KNF according to knfmt(1)

author: tb <> 2023-04-26 21:07:32 +0000
committer: tb <> 2023-04-26 21:07:32 +0000
commit: b79485b52cb70e59a1009a4160ff34017797ef40 (patch)
tree: df0b6fbe00685fbb214e40e97c128f449afa11e3 /src
parent: 102ccf204a2664e54c596fdc47602e28b493842c (diff)
download: openbsd-b79485b52cb70e59a1009a4160ff34017797ef40.tar.gz
openbsd-b79485b52cb70e59a1009a4160ff34017797ef40.tar.bz2
openbsd-b79485b52cb70e59a1009a4160ff34017797ef40.zip
1 files changed, 600 insertions, 515 deletions
diff --git a/src/lib/libcrypto/x509/x509_policy.c b/src/lib/libcrypto/x509/x509_policy.c
index 8d182ef45a..6005acd4fb 100644
--- a/src/lib/libcrypto/x509/x509_policy.c
+++ b/src/lib/libcrypto/x509/x509_policy.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: x509_policy.c,v 1.9 2023/04/26 20:52:11 tb Exp $ */
+/*      $OpenBSD: x509_policy.c,v 1.10 2023/04/26 21:07:32 tb Exp $ */
 /* Copyright (c) 2022, Google Inc.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@@ -55,7 +55,7 @@
 // from RFC 5280, section 6.1.2, step (a), but we store some fields differently.
 typedef struct x509_policy_node_st {
  // policy is the "valid_policy" field from RFC 5280.
-  ASN1_OBJECT *policy;
+        ASN1_OBJECT *policy;
  // parent_policies, if non-empty, is the list of "valid_policy" values for all
  // nodes which are a parent of this node. In this case, no entry in this list
@@ -70,15 +70,15 @@ typedef struct x509_policy_node_st {
  // concrete policy as a parent. Section 6.1.3, step (d.1.ii) only runs if
  // there was no match in step (d.1.i). We do not need to represent a parent
  // list of, say, {anyPolicy, OID1, OID2}.
-  STACK_OF(ASN1_OBJECT) *parent_policies;
+        STACK_OF(ASN1_OBJECT) *parent_policies;
  // mapped is one if this node matches a policy mapping in the certificate and
  // zero otherwise.
-  int mapped;
+        int mapped;
  // reachable is one if this node is reachable from some valid policy in the
  // end-entity certificate. It is computed during |has_explicit_policy|.
-  int reachable;
+        int reachable;
 } X509_POLICY_NODE;
 DECLARE_STACK_OF(X509_POLICY_NODE)
@@ -111,11 +111,11 @@ DECLARE_STACK_OF(X509_POLICY_NODE)
 typedef struct x509_policy_level_st {
  // nodes is the list of nodes at this depth, except for the anyPolicy node, if
  // any. This list is sorted by policy OID for efficient lookup.
-  STACK_OF(X509_POLICY_NODE) *nodes;
+        STACK_OF(X509_POLICY_NODE) *nodes;
  // has_any_policy is one if there is an anyPolicy node at this depth, and zero
  // otherwise.
-  int has_any_policy;
+        int has_any_policy;
 } X509_POLICY_LEVEL;
 DECLARE_STACK_OF(X509_POLICY_LEVEL)
@@ -165,84 +165,106 @@ sk_X509_POLICY_NODE_delete_if(STACK_OF(X509_POLICY_NODE) *nodes,
        sk->num = new_num;
 }
-static int is_any_policy(const ASN1_OBJECT *obj) {
+static int
-  return OBJ_obj2nid(obj) == NID_any_policy;
+is_any_policy(const ASN1_OBJECT *obj)
+{
+        return OBJ_obj2nid(obj) == NID_any_policy;
 }
-static void x509_policy_node_free(X509_POLICY_NODE *node) {
+static void
-  if (node != NULL) {
+x509_policy_node_free(X509_POLICY_NODE *node)
-    ASN1_OBJECT_free(node->policy);
+{
-    sk_ASN1_OBJECT_pop_free(node->parent_policies, ASN1_OBJECT_free);
+        if (node != NULL) {
-    free(node);
+                ASN1_OBJECT_free(node->policy);
-  }
+                sk_ASN1_OBJECT_pop_free(node->parent_policies,
+                    ASN1_OBJECT_free);
+                free(node);
+        }
 }
-static X509_POLICY_NODE *x509_policy_node_new(const ASN1_OBJECT *policy) {
+static X509_POLICY_NODE *
-  assert(!is_any_policy(policy));
+x509_policy_node_new(const ASN1_OBJECT *policy)
-  X509_POLICY_NODE *node = malloc(sizeof(X509_POLICY_NODE));
+{
-  if (node == NULL) {
+        assert(!is_any_policy(policy));
-    return NULL;
+        X509_POLICY_NODE *node = malloc(sizeof(X509_POLICY_NODE));
-  }
+        if (node == NULL) {
-  memset(node, 0, sizeof(X509_POLICY_NODE));
+                return NULL;
-  node->policy = OBJ_dup(policy);
+        }
-  node->parent_policies = sk_ASN1_OBJECT_new_null();
+        memset(node, 0, sizeof(X509_POLICY_NODE));
-  if (node->policy == NULL || node->parent_policies == NULL) {
+        node->policy = OBJ_dup(policy);
-    x509_policy_node_free(node);
+        node->parent_policies = sk_ASN1_OBJECT_new_null();
-    return NULL;
+        if (node->policy == NULL || node->parent_policies == NULL) {
-  }
+                x509_policy_node_free(node);
-  return node;
+                return NULL;
+        }
+        return node;
 }
-static int x509_policy_node_cmp(const X509_POLICY_NODE *const *a,
+static int
-                                const X509_POLICY_NODE *const *b) {
+x509_policy_node_cmp(const X509_POLICY_NODE *const *a,
-  return OBJ_cmp((*a)->policy, (*b)->policy);
+    const X509_POLICY_NODE *const *b)
+{
+        return OBJ_cmp((*a)->policy, (*b)->policy);
 }
-static void x509_policy_level_free(X509_POLICY_LEVEL *level) {
+static void
-  if (level != NULL) {
+x509_policy_level_free(X509_POLICY_LEVEL *level)
-    sk_X509_POLICY_NODE_pop_free(level->nodes, x509_policy_node_free);
+{
-    free(level);
+        if (level != NULL) {
-  }
+                sk_X509_POLICY_NODE_pop_free(level->nodes,
+                    x509_policy_node_free);
+                free(level);
+        }
 }
-static X509_POLICY_LEVEL *x509_policy_level_new(void) {
+static X509_POLICY_LEVEL *
-  X509_POLICY_LEVEL *level = malloc(sizeof(X509_POLICY_LEVEL));
+x509_policy_level_new(void)
-  if (level == NULL) {
+{
-    return NULL;
+        X509_POLICY_LEVEL *level = malloc(sizeof(X509_POLICY_LEVEL));
-  }
+        if (level == NULL) {
-  memset(level, 0, sizeof(X509_POLICY_LEVEL));
+                return NULL;
-  level->nodes = sk_X509_POLICY_NODE_new(x509_policy_node_cmp);
+        }
-  if (level->nodes == NULL) {
+        memset(level, 0, sizeof(X509_POLICY_LEVEL));
-    x509_policy_level_free(level);
+        level->nodes = sk_X509_POLICY_NODE_new(x509_policy_node_cmp);
-    return NULL;
+        if (level->nodes == NULL) {
-  }
+                x509_policy_level_free(level);
-  return level;
+                return NULL;
+        }
+        return level;
 }
-static int x509_policy_level_is_empty(const X509_POLICY_LEVEL *level) {
+static int
-  return !level->has_any_policy && sk_X509_POLICY_NODE_num(level->nodes) == 0;
+x509_policy_level_is_empty(const X509_POLICY_LEVEL *level)
+{
+        return !level->has_any_policy &&
+            sk_X509_POLICY_NODE_num(level->nodes) == 0;
 }
-static void x509_policy_level_clear(X509_POLICY_LEVEL *level) {
+static void
-  level->has_any_policy = 0;
+x509_policy_level_clear(X509_POLICY_LEVEL *level)
-  for (size_t i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++) {
+{
-    x509_policy_node_free(sk_X509_POLICY_NODE_value(level->nodes, i));
+        level->has_any_policy = 0;
-  }
+        for (size_t i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++) {
-  sk_X509_POLICY_NODE_zero(level->nodes);
+                x509_policy_node_free(
+                    sk_X509_POLICY_NODE_value(level->nodes, i));
+        }
+        sk_X509_POLICY_NODE_zero(level->nodes);
 }
 // x509_policy_level_find returns the node in |level| corresponding to |policy|,
 // or NULL if none exists.
