diff options
| author | tb <> | 2023-04-28 09:56:09 +0000 |
|---|---|---|
| committer | tb <> | 2023-04-28 09:56:09 +0000 |
| commit | 0208c36b83f57b5ea0297d0fa4ae8778edb8e772 (patch) | |
| tree | 1354ba2dc727b775c67ae55ccd24c0274ed1990b /src/lib | |
| parent | 355e0e012d67b963dc150882581087232ba98014 (diff) | |
| download | openbsd-0208c36b83f57b5ea0297d0fa4ae8778edb8e772.tar.gz openbsd-0208c36b83f57b5ea0297d0fa4ae8778edb8e772.tar.bz2 openbsd-0208c36b83f57b5ea0297d0fa4ae8778edb8e772.zip | |
Cleanup pass over x509_check_policy.c
This hoists variable declarations to the top and compiles with -Wshadow.
ok beck
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/libcrypto/x509/x509_policy.c | 145 |
1 files changed, 72 insertions, 73 deletions
diff --git a/src/lib/libcrypto/x509/x509_policy.c b/src/lib/libcrypto/x509/x509_policy.c index a1a8e5e60e..32ee4e9f4f 100644 --- a/src/lib/libcrypto/x509/x509_policy.c +++ b/src/lib/libcrypto/x509/x509_policy.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509_policy.c,v 1.15 2023/04/27 16:12:08 beck Exp $ */ | 1 | /* $OpenBSD: x509_policy.c,v 1.16 2023/04/28 09:56:09 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2022, Google Inc. | 3 | * Copyright (c) 2022, Google Inc. |
| 4 | * | 4 | * |
| @@ -168,8 +168,7 @@ DECLARE_STACK_OF(X509_POLICY_LEVEL) | |||
| 168 | */ | 168 | */ |
| 169 | void | 169 | void |
| 170 | sk_X509_POLICY_NODE_delete_if(STACK_OF(X509_POLICY_NODE) *nodes, | 170 | sk_X509_POLICY_NODE_delete_if(STACK_OF(X509_POLICY_NODE) *nodes, |
| 171 | int (*delete_if)(X509_POLICY_NODE *, void *), | 171 | int (*delete_if)(X509_POLICY_NODE *, void *), void *data) |
| 172 | void *data) | ||
| 173 | { | 172 | { |
| 174 | _STACK *sk = (_STACK *)nodes; | 173 | _STACK *sk = (_STACK *)nodes; |
| 175 | X509_POLICY_NODE *node; | 174 | X509_POLICY_NODE *node; |
| @@ -259,19 +258,22 @@ x509_policy_level_new(void) | |||
| 259 | static int | 258 | static int |
| 260 | x509_policy_level_is_empty(const X509_POLICY_LEVEL *level) | 259 | x509_policy_level_is_empty(const X509_POLICY_LEVEL *level) |
| 261 | { | 260 | { |
| 262 | return !level->has_any_policy && | 261 | if (level->has_any_policy) |
| 263 | sk_X509_POLICY_NODE_num(level->nodes) == 0; | 262 | return 0; |
| 263 | |||
| 264 | return sk_X509_POLICY_NODE_num(level->nodes) == 0; | ||
| 264 | } | 265 | } |
| 265 | 266 | ||
| 266 | static void | 267 | static void |
| 267 | x509_policy_level_clear(X509_POLICY_LEVEL *level) | 268 | x509_policy_level_clear(X509_POLICY_LEVEL *level) |
| 268 | { | 269 | { |
| 270 | X509_POLICY_NODE *node; | ||
| 269 | int i; | 271 | int i; |
| 270 | 272 | ||
| 271 | level->has_any_policy = 0; | 273 | level->has_any_policy = 0; |
| 272 | for (i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++) { | 274 | for (i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++) { |
| 273 | x509_policy_node_free( | 275 | node = sk_X509_POLICY_NODE_value(level->nodes, i); |
| 274 | sk_X509_POLICY_NODE_value(level->nodes, i)); | 276 | x509_policy_node_free(node); |
| 275 | } | 277 | } |
| 276 | sk_X509_POLICY_NODE_zero(level->nodes); | 278 | sk_X509_POLICY_NODE_zero(level->nodes); |
| 277 | } | 279 | } |
