Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libcrypto/x509/x509_policy.c | 43 |
1 files changed, 26 insertions, 17 deletions
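--- a/src/lib/libcrypto/x509/x509_policy.c
+++ b/src/lib/libcrypto/x509/x509_policy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_policy.c,v 1.11 2023/04/26 21:35:22 tb Exp $ */
+/* $OpenBSD: x509_policy.c,v 1.12 2023/04/26 22:09:07 tb Exp $ */
 /*
 * Copyright (c) 2022, Google Inc.
 *
@@ -262,8 +262,10 @@ x509_policy_level_is_empty(const X509_POLICY_LEVEL *level)
 static void
 x509_policy_level_clear(X509_POLICY_LEVEL *level)
 {
+size_t i;
+
 level->has_any_policy = 0;
-for (size_t i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++) {
+for (i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++) {
 x509_policy_node_free(
 sk_X509_POLICY_NODE_value(level->nodes, i));
 }
@@ -301,7 +303,9 @@ static int
 x509_policy_level_add_nodes(X509_POLICY_LEVEL *level,
 STACK_OF(X509_POLICY_NODE) *nodes)
 {
-for (size_t i = 0; i < sk_X509_POLICY_NODE_num(nodes); i++) {
+size_t i;
+
+for (i = 0; i < sk_X509_POLICY_NODE_num(nodes); i++) {
 X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(nodes, i);
 if (!sk_X509_POLICY_NODE_push(level->nodes, node)) {
 return 0;
@@ -312,7 +316,7 @@ x509_policy_level_add_nodes(X509_POLICY_LEVEL *level,
 
 #if !defined(NDEBUG)
 /* There should be no duplicate nodes. */
-for (size_t i = 1; i < sk_X509_POLICY_NODE_num(level->nodes); i++) {
+for (i = 1; i < sk_X509_POLICY_NODE_num(level->nodes); i++) {
 assert(
 OBJ_cmp(
 sk_X509_POLICY_NODE_value(level->nodes, i - 1)->policy,
@@ -357,8 +361,10 @@ process_certificate_policies(const X509 *x509,
 X509_POLICY_LEVEL *level,
 int any_policy_allowed)
 {
+size_t i;
 int ret = 0;
 int critical;
+
 STACK_OF(X509_POLICY_NODE) *new_nodes = NULL;
 CERTIFICATEPOLICIES *policies =
 X509_get_ext_d2i(x509, NID_certificate_policies, &critical, NULL);
@@ -384,7 +390,7 @@ process_certificate_policies(const X509 *x509,
 sk_POLICYINFO_set_cmp_func(policies, policyinfo_cmp);
 sk_POLICYINFO_sort(policies);
 int cert_has_any_policy = 0;
-for (size_t i = 0; i < sk_POLICYINFO_num(policies); i++) {
+for (i = 0; i < sk_POLICYINFO_num(policies); i++) {
 const POLICYINFO *policy = sk_POLICYINFO_value(policies, i);
 if (is_any_policy(policy->policyid)) {
 cert_has_any_policy = 1;
@@ -429,7 +435,7 @@ process_certificate_policies(const X509 *x509,
 if (new_nodes == NULL) {
 goto err;
 }
-for (size_t i = 0; i < sk_POLICYINFO_num(policies); i++) {
+for (i = 0; i < sk_POLICYINFO_num(policies); i++) {
 const POLICYINFO *policy = sk_POLICYINFO_value(policies,
 i);
 /*
@@ -515,6 +521,7 @@ process_policy_mappings(const X509 *cert,
 X509_POLICY_LEVEL *level,
 int mapping_allowed)
 {
+size_t i;
 int ok = 0;
 STACK_OF(X509_POLICY_NODE) *new_nodes = NULL;
 X509_POLICY_LEVEL *next = NULL;
@@ -538,7 +545,7 @@ process_policy_mappings(const X509 *cert,
 }
 
 /* RFC 5280, section 6.1.4, step (a). */
-for (size_t i = 0; i < sk_POLICY_MAPPING_num(mappings); i++) {
+for (i = 0; i < sk_POLICY_MAPPING_num(mappings); i++) {
 POLICY_MAPPING *mapping = sk_POLICY_MAPPING_value(mappings, i);
 if (is_any_policy(mapping->issuerDomainPolicy) ||
 is_any_policy(mapping->subjectDomainPolicy)) {
@@ -561,7 +568,7 @@ process_policy_mappings(const X509 *cert,
 goto err;
 }
 const ASN1_OBJECT *last_policy = NULL;
-for (size_t i = 0; i < sk_POLICY_MAPPING_num(mappings);
+for (i = 0; i < sk_POLICY_MAPPING_num(mappings);
 i++) {
 const POLICY_MAPPING *mapping = sk_POLICY_MAPPING_value(mappings,
 i);
@@ -620,7 +627,7 @@ process_policy_mappings(const X509 *cert,
 goto err;
 }
 }
-for (size_t i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++) {
+for (i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++) {
 X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(level->nodes,
 i);
 if (!node->mapped) {
@@ -651,7 +658,7 @@ process_policy_mappings(const X509 *cert,
 next->has_any_policy = level->has_any_policy;
 
 X509_POLICY_NODE *last_node = NULL;
-for (size_t i = 0; i < sk_POLICY_MAPPING_num(mappings); i++) {
+for (i = 0; i < sk_POLICY_MAPPING_num(mappings); i++) {
 POLICY_MAPPING *mapping = sk_POLICY_MAPPING_value(mappings, i);
 /*
 * Skip mappings where |issuerDomainPolicy| does not appear in
@@ -783,6 +790,8 @@ static int
 has_explicit_policy(STACK_OF(X509_POLICY_LEVEL) *levels,
 const STACK_OF(ASN1_OBJECT) *user_policies)
 {
+size_t i, j, k;
+
 assert(user_policies == NULL ||
 sk_ASN1_OBJECT_is_sorted(user_policies));
 
@@ -800,7 +809,7 @@ has_explicit_policy(STACK_OF(X509_POLICY_LEVEL) *levels,
 * explicitly.
 */
 int user_has_any_policy = sk_ASN1_OBJECT_num(user_policies) == 0;
-for (size_t i = 0; i < sk_ASN1_OBJECT_num(user_policies); i++) {
+for (i = 0; i < sk_ASN1_OBJECT_num(user_policies); i++) {
 if (is_any_policy(sk_ASN1_OBJECT_value(user_policies, i))) {
 user_has_any_policy = 1;
 break;
@@ -830,13 +839,13 @@ has_explicit_policy(STACK_OF(X509_POLICY_LEVEL) *levels,
 * anyPolicy, step (g.iii.1), we must limit to nodes reachable from the
 * bottommost level. Start by marking each of those nodes as reachable.
 */
-for (size_t i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++) {
+for (i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++) {
 sk_X509_POLICY_NODE_value(level->nodes, i)->reachable = 1;
 }
 
-for (size_t i = num_levels - 1; i < num_levels; i--) {
+for (i = num_levels - 1; i < num_levels; i--) {
 level = sk_X509_POLICY_LEVEL_value(levels, i);
-for (size_t j = 0; j < sk_X509_POLICY_NODE_num(level->nodes);
+for (j = 0; j < sk_X509_POLICY_NODE_num(level->nodes);
 j++) {
 X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(level->nodes,
 j);
@@ -861,8 +870,7 @@ has_explicit_policy(STACK_OF(X509_POLICY_LEVEL) *levels,
 */
 X509_POLICY_LEVEL *prev = sk_X509_POLICY_LEVEL_value(levels,
 i - 1);
-for (size_t k = 0; k <
-sk_ASN1_OBJECT_num(node->parent_policies);
+for (k = 0; k < sk_ASN1_OBJECT_num(node->parent_policies);
 k++) {
 X509_POLICY_NODE *parent = x509_policy_level_find(
 prev,
@@ -897,6 +905,7 @@ X509_policy_check(const STACK_OF(X509) *certs,
 STACK_OF(X509_POLICY_LEVEL) *levels = NULL;
 STACK_OF(ASN1_OBJECT) *user_policies_sorted = NULL;
 size_t num_certs = sk_X509_num(certs);
+size_t i;
 
 /* Skip policy checking if the chain is just the trust anchor. */
 if (num_certs <= 1) {
@@ -916,7 +925,7 @@ X509_policy_check(const STACK_OF(X509) *certs,
 goto err;
 }
 
-for (size_t i = num_certs - 2; i < num_certs; i--) {
+for (i = num_certs - 2; i < num_certs; i--) {
 X509 *cert = sk_X509_value(certs, i);
 if (!x509v3_cache_extensions(cert)) {
 goto err;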
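Review bot: The hoisted counters are still `size_t` while every loop bound here comes from an `sk_*_num()` accessor, which in this library's stack API returns `int` and yields -1 for a NULL stack; the comparison then converts -1 to SIZE_MAX and the loop body runs with an out-of-range index. The case most worth checking is `sk_ASN1_OBJECT_num(user_policies)` in has_explicit_policy, whose opening assert explicitly permits `user_policies == NULL`; whether NULL is normalised in the lines between the hunks is not visible here. If it is not, wrap that loop in `if (user_policies != NULL)`, or store the count once in an `int` and reject negative values before comparing. The same applies to `size_t num_certs = sk_X509_num(certs);` in X509_policy_check, where `num_certs <= 1` would not catch a -1 result, and the descending loops (`i < num_levels; i--`) depend on unsigned wrap-around and so need a different exit condition if the counters become `int`. Both function bodies continue outside the visible hunks.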