-static X509_POLICY_NODE *x509_policy_level_find(X509_POLICY_LEVEL *level,
+static X509_POLICY_NODE *
-                                                const ASN1_OBJECT *policy) {
+x509_policy_level_find(X509_POLICY_LEVEL *level,
-  assert(sk_X509_POLICY_NODE_is_sorted(level->nodes));
+    const ASN1_OBJECT *policy)
-  X509_POLICY_NODE node;
+{
-  node.policy = (ASN1_OBJECT *)policy;
+        assert(sk_X509_POLICY_NODE_is_sorted(level->nodes));
-  int idx;
+        X509_POLICY_NODE node;
-  if ((idx = sk_X509_POLICY_NODE_find(level->nodes, &node)) < 0) {
+        node.policy = (ASN1_OBJECT *)policy;
-    return NULL;
+        int idx;
-  }
+        if ((idx = sk_X509_POLICY_NODE_find(level->nodes, &node)) < 0) {
-  return sk_X509_POLICY_NODE_value(level->nodes, idx);
+                return NULL;
+        }
+        return sk_X509_POLICY_NODE_value(level->nodes, idx);
 }
 // x509_policy_level_add_nodes adds the nodes in |nodes| to |level|. It returns
@@ -252,42 +274,50 @@ static X509_POLICY_NODE *x509_policy_level_find(X509_POLICY_LEVEL *level,
 //
 // This function is used to add nodes to |level| in bulk, and avoid resorting
 // |level| after each addition.
-static int x509_policy_level_add_nodes(X509_POLICY_LEVEL *level,
+static int
-                                       STACK_OF(X509_POLICY_NODE) *nodes) {
+x509_policy_level_add_nodes(X509_POLICY_LEVEL *level,
-  for (size_t i = 0; i < sk_X509_POLICY_NODE_num(nodes); i++) {
+    STACK_OF(X509_POLICY_NODE) *nodes)
-    X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(nodes, i);
+{
-    if (!sk_X509_POLICY_NODE_push(level->nodes, node)) {
+        for (size_t i = 0; i < sk_X509_POLICY_NODE_num(nodes); i++) {
-      return 0;
+                X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(nodes, i);
-    }
+                if (!sk_X509_POLICY_NODE_push(level->nodes, node)) {
-    sk_X509_POLICY_NODE_set(nodes, i, NULL);
+                        return 0;
-  }
+                }
-  sk_X509_POLICY_NODE_sort(level->nodes);
+                sk_X509_POLICY_NODE_set(nodes, i, NULL);
+        }
+        sk_X509_POLICY_NODE_sort(level->nodes);
 #if !defined(NDEBUG)
  // There should be no duplicate nodes.
-  for (size_t i = 1; i < sk_X509_POLICY_NODE_num(level->nodes); i++) {
+        for (size_t i = 1; i < sk_X509_POLICY_NODE_num(level->nodes); i++) {
-    assert(OBJ_cmp(sk_X509_POLICY_NODE_value(level->nodes, i - 1)->policy,
+                assert(
-                   sk_X509_POLICY_NODE_value(level->nodes, i)->policy) != 0);
+                    OBJ_cmp(
-  }
+                    sk_X509_POLICY_NODE_value(level->nodes, i - 1)->policy,
+                    sk_X509_POLICY_NODE_value(level->nodes, i)->policy) != 0);
+        }
 #endif
-  return 1;
+        return 1;
 }
-static int policyinfo_cmp(const POLICYINFO *const *a,
+static int
-                          const POLICYINFO *const *b) {
+policyinfo_cmp(const POLICYINFO *const *a,
-  return OBJ_cmp((*a)->policyid, (*b)->policyid);
+    const POLICYINFO *const *b)
+{
+        return OBJ_cmp((*a)->policyid, (*b)->policyid);
 }
-static int delete_if_not_in_policies(X509_POLICY_NODE *node, void *data) {
+static int
-  const CERTIFICATEPOLICIES *policies = data;
+delete_if_not_in_policies(X509_POLICY_NODE *node, void *data)
-  assert(sk_POLICYINFO_is_sorted(policies));
+{
-  POLICYINFO info;
+        const CERTIFICATEPOLICIES *policies = data;
-  info.policyid = node->policy;
+        assert(sk_POLICYINFO_is_sorted(policies));
-  if (sk_POLICYINFO_find(policies, &info) >= 0) {
+        POLICYINFO info;
-    return 0;
+        info.policyid = node->policy;
-  }
+        if (sk_POLICYINFO_find(policies, &info) >= 0) {
-  x509_policy_node_free(node);
+                return 0;
-  return 1;
+        }
+        x509_policy_node_free(node);
+        return 1;
 }
 // process_certificate_policies updates |level| to incorporate |x509|'s
@@ -297,115 +327,128 @@ static int delete_if_not_in_policies(X509_POLICY_NODE *node, void *data) {
 // the output of |process_policy_mappings|. |any_policy_allowed| specifies
 // whether anyPolicy is allowed or inhibited, taking into account the exception
 // for self-issued certificates.
-static int process_certificate_policies(const X509 *x509,
+static int
-                                        X509_POLICY_LEVEL *level,
+process_certificate_policies(const X509 *x509,
-                                        int any_policy_allowed) {
+    X509_POLICY_LEVEL *level,
-  int ret = 0;
+    int any_policy_allowed)
-  int critical;
+{
-  STACK_OF(X509_POLICY_NODE) *new_nodes = NULL;
+        int ret = 0;
-  CERTIFICATEPOLICIES *policies =
+        int critical;
-      X509_get_ext_d2i(x509, NID_certificate_policies, &critical, NULL);
+        STACK_OF(X509_POLICY_NODE) *new_nodes = NULL;
-  if (policies == NULL) {
+        CERTIFICATEPOLICIES *policies =
-    if (critical != -1) {
+            X509_get_ext_d2i(x509, NID_certificate_policies, &critical, NULL);
-      return 0;  // Syntax error in the extension.