| @@ -358,17 +360,18 @@ delete_if_not_in_policies(X509_POLICY_NODE *node, void *data) | |||
| 358 | * for self-issued certificates. | 360 | * for self-issued certificates. |
| 359 | */ | 361 | */ |
| 360 | static int | 362 | static int |
| 361 | process_certificate_policies(const X509 *x509, | 363 | process_certificate_policies(const X509 *x509, X509_POLICY_LEVEL *level, |
| 362 | X509_POLICY_LEVEL *level, | ||
| 363 | int any_policy_allowed) | 364 | int any_policy_allowed) |
| 364 | { | 365 | { |
| 365 | int i; | 366 | STACK_OF(X509_POLICY_NODE) *new_nodes = NULL; |
| 367 | CERTIFICATEPOLICIES *policies; | ||
| 368 | const POLICYINFO *policy; | ||
| 369 | X509_POLICY_NODE *node; | ||
| 370 | int cert_has_any_policy, critical, i, previous_level_has_any_policy; | ||
| 366 | int ret = 0; | 371 | int ret = 0; |
| 367 | int critical; | ||
| 368 | 372 | ||
| 369 | STACK_OF(X509_POLICY_NODE) *new_nodes = NULL; | 373 | policies = X509_get_ext_d2i(x509, NID_certificate_policies, &critical, |
| 370 | CERTIFICATEPOLICIES *policies = | 374 | NULL); |
| 371 | X509_get_ext_d2i(x509, NID_certificate_policies, &critical, NULL); | ||
| 372 | if (policies == NULL) { | 375 | if (policies == NULL) { |
| 373 | if (critical != -1) | 376 | if (critical != -1) |
| 374 | return 0; /* Syntax error in the extension. */ | 377 | return 0; /* Syntax error in the extension. */ |
| @@ -389,9 +392,9 @@ process_certificate_policies(const X509 *x509, | |||
| 389 | 392 | ||
| 390 | sk_POLICYINFO_set_cmp_func(policies, policyinfo_cmp); | 393 | sk_POLICYINFO_set_cmp_func(policies, policyinfo_cmp); |
| 391 | sk_POLICYINFO_sort(policies); | 394 | sk_POLICYINFO_sort(policies); |
| 392 | int cert_has_any_policy = 0; | 395 | cert_has_any_policy = 0; |
| 393 | for (i = 0; i < sk_POLICYINFO_num(policies); i++) { | 396 | for (i = 0; i < sk_POLICYINFO_num(policies); i++) { |
| 394 | const POLICYINFO *policy = sk_POLICYINFO_value(policies, i); | 397 | policy = sk_POLICYINFO_value(policies, i); |
| 395 | if (is_any_policy(policy->policyid)) | 398 | if (is_any_policy(policy->policyid)) |
| 396 | cert_has_any_policy = 1; | 399 | cert_has_any_policy = 1; |
| 397 | if (i > 0 && | 400 | if (i > 0 && |
| @@ -412,7 +415,7 @@ process_certificate_policies(const X509 *x509, | |||
| 412 | * "expected_policy_set" values of the previous level. | 415 | * "expected_policy_set" values of the previous level. |
| 413 | * See |process_policy_mappings| for details. | 416 | * See |process_policy_mappings| for details. |
| 414 | */ | 417 | */ |
| 415 | const int previous_level_has_any_policy = level->has_any_policy; | 418 | previous_level_has_any_policy = level->has_any_policy; |
| 416 | 419 | ||
| 417 | /* | 420 | /* |
| 418 | * First, we handle steps (d.1.i) and (d.2). The net effect of these | 421 | * First, we handle steps (d.1.i) and (d.2). The net effect of these |
| @@ -434,8 +437,7 @@ process_certificate_policies(const X509 *x509, | |||
| 434 | if (new_nodes == NULL) | 437 | if (new_nodes == NULL) |
| 435 | goto err; | 438 | goto err; |
| 436 | for (i = 0; i < sk_POLICYINFO_num(policies); i++) { | 439 | for (i = 0; i < sk_POLICYINFO_num(policies); i++) { |
