import of OpenSSL 0.9.8h

3 files changed, 76 insertions, 11 deletions

diff --git a/lib/libssl/src/crypto/x509v3/pcy_int.h b/lib/libssl/src/crypto/x509v3/pcy_int.h
index ccff92846e4..ba62a209dad 100644
--- a/lib/libssl/src/crypto/x509v3/pcy_int.h
+++ b/lib/libssl/src/crypto/x509v3/pcy_int.h
@@ -1,5 +1,5 @@
 /* pcy_int.h */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
  * project 2004.
  */
 /* ====================================================================
@@ -56,10 +56,12 @@
  *
  */
 
+DECLARE_STACK_OF(X509_POLICY_DATA)
+DECLARE_STACK_OF(X509_POLICY_REF)
+DECLARE_STACK_OF(X509_POLICY_NODE)
 
 typedef struct X509_POLICY_DATA_st X509_POLICY_DATA;
-
-DECLARE_STACK_OF(X509_POLICY_DATA)
+typedef struct X509_POLICY_REF_st X509_POLICY_REF;
 
 /* Internal structures */
 
@@ -108,6 +110,16 @@ struct X509_POLICY_DATA_st
 
 #define POLICY_DATA_FLAG_CRITICAL		0x10
 
+/* This structure is an entry from a table of mapped policies which
+ * cross reference the policy it refers to.
+ */
+
+struct X509_POLICY_REF_st
+	{
+	ASN1_OBJECT *subjectDomainPolicy;
+	const X509_POLICY_DATA *data;
+	};
+
 /* This structure is cached with a certificate */
 
 struct X509_POLICY_CACHE_st {
@@ -115,6 +127,8 @@ struct X509_POLICY_CACHE_st {
 	X509_POLICY_DATA *anyPolicy;
 	/* other policy data */
 	STACK_OF(X509_POLICY_DATA) *data;
+	/* If policyMappings extension present a table of mapped policies */
+	STACK_OF(X509_POLICY_REF) *maps;
 	/* If InhibitAnyPolicy present this is its value or -1 if absent. */
 	long any_skip;
 	/* If policyConstraints and requireExplicitPolicy present this is its
@@ -179,7 +193,7 @@ struct X509_POLICY_TREE_st
 
 /* Internal functions */
 
-X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, const ASN1_OBJECT *id,
+X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, ASN1_OBJECT *id,
 								int crit);
 void policy_data_free(X509_POLICY_DATA *data);
 
@@ -195,18 +209,15 @@ void policy_cache_init(void);
 void policy_cache_free(X509_POLICY_CACHE *cache);
 
 X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level,
-					const X509_POLICY_NODE *parent,	
 					const ASN1_OBJECT *id);
 
 X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk,
 						const ASN1_OBJECT *id);
 
 X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
-			const X509_POLICY_DATA *data,
+			X509_POLICY_DATA *data,
 			X509_POLICY_NODE *parent,
 			X509_POLICY_TREE *tree);
 void policy_node_free(X509_POLICY_NODE *node);
-int policy_node_match(const X509_POLICY_LEVEL *lvl,
-		      const X509_POLICY_NODE *node, const ASN1_OBJECT *oid);
 
 const X509_POLICY_CACHE *policy_cache_set(X509 *x);
diff --git a/lib/libssl/src/crypto/x509v3/pcy_lib.c b/lib/libssl/src/crypto/x509v3/pcy_lib.c
index 93bfd927037..dae4840bc5d 100644
--- a/lib/libssl/src/crypto/x509v3/pcy_lib.c
+++ b/lib/libssl/src/crypto/x509v3/pcy_lib.c
@@ -1,5 +1,5 @@
 /* pcy_lib.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
  * project 2004.
  */
 /* ====================================================================
diff --git a/lib/libssl/src/crypto/x509v3/pcy_map.c b/lib/libssl/src/crypto/x509v3/pcy_map.c
index 21163b529d4..35221e8ba82 100644
--- a/lib/libssl/src/crypto/x509v3/pcy_map.c
+++ b/lib/libssl/src/crypto/x509v3/pcy_map.c
@@ -1,5 +1,5 @@
 /* pcy_map.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
  * project 2004.
  */
 /* ====================================================================
@@ -62,6 +62,31 @@
 