+        if (policies == NULL) {
-    }
+                if (critical != -1) {
+                        return 0;  // Syntax error in the extension.
+                }
    // RFC 5280, section 6.1.3, step (e).
-    x509_policy_level_clear(level);
+                x509_policy_level_clear(level);
-    return 1;
+                return 1;
-  }
+        }
  // certificatePolicies may not be empty. See RFC 5280, section 4.2.1.4.
  // TODO(https://crbug.com/boringssl/443): Move this check into the parser.
-  if (sk_POLICYINFO_num(policies) == 0) {
+        if (sk_POLICYINFO_num(policies) == 0) {
-    X509error(X509_R_INVALID_POLICY_EXTENSION);
+                X509error(X509_R_INVALID_POLICY_EXTENSION);
-    goto err;
+                goto err;
-  }
+        }
-  sk_POLICYINFO_set_cmp_func(policies, policyinfo_cmp);
+        sk_POLICYINFO_set_cmp_func(policies, policyinfo_cmp);
-  sk_POLICYINFO_sort(policies);
+        sk_POLICYINFO_sort(policies);
-  int cert_has_any_policy = 0;
+        int cert_has_any_policy = 0;
-  for (size_t i = 0; i < sk_POLICYINFO_num(policies); i++) {
+        for (size_t i = 0; i < sk_POLICYINFO_num(policies); i++) {
-    const POLICYINFO *policy = sk_POLICYINFO_value(policies, i);
+                const POLICYINFO *policy = sk_POLICYINFO_value(policies, i);
-    if (is_any_policy(policy->policyid)) {
+                if (is_any_policy(policy->policyid)) {
-      cert_has_any_policy = 1;
+                        cert_has_any_policy = 1;
-    }
+                }
-    if (i > 0 && OBJ_cmp(sk_POLICYINFO_value(policies, i - 1)->policyid,
+                if (i > 0 &&
-                         policy->policyid) == 0) {
+                    OBJ_cmp(sk_POLICYINFO_value(policies, i - 1)->policyid,
+                    policy->policyid) == 0) {
      // Per RFC 5280, section 4.2.1.4, |policies| may not have duplicates.
-      X509error(X509_R_INVALID_POLICY_EXTENSION);
+                        X509error(X509_R_INVALID_POLICY_EXTENSION);
-      goto err;
+                        goto err;
-    }
+                }
-  }
+        }
  // This does the same thing as RFC 5280, section 6.1.3, step (d), though in
  // a slighty different order. |level| currently contains "expected_policy_set"
  // values of the previous level. See |process_policy_mappings| for details.
-  const int previous_level_has_any_policy = level->has_any_policy;
+        const int previous_level_has_any_policy = level->has_any_policy;
  // First, we handle steps (d.1.i) and (d.2). The net effect of these two steps
  // is to intersect |level| with |policies|, ignoring anyPolicy if it is
  // inhibited.
-  if (!cert_has_any_policy || !any_policy_allowed) {
+        if (!cert_has_any_policy || !any_policy_allowed) {
-    sk_X509_POLICY_NODE_delete_if(level->nodes, delete_if_not_in_policies,
+                sk_X509_POLICY_NODE_delete_if(level->nodes,
-                                  policies);
+                    delete_if_not_in_policies, policies);
-    level->has_any_policy = 0;
+                level->has_any_policy = 0;
-  }
+        }
  // Step (d.1.ii) may attach new nodes to the previous level's anyPolicy node.
-  if (previous_level_has_any_policy) {
+        if (previous_level_has_any_policy) {
-    new_nodes = sk_X509_POLICY_NODE_new_null();
+                new_nodes = sk_X509_POLICY_NODE_new_null();
-    if (new_nodes == NULL) {
+                if (new_nodes == NULL) {
-      goto err;
+                        goto err;
-    }
+                }
-    for (size_t i = 0; i < sk_POLICYINFO_num(policies); i++) {
+                for (size_t i = 0; i < sk_POLICYINFO_num(policies); i++) {
-      const POLICYINFO *policy = sk_POLICYINFO_value(policies, i);
+                        const POLICYINFO *policy = sk_POLICYINFO_value(policies,
+                            i);
      // Though we've reordered the steps slightly, |policy| is in |level| if
      // and only if it would have been a match in step (d.1.ii).
-      if (!is_any_policy(policy->policyid) &&
+                        if (!is_any_policy(policy->policyid) &&
-          x509_policy_level_find(level, policy->policyid) == NULL) {
+                            x509_policy_level_find(level, policy->policyid) ==
-        X509_POLICY_NODE *node = x509_policy_node_new(policy->policyid);
+                            NULL) {
-        if (node == NULL ||  //
+                                X509_POLICY_NODE *node = x509_policy_node_new(
-            !sk_X509_POLICY_NODE_push(new_nodes, node)) {
+                                    policy->policyid);
-          x509_policy_node_free(node);
+                                if (node == NULL ||  //
-          goto err;
+                                    !sk_X509_POLICY_NODE_push(new_nodes,
-        }
+                                    node)) {
-      }
+                                        x509_policy_node_free(node);
-    }
+                                        goto err;
-    if (!x509_policy_level_add_nodes(level, new_nodes)) {
+                                }
-      goto err;
+                        }
-    }
+                }
-  }
+                if (!x509_policy_level_add_nodes(level, new_nodes)) {
+                        goto err;
-  ret = 1;
+                }
+        }
+        ret = 1;
 err:
-  sk_X509_POLICY_NODE_pop_free(new_nodes, x509_policy_node_free);
+        sk_X509_POLICY_NODE_pop_free(new_nodes, x509_policy_node_free);
-  CERTIFICATEPOLICIES_free(policies);
+        CERTIFICATEPOLICIES_free(policies);
-  return ret;
+        return ret;
 }
-static int compare_issuer_policy(const POLICY_MAPPING *const *a,
+static int
-                                 const POLICY_MAPPING *const *b) {
+compare_issuer_policy(const POLICY_MAPPING *const *a,
-  return OBJ_cmp((*a)->issuerDomainPolicy, (*b)->issuerDomainPolicy);
+    const POLICY_MAPPING *const *b)
+{
+        return OBJ_cmp((*a)->issuerDomainPolicy, (*b)->issuerDomainPolicy);
 }
-static int compare_subject_policy(const POLICY_MAPPING *const *a,
+static int
-                                  const POLICY_MAPPING *const *b) {
+compare_subject_policy(const POLICY_MAPPING *const *a,
-  return OBJ_cmp((*a)->subjectDomainPolicy, (*b)->subjectDomainPolicy);
+    const POLICY_MAPPING *const *b)
+{
+        return OBJ_cmp((*a)->subjectDomainPolicy, (*b)->subjectDomainPolicy);
 }
-static int delete_if_mapped(X509_POLICY_NODE *node, void *data) {
+static int
-  const POLICY_MAPPINGS *mappings = data;
+delete_if_mapped(X509_POLICY_NODE *node, void *data)
+{
+        const POLICY_MAPPINGS *mappings = data;
  // |mappings| must have been sorted by |compare_issuer_policy|.