| 437 | const POLICYINFO *policy = sk_POLICYINFO_value(policies, | 440 | policy = sk_POLICYINFO_value(policies, i); |
| 438 | i); | ||
| 439 | /* | 441 | /* |
| 440 | * Though we've reordered the steps slightly, |policy| | 442 | * Though we've reordered the steps slightly, |policy| |
| 441 | * is in |level| if and only if it would have been a | 443 | * is in |level| if and only if it would have been a |
| @@ -444,11 +446,9 @@ process_certificate_policies(const X509 *x509, | |||
| 444 | if (!is_any_policy(policy->policyid) && | 446 | if (!is_any_policy(policy->policyid) && |
| 445 | x509_policy_level_find(level, policy->policyid) == | 447 | x509_policy_level_find(level, policy->policyid) == |
| 446 | NULL) { | 448 | NULL) { |
| 447 | X509_POLICY_NODE *node = x509_policy_node_new( | 449 | node = x509_policy_node_new(policy->policyid); |
| 448 | policy->policyid); | ||
| 449 | if (node == NULL || | 450 | if (node == NULL || |
| 450 | !sk_X509_POLICY_NODE_push(new_nodes, | 451 | !sk_X509_POLICY_NODE_push(new_nodes, node)) { |
| 451 | node)) { | ||
| 452 | x509_policy_node_free(node); | 452 | x509_policy_node_free(node); |
| 453 | goto err; | 453 | goto err; |
| 454 | } | 454 | } |
| @@ -517,13 +517,16 @@ process_policy_mappings(const X509 *cert, | |||
| 517 | X509_POLICY_LEVEL *level, | 517 | X509_POLICY_LEVEL *level, |
| 518 | int mapping_allowed) | 518 | int mapping_allowed) |
| 519 | { | 519 | { |
| 520 | int i; | ||
| 521 | int ok = 0; | ||
| 522 | int critical; | ||
| 523 | STACK_OF(X509_POLICY_NODE) *new_nodes = NULL; | 520 | STACK_OF(X509_POLICY_NODE) *new_nodes = NULL; |
| 521 | POLICY_MAPPINGS *mappings; | ||
| 522 | const ASN1_OBJECT *last_policy; | ||
| 523 | POLICY_MAPPING *mapping; | ||
| 524 | X509_POLICY_LEVEL *next = NULL; | 524 | X509_POLICY_LEVEL *next = NULL; |
| 525 | POLICY_MAPPINGS *mappings = | 525 | X509_POLICY_NODE *node; |
| 526 | X509_get_ext_d2i(cert, NID_policy_mappings, &critical, NULL); | 526 | int critical, i; |
| 527 | int ok = 0; | ||
| 528 | |||
| 529 | mappings = X509_get_ext_d2i(cert, NID_policy_mappings, &critical, NULL); | ||
| 527 | if (mappings == NULL && critical != -1) { | 530 | if (mappings == NULL && critical != -1) { |
| 528 | /* Syntax error in the policy mappings extension. */ | 531 | /* Syntax error in the policy mappings extension. */ |
| 529 | goto err; | 532 | goto err; |
| @@ -542,8 +545,7 @@ process_policy_mappings(const X509 *cert, | |||
| 542 | 545 | ||
| 543 | /* RFC 5280, section 6.1.4, step (a). */ | 546 | /* RFC 5280, section 6.1.4, step (a). */ |
| 544 | for (i = 0; i < sk_POLICY_MAPPING_num(mappings); i++) { | 547 | for (i = 0; i < sk_POLICY_MAPPING_num(mappings); i++) { |
| 545 | POLICY_MAPPING *mapping = sk_POLICY_MAPPING_value(mappings, | 548 | mapping = sk_POLICY_MAPPING_value(mappings, i); |
| 546 | i); | ||
| 547 | if (is_any_policy(mapping->issuerDomainPolicy) || | 549 | if (is_any_policy(mapping->issuerDomainPolicy) || |
| 548 | is_any_policy(mapping->subjectDomainPolicy)) | 550 | is_any_policy(mapping->subjectDomainPolicy)) |
| 549 | goto err; | 551 | goto err; |
| @@ -562,11 +564,9 @@ process_policy_mappings(const X509 *cert, | |||
| 562 | new_nodes = sk_X509_POLICY_NODE_new_null(); | 564 | new_nodes = sk_X509_POLICY_NODE_new_null(); |