 #include "pcy_int.h"
 
+static int ref_cmp(const X509_POLICY_REF * const *a,
+			const X509_POLICY_REF * const *b)
+	{
+	return OBJ_cmp((*a)->subjectDomainPolicy, (*b)->subjectDomainPolicy);
+	}
+
+static void policy_map_free(X509_POLICY_REF *map)
+	{
+	if (map->subjectDomainPolicy)
+		ASN1_OBJECT_free(map->subjectDomainPolicy);
+	OPENSSL_free(map);
+	}
+
+static X509_POLICY_REF *policy_map_find(X509_POLICY_CACHE *cache, ASN1_OBJECT *id)
+	{
+	X509_POLICY_REF tmp;
+	int idx;
+	tmp.subjectDomainPolicy = id;
+
+	idx = sk_X509_POLICY_REF_find(cache->maps, &tmp);
+	if (idx == -1)
+		return NULL;
+	return sk_X509_POLICY_REF_value(cache->maps, idx);
+	}
+
 /* Set policy mapping entries in cache.
  * Note: this modifies the passed POLICY_MAPPINGS structure
  */
@@ -69,6 +94,7 @@
 int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
 	{
 	POLICY_MAPPING *map;
+	X509_POLICY_REF *ref = NULL;
 	X509_POLICY_DATA *data;
 	X509_POLICY_CACHE *cache = x->policy_cache;
 	int i;
@@ -78,6 +104,7 @@ int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
 		ret = -1;
 		goto bad_mapping;
 		}
+	cache->maps = sk_X509_POLICY_REF_new(ref_cmp);
 	for (i = 0; i < sk_POLICY_MAPPING_num(maps); i++)
 		{
 		map = sk_POLICY_MAPPING_value(maps, i);
@@ -89,6 +116,13 @@ int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
 			goto bad_mapping;
 			}
 
+		/* If we've already mapped from this OID bad mapping */
+		if (policy_map_find(cache, map->subjectDomainPolicy) != NULL)
+			{
+			ret = -1;
+			goto bad_mapping;
+			}
+
 		/* Attempt to find matching policy data */
 		data = policy_cache_find_data(cache, map->issuerDomainPolicy);
 		/* If we don't have anyPolicy can't map */
@@ -104,7 +138,7 @@ int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
 			if (!data)
 				goto bad_mapping;
 			data->qualifier_set = cache->anyPolicy->qualifier_set;
-			/*map->issuerDomainPolicy = NULL;*/
+			map->issuerDomainPolicy = NULL;
 			data->flags |= POLICY_DATA_FLAG_MAPPED_ANY;
 			data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
 			if (!sk_X509_POLICY_DATA_push(cache->data, data))
@@ -115,10 +149,23 @@ int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
 			}
 		else
 			data->flags |= POLICY_DATA_FLAG_MAPPED;
+
 		if (!sk_ASN1_OBJECT_push(data->expected_policy_set, 
 						map->subjectDomainPolicy))
 			goto bad_mapping;
+		
+		ref = OPENSSL_malloc(sizeof(X509_POLICY_REF));
+		if (!ref)
+			goto bad_mapping;
+
+		ref->subjectDomainPolicy = map->subjectDomainPolicy;
 		map->subjectDomainPolicy = NULL;
+		ref->data = data;
+
+		if (!sk_X509_POLICY_REF_push(cache->maps, ref))
+			goto bad_mapping;
+
+		ref = NULL;
 
 		}
 
@@ -126,6 +173,13 @@ int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
 	bad_mapping:
 	if (ret == -1)
 		x->ex_flags |= EXFLAG_INVALID_POLICY;
+	if (ref)
+		policy_map_free(ref);
+	if (ret <= 0)
+		{
+		sk_X509_POLICY_REF_pop_free(cache->maps, policy_map_free);
+		cache->maps = NULL;
+		}
 	sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free);
 	return ret;