-  assert(sk_POLICY_MAPPING_is_sorted(mappings));
+        assert(sk_POLICY_MAPPING_is_sorted(mappings));
-  POLICY_MAPPING mapping;
+        POLICY_MAPPING mapping;
-  mapping.issuerDomainPolicy = node->policy;
+        mapping.issuerDomainPolicy = node->policy;
-  if (sk_POLICY_MAPPING_find(mappings, &mapping) < 0) {
+        if (sk_POLICY_MAPPING_find(mappings, &mapping) < 0) {
-    return 0;
+                return 0;
-  }
+        }
-  x509_policy_node_free(node);
+        x509_policy_node_free(node);
-  return 1;
+        return 1;
 }
 // process_policy_mappings processes the policy mappings extension of |cert|,
@@ -424,224 +467,245 @@ static int delete_if_mapped(X509_POLICY_NODE *node, void *data) {
 // This is equivalent to the |X509_POLICY_LEVEL| that would result if the next
 // certificats contained anyPolicy. |process_certificate_policies| will filter
 // this result down to compute the actual level.
-static X509_POLICY_LEVEL *process_policy_mappings(const X509 *cert,
+static X509_POLICY_LEVEL *
-                                                  X509_POLICY_LEVEL *level,
+process_policy_mappings(const X509 *cert,
-                                                  int mapping_allowed) {
+    X509_POLICY_LEVEL *level,
-  int ok = 0;
+    int mapping_allowed)
-  STACK_OF(X509_POLICY_NODE) *new_nodes = NULL;
+{
-  X509_POLICY_LEVEL *next = NULL;
+        int ok = 0;
-  int critical;
+        STACK_OF(X509_POLICY_NODE) *new_nodes = NULL;
-  POLICY_MAPPINGS *mappings =
+        X509_POLICY_LEVEL *next = NULL;
-      X509_get_ext_d2i(cert, NID_policy_mappings, &critical, NULL);
+        int critical;
-  if (mappings == NULL && critical != -1) {
+        POLICY_MAPPINGS *mappings =
+            X509_get_ext_d2i(cert, NID_policy_mappings, &critical, NULL);
+        if (mappings == NULL && critical != -1) {
    // Syntax error in the policy mappings extension.
-    goto err;
+                goto err;
-  }
+        }
-  if (mappings != NULL) {
+        if (mappings != NULL) {
    // PolicyMappings may not be empty. See RFC 5280, section 4.2.1.5.
    // TODO(https://crbug.com/boringssl/443): Move this check into the parser.
-    if (sk_POLICY_MAPPING_num(mappings) == 0) {
+                if (sk_POLICY_MAPPING_num(mappings) == 0) {
-      X509error(X509_R_INVALID_POLICY_EXTENSION);
+                        X509error(X509_R_INVALID_POLICY_EXTENSION);
-      goto err;
+                        goto err;
-    }
+                }
    // RFC 5280, section 6.1.4, step (a).
-    for (size_t i = 0; i < sk_POLICY_MAPPING_num(mappings); i++) {
+                for (size_t i = 0; i < sk_POLICY_MAPPING_num(mappings); i++) {
-      POLICY_MAPPING *mapping = sk_POLICY_MAPPING_value(mappings, i);
+                        POLICY_MAPPING *mapping = sk_POLICY_MAPPING_value(mappings,
-      if (is_any_policy(mapping->issuerDomainPolicy) ||
+                            i);
-          is_any_policy(mapping->subjectDomainPolicy)) {
+                        if (is_any_policy(mapping->issuerDomainPolicy) ||
-        goto err;
+                            is_any_policy(mapping->subjectDomainPolicy)) {
-      }
+                                goto err;
-    }
+                        }
+                }
    // Sort to group by issuerDomainPolicy.
-    sk_POLICY_MAPPING_set_cmp_func(mappings, compare_issuer_policy);
+                sk_POLICY_MAPPING_set_cmp_func(mappings, compare_issuer_policy);
-    sk_POLICY_MAPPING_sort(mappings);
+                sk_POLICY_MAPPING_sort(mappings);
-    if (mapping_allowed) {
+                if (mapping_allowed) {
      // Mark nodes as mapped, and add any nodes to |level| which may be needed
      // as part of RFC 5280, section 6.1.4, step (b.1).
-      new_nodes = sk_X509_POLICY_NODE_new_null();
+                        new_nodes = sk_X509_POLICY_NODE_new_null();
-      if (new_nodes == NULL) {
+                        if (new_nodes == NULL) {
-        goto err;
+                                goto err;
-      }
+                        }
-      const ASN1_OBJECT *last_policy = NULL;
+                        const ASN1_OBJECT *last_policy = NULL;
-      for (size_t i = 0; i < sk_POLICY_MAPPING_num(mappings); i++) {
+                        for (size_t i = 0; i < sk_POLICY_MAPPING_num(mappings);
-        const POLICY_MAPPING *mapping = sk_POLICY_MAPPING_value(mappings, i);
+                            i++) {
-        // There may be multiple mappings with the same |issuerDomainPolicy|.
+                                const POLICY_MAPPING *mapping = sk_POLICY_MAPPING_value(mappings,
-        if (last_policy != NULL &&
+                                    i);
-            OBJ_cmp(mapping->issuerDomainPolicy, last_policy) == 0) {
+        // There may be multiple mappings with the same |issuerDomainPolicy|.
-          continue;
+                                if (last_policy != NULL &&
-        }
+                                    OBJ_cmp(mapping->issuerDomainPolicy,
-        last_policy = mapping->issuerDomainPolicy;
+                                    last_policy) == 0) {
+                                        continue;
-        X509_POLICY_NODE *node =
+                                }
-            x509_policy_level_find(level, mapping->issuerDomainPolicy);
+                                last_policy = mapping->issuerDomainPolicy;
-        if (node == NULL) {
-          if (!level->has_any_policy) {
+                                X509_POLICY_NODE *node =
-            continue;
+                                    x509_policy_level_find(level,
-          }
+                                    mapping->issuerDomainPolicy);
-          node = x509_policy_node_new(mapping->issuerDomainPolicy);
+                                if (node == NULL) {
-          if (node == NULL ||  //
+                                        if (!level->has_any_policy) {
-              !sk_X509_POLICY_NODE_push(new_nodes, node)) {
+                                                continue;
-            x509_policy_node_free(node);
+                                        }
-            goto err;
+                                        node = x509_policy_node_new(
-          }
+                                            mapping->issuerDomainPolicy);
-        }
+                                        if (node == NULL ||  //
-        node->mapped = 1;
+                                            !sk_X509_POLICY_NODE_push(new_nodes,
-      }
+                                            node)) {
-      if (!x509_policy_level_add_nodes(level, new_nodes)) {
+                                                x509_policy_node_free(node);
-        goto err;
+                                                goto err;
-      }
+                                        }
-    } else {
+                                }
+                                node->mapped = 1;
+                        }
+                        if (!x509_policy_level_add_nodes(level, new_nodes)) {
+                                goto err;
+                        }
+                } else {
      // RFC 5280, section 6.1.4, step (b.2). If mapping is inhibited, delete
      // all mapped nodes.