| 563 | if (new_nodes == NULL) | 565 | if (new_nodes == NULL) |
| 564 | goto err; | 566 | goto err; |
| 565 | const ASN1_OBJECT *last_policy = NULL; | 567 | last_policy = NULL; |
| 566 | for (i = 0; i < sk_POLICY_MAPPING_num(mappings); | 568 | for (i = 0; i < sk_POLICY_MAPPING_num(mappings); i++) { |
| 567 | i++) { | 569 | mapping = sk_POLICY_MAPPING_value(mappings, i); |
| 568 | const POLICY_MAPPING *mapping = sk_POLICY_MAPPING_value(mappings, | ||
| 569 | i); | ||
| 570 | /* | 570 | /* |
| 571 | * There may be multiple mappings with the same | 571 | * There may be multiple mappings with the same |
| 572 | * |issuerDomainPolicy|. | 572 | * |issuerDomainPolicy|. |
| @@ -577,8 +577,7 @@ process_policy_mappings(const X509 *cert, | |||
| 577 | continue; | 577 | continue; |
| 578 | last_policy = mapping->issuerDomainPolicy; | 578 | last_policy = mapping->issuerDomainPolicy; |
| 579 | 579 | ||
| 580 | X509_POLICY_NODE *node = | 580 | node = x509_policy_level_find(level, |
| 581 | x509_policy_level_find(level, | ||
| 582 | mapping->issuerDomainPolicy); | 581 | mapping->issuerDomainPolicy); |
| 583 | if (node == NULL) { | 582 | if (node == NULL) { |
| 584 | if (!level->has_any_policy) | 583 | if (!level->has_any_policy) |
| @@ -619,10 +618,9 @@ process_policy_mappings(const X509 *cert, | |||
| 619 | goto err; | 618 | goto err; |
| 620 | } | 619 | } |
| 621 | for (i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++) { | 620 | for (i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++) { |
| 622 | X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(level->nodes, | 621 | node = sk_X509_POLICY_NODE_value(level->nodes, i); |
| 623 | i); | ||
| 624 | if (!node->mapped) { | 622 | if (!node->mapped) { |
| 625 | POLICY_MAPPING *mapping = POLICY_MAPPING_new(); | 623 | mapping = POLICY_MAPPING_new(); |
| 626 | if (mapping == NULL) | 624 | if (mapping == NULL) |
| 627 | goto err; | 625 | goto err; |
| 628 | mapping->issuerDomainPolicy = OBJ_dup(node->policy); | 626 | mapping->issuerDomainPolicy = OBJ_dup(node->policy); |
| @@ -648,7 +646,7 @@ process_policy_mappings(const X509 *cert, | |||
| 648 | 646 | ||
| 649 | X509_POLICY_NODE *last_node = NULL; | 647 | X509_POLICY_NODE *last_node = NULL; |
| 650 | for (i = 0; i < sk_POLICY_MAPPING_num(mappings); i++) { | 648 | for (i = 0; i < sk_POLICY_MAPPING_num(mappings); i++) { |
| 651 | POLICY_MAPPING *mapping = sk_POLICY_MAPPING_value(mappings, i); | 649 | mapping = sk_POLICY_MAPPING_value(mappings, i); |
| 652 | /* | 650 | /* |
| 653 | * Skip mappings where |issuerDomainPolicy| does not appear in | 651 | * Skip mappings where |issuerDomainPolicy| does not appear in |
| 654 | * the graph. | 652 | * the graph. |
| @@ -726,9 +724,13 @@ process_policy_constraints(const X509 *x509, size_t *explicit_policy, | |||
| 726 | size_t *policy_mapping, | 724 | size_t *policy_mapping, |
| 727 | size_t *inhibit_any_policy) | 725 | size_t *inhibit_any_policy) |
| 728 | { | 726 | { |
| 727 | ASN1_INTEGER *inhibit_any_policy_ext; | ||
| 728 | POLICY_CONSTRAINTS *constraints; | ||
| 729 | int critical; | 729 | int critical; |
| 730 | POLICY_CONSTRAINTS *constraints = | 730 | int ok = 0; |
