 ASN1_INTEGER *ext_any = NULL; 127 ASN1_INTEGER *ext_any = NULL;
133 POLICY_CONSTRAINTS *ext_pcons = NULL; 128 POLICY_CONSTRAINTS *ext_pcons = NULL;
134 CERTIFICATEPOLICIES *ext_cpols = NULL; 129 CERTIFICATEPOLICIES *ext_cpols = NULL;
135 POLICY_MAPPINGS *ext_pmaps = NULL; 130 POLICY_MAPPINGS *ext_pmaps = NULL;
136 int i; 131 int i;
132
137 cache = malloc(sizeof(X509_POLICY_CACHE)); 133 cache = malloc(sizeof(X509_POLICY_CACHE));
138 if (!cache) 134 if (!cache)
139 return 0; 135 return 0;
@@ -150,23 +146,20 @@ static int policy_cache_new(X509 *x)
150 */ 146 */
151 ext_pcons = X509_get_ext_d2i(x, NID_policy_constraints, &i, NULL); 147 ext_pcons = X509_get_ext_d2i(x, NID_policy_constraints, &i, NULL);
152 148
153 if (!ext_pcons) 149 if (!ext_pcons) {
154 {
155 if (i != -1) 150 if (i != -1)
156 goto bad_cache; 151 goto bad_cache;
157 } 152 } else {
158 else 153 if (!ext_pcons->requireExplicitPolicy &&
159 { 154 !ext_pcons->inhibitPolicyMapping)
160 if (!ext_pcons->requireExplicitPolicy
161 && !ext_pcons->inhibitPolicyMapping)
162 goto bad_cache; 155 goto bad_cache;
163 if (!policy_cache_set_int(&cache->explicit_skip, 156 if (!policy_cache_set_int(&cache->explicit_skip,
164 ext_pcons->requireExplicitPolicy)) 157 ext_pcons->requireExplicitPolicy))
165 goto bad_cache; 158 goto bad_cache;
166 if (!policy_cache_set_int(&cache->map_skip, 159 if (!policy_cache_set_int(&cache->map_skip,
167 ext_pcons->inhibitPolicyMapping)) 160 ext_pcons->inhibitPolicyMapping))
168 goto bad_cache; 161 goto bad_cache;
169 } 162 }
170 163
171 /* Process CertificatePolicies */ 164 /* Process CertificatePolicies */
172 165
@@ -175,13 +168,12 @@ static int policy_cache_new(X509 *x)
175 * there is no point continuing because the valid policies will be 168 * there is no point continuing because the valid policies will be
176 * NULL. 169 * NULL.
177 */ 170 */
178 if (!ext_cpols) 171 if (!ext_cpols) {
179 {
180 /* If not absent some problem with extension */ 172 /* If not absent some problem with extension */
181 if (i != -1) 173 if (i != -1)
182 goto bad_cache; 174 goto bad_cache;
183 return 1; 175 return 1;
184 } 176 }
185 177
186 i = policy_cache_create(x, ext_cpols, i); 178 i = policy_cache_create(x, ext_cpols, i);
187 179
@@ -192,48 +184,41 @@ static int policy_cache_new(X509 *x)
192 184
193 ext_pmaps = X509_get_ext_d2i(x, NID_policy_mappings, &i, NULL); 185 ext_pmaps = X509_get_ext_d2i(x, NID_policy_mappings, &i, NULL);
194 186
195 if (!ext_pmaps) 187 if (!ext_pmaps) {
196 {
197 /* If not absent some problem with extension */ 188 /* If not absent some problem with extension */
198 if (i != -1) 189 if (i != -1)
199 goto bad_cache; 190 goto bad_cache;
200 } 191 } else {
201 else
202 {
203 i = policy_cache_set_mapping(x, ext_pmaps); 192 i = policy_cache_set_mapping(x, ext_pmaps);
204 if (i <= 0) 193 if (i <= 0)
205 goto bad_cache; 194 goto bad_cache;
206 } 195 }
207 196
208 ext_any = X509_get_ext_d2i(x, NID_inhibit_any_policy, &i, NULL); 197 ext_any = X509_get_ext_d2i(x, NID_inhibit_any_policy, &i, NULL);
209 198
210 if (!ext_any) 199 if (!ext_any) {
211 {
212 if (i != -1) 200 if (i != -1)
213 goto bad_cache; 201 goto bad_cache;
214 } 202 } else if (!policy_cache_set_int(&cache->any_skip, ext_any))
215 else if (!policy_cache_set_int(&cache->any_skip, ext_any)) 203 goto bad_cache;
216 goto bad_cache;
217 204
218 if (0) 205 if (0) {
219 { 206bad_cache:
220 bad_cache:
221 x->ex_flags |= EXFLAG_INVALID_POLICY; 207 x->ex_flags |= EXFLAG_INVALID_POLICY;
222 } 208 }
223 209
224 if(ext_pcons) 210 if (ext_pcons)
225 POLICY_CONSTRAINTS_free(ext_pcons); 211 POLICY_CONSTRAINTS_free(ext_pcons);
226 212
227 if (ext_any) 213 if (ext_any)
228 ASN1_INTEGER_free(ext_any); 214 ASN1_INTEGER_free(ext_any);
229 215
230 return 1; 216 return 1;
231
232
233} 217}
234 218
235void policy_cache_free(X509_POLICY_CACHE *cache) 219void
236 { 220policy_cache_free(X509_POLICY_CACHE *cache)
221{
237 if (!cache) 222 if (!cache)
238 return; 223 return;
239 if (cache->anyPolicy) 224 if (cache->anyPolicy)
@@ -241,46 +226,47 @@ void policy_cache_free(X509_POLICY_CACHE *cache)
241 if (cache->data) 226 if (cache->data)
242 sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free); 227 sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
243 free(cache); 228 free(cache);
244 } 229}
245
246const X509_POLICY_CACHE *policy_cache_set(X509 *x)
247 {
248 230
249 if (x->policy_cache == NULL) 231const X509_POLICY_CACHE *
250 { 232policy_cache_set(X509 *x)
233{
234 if (x->policy_cache == NULL) {
251 CRYPTO_w_lock(CRYPTO_LOCK_X509); 235 CRYPTO_w_lock(CRYPTO_LOCK_X509);
252 policy_cache_new(x); 236 policy_cache_new(x);
253 CRYPTO_w_unlock(CRYPTO_LOCK_X509); 237 CRYPTO_w_unlock(CRYPTO_LOCK_X509);
254 } 238 }
255 239
256 return x->policy_cache; 240 return x->policy_cache;
241}
257 242
258 } 243X509_POLICY_DATA *
259 244policy_cache_find_data(const X509_POLICY_CACHE *cache, const ASN1_OBJECT *id)
260X509_POLICY_DATA *policy_cache_find_data(const X509_POLICY_CACHE *cache, 245{
261 const ASN1_OBJECT *id)
262 {
263 int idx; 246 int idx;
264 X509_POLICY_DATA tmp; 247 X509_POLICY_DATA tmp;
248
265 tmp.valid_policy = (ASN1_OBJECT *)id; 249 tmp.valid_policy = (ASN1_OBJECT *)id;
266 idx = sk_X509_POLICY_DATA_find(cache->data, &tmp); 250 idx = sk_X509_POLICY_DATA_find(cache->data, &tmp);
267 if (idx == -1) 251 if (idx == -1)
268 return NULL; 252 return NULL;
269 return sk_X509_POLICY_DATA_value(cache->data, idx); 253 return sk_X509_POLICY_DATA_value(cache->data, idx);
270 } 254}
271 255
272static int policy_data_cmp(const X509_POLICY_DATA * const *a, 256static int
273 const X509_POLICY_DATA * const *b) 257policy_data_cmp(const X509_POLICY_DATA * const *a,
274 { 258 const X509_POLICY_DATA * const *b)
259{
275 return OBJ_cmp((*a)->valid_policy, (*b)->valid_policy); 260 return OBJ_cmp((*a)->valid_policy, (*b)->valid_policy);
276 } 261}
277 262
278static int policy_cache_set_int(long *out, ASN1_INTEGER *value) 263static int
279 { 264policy_cache_set_int(long *out, ASN1_INTEGER *value)
265{
280 if (value == NULL) 266 if (value == NULL)
281 return 1; 267 return 1;
282 if (value->type == V_ASN1_NEG_INTEGER) 268 if (value->type == V_ASN1_NEG_INTEGER)
283 return 0; 269 return 0;
284 *out = ASN1_INTEGER_get(value); 270 *out = ASN1_INTEGER_get(value);
285 return 1; 271 return 1;
286 } 272}
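Review bot: In policy_cache_set() (last hunk of this file) the `x->policy_cache == NULL` test runs before CRYPTO_w_lock() and is not repeated once the lock is held, so two threads working on the same certificate can both reach policy_cache_new(). Unless the lines of policy_cache_new() that fall between the hunks re-check the pointer, the second call would replace the cache the first one installed, leaking it while another thread may still hold a pointer to it. Repeating the test under the lock, `if (x->policy_cache == NULL) policy_cache_new(x);`, closes that window. The return value of policy_cache_new() is also dropped, so after its `malloc()` fails policy_cache_set() returns NULL, and tree_evaluate() in pcy_tree.c on this page passes that result to tree_link_nodes() without a NULL check. A comment above the function such as `/* Returns NULL if the cache could not be allocated. */` would make that contract visible to callers.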
diff --git a/src/lib/libssl/src/crypto/x509v3/pcy_data.c b/src/lib/libssl/src/crypto/x509v3/pcy_data.c
index 7c80915f5b..bf33bdd5d0 100644
--- a/src/lib/libssl/src/crypto/x509v3/pcy_data.c
+++ b/src/lib/libssl/src/crypto/x509v3/pcy_data.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -64,16 +64,17 @@
64 64
65/* Policy Node routines */ 65/* Policy Node routines */
66 66
67void policy_data_free(X509_POLICY_DATA *data) 67void
68 { 68policy_data_free(X509_POLICY_DATA *data)
69{
69 ASN1_OBJECT_free(data->valid_policy); 70 ASN1_OBJECT_free(data->valid_policy);
70 /* Don't free qualifiers if shared */ 71 /* Don't free qualifiers if shared */
71 if (!(data->flags & POLICY_DATA_FLAG_SHARED_QUALIFIERS)) 72 if (!(data->flags & POLICY_DATA_FLAG_SHARED_QUALIFIERS))
72 sk_POLICYQUALINFO_pop_free(data->qualifier_set, 73 sk_POLICYQUALINFO_pop_free(data->qualifier_set,
73 POLICYQUALINFO_free); 74 POLICYQUALINFO_free);
74 sk_ASN1_OBJECT_pop_free(data->expected_policy_set, ASN1_OBJECT_free); 75 sk_ASN1_OBJECT_pop_free(data->expected_policy_set, ASN1_OBJECT_free);
75 free(data); 76 free(data);
76 } 77}
77 78
78/* Create a data based on an existing policy. If 'id' is NULL use the 79/* Create a data based on an existing policy. If 'id' is NULL use the
79 * oid in the policy, otherwise use 'id'. This behaviour covers the two 80 * oid in the policy, otherwise use 'id'. This behaviour covers the two
@@ -82,32 +83,30 @@ void policy_data_free(X509_POLICY_DATA *data)
82 * another source. 83 * another source.
83 */ 84 */
84 85
85X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, 86X509_POLICY_DATA *
86 const ASN1_OBJECT *cid, int crit) 87policy_data_new(POLICYINFO *policy, const ASN1_OBJECT *cid, int crit)
87 { 88{
88 X509_POLICY_DATA *ret; 89 X509_POLICY_DATA *ret;
89 ASN1_OBJECT *id; 90 ASN1_OBJECT *id;
91
90 if (!policy && !cid) 92 if (!policy && !cid)
91 return NULL; 93 return NULL;
92 if (cid) 94 if (cid) {
93 {
94 id = OBJ_dup(cid); 95 id = OBJ_dup(cid);
95 if (!id) 96 if (!id)
96 return NULL; 97 return NULL;
97 } 98 } else
98 else
99 id = NULL; 99 id = NULL;
100 ret = malloc(sizeof(X509_POLICY_DATA)); 100 ret = malloc(sizeof(X509_POLICY_DATA));
101 if (!ret) 101 if (!ret)
102 return NULL; 102 return NULL;
103 ret->expected_policy_set = sk_ASN1_OBJECT_new_null(); 103 ret->expected_policy_set = sk_ASN1_OBJECT_new_null();
104 if (!ret->expected_policy_set) 104 if (!ret->expected_policy_set) {
105 {
106 free(ret); 105 free(ret);
107 if (id) 106 if (id)
108 ASN1_OBJECT_free(id); 107 ASN1_OBJECT_free(id);
109 return NULL; 108 return NULL;
110 } 109 }
111 110
112 if (crit) 111 if (crit)
113 ret->flags = POLICY_DATA_FLAG_CRITICAL; 112 ret->flags = POLICY_DATA_FLAG_CRITICAL;
@@ -116,20 +115,16 @@ X509_POLICY_DATA *policy_data_new(POLICYINFO *policy,
116 115
117 if (id) 116 if (id)
118 ret->valid_policy = id; 117 ret->valid_policy = id;
119 else 118 else {
120 {
121 ret->valid_policy = policy->policyid; 119 ret->valid_policy = policy->policyid;
122 policy->policyid = NULL; 120 policy->policyid = NULL;
123 } 121 }
124 122
125 if (policy) 123 if (policy) {
126 {
127 ret->qualifier_set = policy->qualifiers; 124 ret->qualifier_set = policy->qualifiers;
128 policy->qualifiers = NULL; 125 policy->qualifiers = NULL;
129 } 126 } else
130 else
131 ret->qualifier_set = NULL; 127 ret->qualifier_set = NULL;
132 128
133 return ret; 129 return ret;
134 } 130}
135
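Review bot: policy_data_new() leaks `id` when `malloc(sizeof(X509_POLICY_DATA))` fails. The copy made by `OBJ_dup(cid)` is released only on the later sk_ASN1_OBJECT_new_null() failure path, while `if (!ret) return NULL;` returns without freeing it. The allocation-failure branch should mirror the other one: `if (!ret) { if (id) ASN1_OBJECT_free(id); return NULL; }`. The function spans two hunks and the lines between them (the flags assignment) are not shown, so this is based on the visible paths only.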
diff --git a/src/lib/libssl/src/crypto/x509v3/pcy_int.h b/src/lib/libssl/src/crypto/x509v3/pcy_int.h
index ccff92846e..4798a23853 100644
--- a/src/lib/libssl/src/crypto/x509v3/pcy_int.h
+++ b/src/lib/libssl/src/crypto/x509v3/pcy_int.h
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -69,19 +69,18 @@ DECLARE_STACK_OF(X509_POLICY_DATA)
69 * can be kept static and cached with the certificate. 69 * can be kept static and cached with the certificate.
70 */ 70 */
71 71
72struct X509_POLICY_DATA_st 72struct X509_POLICY_DATA_st {
73 {
74 unsigned int flags; 73 unsigned int flags;
75 /* Policy OID and qualifiers for this data */ 74 /* Policy OID and qualifiers for this data */
76 ASN1_OBJECT *valid_policy; 75 ASN1_OBJECT *valid_policy;
77 STACK_OF(POLICYQUALINFO) *qualifier_set; 76 STACK_OF(POLICYQUALINFO) *qualifier_set;
78 STACK_OF(ASN1_OBJECT) *expected_policy_set; 77 STACK_OF(ASN1_OBJECT) *expected_policy_set;
79 }; 78};
80 79
81/* X509_POLICY_DATA flags values */ 80/* X509_POLICY_DATA flags values */
82 81
83/* This flag indicates the structure has been mapped using a policy mapping 82/* This flag indicates the structure has been mapped using a policy mapping
84 * extension. If policy mapping is not active its references get deleted. 83 * extension. If policy mapping is not active its references get deleted.
85 */ 84 */
86 85
87#define POLICY_DATA_FLAG_MAPPED 0x1 86#define POLICY_DATA_FLAG_MAPPED 0x1
@@ -125,24 +124,22 @@ struct X509_POLICY_CACHE_st {
125 * value or -1 if absent. 124 * value or -1 if absent.
126 */ 125 */
127 long map_skip; 126 long map_skip;
128 }; 127};
129 128
130/*#define POLICY_CACHE_FLAG_CRITICAL POLICY_DATA_FLAG_CRITICAL*/ 129/*#define POLICY_CACHE_FLAG_CRITICAL POLICY_DATA_FLAG_CRITICAL*/
131 130
132/* This structure represents the relationship between nodes */ 131/* This structure represents the relationship between nodes */
133 132
134struct X509_POLICY_NODE_st 133struct X509_POLICY_NODE_st {
135 {
136 /* node data this refers to */ 134 /* node data this refers to */
137 const X509_POLICY_DATA *data; 135 const X509_POLICY_DATA *data;
138 /* Parent node */ 136 /* Parent node */
139 X509_POLICY_NODE *parent; 137 X509_POLICY_NODE *parent;
140 /* Number of child nodes */ 138 /* Number of child nodes */
141 int nchild; 139 int nchild;
142 }; 140};
143 141
144struct X509_POLICY_LEVEL_st 142struct X509_POLICY_LEVEL_st {
145 {
146 /* Cert for this level */ 143 /* Cert for this level */
147 X509 *cert; 144 X509 *cert;
148 /* nodes at this level */ 145 /* nodes at this level */
@@ -152,10 +149,9 @@ struct X509_POLICY_LEVEL_st
152 /* Extra data */ 149 /* Extra data */
153 /*STACK_OF(X509_POLICY_DATA) *extra_data;*/ 150 /*STACK_OF(X509_POLICY_DATA) *extra_data;*/
154 unsigned int flags; 151 unsigned int flags;
155 }; 152};
156 153
157struct X509_POLICY_TREE_st 154struct X509_POLICY_TREE_st {
158 {
159 /* This is the tree 'level' data */ 155 /* This is the tree 'level' data */
160 X509_POLICY_LEVEL *levels; 156 X509_POLICY_LEVEL *levels;
161 int nlevel; 157 int nlevel;
@@ -167,7 +163,7 @@ struct X509_POLICY_TREE_st
167 STACK_OF(X509_POLICY_NODE) *auth_policies; 163 STACK_OF(X509_POLICY_NODE) *auth_policies;
168 STACK_OF(X509_POLICY_NODE) *user_policies; 164 STACK_OF(X509_POLICY_NODE) *user_policies;
169 unsigned int flags; 165 unsigned int flags;
170 }; 166};
171 167
172/* Set if anyPolicy present in user policies */ 168/* Set if anyPolicy present in user policies */
173#define POLICY_FLAG_ANY_POLICY 0x2 169#define POLICY_FLAG_ANY_POLICY 0x2
@@ -180,11 +176,11 @@ struct X509_POLICY_TREE_st
180/* Internal functions */ 176/* Internal functions */
181 177
182X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, const ASN1_OBJECT *id, 178X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, const ASN1_OBJECT *id,
183 int crit); 179 int crit);
184void policy_data_free(X509_POLICY_DATA *data); 180void policy_data_free(X509_POLICY_DATA *data);
185 181
186X509_POLICY_DATA *policy_cache_find_data(const X509_POLICY_CACHE *cache, 182X509_POLICY_DATA *policy_cache_find_data(const X509_POLICY_CACHE *cache,
187 const ASN1_OBJECT *id); 183 const ASN1_OBJECT *id);
188int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps); 184int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps);
189 185
190 186
@@ -195,18 +191,16 @@ void policy_cache_init(void);
195void policy_cache_free(X509_POLICY_CACHE *cache); 191void policy_cache_free(X509_POLICY_CACHE *cache);
196 192
197X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level, 193X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level,
198 const X509_POLICY_NODE *parent, 194 const X509_POLICY_NODE *parent, const ASN1_OBJECT *id);
199 const ASN1_OBJECT *id);
200 195
201X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk, 196X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk,
202 const ASN1_OBJECT *id); 197 const ASN1_OBJECT *id);
203 198
204X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, 199X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
205 const X509_POLICY_DATA *data, 200 const X509_POLICY_DATA *data, X509_POLICY_NODE *parent,
206 X509_POLICY_NODE *parent, 201 X509_POLICY_TREE *tree);
207 X509_POLICY_TREE *tree);
208void policy_node_free(X509_POLICY_NODE *node); 202void policy_node_free(X509_POLICY_NODE *node);
209int policy_node_match(const X509_POLICY_LEVEL *lvl, 203int policy_node_match(const X509_POLICY_LEVEL *lvl,
210 const X509_POLICY_NODE *node, const ASN1_OBJECT *oid); 204 const X509_POLICY_NODE *node, const ASN1_OBJECT *oid);
211 205
212const X509_POLICY_CACHE *policy_cache_set(X509 *x); 206const X509_POLICY_CACHE *policy_cache_set(X509 *x);
diff --git a/src/lib/libssl/src/crypto/x509v3/pcy_lib.c b/src/lib/libssl/src/crypto/x509v3/pcy_lib.c
index 93bfd92703..de26a8f7e4 100644
--- a/src/lib/libssl/src/crypto/x509v3/pcy_lib.c
+++ b/src/lib/libssl/src/crypto/x509v3/pcy_lib.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -67,44 +67,46 @@
67 67
68/* X509_POLICY_TREE stuff */ 68/* X509_POLICY_TREE stuff */
69 69
70int X509_policy_tree_level_count(const X509_POLICY_TREE *tree) 70int
71 { 71X509_policy_tree_level_count(const X509_POLICY_TREE *tree)
72{
72 if (!tree) 73 if (!tree)
73 return 0; 74 return 0;
74 return tree->nlevel; 75 return tree->nlevel;
75 } 76}
76 77
77X509_POLICY_LEVEL * 78X509_POLICY_LEVEL *
78 X509_policy_tree_get0_level(const X509_POLICY_TREE *tree, int i) 79X509_policy_tree_get0_level(const X509_POLICY_TREE *tree, int i)
79 { 80{
80 if (!tree || (i < 0) || (i >= tree->nlevel)) 81 if (!tree || (i < 0) || (i >= tree->nlevel))
81 return NULL; 82 return NULL;
82 return tree->levels + i; 83 return tree->levels + i;
83 } 84}
84 85
85STACK_OF(X509_POLICY_NODE) * 86STACK_OF(X509_POLICY_NODE) *
86 X509_policy_tree_get0_policies(const X509_POLICY_TREE *tree) 87X509_policy_tree_get0_policies(const X509_POLICY_TREE *tree)
87 { 88{
88 if (!tree) 89 if (!tree)
89 return NULL; 90 return NULL;
90 return tree->auth_policies; 91 return tree->auth_policies;
91 } 92}
92 93
93STACK_OF(X509_POLICY_NODE) * 94STACK_OF(X509_POLICY_NODE) *
94 X509_policy_tree_get0_user_policies(const X509_POLICY_TREE *tree) 95X509_policy_tree_get0_user_policies(const X509_POLICY_TREE *tree)
95 { 96{
96 if (!tree) 97 if (!tree)
97 return NULL; 98 return NULL;
98 if (tree->flags & POLICY_FLAG_ANY_POLICY) 99 if (tree->flags & POLICY_FLAG_ANY_POLICY)
99 return tree->auth_policies; 100 return tree->auth_policies;
100 else 101 else
101 return tree->user_policies; 102 return tree->user_policies;
102 } 103}
103 104
104/* X509_POLICY_LEVEL stuff */ 105/* X509_POLICY_LEVEL stuff */
105 106
106int X509_policy_level_node_count(X509_POLICY_LEVEL *level) 107int
107 { 108X509_policy_level_node_count(X509_POLICY_LEVEL *level)
109{
108 int n; 110 int n;
109 if (!level) 111 if (!level)
110 return 0; 112 return 0;
@@ -115,53 +117,53 @@ int X509_policy_level_node_count(X509_POLICY_LEVEL *level)
115 if (level->nodes) 117 if (level->nodes)
116 n += sk_X509_POLICY_NODE_num(level->nodes); 118 n += sk_X509_POLICY_NODE_num(level->nodes);
117 return n; 119 return n;
118 } 120}
119 121
120X509_POLICY_NODE *X509_policy_level_get0_node(X509_POLICY_LEVEL *level, int i) 122X509_POLICY_NODE *
121 { 123X509_policy_level_get0_node(X509_POLICY_LEVEL *level, int i)
124{
122 if (!level) 125 if (!level)
123 return NULL; 126 return NULL;
124 if (level->anyPolicy) 127 if (level->anyPolicy) {
125 {
126 if (i == 0) 128 if (i == 0)
127 return level->anyPolicy; 129 return level->anyPolicy;
128 i--; 130 i--;
129 }
130 return sk_X509_POLICY_NODE_value(level->nodes, i);
131 } 131 }
132 return sk_X509_POLICY_NODE_value(level->nodes, i);
133}
132 134
133/* X509_POLICY_NODE stuff */ 135/* X509_POLICY_NODE stuff */
134 136
135const ASN1_OBJECT *X509_policy_node_get0_policy(const X509_POLICY_NODE *node) 137const ASN1_OBJECT *
136 { 138X509_policy_node_get0_policy(const X509_POLICY_NODE *node)
139{
137 if (!node) 140 if (!node)
138 return NULL; 141 return NULL;
139 return node->data->valid_policy; 142 return node->data->valid_policy;
140 } 143}
141 144
142#if 0 145#if 0
143int X509_policy_node_get_critical(const X509_POLICY_NODE *node) 146int
144 { 147X509_policy_node_get_critical(const X509_POLICY_NODE *node)
148{
145 if (node_critical(node)) 149 if (node_critical(node))
146 return 1; 150 return 1;
147 return 0; 151 return 0;
148 } 152}
149#endif 153#endif
150 154
151STACK_OF(POLICYQUALINFO) * 155STACK_OF(POLICYQUALINFO) *
152 X509_policy_node_get0_qualifiers(const X509_POLICY_NODE *node) 156X509_policy_node_get0_qualifiers(const X509_POLICY_NODE *node)
153 { 157{
154 if (!node) 158 if (!node)
155 return NULL; 159 return NULL;
156 return node->data->qualifier_set; 160 return node->data->qualifier_set;
157 } 161}
158 162
159const X509_POLICY_NODE * 163const X509_POLICY_NODE *
160 X509_policy_node_get0_parent(const X509_POLICY_NODE *node) 164X509_policy_node_get0_parent(const X509_POLICY_NODE *node)
161 { 165{
162 if (!node) 166 if (!node)
163 return NULL; 167 return NULL;
164 return node->parent; 168 return node->parent;
165 } 169}
166
167
diff --git a/src/lib/libssl/src/crypto/x509v3/pcy_map.c b/src/lib/libssl/src/crypto/x509v3/pcy_map.c
index 21163b529d..295988a411 100644
--- a/src/lib/libssl/src/crypto/x509v3/pcy_map.c
+++ b/src/lib/libssl/src/crypto/x509v3/pcy_map.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -66,28 +66,27 @@
66 * Note: this modifies the passed POLICY_MAPPINGS structure 66 * Note: this modifies the passed POLICY_MAPPINGS structure
67 */ 67 */
68 68
69int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps) 69int
70 { 70policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
71{
71 POLICY_MAPPING *map; 72 POLICY_MAPPING *map;
72 X509_POLICY_DATA *data; 73 X509_POLICY_DATA *data;
73 X509_POLICY_CACHE *cache = x->policy_cache; 74 X509_POLICY_CACHE *cache = x->policy_cache;
74 int i; 75 int i;
75 int ret = 0; 76 int ret = 0;
76 if (sk_POLICY_MAPPING_num(maps) == 0) 77
77 { 78 if (sk_POLICY_MAPPING_num(maps) == 0) {
78 ret = -1; 79 ret = -1;
79 goto bad_mapping; 80 goto bad_mapping;
80 } 81 }
81 for (i = 0; i < sk_POLICY_MAPPING_num(maps); i++) 82 for (i = 0; i < sk_POLICY_MAPPING_num(maps); i++) {
82 {
83 map = sk_POLICY_MAPPING_value(maps, i); 83 map = sk_POLICY_MAPPING_value(maps, i);
84 /* Reject if map to or from anyPolicy */ 84 /* Reject if map to or from anyPolicy */
85 if ((OBJ_obj2nid(map->subjectDomainPolicy) == NID_any_policy) 85 if ((OBJ_obj2nid(map->subjectDomainPolicy) == NID_any_policy) ||
86 || (OBJ_obj2nid(map->issuerDomainPolicy) == NID_any_policy)) 86 (OBJ_obj2nid(map->issuerDomainPolicy) == NID_any_policy)) {
87 {
88 ret = -1; 87 ret = -1;
89 goto bad_mapping; 88 goto bad_mapping;
90 } 89 }
91 90
92 /* Attempt to find matching policy data */ 91 /* Attempt to find matching policy data */
93 data = policy_cache_find_data(cache, map->issuerDomainPolicy); 92 data = policy_cache_find_data(cache, map->issuerDomainPolicy);
@@ -96,37 +95,33 @@ int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
96 continue; 95 continue;
97 96
98 /* Create a NODE from anyPolicy */ 97 /* Create a NODE from anyPolicy */
99 if (!data) 98 if (!data) {
100 {
101 data = policy_data_new(NULL, map->issuerDomainPolicy, 99 data = policy_data_new(NULL, map->issuerDomainPolicy,
102 cache->anyPolicy->flags 100 cache->anyPolicy->flags &
103 & POLICY_DATA_FLAG_CRITICAL); 101 POLICY_DATA_FLAG_CRITICAL);
104 if (!data) 102 if (!data)
105 goto bad_mapping; 103 goto bad_mapping;
106 data->qualifier_set = cache->anyPolicy->qualifier_set; 104 data->qualifier_set = cache->anyPolicy->qualifier_set;
107 /*map->issuerDomainPolicy = NULL;*/ 105 /*map->issuerDomainPolicy = NULL;*/
108 data->flags |= POLICY_DATA_FLAG_MAPPED_ANY; 106 data->flags |= POLICY_DATA_FLAG_MAPPED_ANY;
109 data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS; 107 data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
110 if (!sk_X509_POLICY_DATA_push(cache->data, data)) 108 if (!sk_X509_POLICY_DATA_push(cache->data, data)) {
111 {
112 policy_data_free(data); 109 policy_data_free(data);
113 goto bad_mapping; 110 goto bad_mapping;
114 }
115 } 111 }
116 else 112 } else
117 data->flags |= POLICY_DATA_FLAG_MAPPED; 113 data->flags |= POLICY_DATA_FLAG_MAPPED;
118 if (!sk_ASN1_OBJECT_push(data->expected_policy_set, 114 if (!sk_ASN1_OBJECT_push(data->expected_policy_set,
119 map->subjectDomainPolicy)) 115 map->subjectDomainPolicy))
120 goto bad_mapping; 116 goto bad_mapping;
121 map->subjectDomainPolicy = NULL; 117 map->subjectDomainPolicy = NULL;
122 118 }
123 }
124 119
125 ret = 1; 120 ret = 1;
126 bad_mapping: 121
122bad_mapping:
127 if (ret == -1) 123 if (ret == -1)
128 x->ex_flags |= EXFLAG_INVALID_POLICY; 124 x->ex_flags |= EXFLAG_INVALID_POLICY;
129 sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free); 125 sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free);
130 return ret; 126 return ret;
131 127}
132 }
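Review bot: The comment above policy_cache_set_mapping only says the function modifies `maps`, but the `bad_mapping` exit runs `sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free)` on every path, success included, so a caller that frees or reuses `maps` afterwards would be touching freed memory. The return convention is also undocumented: -1 for an empty mapping list or a mapping to or from anyPolicy (the only case that sets `EXFLAG_INVALID_POLICY`), 0 when `policy_data_new` or one of the stack pushes fails, and 1 on success. I would extend the comment to something like `/* Consumes maps: it is freed on every return. Returns 1 on success, 0 on internal failure, -1 on an invalid mapping (EXFLAG_INVALID_POLICY is set). */`. Part of the loop body lies between the two hunks and is not shown here.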
diff --git a/src/lib/libssl/src/crypto/x509v3/pcy_node.c b/src/lib/libssl/src/crypto/x509v3/pcy_node.c
index 8c2124a7f6..1742ab0d05 100644
--- a/src/lib/libssl/src/crypto/x509v3/pcy_node.c
+++ b/src/lib/libssl/src/crypto/x509v3/pcy_node.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -62,20 +62,20 @@
62 62
63#include "pcy_int.h" 63#include "pcy_int.h"
64 64
65static int node_cmp(const X509_POLICY_NODE * const *a, 65static int
66 const X509_POLICY_NODE * const *b) 66node_cmp(const X509_POLICY_NODE * const *a, const X509_POLICY_NODE * const *b)
67 { 67{
68 return OBJ_cmp((*a)->data->valid_policy, (*b)->data->valid_policy); 68 return OBJ_cmp((*a)->data->valid_policy, (*b)->data->valid_policy);
69 } 69}
70 70
71STACK_OF(X509_POLICY_NODE) *policy_node_cmp_new(void) 71STACK_OF(X509_POLICY_NODE) *policy_node_cmp_new(void)
72 { 72{
73 return sk_X509_POLICY_NODE_new(node_cmp); 73 return sk_X509_POLICY_NODE_new(node_cmp);
74 } 74}
75 75
76X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *nodes, 76X509_POLICY_NODE *
77 const ASN1_OBJECT *id) 77tree_find_sk(STACK_OF(X509_POLICY_NODE) *nodes, const ASN1_OBJECT *id)
78 { 78{
79 X509_POLICY_DATA n; 79 X509_POLICY_DATA n;
80 X509_POLICY_NODE l; 80 X509_POLICY_NODE l;
81 int idx; 81 int idx;
@@ -88,49 +88,43 @@ X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *nodes,
88 return NULL; 88 return NULL;
89 89
90 return sk_X509_POLICY_NODE_value(nodes, idx); 90 return sk_X509_POLICY_NODE_value(nodes, idx);
91}
91 92
92 } 93X509_POLICY_NODE *
93 94level_find_node(const X509_POLICY_LEVEL *level, const X509_POLICY_NODE *parent,
94X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level, 95 const ASN1_OBJECT *id)
95 const X509_POLICY_NODE *parent, 96{
96 const ASN1_OBJECT *id)
97 {
98 X509_POLICY_NODE *node; 97 X509_POLICY_NODE *node;
99 int i; 98 int i;
100 for (i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++) 99
101 { 100 for (i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++) {
102 node = sk_X509_POLICY_NODE_value(level->nodes, i); 101 node = sk_X509_POLICY_NODE_value(level->nodes, i);
103 if (node->parent == parent) 102 if (node->parent == parent) {
104 {
105 if (!OBJ_cmp(node->data->valid_policy, id)) 103 if (!OBJ_cmp(node->data->valid_policy, id))
106 return node; 104 return node;
107 }
108 } 105 }
109 return NULL;
110 } 106 }
107 return NULL;
108}
111 109
112X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, 110X509_POLICY_NODE *
113 const X509_POLICY_DATA *data, 111level_add_node(X509_POLICY_LEVEL *level, const X509_POLICY_DATA *data,
114 X509_POLICY_NODE *parent, 112 X509_POLICY_NODE *parent, X509_POLICY_TREE *tree)
115 X509_POLICY_TREE *tree) 113{
116 {
117 X509_POLICY_NODE *node; 114 X509_POLICY_NODE *node;
115
118 node = malloc(sizeof(X509_POLICY_NODE)); 116 node = malloc(sizeof(X509_POLICY_NODE));
119 if (!node) 117 if (!node)
120 return NULL; 118 return NULL;
121 node->data = data; 119 node->data = data;
122 node->parent = parent; 120 node->parent = parent;
123 node->nchild = 0; 121 node->nchild = 0;
124 if (level) 122 if (level) {
125 { 123 if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
126 if (OBJ_obj2nid(data->valid_policy) == NID_any_policy)
127 {
128 if (level->anyPolicy) 124 if (level->anyPolicy)
129 goto node_error; 125 goto node_error;
130 level->anyPolicy = node; 126 level->anyPolicy = node;
131 } 127 } else {
132 else
133 {
134 128
135 if (!level->nodes) 129 if (!level->nodes)
136 level->nodes = policy_node_cmp_new(); 130 level->nodes = policy_node_cmp_new();
@@ -138,60 +132,57 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
138 goto node_error; 132 goto node_error;
139 if (!sk_X509_POLICY_NODE_push(level->nodes, node)) 133 if (!sk_X509_POLICY_NODE_push(level->nodes, node))
140 goto node_error; 134 goto node_error;
141 }
142 } 135 }
136 }
143 137
144 if (tree) 138 if (tree) {
145 {
146 if (!tree->extra_data) 139 if (!tree->extra_data)
147 tree->extra_data = sk_X509_POLICY_DATA_new_null(); 140 tree->extra_data = sk_X509_POLICY_DATA_new_null();
148 if (!tree->extra_data) 141 if (!tree->extra_data)
149 goto node_error; 142 goto node_error;
150 if (!sk_X509_POLICY_DATA_push(tree->extra_data, data)) 143 if (!sk_X509_POLICY_DATA_push(tree->extra_data, data))
151 goto node_error; 144 goto node_error;
152 } 145 }
153 146
154 if (parent) 147 if (parent)
155 parent->nchild++; 148 parent->nchild++;
156 149
157 return node; 150 return node;
158 151
159 node_error: 152node_error:
160 policy_node_free(node); 153 policy_node_free(node);
161 return 0; 154 return 0;
155}
162 156
163 } 157void
164 158policy_node_free(X509_POLICY_NODE *node)
165void policy_node_free(X509_POLICY_NODE *node) 159{
166 {
167 free(node); 160 free(node);
168 } 161}
169 162
170/* See if a policy node matches a policy OID. If mapping enabled look through 163/* See if a policy node matches a policy OID. If mapping enabled look through
171 * expected policy set otherwise just valid policy. 164 * expected policy set otherwise just valid policy.
172 */ 165 */
173 166
174int policy_node_match(const X509_POLICY_LEVEL *lvl, 167int
175 const X509_POLICY_NODE *node, const ASN1_OBJECT *oid) 168policy_node_match(const X509_POLICY_LEVEL *lvl, const X509_POLICY_NODE *node,
176 { 169 const ASN1_OBJECT *oid)
170{
177 int i; 171 int i;
178 ASN1_OBJECT *policy_oid; 172 ASN1_OBJECT *policy_oid;
179 const X509_POLICY_DATA *x = node->data; 173 const X509_POLICY_DATA *x = node->data;
180 174
181 if ( (lvl->flags & X509_V_FLAG_INHIBIT_MAP) 175 if ((lvl->flags & X509_V_FLAG_INHIBIT_MAP) ||
182 || !(x->flags & POLICY_DATA_FLAG_MAP_MASK)) 176 !(x->flags & POLICY_DATA_FLAG_MAP_MASK)) {
183 {
184 if (!OBJ_cmp(x->valid_policy, oid)) 177 if (!OBJ_cmp(x->valid_policy, oid))
185 return 1; 178 return 1;
186 return 0; 179 return 0;
187 } 180 }
188 181
189 for (i = 0; i < sk_ASN1_OBJECT_num(x->expected_policy_set); i++) 182 for (i = 0; i < sk_ASN1_OBJECT_num(x->expected_policy_set); i++) {
190 {
191 policy_oid = sk_ASN1_OBJECT_value(x->expected_policy_set, i); 183 policy_oid = sk_ASN1_OBJECT_value(x->expected_policy_set, i);
192 if (!OBJ_cmp(policy_oid, oid)) 184 if (!OBJ_cmp(policy_oid, oid))
193 return 1; 185 return 1;
194 }
195 return 0;
196
197 } 186 }
187 return 0;
188}
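Review bot: In level_add_node the `node_error` path frees `node` while `level` may still point at it. By the time either `goto node_error` inside the `if (tree)` block runs, the node has already been stored in `level->anyPolicy` or pushed onto `level->nodes`, so a failed `extra_data` allocation or push leaves a dangling pointer in the level that later tree walks or teardown would presumably dereference or free again. This predates the reformatting, and the start of the function sits in the previous hunk. The two failures inside `if (tree)` should jump to a separate label that unlinks the node from the level before freeing it; the earlier failures must keep the plain path, since the node was never linked there and a pop would remove an unrelated entry. The trailing `return 0;` would also read better as `return NULL;` in a pointer-returning function.

```c
	/* … unchanged: allocation and linking node into level … */
	if (tree) {
		/* … unchanged: lazy creation of tree->extra_data … */
		if (!tree->extra_data)
			goto extra_data_error;
		if (!sk_X509_POLICY_DATA_push(tree->extra_data, data))
			goto extra_data_error;
	}
	/* … unchanged: parent->nchild++ and return node … */

extra_data_error:
	/* node is already linked into level here; unlink it before freeing */
	if (level) {
		if (level->anyPolicy == node)
			level->anyPolicy = NULL;
		else
			(void)sk_X509_POLICY_NODE_pop(level->nodes);
	}
node_error:
	policy_node_free(node);
	return NULL;
```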
diff --git a/src/lib/libssl/src/crypto/x509v3/pcy_tree.c b/src/lib/libssl/src/crypto/x509v3/pcy_tree.c
index c4239b1fd9..ebc4809371 100644
--- a/src/lib/libssl/src/crypto/x509v3/pcy_tree.c
+++ b/src/lib/libssl/src/crypto/x509v3/pcy_tree.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -70,36 +70,36 @@
70 70
71#ifdef OPENSSL_POLICY_DEBUG 71#ifdef OPENSSL_POLICY_DEBUG
72 72
73static void expected_print(BIO *err, X509_POLICY_LEVEL *lev, 73static void
74 X509_POLICY_NODE *node, int indent) 74expected_print(BIO *err, X509_POLICY_LEVEL *lev, X509_POLICY_NODE *node,
75 { 75 int indent)
76 if ( (lev->flags & X509_V_FLAG_INHIBIT_MAP) 76{
77 || !(node->data->flags & POLICY_DATA_FLAG_MAP_MASK)) 77 if ((lev->flags & X509_V_FLAG_INHIBIT_MAP) ||
78 !(node->data->flags & POLICY_DATA_FLAG_MAP_MASK))
78 BIO_puts(err, " Not Mapped\n"); 79 BIO_puts(err, " Not Mapped\n");
79 else 80 else {
80 {
81 int i; 81 int i;
82 STACK_OF(ASN1_OBJECT) *pset = node->data->expected_policy_set; 82 STACK_OF(ASN1_OBJECT) *pset = node->data->expected_policy_set;
83 ASN1_OBJECT *oid; 83 ASN1_OBJECT *oid;
84 BIO_puts(err, " Expected: "); 84 BIO_puts(err, " Expected: ");
85 for (i = 0; i < sk_ASN1_OBJECT_num(pset); i++) 85 for (i = 0; i < sk_ASN1_OBJECT_num(pset); i++) {
86 {
87 oid = sk_ASN1_OBJECT_value(pset, i); 86 oid = sk_ASN1_OBJECT_value(pset, i);
88 if (i) 87 if (i)
89 BIO_puts(err, ", "); 88 BIO_puts(err, ", ");
90 i2a_ASN1_OBJECT(err, oid); 89 i2a_ASN1_OBJECT(err, oid);
91 }
92 BIO_puts(err, "\n");
93 } 90 }
91 BIO_puts(err, "\n");
94 } 92 }
93}
95 94
96static void tree_print(char *str, X509_POLICY_TREE *tree, 95static void
97 X509_POLICY_LEVEL *curr) 96tree_print(char *str, X509_POLICY_TREE *tree, X509_POLICY_LEVEL *curr)
98 { 97{
99 X509_POLICY_LEVEL *plev; 98 X509_POLICY_LEVEL *plev;
100 X509_POLICY_NODE *node; 99 X509_POLICY_NODE *node;
101 int i; 100 int i;
102 BIO *err; 101 BIO *err;
102
103 err = BIO_new_fp(stderr, BIO_NOCLOSE); 103 err = BIO_new_fp(stderr, BIO_NOCLOSE);
104 if (!curr) 104 if (!curr)
105 curr = tree->levels + tree->nlevel; 105 curr = tree->levels + tree->nlevel;
@@ -107,24 +107,21 @@ static void tree_print(char *str, X509_POLICY_TREE *tree,
107 curr++; 107 curr++;
108 BIO_printf(err, "Level print after %s\n", str); 108 BIO_printf(err, "Level print after %s\n", str);
109 BIO_printf(err, "Printing Up to Level %ld\n", curr - tree->levels); 109 BIO_printf(err, "Printing Up to Level %ld\n", curr - tree->levels);
110 for (plev = tree->levels; plev != curr; plev++) 110 for (plev = tree->levels; plev != curr; plev++) {
111 {
112 BIO_printf(err, "Level %ld, flags = %x\n", 111 BIO_printf(err, "Level %ld, flags = %x\n",
113 plev - tree->levels, plev->flags); 112 plev - tree->levels, plev->flags);
114 for (i = 0; i < sk_X509_POLICY_NODE_num(plev->nodes); i++) 113 for (i = 0; i < sk_X509_POLICY_NODE_num(plev->nodes); i++) {
115 {
116 node = sk_X509_POLICY_NODE_value(plev->nodes, i); 114 node = sk_X509_POLICY_NODE_value(plev->nodes, i);
117 X509_POLICY_NODE_print(err, node, 2); 115 X509_POLICY_NODE_print(err, node, 2);
118 expected_print(err, plev, node, 2); 116 expected_print(err, plev, node, 2);
119 BIO_printf(err, " Flags: %x\n", node->data->flags); 117 BIO_printf(err, " Flags: %x\n", node->data->flags);
120 } 118 }
121 if (plev->anyPolicy) 119 if (plev->anyPolicy)
122 X509_POLICY_NODE_print(err, plev->anyPolicy, 2); 120 X509_POLICY_NODE_print(err, plev->anyPolicy, 2);
123 } 121 }
124 122
125 BIO_free(err); 123 BIO_free(err);
126 124}
127 }
128#else 125#else
129 126
130#define tree_print(a,b,c) /* */ 127#define tree_print(a,b,c) /* */
@@ -140,9 +137,9 @@ static void tree_print(char *str, X509_POLICY_TREE *tree,
140 * 6 Tree empty and requireExplicitPolicy true. 137 * 6 Tree empty and requireExplicitPolicy true.
141 */ 138 */
142 139
143static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, 140static int
144 unsigned int flags) 141tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, unsigned int flags)
145 { 142{
146 X509_POLICY_TREE *tree; 143 X509_POLICY_TREE *tree;
147 X509_POLICY_LEVEL *level; 144 X509_POLICY_LEVEL *level;
148 const X509_POLICY_CACHE *cache; 145 const X509_POLICY_CACHE *cache;
@@ -153,6 +150,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
153 int explicit_policy; 150 int explicit_policy;
154 int any_skip; 151 int any_skip;
155 int map_skip; 152 int map_skip;
153
156 *ptree = NULL; 154 *ptree = NULL;
157 n = sk_X509_num(certs); 155 n = sk_X509_num(certs);
158 156
@@ -183,8 +181,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
183 * trust anchor. Note any bad cache results on the way. Also can 181 * trust anchor. Note any bad cache results on the way. Also can
184 * calculate explicit_policy value at this point. 182 * calculate explicit_policy value at this point.
185 */ 183 */
186 for (i = n - 2; i >= 0; i--) 184 for (i = n - 2; i >= 0; i--) {
187 {
188 x = sk_X509_value(certs, i); 185 x = sk_X509_value(certs, i);
189 X509_check_purpose(x, -1, -1); 186 X509_check_purpose(x, -1, -1);
190 cache = policy_cache_set(x); 187 cache = policy_cache_set(x);
@@ -199,22 +196,20 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
199 */ 196 */
200 else if ((ret == 1) && !cache->data) 197 else if ((ret == 1) && !cache->data)
201 ret = 2; 198 ret = 2;
202 if (explicit_policy > 0) 199 if (explicit_policy > 0) {
203 {
204 if (!(x->ex_flags & EXFLAG_SI)) 200 if (!(x->ex_flags & EXFLAG_SI))
205 explicit_policy--; 201 explicit_policy--;
206 if ((cache->explicit_skip != -1) 202 if ((cache->explicit_skip != -1) &&
207 && (cache->explicit_skip < explicit_policy)) 203 (cache->explicit_skip < explicit_policy))
208 explicit_policy = cache->explicit_skip; 204 explicit_policy = cache->explicit_skip;
209 }
210 } 205 }
206 }
211 207
212 if (ret != 1) 208 if (ret != 1) {
213 {
214 if (ret == 2 && !explicit_policy) 209 if (ret == 2 && !explicit_policy)
215 return 6; 210 return 6;
216 return ret; 211 return ret;
217 } 212 }
218 213
219 214
220 /* If we get this far initialize the tree */ 215 /* If we get this far initialize the tree */
@@ -231,11 +226,10 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
231 tree->auth_policies = NULL; 226 tree->auth_policies = NULL;
232 tree->user_policies = NULL; 227 tree->user_policies = NULL;
233 228
234 if (!tree->levels) 229 if (!tree->levels) {
235 {
236 free(tree); 230 free(tree);
237 return 0; 231 return 0;
238 } 232 }
239 233
240 memset(tree->levels, 0, n * sizeof(X509_POLICY_LEVEL)); 234 memset(tree->levels, 0, n * sizeof(X509_POLICY_LEVEL));
241 235
@@ -250,8 +244,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
250 if (!data || !level_add_node(level, data, NULL, tree)) 244 if (!data || !level_add_node(level, data, NULL, tree))
251 goto bad_tree; 245 goto bad_tree;
252 246
253 for (i = n - 2; i >= 0; i--) 247 for (i = n - 2; i >= 0; i--) {
254 {
255 level++; 248 level++;
256 x = sk_X509_value(certs, i); 249 x = sk_X509_value(certs, i);
257 cache = policy_cache_set(x); 250 cache = policy_cache_set(x);
@@ -259,39 +252,35 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
259 level->cert = x; 252 level->cert = x;
260 253
261 if (!cache->anyPolicy) 254 if (!cache->anyPolicy)
262 level->flags |= X509_V_FLAG_INHIBIT_ANY; 255 level->flags |= X509_V_FLAG_INHIBIT_ANY;
263 256
264 /* Determine inhibit any and inhibit map flags */ 257 /* Determine inhibit any and inhibit map flags */
265 if (any_skip == 0) 258 if (any_skip == 0) {
266 {
267 /* Any matching allowed if certificate is self 259 /* Any matching allowed if certificate is self
268 * issued and not the last in the chain. 260 * issued and not the last in the chain.
269 */ 261 */
270 if (!(x->ex_flags & EXFLAG_SI) || (i == 0)) 262 if (!(x->ex_flags & EXFLAG_SI) || (i == 0))
271 level->flags |= X509_V_FLAG_INHIBIT_ANY; 263 level->flags |= X509_V_FLAG_INHIBIT_ANY;
272 } 264 } else {
273 else
274 {
275 if (!(x->ex_flags & EXFLAG_SI)) 265 if (!(x->ex_flags & EXFLAG_SI))
276 any_skip--; 266 any_skip--;
277 if ((cache->any_skip >= 0) 267 if ((cache->any_skip >= 0) &&
278 && (cache->any_skip < any_skip)) 268 (cache->any_skip < any_skip))
279 any_skip = cache->any_skip; 269 any_skip = cache->any_skip;
280 } 270 }
281 271
282 if (map_skip == 0) 272 if (map_skip == 0)
283 level->flags |= X509_V_FLAG_INHIBIT_MAP; 273 level->flags |= X509_V_FLAG_INHIBIT_MAP;
284 else 274 else {
285 {
286 if (!(x->ex_flags & EXFLAG_SI)) 275 if (!(x->ex_flags & EXFLAG_SI))
287 map_skip--; 276 map_skip--;
288 if ((cache->map_skip >= 0) 277 if ((cache->map_skip >= 0) &&
289 && (cache->map_skip < map_skip)) 278 (cache->map_skip < map_skip))
290 map_skip = cache->map_skip; 279 map_skip = cache->map_skip;
291 }
292
293 } 280 }
294 281
282 }
283
295 *ptree = tree; 284 *ptree = tree;
296 285
297 if (explicit_policy) 286 if (explicit_policy)
@@ -299,55 +288,50 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
299 else 288 else
300 return 5; 289 return 5;
301 290
302 bad_tree: 291bad_tree:
303
304 X509_policy_tree_free(tree); 292 X509_policy_tree_free(tree);
305 293
306 return 0; 294 return 0;
295}
307 296
308 } 297static int
309 298tree_link_matching_nodes(X509_POLICY_LEVEL *curr, const X509_POLICY_DATA *data)
310static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, 299{
311 const X509_POLICY_DATA *data)
312 {
313 X509_POLICY_LEVEL *last = curr - 1; 300 X509_POLICY_LEVEL *last = curr - 1;
314 X509_POLICY_NODE *node; 301 X509_POLICY_NODE *node;
315 int i, matched = 0; 302 int i, matched = 0;
303
316 /* Iterate through all in nodes linking matches */ 304 /* Iterate through all in nodes linking matches */
317 for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++) 305 for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++) {
318 {
319 node = sk_X509_POLICY_NODE_value(last->nodes, i); 306 node = sk_X509_POLICY_NODE_value(last->nodes, i);
320 if (policy_node_match(last, node, data->valid_policy)) 307 if (policy_node_match(last, node, data->valid_policy)) {
321 {
322 if (!level_add_node(curr, data, node, NULL)) 308 if (!level_add_node(curr, data, node, NULL))
323 return 0; 309 return 0;
324 matched = 1; 310 matched = 1;
325 }
326 } 311 }
327 if (!matched && last->anyPolicy) 312 }
328 { 313 if (!matched && last->anyPolicy) {
329 if (!level_add_node(curr, data, last->anyPolicy, NULL)) 314 if (!level_add_node(curr, data, last->anyPolicy, NULL))
330 return 0; 315 return 0;
331 }
332 return 1;
333 } 316 }
317 return 1;
318}
334 319
335/* This corresponds to RFC3280 6.1.3(d)(1): 320/* This corresponds to RFC3280 6.1.3(d)(1):
336 * link any data from CertificatePolicies onto matching parent 321 * link any data from CertificatePolicies onto matching parent
337 * or anyPolicy if no match. 322 * or anyPolicy if no match.
338 */ 323 */
339 324
340static int tree_link_nodes(X509_POLICY_LEVEL *curr, 325static int
341 const X509_POLICY_CACHE *cache) 326tree_link_nodes(X509_POLICY_LEVEL *curr, const X509_POLICY_CACHE *cache)
342 { 327{
343 int i; 328 int i;
344 X509_POLICY_DATA *data; 329 X509_POLICY_DATA *data;
345 330
346 for (i = 0; i < sk_X509_POLICY_DATA_num(cache->data); i++) 331 for (i = 0; i < sk_X509_POLICY_DATA_num(cache->data); i++) {
347 {
348 data = sk_X509_POLICY_DATA_value(cache->data, i); 332 data = sk_X509_POLICY_DATA_value(cache->data, i);
349 /* If a node is mapped any it doesn't have a corresponding 333 /* If a node is mapped any it doesn't have a corresponding
350 * CertificatePolicies entry. 334 * CertificatePolicies entry.
351 * However such an identical node would be created 335 * However such an identical node would be created
352 * if anyPolicy matching is enabled because there would be 336 * if anyPolicy matching is enabled because there would be
353 * no match with the parent valid_policy_set. So we create 337 * no match with the parent valid_policy_set. So we create
@@ -355,29 +339,28 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr,
355 * right and we can prune it later. 339 * right and we can prune it later.
356 */ 340 */
357#if 0 341#if 0
358 if ((data->flags & POLICY_DATA_FLAG_MAPPED_ANY) 342 if ((data->flags & POLICY_DATA_FLAG_MAPPED_ANY) &&
359 && !(curr->flags & X509_V_FLAG_INHIBIT_ANY)) 343 !(curr->flags & X509_V_FLAG_INHIBIT_ANY))
360 continue; 344 continue;
361#endif 345#endif
362 /* Look for matching nodes in previous level */ 346 /* Look for matching nodes in previous level */
363 if (!tree_link_matching_nodes(curr, data)) 347 if (!tree_link_matching_nodes(curr, data))
364 return 0; 348 return 0;
365 }
366 return 1;
367 } 349 }
350 return 1;
351}
368 352
369/* This corresponds to RFC3280 6.1.3(d)(2): 353/* This corresponds to RFC3280 6.1.3(d)(2):
370 * Create new data for any unmatched policies in the parent and link 354 * Create new data for any unmatched policies in the parent and link
371 * to anyPolicy. 355 * to anyPolicy.
372 */ 356 */
373 357
374static int tree_add_unmatched(X509_POLICY_LEVEL *curr, 358static int
375 const X509_POLICY_CACHE *cache, 359tree_add_unmatched(X509_POLICY_LEVEL *curr, const X509_POLICY_CACHE *cache,
376 const ASN1_OBJECT *id, 360 const ASN1_OBJECT *id, X509_POLICY_NODE *node, X509_POLICY_TREE *tree)
377 X509_POLICY_NODE *node, 361{
378 X509_POLICY_TREE *tree)
379 {
380 X509_POLICY_DATA *data; 362 X509_POLICY_DATA *data;
363
381 if (id == NULL) 364 if (id == NULL)
382 id = node->data->valid_policy; 365 id = node->data->valid_policy;
383 /* Create a new node with qualifiers from anyPolicy and 366 /* Create a new node with qualifiers from anyPolicy and
@@ -390,66 +373,57 @@ static int tree_add_unmatched(X509_POLICY_LEVEL *curr,
390 /* Curr may not have anyPolicy */ 373 /* Curr may not have anyPolicy */
391 data->qualifier_set = cache->anyPolicy->qualifier_set; 374 data->qualifier_set = cache->anyPolicy->qualifier_set;
392 data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS; 375 data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
393 if (!level_add_node(curr, data, node, tree)) 376 if (!level_add_node(curr, data, node, tree)) {
394 {
395 policy_data_free(data); 377 policy_data_free(data);
396 return 0; 378 return 0;
397 } 379 }
398 380
399 return 1; 381 return 1;
400 } 382}
401 383
402static int tree_link_unmatched(X509_POLICY_LEVEL *curr, 384static int
403 const X509_POLICY_CACHE *cache, 385tree_link_unmatched(X509_POLICY_LEVEL *curr, const X509_POLICY_CACHE *cache,
404 X509_POLICY_NODE *node, 386 X509_POLICY_NODE *node, X509_POLICY_TREE *tree)
405 X509_POLICY_TREE *tree) 387{
406 {
407 const X509_POLICY_LEVEL *last = curr - 1; 388 const X509_POLICY_LEVEL *last = curr - 1;
408 int i; 389 int i;
409 390
410 if ( (last->flags & X509_V_FLAG_INHIBIT_MAP) 391 if ((last->flags & X509_V_FLAG_INHIBIT_MAP) ||
411 || !(node->data->flags & POLICY_DATA_FLAG_MAPPED)) 392 !(node->data->flags & POLICY_DATA_FLAG_MAPPED)) {
412 {
413 /* If no policy mapping: matched if one child present */ 393 /* If no policy mapping: matched if one child present */
414 if (node->nchild) 394 if (node->nchild)
415 return 1; 395 return 1;
416 if (!tree_add_unmatched(curr, cache, NULL, node, tree)) 396 if (!tree_add_unmatched(curr, cache, NULL, node, tree))
417 return 0; 397 return 0;
418 /* Add it */ 398 /* Add it */
419 } 399 } else {
420 else
421 {
422 /* If mapping: matched if one child per expected policy set */ 400 /* If mapping: matched if one child per expected policy set */
423 STACK_OF(ASN1_OBJECT) *expset = node->data->expected_policy_set; 401 STACK_OF(ASN1_OBJECT) *expset = node->data->expected_policy_set;
424 if (node->nchild == sk_ASN1_OBJECT_num(expset)) 402 if (node->nchild == sk_ASN1_OBJECT_num(expset))
425 return 1; 403 return 1;
426 /* Locate unmatched nodes */ 404 /* Locate unmatched nodes */
427 for (i = 0; i < sk_ASN1_OBJECT_num(expset); i++) 405 for (i = 0; i < sk_ASN1_OBJECT_num(expset); i++) {
428 {
429 ASN1_OBJECT *oid = sk_ASN1_OBJECT_value(expset, i); 406 ASN1_OBJECT *oid = sk_ASN1_OBJECT_value(expset, i);
430 if (level_find_node(curr, node, oid)) 407 if (level_find_node(curr, node, oid))
431 continue; 408 continue;
432 if (!tree_add_unmatched(curr, cache, oid, node, tree)) 409 if (!tree_add_unmatched(curr, cache, oid, node, tree))
433 return 0; 410 return 0;
434 }
435
436 } 411 }
412 }
437 413
438 return 1; 414 return 1;
415}
439 416
440 } 417static int
441 418tree_link_any(X509_POLICY_LEVEL *curr, const X509_POLICY_CACHE *cache,
442static int tree_link_any(X509_POLICY_LEVEL *curr, 419 X509_POLICY_TREE *tree)
443 const X509_POLICY_CACHE *cache, 420{
444 X509_POLICY_TREE *tree)
445 {
446 int i; 421 int i;
447 /*X509_POLICY_DATA *data;*/ 422 /*X509_POLICY_DATA *data;*/
448 X509_POLICY_NODE *node; 423 X509_POLICY_NODE *node;
449 X509_POLICY_LEVEL *last = curr - 1; 424 X509_POLICY_LEVEL *last = curr - 1;
450 425
451 for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++) 426 for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++) {
452 {
453 node = sk_X509_POLICY_NODE_value(last->nodes, i); 427 node = sk_X509_POLICY_NODE_value(last->nodes, i);
454 428
455 if (!tree_link_unmatched(curr, cache, node, tree)) 429 if (!tree_link_unmatched(curr, cache, node, tree))
@@ -461,7 +435,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
461 * nodes. 435 * nodes.
462 * 436 *
463 * Note: need something better for policy mapping 437 * Note: need something better for policy mapping
464 * because each node may have multiple children 438 * because each node may have multiple children
465 */ 439 */
466 if (node->nchild) 440 if (node->nchild)
467 continue; 441 continue;
@@ -469,110 +443,99 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
469 /* Create a new node with qualifiers from anyPolicy and 443 /* Create a new node with qualifiers from anyPolicy and
470 * id from unmatched node. 444 * id from unmatched node.
471 */ 445 */
472 data = policy_data_new(NULL, node->data->valid_policy, 446 data = policy_data_new(NULL, node->data->valid_policy,
473 node_critical(node)); 447 node_critical(node));
474 448
475 if (data == NULL) 449 if (data == NULL)
476 return 0; 450 return 0;
477 /* Curr may not have anyPolicy */ 451 /* Curr may not have anyPolicy */
478 data->qualifier_set = cache->anyPolicy->qualifier_set; 452 data->qualifier_set = cache->anyPolicy->qualifier_set;
479 data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS; 453 data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
480 if (!level_add_node(curr, data, node, tree)) 454 if (!level_add_node(curr, data, node, tree)) {
481 {
482 policy_data_free(data); 455 policy_data_free(data);
483 return 0; 456 return 0;
484 } 457 }
485 458
486#endif 459#endif
487 460
488 } 461 }
489 /* Finally add link to anyPolicy */ 462 /* Finally add link to anyPolicy */
490 if (last->anyPolicy) 463 if (last->anyPolicy) {
491 {
492 if (!level_add_node(curr, cache->anyPolicy, 464 if (!level_add_node(curr, cache->anyPolicy,
493 last->anyPolicy, NULL)) 465 last->anyPolicy, NULL))
494 return 0; 466 return 0;
495 }
496 return 1;
497 } 467 }
468 return 1;
469}
498 470
499/* Prune the tree: delete any child mapped child data on the current level 471/* Prune the tree: delete any child mapped child data on the current level
500 * then proceed up the tree deleting any data with no children. If we ever 472 * then proceed up the tree deleting any data with no children. If we ever
501 * have no data on a level we can halt because the tree will be empty. 473 * have no data on a level we can halt because the tree will be empty.
502 */ 474 */
503 475
504static int tree_prune(X509_POLICY_TREE *tree, X509_POLICY_LEVEL *curr) 476static int
505 { 477tree_prune(X509_POLICY_TREE *tree, X509_POLICY_LEVEL *curr)
478{
506 STACK_OF(X509_POLICY_NODE) *nodes; 479 STACK_OF(X509_POLICY_NODE) *nodes;
507 X509_POLICY_NODE *node; 480 X509_POLICY_NODE *node;
508 int i; 481 int i;
482
509 nodes = curr->nodes; 483 nodes = curr->nodes;
510 if (curr->flags & X509_V_FLAG_INHIBIT_MAP) 484 if (curr->flags & X509_V_FLAG_INHIBIT_MAP) {
511 { 485 for (i = sk_X509_POLICY_NODE_num(nodes) - 1; i >= 0; i--) {
512 for (i = sk_X509_POLICY_NODE_num(nodes) - 1; i >= 0; i--)
513 {
514 node = sk_X509_POLICY_NODE_value(nodes, i); 486 node = sk_X509_POLICY_NODE_value(nodes, i);
515 /* Delete any mapped data: see RFC3280 XXXX */ 487 /* Delete any mapped data: see RFC3280 XXXX */
516 if (node->data->flags & POLICY_DATA_FLAG_MAP_MASK) 488 if (node->data->flags & POLICY_DATA_FLAG_MAP_MASK) {
517 {
518 node->parent->nchild--; 489 node->parent->nchild--;
519 free(node); 490 free(node);
520 (void)sk_X509_POLICY_NODE_delete(nodes,i); 491 (void)sk_X509_POLICY_NODE_delete(nodes, i);
521 }
522 } 492 }
523 } 493 }
494 }
524 495
525 for(;;) { 496 for (;;) {
526 --curr; 497 --curr;
527 nodes = curr->nodes; 498 nodes = curr->nodes;
528 for (i = sk_X509_POLICY_NODE_num(nodes) - 1; i >= 0; i--) 499 for (i = sk_X509_POLICY_NODE_num(nodes) - 1; i >= 0; i--) {
529 {
530 node = sk_X509_POLICY_NODE_value(nodes, i); 500 node = sk_X509_POLICY_NODE_value(nodes, i);
531 if (node->nchild == 0) 501 if (node->nchild == 0) {
532 {
533 node->parent->nchild--; 502 node->parent->nchild--;
534 free(node); 503 free(node);
535 (void)sk_X509_POLICY_NODE_delete(nodes, i); 504 (void)sk_X509_POLICY_NODE_delete(nodes, i);
536 }
537 } 505 }
538 if (curr->anyPolicy && !curr->anyPolicy->nchild) 506 }
539 { 507 if (curr->anyPolicy && !curr->anyPolicy->nchild) {
540 if (curr->anyPolicy->parent) 508 if (curr->anyPolicy->parent)
541 curr->anyPolicy->parent->nchild--; 509 curr->anyPolicy->parent->nchild--;
542 free(curr->anyPolicy); 510 free(curr->anyPolicy);
543 curr->anyPolicy = NULL; 511 curr->anyPolicy = NULL;
544 } 512 }
545 if (curr == tree->levels) 513 if (curr == tree->levels) {
546 {
547 /* If we zapped anyPolicy at top then tree is empty */ 514 /* If we zapped anyPolicy at top then tree is empty */
548 if (!curr->anyPolicy) 515 if (!curr->anyPolicy)
549 return 2; 516 return 2;
550 return 1; 517 return 1;
551 }
552 } 518 }
519 }
553 520
554 return 1; 521 return 1;
522}
555 523
556 } 524static int
557 525tree_add_auth_node(STACK_OF(X509_POLICY_NODE) **pnodes, X509_POLICY_NODE *pcy)
558static int tree_add_auth_node(STACK_OF(X509_POLICY_NODE) **pnodes, 526{
559 X509_POLICY_NODE *pcy) 527 if (!*pnodes) {
560 {
561 if (!*pnodes)
562 {
563 *pnodes = policy_node_cmp_new(); 528 *pnodes = policy_node_cmp_new();
564 if (!*pnodes) 529 if (!*pnodes)
565 return 0; 530 return 0;
566 } 531 } else if (sk_X509_POLICY_NODE_find(*pnodes, pcy) != -1)
567 else if (sk_X509_POLICY_NODE_find(*pnodes, pcy) != -1)
568 return 1; 532 return 1;
569 533
570 if (!sk_X509_POLICY_NODE_push(*pnodes, pcy)) 534 if (!sk_X509_POLICY_NODE_push(*pnodes, pcy))
571 return 0; 535 return 0;
572 536
573 return 1; 537 return 1;
574 538}
575 }
576 539
577/* Calculate the authority set based on policy tree. 540/* Calculate the authority set based on policy tree.
578 * The 'pnodes' parameter is used as a store for the set of policy nodes 541 * The 'pnodes' parameter is used as a store for the set of policy nodes
@@ -583,43 +546,41 @@ static int tree_add_auth_node(STACK_OF(X509_POLICY_NODE) **pnodes,
583 * that pnodes should be freed. 546 * that pnodes should be freed.
584 */ 547 */
585 548
586static int tree_calculate_authority_set(X509_POLICY_TREE *tree, 549static int
587 STACK_OF(X509_POLICY_NODE) **pnodes) 550tree_calculate_authority_set(X509_POLICY_TREE *tree,
588 { 551 STACK_OF(X509_POLICY_NODE) **pnodes)
552{
589 X509_POLICY_LEVEL *curr; 553 X509_POLICY_LEVEL *curr;
590 X509_POLICY_NODE *node, *anyptr; 554 X509_POLICY_NODE *node, *anyptr;
591 STACK_OF(X509_POLICY_NODE) **addnodes; 555 STACK_OF(X509_POLICY_NODE) **addnodes;
592 int i, j; 556 int i, j;
557
593 curr = tree->levels + tree->nlevel - 1; 558 curr = tree->levels + tree->nlevel - 1;
594 559
595 /* If last level contains anyPolicy set is anyPolicy */ 560 /* If last level contains anyPolicy set is anyPolicy */
596 if (curr->anyPolicy) 561 if (curr->anyPolicy) {
597 {
598 if (!tree_add_auth_node(&tree->auth_policies, curr->anyPolicy)) 562 if (!tree_add_auth_node(&tree->auth_policies, curr->anyPolicy))
599 return 0; 563 return 0;
600 addnodes = pnodes; 564 addnodes = pnodes;
601 } 565 } else
602 else
603 /* Add policies to authority set */ 566 /* Add policies to authority set */
604 addnodes = &tree->auth_policies; 567 addnodes = &tree->auth_policies;
605 568
606 curr = tree->levels; 569 curr = tree->levels;
607 for (i = 1; i < tree->nlevel; i++) 570 for (i = 1; i < tree->nlevel; i++) {
608 {
609 /* If no anyPolicy node on this this level it can't 571 /* If no anyPolicy node on this this level it can't
610 * appear on lower levels so end search. 572 * appear on lower levels so end search.
611 */ 573 */
612 if (!(anyptr = curr->anyPolicy)) 574 if (!(anyptr = curr->anyPolicy))
613 break; 575 break;
614 curr++; 576 curr++;
615 for (j = 0; j < sk_X509_POLICY_NODE_num(curr->nodes); j++) 577 for (j = 0; j < sk_X509_POLICY_NODE_num(curr->nodes); j++) {
616 {
617 node = sk_X509_POLICY_NODE_value(curr->nodes, j); 578 node = sk_X509_POLICY_NODE_value(curr->nodes, j);
618 if ((node->parent == anyptr) 579 if ((node->parent == anyptr) &&
619 && !tree_add_auth_node(addnodes, node)) 580 !tree_add_auth_node(addnodes, node))
620 return 0; 581 return 0;
621 }
622 } 582 }
583 }
623 584
624 if (addnodes == pnodes) 585 if (addnodes == pnodes)
625 return 2; 586 return 2;
@@ -627,16 +588,15 @@ static int tree_calculate_authority_set(X509_POLICY_TREE *tree,
627 *pnodes = tree->auth_policies; 588 *pnodes = tree->auth_policies;
628 589
629 return 1; 590 return 1;
630 } 591}
631 592
632static int tree_calculate_user_set(X509_POLICY_TREE *tree, 593static int
633 STACK_OF(ASN1_OBJECT) *policy_oids, 594tree_calculate_user_set(X509_POLICY_TREE *tree,
634 STACK_OF(X509_POLICY_NODE) *auth_nodes) 595 STACK_OF(ASN1_OBJECT) *policy_oids, STACK_OF(X509_POLICY_NODE) *auth_nodes)
635 { 596{
636 int i; 597 int i;
637 X509_POLICY_NODE *node; 598 X509_POLICY_NODE *node;
638 ASN1_OBJECT *oid; 599 ASN1_OBJECT *oid;
639
640 X509_POLICY_NODE *anyPolicy; 600 X509_POLICY_NODE *anyPolicy;
641 X509_POLICY_DATA *extra; 601 X509_POLICY_DATA *extra;
642 602
@@ -649,84 +609,78 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree,
649 609
650 anyPolicy = tree->levels[tree->nlevel - 1].anyPolicy; 610 anyPolicy = tree->levels[tree->nlevel - 1].anyPolicy;
651 611
652 for (i = 0; i < sk_ASN1_OBJECT_num(policy_oids); i++) 612 for (i = 0; i < sk_ASN1_OBJECT_num(policy_oids); i++) {
653 {
654 oid = sk_ASN1_OBJECT_value(policy_oids, i); 613 oid = sk_ASN1_OBJECT_value(policy_oids, i);
655 if (OBJ_obj2nid(oid) == NID_any_policy) 614 if (OBJ_obj2nid(oid) == NID_any_policy) {
656 {
657 tree->flags |= POLICY_FLAG_ANY_POLICY; 615 tree->flags |= POLICY_FLAG_ANY_POLICY;
658 return 1; 616 return 1;
659 }
660 } 617 }
618 }
661 619
662 for (i = 0; i < sk_ASN1_OBJECT_num(policy_oids); i++) 620 for (i = 0; i < sk_ASN1_OBJECT_num(policy_oids); i++) {
663 {
664 oid = sk_ASN1_OBJECT_value(policy_oids, i); 621 oid = sk_ASN1_OBJECT_value(policy_oids, i);
665 node = tree_find_sk(auth_nodes, oid); 622 node = tree_find_sk(auth_nodes, oid);
666 if (!node) 623 if (!node) {
667 {
668 if (!anyPolicy) 624 if (!anyPolicy)
669 continue; 625 continue;
670 /* Create a new node with policy ID from user set 626 /* Create a new node with policy ID from user set
671 * and qualifiers from anyPolicy. 627 * and qualifiers from anyPolicy.
672 */ 628 */
673 extra = policy_data_new(NULL, oid, 629 extra = policy_data_new(NULL, oid,
674 node_critical(anyPolicy)); 630 node_critical(anyPolicy));
675 if (!extra) 631 if (!extra)
676 return 0; 632 return 0;
677 extra->qualifier_set = anyPolicy->data->qualifier_set; 633 extra->qualifier_set = anyPolicy->data->qualifier_set;
678 extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS 634 extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS |
679 | POLICY_DATA_FLAG_EXTRA_NODE; 635 POLICY_DATA_FLAG_EXTRA_NODE;
680 node = level_add_node(NULL, extra, anyPolicy->parent, 636 node = level_add_node(NULL, extra, anyPolicy->parent,
681 tree); 637 tree);
682 } 638 }
683 if (!tree->user_policies) 639 if (!tree->user_policies) {
684 {
685 tree->user_policies = sk_X509_POLICY_NODE_new_null(); 640 tree->user_policies = sk_X509_POLICY_NODE_new_null();
686 if (!tree->user_policies) 641 if (!tree->user_policies)
687 return 1; 642 return 1;
688 } 643 }
689 if (!sk_X509_POLICY_NODE_push(tree->user_policies, node)) 644 if (!sk_X509_POLICY_NODE_push(tree->user_policies, node))
690 return 0; 645 return 0;
691 }
692 return 1;
693
694 } 646 }
647 return 1;
648}
695 649
696static int tree_evaluate(X509_POLICY_TREE *tree) 650static int
697 { 651tree_evaluate(X509_POLICY_TREE *tree)
652{
698 int ret, i; 653 int ret, i;
699 X509_POLICY_LEVEL *curr = tree->levels + 1; 654 X509_POLICY_LEVEL *curr = tree->levels + 1;
700 const X509_POLICY_CACHE *cache; 655 const X509_POLICY_CACHE *cache;
701 656
702 for(i = 1; i < tree->nlevel; i++, curr++) 657 for (i = 1; i < tree->nlevel; i++, curr++) {
703 {
704 cache = policy_cache_set(curr->cert); 658 cache = policy_cache_set(curr->cert);
705 if (!tree_link_nodes(curr, cache)) 659 if (!tree_link_nodes(curr, cache))
706 return 0; 660 return 0;
707 661
708 if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY) 662 if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY) &&
709 && !tree_link_any(curr, cache, tree)) 663 !tree_link_any(curr, cache, tree))
710 return 0; 664 return 0;
711 tree_print("before tree_prune()", tree, curr); 665 tree_print("before tree_prune()", tree, curr);
712 ret = tree_prune(tree, curr); 666 ret = tree_prune(tree, curr);
713 if (ret != 1) 667 if (ret != 1)
714 return ret; 668 return ret;
715 } 669 }
716 670
717 return 1; 671 return 1;
672}
718 673
719 } 674static void
720 675exnode_free(X509_POLICY_NODE *node)
721static void exnode_free(X509_POLICY_NODE *node) 676{
722 {
723 if (node->data && (node->data->flags & POLICY_DATA_FLAG_EXTRA_NODE)) 677 if (node->data && (node->data->flags & POLICY_DATA_FLAG_EXTRA_NODE))
724 free(node); 678 free(node);
725 } 679}
726 680
727 681void
728void X509_policy_tree_free(X509_POLICY_TREE *tree) 682X509_policy_tree_free(X509_POLICY_TREE *tree)
729 { 683{
730 X509_POLICY_LEVEL *curr; 684 X509_POLICY_LEVEL *curr;
731 int i; 685 int i;
732 686
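Review bot: In tree_calculate_user_set() the result of `level_add_node(NULL, extra, anyPolicy->parent, tree)` is never checked, so a failed call leaves `node` NULL and that NULL is then pushed onto `tree->user_policies`. The freshly created `extra` is presumably leaked as well, since tree_add_unmatched() earlier in this file treats the caller as owner on failure (`policy_data_free(data); return 0;`). A few lines further down, a failed `sk_X509_POLICY_NODE_new_null()` ends in `return 1`, which reports an allocation failure to X509_policy_check() as success, while every other failure path in this function returns 0. Both paths should fail closed as sketched below. The function begins above this hunk, so its declarations and early checks are not visible here.

```c
/* … unchanged: policy_data_new() call, qualifier_set and flags setup … */
			node = level_add_node(NULL, extra, anyPolicy->parent,
			    tree);
			if (node == NULL) {
				/* same ownership handling as tree_add_unmatched() */
				policy_data_free(extra);
				return 0;
			}
/* … unchanged: end of the !node branch … */
			tree->user_policies = sk_X509_POLICY_NODE_new_null();
			if (!tree->user_policies)
				return 0;	/* allocation failure is an error, not success */
/* … unchanged: push node onto tree->user_policies … */
```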
@@ -736,25 +690,23 @@ void X509_policy_tree_free(X509_POLICY_TREE *tree)
736 sk_X509_POLICY_NODE_free(tree->auth_policies); 690 sk_X509_POLICY_NODE_free(tree->auth_policies);
737 sk_X509_POLICY_NODE_pop_free(tree->user_policies, exnode_free); 691 sk_X509_POLICY_NODE_pop_free(tree->user_policies, exnode_free);
738 692
739 for(i = 0, curr = tree->levels; i < tree->nlevel; i++, curr++) 693 for (i = 0, curr = tree->levels; i < tree->nlevel; i++, curr++) {
740 {
741 if (curr->cert) 694 if (curr->cert)
742 X509_free(curr->cert); 695 X509_free(curr->cert);
743 if (curr->nodes) 696 if (curr->nodes)
744 sk_X509_POLICY_NODE_pop_free(curr->nodes, 697 sk_X509_POLICY_NODE_pop_free(curr->nodes,
745 policy_node_free); 698 policy_node_free);
746 if (curr->anyPolicy) 699 if (curr->anyPolicy)
747 policy_node_free(curr->anyPolicy); 700 policy_node_free(curr->anyPolicy);
748 } 701 }
749 702
750 if (tree->extra_data) 703 if (tree->extra_data)
751 sk_X509_POLICY_DATA_pop_free(tree->extra_data, 704 sk_X509_POLICY_DATA_pop_free(tree->extra_data,
752 policy_data_free); 705 policy_data_free);
753 706
754 free(tree->levels); 707 free(tree->levels);
755 free(tree); 708 free(tree);
756 709}
757 }
758 710
759/* Application policy checking function. 711/* Application policy checking function.
760 * Return codes: 712 * Return codes:
@@ -764,48 +716,47 @@ void X509_policy_tree_free(X509_POLICY_TREE *tree)
764 * -2 User constrained policy set empty and requireExplicit true. 716 * -2 User constrained policy set empty and requireExplicit true.
765 */ 717 */
766 718
767int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy, 719int
768 STACK_OF(X509) *certs, 720X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
769 STACK_OF(ASN1_OBJECT) *policy_oids, 721 STACK_OF(X509) *certs, STACK_OF(ASN1_OBJECT) *policy_oids,
770 unsigned int flags) 722 unsigned int flags)
771 { 723{
772 int ret; 724 int ret;
773 X509_POLICY_TREE *tree = NULL; 725 X509_POLICY_TREE *tree = NULL;
774 STACK_OF(X509_POLICY_NODE) *nodes, *auth_nodes = NULL; 726 STACK_OF(X509_POLICY_NODE) *nodes, *auth_nodes = NULL;
775 *ptree = NULL;
776 727
728 *ptree = NULL;
777 *pexplicit_policy = 0; 729 *pexplicit_policy = 0;
778 ret = tree_init(&tree, certs, flags); 730 ret = tree_init(&tree, certs, flags);
779 731
780 switch (ret) 732 switch (ret) {
781 {
782 733
783 /* Tree empty requireExplicit False: OK */ 734 /* Tree empty requireExplicit False: OK */
784 case 2: 735 case 2:
785 return 1; 736 return 1;
786 737
787 /* Some internal error */ 738 /* Some internal error */
788 case -1: 739 case -1:
789 return -1; 740 return -1;
790 741
791 /* Some internal error */ 742 /* Some internal error */
792 case 0: 743 case 0:
793 return 0; 744 return 0;
794 745
795 /* Tree empty requireExplicit True: Error */ 746 /* Tree empty requireExplicit True: Error */
796 747
797 case 6: 748 case 6:
798 *pexplicit_policy = 1; 749 *pexplicit_policy = 1;
799 return -2; 750 return -2;
800 751
801 /* Tree OK requireExplicit True: OK and continue */ 752 /* Tree OK requireExplicit True: OK and continue */
802 case 5: 753 case 5:
803 *pexplicit_policy = 1; 754 *pexplicit_policy = 1;
804 break; 755 break;
805 756
806 /* Tree OK: continue */ 757 /* Tree OK: continue */
807 758
808 case 1: 759 case 1:
809 if (!tree) 760 if (!tree)
810 /* 761 /*
811 * tree_init() returns success and a null tree 762 * tree_init() returns success and a null tree
@@ -817,9 +768,10 @@ int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
817 */ 768 */
818 return 1; 769 return 1;
819 break; 770 break;
820 } 771 }
821 772
822 if (!tree) goto error; 773 if (!tree)
774 goto error;
823 ret = tree_evaluate(tree); 775 ret = tree_evaluate(tree);
824 776
825 tree_print("tree_evaluate()", tree, NULL); 777 tree_print("tree_evaluate()", tree, NULL);
@@ -828,14 +780,13 @@ int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
828 goto error; 780 goto error;
829 781
830 /* Return value 2 means tree empty */ 782 /* Return value 2 means tree empty */
831 if (ret == 2) 783 if (ret == 2) {
832 {
833 X509_policy_tree_free(tree); 784 X509_policy_tree_free(tree);
834 if (*pexplicit_policy) 785 if (*pexplicit_policy)
835 return -2; 786 return -2;
836 else 787 else
837 return 1; 788 return 1;
838 } 789 }
839 790
840 /* Tree is not empty: continue */ 791 /* Tree is not empty: continue */
841 792
@@ -846,27 +797,23 @@ int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
846 797
847 if (!tree_calculate_user_set(tree, policy_oids, auth_nodes)) 798 if (!tree_calculate_user_set(tree, policy_oids, auth_nodes))
848 goto error; 799 goto error;
849 800
850 if (ret == 2) 801 if (ret == 2)
851 sk_X509_POLICY_NODE_free(auth_nodes); 802 sk_X509_POLICY_NODE_free(auth_nodes);
852 803
853 if (tree) 804 if (tree)
854 *ptree = tree; 805 *ptree = tree;
855 806
856 if (*pexplicit_policy) 807 if (*pexplicit_policy) {
857 {
858 nodes = X509_policy_tree_get0_user_policies(tree); 808 nodes = X509_policy_tree_get0_user_policies(tree);
859 if (sk_X509_POLICY_NODE_num(nodes) <= 0) 809 if (sk_X509_POLICY_NODE_num(nodes) <= 0)
860 return -2; 810 return -2;
861 } 811 }
862 812
863 return 1; 813 return 1;
864 814
865 error: 815error:
866
867 X509_policy_tree_free(tree); 816 X509_policy_tree_free(tree);
868 817
869 return 0; 818 return 0;
870 819}
871 }
872