-      sk_X509_POLICY_NODE_delete_if(level->nodes, delete_if_mapped, mappings);
+                        sk_X509_POLICY_NODE_delete_if(level->nodes,
-      sk_POLICY_MAPPING_pop_free(mappings, POLICY_MAPPING_free);
+                            delete_if_mapped, mappings);
-      mappings = NULL;
+                        sk_POLICY_MAPPING_pop_free(mappings,
-    }
+                            POLICY_MAPPING_free);
-  }
+                        mappings = NULL;
+                }
+        }
  // If a node was not mapped, it retains the original "explicit_policy_set"
  // value, itself. Add those to |mappings|.
-  if (mappings == NULL) {
+        if (mappings == NULL) {
-    mappings = sk_POLICY_MAPPING_new_null();
+                mappings = sk_POLICY_MAPPING_new_null();
-    if (mappings == NULL) {
+                if (mappings == NULL) {
-      goto err;
+                        goto err;
-    }
+                }
-  }
+        }
-  for (size_t i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++) {
+        for (size_t i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++) {
-    X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(level->nodes, i);
+                X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(level->nodes,
-    if (!node->mapped) {
+                    i);
-      POLICY_MAPPING *mapping = POLICY_MAPPING_new();
+                if (!node->mapped) {
-      if (mapping == NULL) {
+                        POLICY_MAPPING *mapping = POLICY_MAPPING_new();
-        goto err;
+                        if (mapping == NULL) {
-      }
+                                goto err;
-      mapping->issuerDomainPolicy = OBJ_dup(node->policy);
+                        }
-      mapping->subjectDomainPolicy = OBJ_dup(node->policy);
+                        mapping->issuerDomainPolicy = OBJ_dup(node->policy);
-      if (mapping->issuerDomainPolicy == NULL ||
+                        mapping->subjectDomainPolicy = OBJ_dup(node->policy);
-          mapping->subjectDomainPolicy == NULL ||
+                        if (mapping->issuerDomainPolicy == NULL ||
-          !sk_POLICY_MAPPING_push(mappings, mapping)) {
+                            mapping->subjectDomainPolicy == NULL ||
-        POLICY_MAPPING_free(mapping);
+                            !sk_POLICY_MAPPING_push(mappings, mapping)) {
-        goto err;
+                                POLICY_MAPPING_free(mapping);
-      }
+                                goto err;
-    }
+                        }
-  }
+                }
+        }
  // Sort to group by subjectDomainPolicy.
-  sk_POLICY_MAPPING_set_cmp_func(mappings, compare_subject_policy);
+        sk_POLICY_MAPPING_set_cmp_func(mappings, compare_subject_policy);
-  sk_POLICY_MAPPING_sort(mappings);
+        sk_POLICY_MAPPING_sort(mappings);
  // Convert |mappings| to our "expected_policy_set" representation.
-  next = x509_policy_level_new();
+        next = x509_policy_level_new();
-  if (next == NULL) {
+        if (next == NULL) {
-    goto err;
+                goto err;
-  }
+        }
-  next->has_any_policy = level->has_any_policy;
+        next->has_any_policy = level->has_any_policy;
-  X509_POLICY_NODE *last_node = NULL;
+        X509_POLICY_NODE *last_node = NULL;
-  for (size_t i = 0; i < sk_POLICY_MAPPING_num(mappings); i++) {
+        for (size_t i = 0; i < sk_POLICY_MAPPING_num(mappings); i++) {
-    POLICY_MAPPING *mapping = sk_POLICY_MAPPING_value(mappings, i);
+                POLICY_MAPPING *mapping = sk_POLICY_MAPPING_value(mappings, i);
    // Skip mappings where |issuerDomainPolicy| does not appear in the graph.
-    if (!level->has_any_policy &&
+                if (!level->has_any_policy &&
-        x509_policy_level_find(level, mapping->issuerDomainPolicy) == NULL) {
+                    x509_policy_level_find(level,
-      continue;
+                    mapping->issuerDomainPolicy) == NULL) {
-    }
+                        continue;
+                }
-    if (last_node == NULL ||
-        OBJ_cmp(last_node->policy, mapping->subjectDomainPolicy) != 0) {
+                if (last_node == NULL ||
-      last_node = x509_policy_node_new(mapping->subjectDomainPolicy);
+                    OBJ_cmp(last_node->policy, mapping->subjectDomainPolicy) !=
-      if (last_node == NULL ||
+                    0) {
-          !sk_X509_POLICY_NODE_push(next->nodes, last_node)) {
+                        last_node = x509_policy_node_new(
-        x509_policy_node_free(last_node);
+                            mapping->subjectDomainPolicy);
-        goto err;
+                        if (last_node == NULL ||
-      }
+                            !sk_X509_POLICY_NODE_push(next->nodes, last_node)) {
-    }
+                                x509_policy_node_free(last_node);
+                                goto err;
-    if (!sk_ASN1_OBJECT_push(last_node->parent_policies,
+                        }
-                             mapping->issuerDomainPolicy)) {
+                }
-      goto err;
-    }
+                if (!sk_ASN1_OBJECT_push(last_node->parent_policies,
-    mapping->issuerDomainPolicy = NULL;
+                    mapping->issuerDomainPolicy)) {
-  }
+                        goto err;
+                }
-  sk_X509_POLICY_NODE_sort(next->nodes);
+                mapping->issuerDomainPolicy = NULL;
-  ok = 1;
+        }
+        sk_X509_POLICY_NODE_sort(next->nodes);
+        ok = 1;
 err:
-  if (!ok) {
+        if (!ok) {
-    x509_policy_level_free(next);
+                x509_policy_level_free(next);
-    next = NULL;
+                next = NULL;
-  }
+        }
-  sk_POLICY_MAPPING_pop_free(mappings, POLICY_MAPPING_free);
+        sk_POLICY_MAPPING_pop_free(mappings, POLICY_MAPPING_free);
-  sk_X509_POLICY_NODE_pop_free(new_nodes, x509_policy_node_free);
+        sk_X509_POLICY_NODE_pop_free(new_nodes, x509_policy_node_free);
-  return next;
+        return next;
 }
 // apply_skip_certs, if |skip_certs| is non-NULL, sets |*value| to the minimum
 // of its current value and |skip_certs|. It returns one on success and zero if
 // |skip_certs| is negative.
-static int apply_skip_certs(const ASN1_INTEGER *skip_certs, size_t *value) {
+static int
-  if (skip_certs == NULL) {
+apply_skip_certs(const ASN1_INTEGER *skip_certs, size_t *value)
-    return 1;
+{
-  }
+        if (skip_certs == NULL) {
+                return 1;
+        }
  // TODO(https://crbug.com/boringssl/443): Move this check into the parser.