| 731 | X509_get_ext_d2i(x509, NID_policy_constraints, &critical, NULL); | 731 | |
| 732 | constraints = X509_get_ext_d2i(x509, NID_policy_constraints, &critical, | ||
| 733 | NULL); | ||
| 732 | if (constraints == NULL && critical != -1) | 734 | if (constraints == NULL && critical != -1) |
| 733 | return 0; | 735 | return 0; |
| 734 | if (constraints != NULL) { | 736 | if (constraints != NULL) { |
| @@ -742,8 +744,7 @@ process_policy_constraints(const X509 *x509, size_t *explicit_policy, | |||
| 742 | POLICY_CONSTRAINTS_free(constraints); | 744 | POLICY_CONSTRAINTS_free(constraints); |
| 743 | return 0; | 745 | return 0; |
| 744 | } | 746 | } |
| 745 | int ok = | 747 | ok = apply_skip_certs(constraints->requireExplicitPolicy, |
| 746 | apply_skip_certs(constraints->requireExplicitPolicy, | ||
| 747 | explicit_policy) && | 748 | explicit_policy) && |
| 748 | apply_skip_certs(constraints->inhibitPolicyMapping, | 749 | apply_skip_certs(constraints->inhibitPolicyMapping, |
| 749 | policy_mapping); | 750 | policy_mapping); |
| @@ -752,11 +753,11 @@ process_policy_constraints(const X509 *x509, size_t *explicit_policy, | |||
| 752 | return 0; | 753 | return 0; |
| 753 | } | 754 | } |
| 754 | 755 | ||
| 755 | ASN1_INTEGER *inhibit_any_policy_ext = | 756 | inhibit_any_policy_ext = X509_get_ext_d2i(x509, NID_inhibit_any_policy, |
| 756 | X509_get_ext_d2i(x509, NID_inhibit_any_policy, &critical, NULL); | 757 | &critical, NULL); |
| 757 | if (inhibit_any_policy_ext == NULL && critical != -1) | 758 | if (inhibit_any_policy_ext == NULL && critical != -1) |
| 758 | return 0; | 759 | return 0; |
| 759 | int ok = apply_skip_certs(inhibit_any_policy_ext, inhibit_any_policy); | 760 | ok = apply_skip_certs(inhibit_any_policy_ext, inhibit_any_policy); |
| 760 | ASN1_INTEGER_free(inhibit_any_policy_ext); | 761 | ASN1_INTEGER_free(inhibit_any_policy_ext); |
| 761 | return ok; | 762 | return ok; |
| 762 | } | 763 | } |
| @@ -772,15 +773,16 @@ static int | |||
| 772 | has_explicit_policy(STACK_OF(X509_POLICY_LEVEL) *levels, | 773 | has_explicit_policy(STACK_OF(X509_POLICY_LEVEL) *levels, |
| 773 | const STACK_OF(ASN1_OBJECT) *user_policies) | 774 | const STACK_OF(ASN1_OBJECT) *user_policies) |
| 774 | { | 775 | { |
| 776 | X509_POLICY_LEVEL *level, *prev; | ||
| 777 | X509_POLICY_NODE *node, *parent; | ||
| 778 | int num_levels, user_has_any_policy; | ||
| 775 | int i, j, k; | 779 | int i, j, k; |
| 776 | |||
| 777 | assert(user_policies == NULL || | 780 | assert(user_policies == NULL || |
| 778 | sk_ASN1_OBJECT_is_sorted(user_policies)); | 781 | sk_ASN1_OBJECT_is_sorted(user_policies)); |
| 779 | 782 | ||
| 780 | /* Step (g.i). If the policy graph is empty, the intersection is empty. */ | 783 | /* Step (g.i). If the policy graph is empty, the intersection is empty. */ |
| 781 | int num_levels = sk_X509_POLICY_LEVEL_num(levels); | 784 | num_levels = sk_X509_POLICY_LEVEL_num(levels); |
| 782 | X509_POLICY_LEVEL *level = sk_X509_POLICY_LEVEL_value(levels, | 785 | level = sk_X509_POLICY_LEVEL_value(levels, num_levels - 1); |
| 783 | num_levels - 1); | ||
| 784 | if (x509_policy_level_is_empty(level)) | 786 | if (x509_policy_level_is_empty(level)) |
