summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/x509/x509_policy.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libcrypto/x509/x509_policy.c')
-rw-r--r--src/lib/libcrypto/x509/x509_policy.c12
1 files changed, 7 insertions, 5 deletions
diff --git a/src/lib/libcrypto/x509/x509_policy.c b/src/lib/libcrypto/x509/x509_policy.c
index 368a3e42f4..b8ddef091f 100644
--- a/src/lib/libcrypto/x509/x509_policy.c
+++ b/src/lib/libcrypto/x509/x509_policy.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: x509_policy.c,v 1.20 2023/04/28 15:30:14 tb Exp $ */ 1/* $OpenBSD: x509_policy.c,v 1.21 2023/04/28 15:35:55 tb Exp $ */
2/* 2/*
3 * Copyright (c) 2022, Google Inc. 3 * Copyright (c) 2022, Google Inc.
4 * 4 *
@@ -164,7 +164,7 @@ DECLARE_STACK_OF(X509_POLICY_LEVEL)
164/* 164/*
165 * Don't look Ethel, but you would really not want to look if we did 165 * Don't look Ethel, but you would really not want to look if we did
166 * this the OpenSSL way either, and we are not using this boringsslism 166 * this the OpenSSL way either, and we are not using this boringsslism
167 * anywhere else. 167 * anywhere else. Callers should ensure that the stack in data is sorted.
168 */ 168 */
169void 169void
170sk_X509_POLICY_NODE_delete_if(STACK_OF(X509_POLICY_NODE) *nodes, 170sk_X509_POLICY_NODE_delete_if(STACK_OF(X509_POLICY_NODE) *nodes,
@@ -333,9 +333,9 @@ static int
333delete_if_not_in_policies(X509_POLICY_NODE *node, void *data) 333delete_if_not_in_policies(X509_POLICY_NODE *node, void *data)
334{ 334{
335 const CERTIFICATEPOLICIES *policies = data; 335 const CERTIFICATEPOLICIES *policies = data;
336 assert(sk_POLICYINFO_is_sorted(policies));
337 POLICYINFO info; 336 POLICYINFO info;
338 info.policyid = node->policy; 337 info.policyid = node->policy;
338
339 if (sk_POLICYINFO_find(policies, &info) >= 0) 339 if (sk_POLICYINFO_find(policies, &info) >= 0)
340 return 0; 340 return 0;
341 x509_policy_node_free(node); 341 x509_policy_node_free(node);
@@ -415,6 +415,8 @@ process_certificate_policies(const X509 *x509, X509_POLICY_LEVEL *level,
415 * anyPolicy if it is inhibited. 415 * anyPolicy if it is inhibited.
416 */ 416 */
417 if (!cert_has_any_policy || !any_policy_allowed) { 417 if (!cert_has_any_policy || !any_policy_allowed) {
418 if (!sk_POLICYINFO_is_sorted(policies))
419 goto err;
418 sk_X509_POLICY_NODE_delete_if(level->nodes, 420 sk_X509_POLICY_NODE_delete_if(level->nodes,
419 delete_if_not_in_policies, policies); 421 delete_if_not_in_policies, policies);
420 level->has_any_policy = 0; 422 level->has_any_policy = 0;
@@ -478,8 +480,6 @@ static int
478delete_if_mapped(X509_POLICY_NODE *node, void *data) 480delete_if_mapped(X509_POLICY_NODE *node, void *data)
479{ 481{
480 const POLICY_MAPPINGS *mappings = data; 482 const POLICY_MAPPINGS *mappings = data;
481 /* |mappings| must have been sorted by |compare_issuer_policy|. */
482 assert(sk_POLICY_MAPPING_is_sorted(mappings));
483 POLICY_MAPPING mapping; 483 POLICY_MAPPING mapping;
484 mapping.issuerDomainPolicy = node->policy; 484 mapping.issuerDomainPolicy = node->policy;
485 if (sk_POLICY_MAPPING_find(mappings, &mapping) < 0) 485 if (sk_POLICY_MAPPING_find(mappings, &mapping) < 0)
@@ -596,6 +596,8 @@ process_policy_mappings(const X509 *cert,
596 * RFC 5280, section 6.1.4, step (b.2). If mapping is 596 * RFC 5280, section 6.1.4, step (b.2). If mapping is
597 * inhibited, delete all mapped nodes. 597 * inhibited, delete all mapped nodes.
598 */ 598 */
599 if (!sk_POLICY_MAPPING_is_sorted(mappings))
600 goto err;
599 sk_X509_POLICY_NODE_delete_if(level->nodes, 601 sk_X509_POLICY_NODE_delete_if(level->nodes,
600 delete_if_mapped, mappings); 602 delete_if_mapped, mappings);
601 sk_POLICY_MAPPING_pop_free(mappings, 603 sk_POLICY_MAPPING_pop_free(mappings,
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-26 23:02:19 +0000