-  if (skip_certs->type & V_ASN1_NEG) {
+        if (skip_certs->type & V_ASN1_NEG) {
-    X509error(X509_R_INVALID_POLICY_EXTENSION);
+                X509error(X509_R_INVALID_POLICY_EXTENSION);
-    return 0;
+                return 0;
-  }
+        }
  // If |skip_certs| does not fit in |uint64_t|, it must exceed |*value|.
-  uint64_t u64;
+        uint64_t u64;
-  if (ASN1_INTEGER_get_uint64(&u64, skip_certs) && u64 < *value) {
+        if (ASN1_INTEGER_get_uint64(&u64, skip_certs) && u64 < *value) {
-    *value = (size_t)u64;
+                *value = (size_t)u64;
-  }
+        }
-  ERR_clear_error();
+        ERR_clear_error();
-  return 1;
+        return 1;
 }
 // process_policy_constraints updates |*explicit_policy|, |*policy_mapping|, and
 // |*inhibit_any_policy| according to |x509|'s policy constraints and inhibit
 // anyPolicy extensions. It returns one on success and zero on error. This
 // implements steps (i) and (j) of RFC 5280, section 6.1.4.
-static int process_policy_constraints(const X509 *x509, size_t *explicit_policy,
+static int
-                                      size_t *policy_mapping,
+process_policy_constraints(const X509 *x509, size_t *explicit_policy,
-                                      size_t *inhibit_any_policy) {
+    size_t *policy_mapping,
-  int critical;
+    size_t *inhibit_any_policy)
-  POLICY_CONSTRAINTS *constraints =
+{
-      X509_get_ext_d2i(x509, NID_policy_constraints, &critical, NULL);
+        int critical;
-  if (constraints == NULL && critical != -1) {
+        POLICY_CONSTRAINTS *constraints =
-    return 0;
+            X509_get_ext_d2i(x509, NID_policy_constraints, &critical, NULL);
-  }
+        if (constraints == NULL && critical != -1) {
-  if (constraints != NULL) {
+                return 0;
-    if (constraints->requireExplicitPolicy == NULL &&
+        }
-        constraints->inhibitPolicyMapping == NULL) {
+        if (constraints != NULL) {
+                if (constraints->requireExplicitPolicy == NULL &&
+                    constraints->inhibitPolicyMapping == NULL) {
      // Per RFC 5280, section 4.2.1.11, at least one of the fields must be
      // present.
-      X509error(X509_R_INVALID_POLICY_EXTENSION);
+                        X509error(X509_R_INVALID_POLICY_EXTENSION);
-      POLICY_CONSTRAINTS_free(constraints);
+                        POLICY_CONSTRAINTS_free(constraints);
-      return 0;
+                        return 0;
-    }
+                }
-    int ok =
+                int ok =
-        apply_skip_certs(constraints->requireExplicitPolicy, explicit_policy) &&
+                    apply_skip_certs(constraints->requireExplicitPolicy,
-        apply_skip_certs(constraints->inhibitPolicyMapping, policy_mapping);
+                    explicit_policy) &&
-    POLICY_CONSTRAINTS_free(constraints);
+                    apply_skip_certs(constraints->inhibitPolicyMapping,
-    if (!ok) {
+                    policy_mapping);
-      return 0;
+                POLICY_CONSTRAINTS_free(constraints);
-    }
+                if (!ok) {
-  }
+                        return 0;
+                }
-  ASN1_INTEGER *inhibit_any_policy_ext =
+        }
-      X509_get_ext_d2i(x509, NID_inhibit_any_policy, &critical, NULL);
-  if (inhibit_any_policy_ext == NULL && critical != -1) {
+        ASN1_INTEGER *inhibit_any_policy_ext =
-    return 0;
+            X509_get_ext_d2i(x509, NID_inhibit_any_policy, &critical, NULL);
-  }
+        if (inhibit_any_policy_ext == NULL && critical != -1) {
-  int ok = apply_skip_certs(inhibit_any_policy_ext, inhibit_any_policy);
+                return 0;
-  ASN1_INTEGER_free(inhibit_any_policy_ext);
+        }
-  return ok;
+        int ok = apply_skip_certs(inhibit_any_policy_ext, inhibit_any_policy);
+        ASN1_INTEGER_free(inhibit_any_policy_ext);
+        return ok;
 }
 // has_explicit_policy returns one if the set of authority-space policy OIDs
@@ -649,215 +713,236 @@ static int process_policy_constraints(const X509 *x509, size_t *explicit_policy,
 // otherwise. This mirrors the logic in RFC 5280, section 6.1.5, step (g). This
 // function modifies |levels| and should only be called at the end of policy
 // evaluation.
-static int has_explicit_policy(STACK_OF(X509_POLICY_LEVEL) *levels,
+static int
-                               const STACK_OF(ASN1_OBJECT) *user_policies) {
+has_explicit_policy(STACK_OF(X509_POLICY_LEVEL) *levels,
-  assert(user_policies == NULL || sk_ASN1_OBJECT_is_sorted(user_policies));
+    const STACK_OF(ASN1_OBJECT) *user_policies)
+{
+        assert(user_policies == NULL ||
+            sk_ASN1_OBJECT_is_sorted(user_policies));
  // Step (g.i). If the policy graph is empty, the intersection is empty.
-  size_t num_levels = sk_X509_POLICY_LEVEL_num(levels);
+        size_t num_levels = sk_X509_POLICY_LEVEL_num(levels);
-  X509_POLICY_LEVEL *level = sk_X509_POLICY_LEVEL_value(levels, num_levels - 1);
+        X509_POLICY_LEVEL *level = sk_X509_POLICY_LEVEL_value(levels,
-  if (x509_policy_level_is_empty(level)) {
+            num_levels - 1);
-    return 0;
+        if (x509_policy_level_is_empty(level)) {
-  }
+                return 0;
+        }
  // If |user_policies| is empty, we interpret it as having a single anyPolicy
  // value. The caller may also have supplied anyPolicy explicitly.
-  int user_has_any_policy = sk_ASN1_OBJECT_num(user_policies) == 0;
+        int user_has_any_policy = sk_ASN1_OBJECT_num(user_policies) == 0;
-  for (size_t i = 0; i < sk_ASN1_OBJECT_num(user_policies); i++) {
+        for (size_t i = 0; i < sk_ASN1_OBJECT_num(user_policies); i++) {
-    if (is_any_policy(sk_ASN1_OBJECT_value(user_policies, i))) {
+                if (is_any_policy(sk_ASN1_OBJECT_value(user_policies, i))) {
-      user_has_any_policy = 1;
+                        user_has_any_policy = 1;
-      break;
+                        break;
-    }
+                }
-  }
+        }
  // Step (g.ii). If the policy graph is not empty and the user set contains
  // anyPolicy, the intersection is the entire (non-empty) graph.
-  if (user_has_any_policy) {
+        if (user_has_any_policy) {
-    return 1;
+                return 1;
-  }
+        }
  // Step (g.iii) does not delete anyPolicy nodes, so if the graph has
  // anyPolicy, some explicit policy will survive. The actual intersection may
  // synthesize some nodes in step (g.iii.3), but we do not return the policy
  // list itself, so we skip actually computing this.