| 785 | return 0; | 787 | return 0; |
| 786 | 788 | ||
| @@ -789,7 +791,7 @@ has_explicit_policy(STACK_OF(X509_POLICY_LEVEL) *levels, | |||
| 789 | * anyPolicy value. The caller may also have supplied anyPolicy | 791 | * anyPolicy value. The caller may also have supplied anyPolicy |
| 790 | * explicitly. | 792 | * explicitly. |
| 791 | */ | 793 | */ |
| 792 | int user_has_any_policy = sk_ASN1_OBJECT_num(user_policies) <= 0; | 794 | user_has_any_policy = sk_ASN1_OBJECT_num(user_policies) <= 0; |
| 793 | for (i = 0; i < sk_ASN1_OBJECT_num(user_policies); i++) { | 795 | for (i = 0; i < sk_ASN1_OBJECT_num(user_policies); i++) { |
| 794 | if (is_any_policy(sk_ASN1_OBJECT_value(user_policies, i))) { | 796 | if (is_any_policy(sk_ASN1_OBJECT_value(user_policies, i))) { |
| 795 | user_has_any_policy = 1; | 797 | user_has_any_policy = 1; |
| @@ -823,10 +825,8 @@ has_explicit_policy(STACK_OF(X509_POLICY_LEVEL) *levels, | |||
| 823 | 825 | ||
| 824 | for (i = num_levels - 1; i >= 0; i--) { | 826 | for (i = num_levels - 1; i >= 0; i--) { |
| 825 | level = sk_X509_POLICY_LEVEL_value(levels, i); | 827 | level = sk_X509_POLICY_LEVEL_value(levels, i); |
| 826 | for (j = 0; j < sk_X509_POLICY_NODE_num(level->nodes); | 828 | for (j = 0; j < sk_X509_POLICY_NODE_num(level->nodes); j++) { |
| 827 | j++) { | 829 | node = sk_X509_POLICY_NODE_value(level->nodes, j); |
| 828 | X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(level->nodes, | ||
| 829 | j); | ||
| 830 | if (!node->reachable) | 830 | if (!node->reachable) |
| 831 | continue; | 831 | continue; |
| 832 | if (sk_ASN1_OBJECT_num(node->parent_policies) == 0) { | 832 | if (sk_ASN1_OBJECT_num(node->parent_policies) == 0) { |
| @@ -840,19 +840,16 @@ has_explicit_policy(STACK_OF(X509_POLICY_LEVEL) *levels, | |||
| 840 | node->policy) >= 0) | 840 | node->policy) >= 0) |
| 841 | return 1; | 841 | return 1; |
| 842 | } else if (i > 0) { | 842 | } else if (i > 0) { |
| 843 | /* |node|'s parents are concrete policies. Mark | 843 | int num_parent_policies = |
| 844 | sk_ASN1_OBJECT_num(node->parent_policies); | ||
| 845 | /* | ||
| 846 | * |node|'s parents are concrete policies. Mark | ||
| 844 | * the parents reachable, to be inspected by the | 847 | * the parents reachable, to be inspected by the |
| 845 | * next loop iteration. | 848 | * next loop iteration. |
| 846 | */ | 849 | */ |
| 847 | X509_POLICY_LEVEL *prev = sk_X509_POLICY_LEVEL_value(levels, | 850 | prev = sk_X509_POLICY_LEVEL_value(levels, i - 1); |
| 848 | i - 1); | 851 | for (k = 0; k < num_parent_policies; k++) { |
| 849 | for (k = 0; | 852 | parent = x509_policy_level_find(prev, |
| 850 | k < | ||
| 851 | sk_ASN1_OBJECT_num(node->parent_policies); | ||
| 852 | k++) { | ||
| 853 | X509_POLICY_NODE *parent = x509_policy_level_find( | ||
| 854 | prev, | ||
| 855 | |||
| 856 | sk_ASN1_OBJECT_value(node->parent_policies, | 853 | sk_ASN1_OBJECT_value(node->parent_policies, |
| 857 | k)); | 854 | k)); |
| 858 | if (parent != NULL) | 855 | if (parent != NULL) |
| @@ -866,8 +863,7 @@ has_explicit_policy(STACK_OF(X509_POLICY_LEVEL) *levels, | |||
| 866 | } | 863 | } |
| 867 | 864 | ||
| 868 | static int | 865 | static int |
