pcy_cache.c revision e45f106cb6b47af1f21efe76e933bdea2f5dd1ca
15821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)/* pcy_cache.c */ 25821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 35821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * project 2004. 45821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) */ 55821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)/* ==================================================================== 65821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * Copyright (c) 2004 The OpenSSL Project. All rights reserved. 790dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) * 890dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) * Redistribution and use in source and binary forms, with or without 990dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) * modification, are permitted provided that the following conditions 105821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * are met: 115821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * 125821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * 1. Redistributions of source code must retain the above copyright 135821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * notice, this list of conditions and the following disclaimer. 145821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * 155821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * 2. Redistributions in binary form must reproduce the above copyright 165821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * notice, this list of conditions and the following disclaimer in 175821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * the documentation and/or other materials provided with the 185821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * distribution. 
195821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * 205821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * 3. All advertising materials mentioning features or use of this 215821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * software must display the following acknowledgment: 225821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * "This product includes software developed by the OpenSSL Project 235821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 245821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * 255821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 265821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * endorse or promote products derived from this software without 275821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * prior written permission. For written permission, please contact 285821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * licensing@OpenSSL.org. 295821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * 305821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * 5. Products derived from this software may not be called "OpenSSL" 315821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * nor may "OpenSSL" appear in their names without prior written 325821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * permission of the OpenSSL Project. 335821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * 345821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * 6. 
Redistributions of any form whatsoever must retain the following 355821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * acknowledgment: 365821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * "This product includes software developed by the OpenSSL Project 375821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 385821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * 395821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 405821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 415821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 425821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 435821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 445821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 455821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 465821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 475821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 485821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 495821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 505821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * OF THE POSSIBILITY OF SUCH 
DAMAGE. 515821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * ==================================================================== 525821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * 535821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * This product includes cryptographic software written by Eric Young 542a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) * (eay@cryptsoft.com). This product includes software written by Tim 552a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) * Hudson (tjh@cryptsoft.com). 565821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * 575821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) */ 585821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 595821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include "cryptlib.h" 605821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include <openssl/x509.h> 612a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles)#include <openssl/x509v3.h> 625821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 635821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include "pcy_int.h" 645821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 655821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)static int policy_data_cmp(const X509_POLICY_DATA * const *a, 665821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) const X509_POLICY_DATA * const *b); 675821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)static int policy_cache_set_int(long *out, ASN1_INTEGER *value); 685821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 695821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)/* Set cache entry according to CertificatePolicies extension. 705821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * Note: this destroys the passed CERTIFICATEPOLICIES structure. 
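*/

/*
 * Build cache->data (and cache->anyPolicy) for x from a decoded
 * CertificatePolicies extension.
 *
 * x        certificate whose x->policy_cache is being populated
 * policies decoded CertificatePolicies; consumed (freed) on every path
 * crit     critical flag of the extension, passed through to each entry
 *
 * Returns 1 on success, 0 on allocation failure (or an empty sequence),
 * -1 if a policy OID is repeated; -1 also sets EXFLAG_INVALID_POLICY on x.
 * On any non-success return cache->data is freed and reset to NULL.
 */
static int policy_cache_create(X509 *x,
                               CERTIFICATEPOLICIES *policies, int crit)
{
    int i;
    int ret = 0;
    X509_POLICY_CACHE *cache = x->policy_cache;
    X509_POLICY_DATA *data = NULL;
    POLICYINFO *policy;

    /* An empty sequence yields nothing to cache. */
    if (sk_POLICYINFO_num(policies) == 0)
        goto bad_policy;
    cache->data = sk_X509_POLICY_DATA_new(policy_data_cmp);
    if (!cache->data)
        goto bad_policy;
    for (i = 0; i < sk_POLICYINFO_num(policies); i++) {
        policy = sk_POLICYINFO_value(policies, i);
        data = policy_data_new(policy, NULL, crit);
        if (!data)
            goto bad_policy;
        /*
         * Duplicate policy OIDs are illegal: anyPolicy is kept in its own
         * slot rather than in the stack, everything else is looked up in
         * the stack; a hit either way means a malformed certificate.
         */
        if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
            if (cache->anyPolicy) {
                ret = -1;
                goto bad_policy;
            }
            cache->anyPolicy = data;
        } else if (sk_X509_POLICY_DATA_find(cache->data, data) != -1) {
            ret = -1;
            goto bad_policy;
        } else if (!sk_X509_POLICY_DATA_push(cache->data, data)) {
            goto bad_policy;
        }
        /* Ownership has moved into the cache; don't free it below. */
        data = NULL;
    }
    ret = 1;

 bad_policy:
    if (ret == -1)
        x->ex_flags |= EXFLAG_INVALID_POLICY;
    if (data)
        policy_data_free(data);
    /* The caller's CERTIFICATEPOLICIES is always consumed here. */
    sk_POLICYINFO_pop_free(policies, POLICYINFO_free);
    if (ret <= 0) {
        sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
        cache->data = NULL;
    }
    return ret;
}

/*
 * Allocate and populate x->policy_cache from the PolicyConstraints,
 * CertificatePolicies, PolicyMappings and InhibitAnyPolicy extensions.
 *
 * Returns 1 when a cache is in place (including "no CertificatePolicies"
 * and "invalid policy", the latter also setting EXFLAG_INVALID_POLICY),
 * 0 on allocation failure, and -1 when policy_cache_create() rejected the
 * policies. Must be called with CRYPTO_LOCK_X509 held; see
 * policy_cache_set().
 *
 * Fixes versus the previous version: the decoded PolicyConstraints was
 * leaked when CertificatePolicies was absent or when policy_cache_create()
 * failed (both paths returned without freeing ext_pcons), and a second
 * thread that lost the race in policy_cache_set() would replace (and leak)
 * a cache the first thread had already installed.
 */
static int policy_cache_new(X509 *x)
{
    X509_POLICY_CACHE *cache;
    ASN1_INTEGER *ext_any = NULL;
    POLICY_CONSTRAINTS *ext_pcons = NULL;
    CERTIFICATEPOLICIES *ext_cpols = NULL;
    POLICY_MAPPINGS *ext_pmaps = NULL;
    int i;
    int ret = 1;

    /*
     * policy_cache_set() tests x->policy_cache before taking the lock, so
     * two threads may both decide to build it. Re-check under the lock so
     * the loser neither leaks nor overwrites the winner's cache.
     */
    if (x->policy_cache != NULL)
        return 1;

    cache = OPENSSL_malloc(sizeof(X509_POLICY_CACHE));
    if (!cache)
        return 0;
    cache->anyPolicy = NULL;
    cache->data = NULL;
    cache->maps = NULL;
    /* -1 in the skip fields means "constraint not present". */
    cache->any_skip = -1;
    cache->explicit_skip = -1;
    cache->map_skip = -1;

    x->policy_cache = cache;

    /*
     * Handle requireExplicitPolicy *first*. Need to process this
     * even if we don't have any policies.
     */
    ext_pcons = X509_get_ext_d2i(x, NID_policy_constraints, &i, NULL);

    if (!ext_pcons) {
        /* i == -1 means absent; anything else is a decode problem. */
        if (i != -1)
            goto bad_cache;
    } else {
        /* A PolicyConstraints with neither field is malformed. */
        if (!ext_pcons->requireExplicitPolicy
            && !ext_pcons->inhibitPolicyMapping)
            goto bad_cache;
        if (!policy_cache_set_int(&cache->explicit_skip,
                                  ext_pcons->requireExplicitPolicy))
            goto bad_cache;
        if (!policy_cache_set_int(&cache->map_skip,
                                  ext_pcons->inhibitPolicyMapping))
            goto bad_cache;
    }

    /* Process CertificatePolicies */
    ext_cpols = X509_get_ext_d2i(x, NID_certificate_policies, &i, NULL);
    /*
     * If no CertificatePolicies extension or problem decoding then
     * there is no point continuing because the valid policies will be
     * NULL.
     */
    if (!ext_cpols) {
        /* If not absent some problem with extension */
        if (i != -1)
            goto bad_cache;
        goto just_cleanup;
    }

    /* i is whatever X509_get_ext_d2i() stored there: the critical flag. */
    i = policy_cache_create(x, ext_cpols, i);

    /* NB: ext_cpols is consumed (freed) by policy_cache_create() */
    if (i <= 0) {
        /* Propagate 0 / -1 unchanged, but still release ext_pcons. */
        ret = i;
        goto just_cleanup;
    }

    ext_pmaps = X509_get_ext_d2i(x, NID_policy_mappings, &i, NULL);

    if (!ext_pmaps) {
        /* If not absent some problem with extension */
        if (i != -1)
            goto bad_cache;
    } else {
        /*
         * ext_pmaps is not freed in this file; presumably
         * policy_cache_set_mapping() consumes it -- confirm in pcy_map.c.
         */
        i = policy_cache_set_mapping(x, ext_pmaps);
        if (i <= 0)
            goto bad_cache;
    }

    ext_any = X509_get_ext_d2i(x, NID_inhibit_any_policy, &i, NULL);

    if (!ext_any) {
        if (i != -1)
            goto bad_cache;
    } else if (!policy_cache_set_int(&cache->any_skip, ext_any)) {
        goto bad_cache;
    }

    goto just_cleanup;

 bad_cache:
    /* The cache stays installed; the flag tells the verifier to reject. */
    x->ex_flags |= EXFLAG_INVALID_POLICY;

 just_cleanup:
    if (ext_pcons)
        POLICY_CONSTRAINTS_free(ext_pcons);
    if (ext_any)
        ASN1_INTEGER_free(ext_any);
    return ret;
}

/*
 * Release a policy cache and the policy data it owns. NULL is accepted.
 * cache->maps is not released here: this file only ever sets it to NULL
 * -- confirm that pcy_map.c never allocates into it.
 */
void policy_cache_free(X509_POLICY_CACHE *cache)
{
    if (!cache)
        return;
    if (cache->anyPolicy)
        policy_data_free(cache->anyPolicy);
    if (cache->data)
        sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
    OPENSSL_free(cache);
}

/*
 * Return the policy cache of x, building it on first use.
 *
 * The NULL test is done before taking the global CRYPTO_LOCK_X509 lock;
 * policy_cache_new() repeats it under the lock, so a cache that has been
 * installed is never replaced. NOTE(review): the unlocked read is still a
 * data race in the C11 sense; it is the pattern this code base already
 * relies on and is left as is. A NULL return means the build failed
 * (allocation), and the caller must cope with that.
 */
const X509_POLICY_CACHE *policy_cache_set(X509 *x)
{
    if (x->policy_cache == NULL) {
        CRYPTO_w_lock(CRYPTO_LOCK_X509);
        policy_cache_new(x);
        CRYPTO_w_unlock(CRYPTO_LOCK_X509);
    }
    return x->policy_cache;
}

/*
 * Find the cache entry whose valid_policy OID equals id.
 *
 * Returns the matching X509_POLICY_DATA, still owned by the cache, or
 * NULL. Only tmp.valid_policy is populated because policy_data_cmp()
 * looks at nothing else. NOTE(review): if sk_*_find sorts the stack in
 * place, the const on cache is nominal -- check stack.c before relying
 * on it from concurrent readers.
 */
X509_POLICY_DATA *policy_cache_find_data(const X509_POLICY_CACHE *cache,
                                         const ASN1_OBJECT *id)
{
    X509_POLICY_DATA tmp;
    int idx;

    tmp.valid_policy = (ASN1_OBJECT *)id;
    idx = sk_X509_POLICY_DATA_find(cache->data, &tmp);
    if (idx == -1)
        return NULL;
    return sk_X509_POLICY_DATA_value(cache->data, idx);
}

/* Stack comparator: order cache entries by their valid_policy OID. */
static int policy_data_cmp(const X509_POLICY_DATA *const *a,
                           const X509_POLICY_DATA *const *b)
{
    return OBJ_cmp((*a)->valid_policy, (*b)->valid_policy);
}

/*
 * Copy an optional skip-certs INTEGER into *out.
 *
 * A NULL value (field absent) leaves *out untouched and succeeds.
 * A negative value is rejected (returns 0); a skip count below zero has
 * no meaning here. NOTE(review): should ASN1_INTEGER_get() signal an
 * out-of-range value with -1, that collides with the cache's -1
 * "not present" sentinel and an oversized count would read as
 * "no constraint" -- confirm against a_int.c.
 */
static int policy_cache_set_int(long *out, ASN1_INTEGER *value)
{
    if (value == NULL)
        return 1;
    if (value->type == V_ASN1_NEG_INTEGER)
        return 0;
    *out = ASN1_INTEGER_get(value);
    return 1;
}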