-  if (level->has_any_policy) {
+        if (level->has_any_policy) {
-    return 1;
+                return 1;
-  }
+        }
  // We defer pruning the tree, so as we look for nodes with parent anyPolicy,
  // step (g.iii.1), we must limit to nodes reachable from the bottommost level.
  // Start by marking each of those nodes as reachable.
-  for (size_t i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++) {
+        for (size_t i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++) {
-    sk_X509_POLICY_NODE_value(level->nodes, i)->reachable = 1;
+                sk_X509_POLICY_NODE_value(level->nodes, i)->reachable = 1;
-  }
+        }
-  for (size_t i = num_levels - 1; i < num_levels; i--) {
+        for (size_t i = num_levels - 1; i < num_levels; i--) {
-    level = sk_X509_POLICY_LEVEL_value(levels, i);
+                level = sk_X509_POLICY_LEVEL_value(levels, i);
-    for (size_t j = 0; j < sk_X509_POLICY_NODE_num(level->nodes); j++) {
+                for (size_t j = 0; j < sk_X509_POLICY_NODE_num(level->nodes);
-      X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(level->nodes, j);
+                    j++) {
-      if (!node->reachable) {
+                        X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(level->nodes,
-        continue;
+                            j);
-      }
+                        if (!node->reachable) {
-      if (sk_ASN1_OBJECT_num(node->parent_policies) == 0) {
+                                continue;
-        // |node|'s parent is anyPolicy and is part of "valid_policy_node_set".
+                        }
-        // If it exists in |user_policies|, the intersection is non-empty and we
+                        if (sk_ASN1_OBJECT_num(node->parent_policies) == 0) {
-        // can return immediately.
+        // |node|'s parent is anyPolicy and is part of "valid_policy_node_set".
-        if (sk_ASN1_OBJECT_find(user_policies, node->policy) >= 0) {
+        // If it exists in |user_policies|, the intersection is non-empty and we
-          return 1;
+        // can return immediately.
-        }
+                                if (sk_ASN1_OBJECT_find(user_policies,
-      } else if (i > 0) {
+                                    node->policy) >= 0) {
-        // |node|'s parents are concrete policies. Mark the parents reachable,
+                                        return 1;
-        // to be inspected by the next loop iteration.
+                                }
-        X509_POLICY_LEVEL *prev = sk_X509_POLICY_LEVEL_value(levels, i - 1);
+                        } else if (i > 0) {
-        for (size_t k = 0; k < sk_ASN1_OBJECT_num(node->parent_policies); k++) {
+        // |node|'s parents are concrete policies. Mark the parents reachable,
-          X509_POLICY_NODE *parent = x509_policy_level_find(
+        // to be inspected by the next loop iteration.
-              prev, sk_ASN1_OBJECT_value(node->parent_policies, k));
+                                X509_POLICY_LEVEL *prev = sk_X509_POLICY_LEVEL_value(levels,
-          if (parent != NULL) {
+                                    i - 1);
-            parent->reachable = 1;
+                                for (size_t k = 0; k <
-          }
+                                    sk_ASN1_OBJECT_num(node->parent_policies);
-        }
+                                    k++) {
-      }
+                                        X509_POLICY_NODE *parent = x509_policy_level_find(
-    }
+                                            prev,
-  }
+                                            sk_ASN1_OBJECT_value(node->parent_policies,
-  return 0;
+                                            k));
+                                        if (parent != NULL) {
+                                                parent->reachable = 1;
+                                        }
+                                }
+                        }
+                }
+        }
+        return 0;
 }
-static int asn1_object_cmp(const ASN1_OBJECT *const *a,
+static int
-                           const ASN1_OBJECT *const *b) {
+asn1_object_cmp(const ASN1_OBJECT *const *a,
-  return OBJ_cmp(*a, *b);
+    const ASN1_OBJECT *const *b)
+{
+        return OBJ_cmp(*a, *b);
 }
-int X509_policy_check(const STACK_OF(X509) *certs,
+int
-                      const STACK_OF(ASN1_OBJECT) *user_policies,
+X509_policy_check(const STACK_OF(X509) *certs,
-                      unsigned long flags, X509 **out_current_cert) {
+    const STACK_OF(ASN1_OBJECT) *user_policies,
-  *out_current_cert = NULL;
+    unsigned long flags, X509 **out_current_cert)
-  int ret = X509_V_ERR_OUT_OF_MEM;
+{
-  X509_POLICY_LEVEL *level = NULL;
+        *out_current_cert = NULL;
-  STACK_OF(X509_POLICY_LEVEL) *levels = NULL;
+        int ret = X509_V_ERR_OUT_OF_MEM;
-  STACK_OF(ASN1_OBJECT) *user_policies_sorted = NULL;
+        X509_POLICY_LEVEL *level = NULL;
-  size_t num_certs = sk_X509_num(certs);
+        STACK_OF(X509_POLICY_LEVEL) *levels = NULL;
+        STACK_OF(ASN1_OBJECT) *user_policies_sorted = NULL;
+        size_t num_certs = sk_X509_num(certs);
  // Skip policy checking if the chain is just the trust anchor.
-  if (num_certs <= 1) {
+        if (num_certs <= 1) {
-    return X509_V_OK;
+                return X509_V_OK;
-  }
+        }
  // See RFC 5280, section 6.1.2, steps (d) through (f).
-  size_t explicit_policy =
+        size_t explicit_policy =
-      (flags & X509_V_FLAG_EXPLICIT_POLICY) ? 0 : num_certs + 1;
+            (flags & X509_V_FLAG_EXPLICIT_POLICY) ? 0 : num_certs + 1;
-  size_t inhibit_any_policy =
+        size_t inhibit_any_policy =
-      (flags & X509_V_FLAG_INHIBIT_ANY) ? 0 : num_certs + 1;
+            (flags & X509_V_FLAG_INHIBIT_ANY) ? 0 : num_certs + 1;
-  size_t policy_mapping =
+        size_t policy_mapping =
-      (flags & X509_V_FLAG_INHIBIT_MAP) ? 0 : num_certs + 1;
+            (flags & X509_V_FLAG_INHIBIT_MAP) ? 0 : num_certs + 1;
-  levels = sk_X509_POLICY_LEVEL_new_null();
+        levels = sk_X509_POLICY_LEVEL_new_null();
-  if (levels == NULL) {
+        if (levels == NULL) {
-    goto err;
+                goto err;
-  }
+        }
-  for (size_t i = num_certs - 2; i < num_certs; i--) {
+        for (size_t i = num_certs - 2; i < num_certs; i--) {
-    X509 *cert = sk_X509_value(certs, i);
+                X509 *cert = sk_X509_value(certs, i);
-    if (!x509v3_cache_extensions(cert)) {
+                if (!x509v3_cache_extensions(cert)) {
-      goto err;
+                        goto err;
-    }
+                }
-    const int is_self_issued = (cert->ex_flags & EXFLAG_SI) != 0;
+                const int is_self_issued = (cert->ex_flags & EXFLAG_SI) != 0;
-    if (level == NULL) {
+                if (level == NULL) {
-      assert(i == num_certs - 2);
+                        assert(i == num_certs - 2);
-      level = x509_policy_level_new();
+                        level = x509_policy_level_new();
-      if (level == NULL) {
+                        if (level == NULL) {
-        goto err;
+                                goto err;
-      }
+                        }
-      level->has_any_policy = 1;
+                        level->has_any_policy = 1;
-    }
+                }
    // RFC 5280, section 6.1.3, steps (d) and (e). |any_policy_allowed| is
    // computed as in step (d.2).