| 869 | asn1_object_cmp(const ASN1_OBJECT *const *a, | 866 | asn1_object_cmp(const ASN1_OBJECT *const *a, const ASN1_OBJECT *const *b) |
| 870 | const ASN1_OBJECT *const *b) | ||
| 871 | { | 867 | { |
| 872 | return OBJ_cmp(*a, *b); | 868 | return OBJ_cmp(*a, *b); |
| 873 | } | 869 | } |
| @@ -879,10 +875,13 @@ X509_policy_check(const STACK_OF(X509) *certs, | |||
| 879 | { | 875 | { |
| 880 | *out_current_cert = NULL; | 876 | *out_current_cert = NULL; |
| 881 | int ret = X509_V_ERR_OUT_OF_MEM; | 877 | int ret = X509_V_ERR_OUT_OF_MEM; |
| 878 | X509 *cert; | ||
| 882 | X509_POLICY_LEVEL *level = NULL; | 879 | X509_POLICY_LEVEL *level = NULL; |
| 880 | X509_POLICY_LEVEL *current_level; | ||
| 883 | STACK_OF(X509_POLICY_LEVEL) *levels = NULL; | 881 | STACK_OF(X509_POLICY_LEVEL) *levels = NULL; |
| 884 | STACK_OF(ASN1_OBJECT) *user_policies_sorted = NULL; | 882 | STACK_OF(ASN1_OBJECT) *user_policies_sorted = NULL; |
| 885 | int num_certs = sk_X509_num(certs); | 883 | int num_certs = sk_X509_num(certs); |
| 884 | int is_self_issued, any_policy_allowed; | ||
| 886 | int i; | 885 | int i; |
| 887 | 886 | ||
| 888 | /* Skip policy checking if the chain is just the trust anchor. */ | 887 | /* Skip policy checking if the chain is just the trust anchor. */ |
| @@ -902,10 +901,10 @@ X509_policy_check(const STACK_OF(X509) *certs, | |||
| 902 | goto err; | 901 | goto err; |
| 903 | 902 | ||
| 904 | for (i = num_certs - 2; i >= 0; i--) { | 903 | for (i = num_certs - 2; i >= 0; i--) { |
| 905 | X509 *cert = sk_X509_value(certs, i); | 904 | cert = sk_X509_value(certs, i); |
| 906 | if (!x509v3_cache_extensions(cert)) | 905 | if (!x509v3_cache_extensions(cert)) |
| 907 | goto err; | 906 | goto err; |
| 908 | const int is_self_issued = (cert->ex_flags & EXFLAG_SI) != 0; | 907 | is_self_issued = (cert->ex_flags & EXFLAG_SI) != 0; |
| 909 | 908 | ||
| 910 | if (level == NULL) { | 909 | if (level == NULL) { |
| 911 | assert(i == num_certs - 2); | 910 | assert(i == num_certs - 2); |
| @@ -919,7 +918,7 @@ X509_policy_check(const STACK_OF(X509) *certs, | |||
| 919 | * RFC 5280, section 6.1.3, steps (d) and (e). |any_policy_allowed| | 918 | * RFC 5280, section 6.1.3, steps (d) and (e). |any_policy_allowed| |
| 920 | * is computed as in step (d.2). | 919 | * is computed as in step (d.2). |
| 921 | */ | 920 | */ |
| 922 | const int any_policy_allowed = | 921 | any_policy_allowed = |
| 923 | inhibit_any_policy > 0 || (i > 0 && is_self_issued); | 922 | inhibit_any_policy > 0 || (i > 0 && is_self_issued); |
| 924 | if (!process_certificate_policies(cert, level, | 923 | if (!process_certificate_policies(cert, level, |
| 925 | any_policy_allowed)) { | 924 | any_policy_allowed)) { |
| @@ -937,7 +936,7 @@ X509_policy_check(const STACK_OF(X509) *certs, | |||
| 937 | /* Insert into the list. */ | 936 | /* Insert into the list. */ |
| 938 | if (!sk_X509_POLICY_LEVEL_push(levels, level)) | 937 | if (!sk_X509_POLICY_LEVEL_push(levels, level)) |
| 939 | goto err; | 938 | goto err; |
| 940 | X509_POLICY_LEVEL *current_level = level; | 939 | current_level = level; |
| 941 | level = NULL; | 940 | level = NULL; |
| 942 | 941 | ||
| 943 | /* | 942 | /* |