-    const int any_policy_allowed =
+                const int any_policy_allowed =
-        inhibit_any_policy > 0 || (i > 0 && is_self_issued);
+                    inhibit_any_policy > 0 || (i > 0 && is_self_issued);
-    if (!process_certificate_policies(cert, level, any_policy_allowed)) {
+                if (!process_certificate_policies(cert, level,
-      ret = X509_V_ERR_INVALID_POLICY_EXTENSION;
+                    any_policy_allowed)) {
-      *out_current_cert = cert;
+                        ret = X509_V_ERR_INVALID_POLICY_EXTENSION;
-      goto err;
+                        *out_current_cert = cert;
-    }
+                        goto err;
+                }
    // RFC 5280, section 6.1.3, step (f).
-    if (explicit_policy == 0 && x509_policy_level_is_empty(level)) {
+                if (explicit_policy == 0 && x509_policy_level_is_empty(level)) {
-      ret = X509_V_ERR_NO_EXPLICIT_POLICY;
+                        ret = X509_V_ERR_NO_EXPLICIT_POLICY;
-      goto err;
+                        goto err;
-    }
+                }
    // Insert into the list.
-    if (!sk_X509_POLICY_LEVEL_push(levels, level)) {
+                if (!sk_X509_POLICY_LEVEL_push(levels, level)) {
-      goto err;
+                        goto err;
-    }
+                }
-    X509_POLICY_LEVEL *current_level = level;
+                X509_POLICY_LEVEL *current_level = level;
-    level = NULL;
+                level = NULL;
    // If this is not the leaf certificate, we go to section 6.1.4. If it
    // is the leaf certificate, we go to section 6.1.5 instead.
-    if (i != 0) {
+                if (i != 0) {
      // RFC 5280, section 6.1.4, steps (a) and (b).
-      level = process_policy_mappings(cert, current_level, policy_mapping > 0);
+                        level = process_policy_mappings(cert, current_level,
-      if (level == NULL) {
+                            policy_mapping > 0);
-        ret = X509_V_ERR_INVALID_POLICY_EXTENSION;
+                        if (level == NULL) {
-        *out_current_cert = cert;
+                                ret = X509_V_ERR_INVALID_POLICY_EXTENSION;
-        goto err;
+                                *out_current_cert = cert;
-      }
+                                goto err;
-    }
+                        }
+                }
    // RFC 5280, section 6.1.4, step (h-j) for non-leaves, and section 6.1.5,
    // step (a-b) for leaves. In the leaf case, RFC 5280 says only to update
    // |explicit_policy|, but |policy_mapping| and |inhibit_any_policy| are no
    // longer read at this point, so we use the same process.
-    if (i == 0 || !is_self_issued) {
+                if (i == 0 || !is_self_issued) {
-      if (explicit_policy > 0) {
+                        if (explicit_policy > 0) {
-        explicit_policy--;
+                                explicit_policy--;
-      }
+                        }
-      if (policy_mapping > 0) {
+                        if (policy_mapping > 0) {
-        policy_mapping--;
+                                policy_mapping--;
-      }
+                        }
-      if (inhibit_any_policy > 0) {
+                        if (inhibit_any_policy > 0) {
-        inhibit_any_policy--;
+                                inhibit_any_policy--;
-      }
+                        }
-    }
+                }
-    if (!process_policy_constraints(cert, &explicit_policy, &policy_mapping,
+                if (!process_policy_constraints(cert, &explicit_policy,
-                                    &inhibit_any_policy)) {
+                    &policy_mapping, &inhibit_any_policy)) {
-      ret = X509_V_ERR_INVALID_POLICY_EXTENSION;
+                        ret = X509_V_ERR_INVALID_POLICY_EXTENSION;
-      *out_current_cert = cert;
+                        *out_current_cert = cert;
-      goto err;
+                        goto err;
-    }
+                }
-  }
+        }
  // RFC 5280, section 6.1.5, step (g). We do not output the policy set, so it
  // is only necessary to check if the user-constrained-policy-set is not empty.
-  if (explicit_policy == 0) {
+        if (explicit_policy == 0) {
    // Build a sorted copy of |user_policies| for more efficient lookup.
-    if (user_policies != NULL) {
+                if (user_policies != NULL) {
-      user_policies_sorted = sk_ASN1_OBJECT_dup(user_policies);
+                        user_policies_sorted = sk_ASN1_OBJECT_dup(
-      if (user_policies_sorted == NULL) {
+                            user_policies);
-        goto err;
+                        if (user_policies_sorted == NULL) {
-      }
+                                goto err;
-      sk_ASN1_OBJECT_set_cmp_func(user_policies_sorted, asn1_object_cmp);
+                        }
-      sk_ASN1_OBJECT_sort(user_policies_sorted);
+                        sk_ASN1_OBJECT_set_cmp_func(user_policies_sorted,
-    }
+                            asn1_object_cmp);
+                        sk_ASN1_OBJECT_sort(user_policies_sorted);
-    if (!has_explicit_policy(levels, user_policies_sorted)) {
+                }
-      ret = X509_V_ERR_NO_EXPLICIT_POLICY;
-      goto err;
+                if (!has_explicit_policy(levels, user_policies_sorted)) {
-    }
+                        ret = X509_V_ERR_NO_EXPLICIT_POLICY;
-  }
+                        goto err;
+                }
-  ret = X509_V_OK;
+        }
+        ret = X509_V_OK;
 err:
-  x509_policy_level_free(level);
+        x509_policy_level_free(level);
  // |user_policies_sorted|'s contents are owned by |user_policies|, so we do
  // not use |sk_ASN1_OBJECT_pop_free|.
-  sk_ASN1_OBJECT_free(user_policies_sorted);
+        sk_ASN1_OBJECT_free(user_policies_sorted);
-  sk_X509_POLICY_LEVEL_pop_free(levels, x509_policy_level_free);
+        sk_X509_POLICY_LEVEL_pop_free(levels, x509_policy_level_free);
-  return ret;
+        return ret;
 }
 #endif /* LIBRESSL_HAS_POLICY_DAG */
author	tb <>	2023-04-26 21:07:32 +0000
committer	tb <>	2023-04-26 21:07:32 +0000
commit	b79485b52cb70e59a1009a4160ff34017797ef40 (patch)
tree	df0b6fbe00685fbb214e40e97c128f449afa11e3 /src
parent	102ccf204a2664e54c596fdc47602e28b493842c (diff)
download	openbsd-b79485b52cb70e59a1009a4160ff34017797ef40.tar.gz openbsd-b79485b52cb70e59a1009a4160ff34017797ef40.tar.bz2 openbsd-b79485b52cb70e59a1009a4160ff34017797ef40.zip